Method for governing interaction between code within a code base
First Claim
1. A method for governing interaction between code within a code base operable on a computer comprising:
- determining a region in a memory of said computer in which said code base resides;
- defining container boundaries in said region for a plurality of containers, said containers containing subsets of said code;
- creating a policy that governs said interaction between said subsets of said code contained in said containers; and
- executing said operating system on said computer in accordance with said policy.
Abstract
A separation management system (32) for governing interaction between code within a code base (50) operable on a computer (30) determines a region in a memory (44) of the computer (30) in which the code base (50) resides and defines container boundaries (118, 124, 130, 135) in the region for a plurality of containers (95). Each of the containers (95) contains subsets of the code (120, 126, 132, 137) that cannot be trusted. A policy (94) is created that governs interaction between the subsets of the code in the containers (95). The code base (50) is executed in the computer (30) in accordance with the policy (94) such that the subsets of code within the containers (95) are prevented from accessing code outside of their respective containers (95) when access is disallowable as indicated by the policy (94).
23 Claims
1. A method for governing interaction between code within a code base operable on a computer comprising:
- determining a region in a memory of said computer in which said code base resides;
- defining container boundaries in said region for a plurality of containers, said containers containing subsets of said code;
- creating a policy that governs said interaction between said subsets of said code contained in said containers; and
- executing said operating system on said computer in accordance with said policy.

Dependent claims: 2 to 15.
16. A computer-implemented separation management system executable in connection with an operating system of a computer for providing separation between code within a code base of said operating system, said system comprising:
- a plurality of containers established in a region of a memory of said computer in which said code base resides, said containers being defined by container boundaries, and said containers containing subsets of said code within said code base, said subsets of said code being untrusted code within said operating system;
- a policy that governs interaction between said subsets of said code contained in said containers; and
- a policy manager executed in connection with said operating system on said computer, said policy manager utilizing said policy to govern interaction between said subsets of said code.

Dependent claims: 17 to 20.
21. A method for governing interaction between code within a code base operable on a computer comprising:
- determining a region in a memory of said computer in which said code base resides;
- defining container boundaries in said region for a plurality of containers, said containers containing subsets of said code, and said defining operation including:
  - identifying unique footprints in said region of said memory for each of said containers; and
  - selecting said code for a first one of said subsets of said code that belongs to a discrete function of said code base;
- creating a policy that governs interaction between said subsets of said code contained in said containers;
- executing said code base on said computer in accordance with said policy such that each of said subsets of said code is prevented from access to said code outside of an associated one of said plurality of containers when said access is disallowable as indicated by said policy.

Dependent claims: 22 and 23.
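The mechanism described in the abstract and in claim 21 (containers with unique footprints inside one memory region, a policy, and a policy manager that decides whether code in one container may reach code in another), modelled in Python as an added illustration. This is not the patent's own code: the region bounds, container names, sample addresses and the allow-list form of the policy are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Container:
    """A named, contiguous footprint [start, end) inside the code-base memory region."""
    name: str
    start: int
    end: int

def footprint_problems(region, containers):
    """Check that every footprint lies inside the region and that no two overlap
    (footprints must be unique); returns a list of problem strings, empty when valid."""
    lo, hi = region
    problems = []
    ordered = sorted(containers, key=lambda c: c.start)
    for i, c in enumerate(ordered):
        if not (lo <= c.start < c.end <= hi):
            problems.append(f"{c.name}: footprint outside the code-base region")
        if i and ordered[i - 1].end > c.start:
            problems.append(f"{c.name}: footprint overlaps {ordered[i - 1].name}")
    return problems

class PolicyManager:
    """Decides, per the policy, whether code at one address may reach code at another."""
    def __init__(self, region, containers, allowed_pairs):
        problems = footprint_problems(region, containers)
        if problems:
            raise ValueError("; ".join(problems))
        self.containers = list(containers)
        # The policy is modelled as an allow-list of (source, destination) container
        # names; any pair not listed is disallowed (the patent leaves the form open).
        self.allowed = set(allowed_pairs)

    def container_of(self, addr):
        return next((c for c in self.containers if c.start <= addr < c.end), None)

    def access_allowed(self, caller_addr, target_addr):
        src, dst = self.container_of(caller_addr), self.container_of(target_addr)
        if src is None or dst is None:
            return False  # an address outside every container is denied
        if src is dst:
            return True   # code may always reach code inside its own container
        return (src.name, dst.name) in self.allowed

# Constructed sample: three containers in a 16 KiB region; only filesystem may call crypto.
REGION = (0x1000, 0x5000)
CONTAINERS = [Container("net_driver", 0x1000, 0x2000),
              Container("filesystem", 0x2000, 0x3000),
              Container("crypto", 0x3000, 0x4000)]
MANAGER = PolicyManager(REGION, CONTAINERS, {("filesystem", "crypto")})
```

The policy is directional: the filesystem container may reach crypto, but crypto calling back into the filesystem is denied unless a second pair is listed.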
Specification