SANDBOXED EXECUTION OF PLUG-INS
First Claim
1. A computer-implemented program management system, comprising:
- an interface component for receiving auxiliary code for execution with an application;
an isolation component for receiving and securely isolating the auxiliary code in an isolated environment using one or more levels of isolation; and
a management component for monitoring and managing execution of the auxiliary code in the isolated environment based in part on abnormal execution behavior.
2 Assignments
0 Petitions
Accused Products
Abstract
A sandbox architecture that isolates and identifies misbehaving plug-ins (intentional or unintentional) to prevent system interruptions and failure. Based on plug-in errors, the architecture automatically disables and blocks registration of the bad plug-in via a penalty point system. Publishers of bad plug-ins are controlled by disabling the bad plug-ins and registering the publisher in an unsafe list. Isolation can be provided in multiple levels, such as machine isolation, process isolation, secure accounts with limited access rights, and application domain isolation within processes using local security mechanisms. A combination of the multiple levels of isolation achieves a high level of security. Isolation provides separation from other plug-in executions and restriction to system resources such as file system and network IP. Moreover, the architecture is highly scalable, stateless, and low administration architecture for the execution of the plug-ins, which can be scaled by adding/removing additional sandbox servers on-the-fly without prior configuration.
-
Citations
20 Claims
-
1. A computer-implemented program management system, comprising:
-
an interface component for receiving auxiliary code for execution with an application; an isolation component for receiving and securely isolating the auxiliary code in an isolated environment using one or more levels of isolation; and a management component for monitoring and managing execution of the auxiliary code in the isolated environment based in part on abnormal execution behavior. - View Dependent Claims (2, 3, 4, 5, 6, 7)
-
-
8. A computer-implemented program management system, comprising:
-
an interface component for receiving auxiliary code for execution with an application and ensuring that calls from the auxiliary code are directed to the application; an isolation component for receiving and securely isolating the auxiliary code in an isolated environment using a least one of a machine isolation level, a process isolation level, or an application domain code access isolation level; a penalty component for tracking penalty points accumulated by the auxiliary code in response to abnormal execution behavior; and a management component for monitoring and managing execution of the auxiliary code in the isolated environment based on the penalty points. - View Dependent Claims (9, 10, 11, 12)
-
-
13. A computer-implemented method of managing a program, comprising:
-
receiving auxiliary code for execution; sending the auxiliary code to an isolated environment for execution; executing the auxiliary code in the isolated environment; monitoring execution of the auxiliary code for abnormal execution behavior; and managing the execution of the auxiliary code based on the abnormal execution behavior. - View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
-
Specification