Performing secure and insecure computing operations in a compartmented operating system

US 7,159,210 B2
Filed: 06/18/2002
Issued: 01/02/2007
Est. Priority Date: 06/19/2001
Status: Active Grant

First Claim

Patent Images

1. A method for running a process, comprising:

(a) providing a host operating system;

(b) running operations of a process directly on the host operating system;

(c) selectively providing a guest operating system when the process attempts a predetermined operation; and

(d) running the predetermined operation and remaining operations of the process on the guest operating system, wherein the operations of the process are divided into a first set of operations which are allowed to run directly on the host operating system and a second set of operations which are not allowed to run directly on the host operating system, wherein the predetermined operations fall into the second set of operations and the remaining operations may fall into either the first set of operations or the second set of operations.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A process 23 runs directly on a host operating system 22, until the process 23 attempts an operation which can affect security of the host operating system 22 (such as loading a kernel module or using system privileges). A guest operating system 25 is then provided running as a virtual machine session within a compartment 24 of the host operating system 22 and running of the process 23 continues using the guest operating system. Operations of the process 23 which can affect security of the host operating system 22 are instead performed on the guest operating system 25, giving greater security. The guest operating system 25 is only invoked selectively, leading to greater overall efficiency.

Citations

14 Claims

1. A method for running a process, comprising:
- (a) providing a host operating system;
  
  (b) running operations of a process directly on the host operating system;
  
  (c) selectively providing a guest operating system when the process attempts a predetermined operation; and
  
  (d) running the predetermined operation and remaining operations of the process on the guest operating system, wherein the operations of the process are divided into a first set of operations which are allowed to run directly on the host operating system and a second set of operations which are not allowed to run directly on the host operating system, wherein the predetermined operations fall into the second set of operations and the remaining operations may fall into either the first set of operations or the second set of operations.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the paragraph (c) comprises identifying an attempt to perform an operation falling into the second set.
  - 3. The method of claim 1, wherein in the paragraph (c) the guest operating system is provided within a compartment of the host operating system.
  - 4. The method of claim 1, wherein in the paragraph (b) the process runs within a compartment of the host operating system.
  - 5. The method of claim 1, wherein the guest operating system is provided by a virtual machine session.
  - 6. The method of claim 1, further comprising (e) closing the guest operating system in response to a condition caused by running the process on the guest operating system.
  - 7. The method of claim 6, wherein the guest operating system is provided within a compartment of the host operating system, and the paragraph (e) comprises closing the compartment.

8. A method for running a process, comprising:
- (a) providing a host operating system;
  
  (b) providing a process which attempts one or more operations;
  
  (c) monitoring attempted one or more operations of the process by comparing against a first set of operations and a second set of operations;
  
  (d) executing the attempted operation directly on the host operating system if it falls into the first set of operations;
  
  (e) providing a guest operating system and allowing the attempted operation and remaining operations to execute on the guest operating system if the attempted operation falls into the second set of operations, wherein the remaining operations may fall into either the first set of operations or the second set of operations.

9. A computing platform system, comprising:
- a memory to store a computer-executable instructions; and
  
  a processor operatively coupled to said memory and configured to implement said computer-executable instructions and configured to;
  
  execute operations of a process on a host operating system; and
  
  execute a predetermined operation and remaining operations of the process when the process attempts the predetermined operation on a guest operating system, wherein the operations of the process are divided into a first set of operation which are allowed to run directly on the host operating system and a second set of operations which are not allowed to run directly on the host operating system, wherein the predetermined operations fall into the second of operations and the remaining operations may fall into either the first set of operations or the second set of operations.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The computing platform of claim 9, wherein the host operating system indentifies an attempt to performed an operating falling into the second set, and in response provides the guest operating system.
  - 11. The computing platformed of claim 9, wherein the host operating system provides a compartment for containing the process.
  - 12. The computing platform of claim 9, wherein the host operating system provides a compartment for containing the guest operating system.
  - 13. The computing platform of claim 9, wherein the guest operating system is provided by a virtual machine session running on the host operating system.

14. A method for running a process, comprising:
- (a) providing a host operating system;
  
  (b) providing a process which attempts one or more operations;
  
  (c) monitoring attempted one or more operations of the process by comparing against a first set of operations and a second of operations;
  
  (d) executing the attempted one or more operations directly on the host operating system if the one or more operations fall into the first set of operations;
  
  (e) migrating execution of a remainder of the process to a guest operating system if the attempted one or more operations fall into the second set of operations, wherein the remainder of the process may contain either the first set of operations or the second set of operations.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Griffin, Jonathan, Dalton, Christopher I.
Primary Examiner(s)
STEELMAN, MARY J

Application Number

US10/175,553
Publication Number

US 20020194241A1
Time in Patent Office

1,659 Days
Field of Search

717/140, 717/141, 717/120, 713/200, 713/168, 713/164, 713/167, 711/152, 711/153, 718/1
US Class Current

717/141
CPC Class Codes

G06F 9/45537 Provision of facilities of ...

Performing secure and insecure computing operations in a compartmented operating system

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Performing secure and insecure computing operations in a compartmented operating system

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links