Performing secure and insecure computing operations in a compartmented operating system
Abstract
A process 23 runs directly on a host operating system 22, until the process 23 attempts an operation which can affect security of the host operating system 22 (such as loading a kernel module or using system privileges). A guest operating system 25 is then provided running as a virtual machine session within a compartment 24 of the host operating system 22 and running of the process 23 continues using the guest operating system. Operations of the process 23 which can affect security of the host operating system 22 are instead performed on the guest operating system 25, giving greater security. The guest operating system 25 is only invoked selectively, leading to greater overall efficiency.
Claims (14)
1. A method for running a process, comprising:
(a) providing a host operating system;
(b) running operations of a process directly on the host operating system;
(c) selectively providing a guest operating system when the process attempts a predetermined operation; and
(d) running the predetermined operation and remaining operations of the process on the guest operating system, wherein the operations of the process are divided into a first set of operations which are allowed to run directly on the host operating system and a second set of operations which are not allowed to run directly on the host operating system, wherein the predetermined operations fall into the second set of operations and the remaining operations may fall into either the first set of operations or the second set of operations.
Dependent claims: 2, 3, 4, 5, 6, 7.
8. A method for running a process, comprising:
(a) providing a host operating system;
(b) providing a process which attempts one or more operations;
(c) monitoring attempted one or more operations of the process by comparing against a first set of operations and a second set of operations;
(d) executing the attempted operation directly on the host operating system if it falls into the first set of operations;
(e) providing a guest operating system and allowing the attempted operation and remaining operations to execute on the guest operating system if the attempted operation falls into the second set of operations, wherein the remaining operations may fall into either the first set of operations or the second set of operations.
9. A computing platform system, comprising:
a memory to store computer-executable instructions; and
a processor operatively coupled to said memory and configured to implement said computer-executable instructions and configured to:
execute operations of a process on a host operating system; and
execute a predetermined operation and remaining operations of the process on a guest operating system when the process attempts the predetermined operation, wherein the operations of the process are divided into a first set of operations which are allowed to run directly on the host operating system and a second set of operations which are not allowed to run directly on the host operating system, wherein the predetermined operations fall into the second set of operations and the remaining operations may fall into either the first set of operations or the second set of operations.
Dependent claims: 10, 11, 12, 13.
14. A method for running a process, comprising:
(a) providing a host operating system;
(b) providing a process which attempts one or more operations;
(c) monitoring attempted one or more operations of the process by comparing against a first set of operations and a second set of operations;
(d) executing the attempted one or more operations directly on the host operating system if the one or more operations fall into the first set of operations;
(e) migrating execution of a remainder of the process to a guest operating system if the attempted one or more operations fall into the second set of operations, wherein the remainder of the process may contain either the first set of operations or the second set of operations.
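The following Python model is an added illustration of the dispatch rule common to claims 1, 8 and 14, not text or code from the patent: a monitor compares each attempted operation against two sets, runs it on the host while it belongs to the first set, and from the first second-set operation onward (the patent's examples are loading a kernel module and using system privileges) runs the remainder of the process, whichever set each later operation belongs to, on a guest operating system inside a compartment. The operation names, the two sets and the fail-closed handling of unclassified operations are assumptions of this example.

```python
from dataclasses import dataclass, field

# Constructed classification (assumption, not the patent's). The first set is
# allowed directly on the host; the second set may only run on the guest.
HOST_ALLOWED = {"read_file", "write_file", "compute", "network_connect"}
GUEST_ONLY = {"load_kernel_module", "use_system_privileges", "raw_device_access"}


@dataclass
class Compartment:
    """Host-side compartment that lazily hosts the guest OS session."""
    guest_provided: bool = False          # claim 1(c): guest is provided selectively
    trace: list = field(default_factory=list)

    def provide_guest(self):
        # In a real system this would boot the virtual machine session and
        # migrate the process state; here we only record that it happened.
        self.guest_provided = True


def run_process(operations):
    """Dispatch each operation of a process per claims 8/14 and return a
    list of (operation, "host" | "guest") pairs in execution order.

    Migration is one-way: once the guest exists, every remaining operation
    runs there, even ones that would have been allowed on the host.
    An operation in neither set is rejected (fail closed) rather than run
    on the host by default."""
    comp = Compartment()
    for op in operations:
        if op not in HOST_ALLOWED and op not in GUEST_ONLY:
            raise ValueError(f"unclassified operation: {op}")
        if op in GUEST_ONLY and not comp.guest_provided:
            comp.provide_guest()
        target = "guest" if comp.guest_provided else "host"
        comp.trace.append((op, target))
    return comp.trace


def guest_was_needed(trace):
    """True if the process ever left the host (i.e. the guest was provided)."""
    return any(target == "guest" for _, target in trace)


if __name__ == "__main__":
    for op, where in run_process(["read_file", "compute", "load_kernel_module",
                                  "read_file", "use_system_privileges"]):
        print(f"{op:<24} -> {where}")
```

A process that never attempts a second-set operation finishes entirely on the host, which is the efficiency argument in the abstract; the trace makes visible that an otherwise harmless `read_file` after the kernel-module attempt stays on the guest.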