Method and apparatus for isolating execution of software applications
Abstract
A method for isolating access by application programs to native resources provided by an operating system redirects a request for a native resource made by an application program executing on behalf of a user to an isolation environment. The isolation environment includes a user isolation scope and an application isolation scope. An instance of the requested native resource is located in the user isolation scope corresponding to the user. The request for the native resource is fulfilled using the version of the resource located in the user isolation scope. If an instance of the requested native resource is not located in the user isolation scope, the request is redirected to an application isolation scope. The request for the native resource is fulfilled using the version of the resource located in the application isolation scope. If an instance of the requested native resource is not located in the application isolation scope, the request is redirected to a system scope.
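The lookup order described in the abstract (user isolation scope, then application isolation scope, then system scope) can be modelled as follows. This is an added example, not code from the patent: the class, the resource names and the sample data are constructed for illustration, and a dictionary lookup stands in for the interception a real implementation would do in a filter driver.

```python
from dataclasses import dataclass, field


@dataclass
class IsolationEnvironment:
    """Toy model: every scope is a dict mapping resource name -> instance."""
    system_scope: dict
    app_scopes: dict = field(default_factory=dict)   # application -> scope
    user_scopes: dict = field(default_factory=dict)  # user -> scope

    def resolve(self, user, app, resource):
        """Serve a redirected request from the first scope holding an instance.

        Returns (scope_name, instance, scopes_consulted) so a reviewer can
        see which layer answered and which layers were tried first.
        """
        layers = [
            (f"user:{user}", self.user_scopes.get(user, {})),
            (f"app:{app}", self.app_scopes.get(app, {})),
            ("system", self.system_scope),
        ]
        consulted = []
        for name, scope in layers:
            consulted.append(name)
            if resource in scope:
                return name, scope[resource], consulted
        raise FileNotFoundError(f"{resource!r} not found in {consulted}")


# Constructed sample data: one file and one registry entry (hypothetical names).
ENV = IsolationEnvironment(
    system_scope={"settings.ini": "system default",
                  "HKLM/Software/Example/Mode": "system value"},
    app_scopes={"editor": {"settings.ini": "editor-specific copy"}},
    user_scopes={"alice": {"settings.ini": "alice's private copy"}},
)

if __name__ == "__main__":
    requests = [
        ("alice", "editor", "settings.ini"),             # served by user scope
        ("bob", "editor", "settings.ini"),               # falls to app scope
        ("bob", "editor", "HKLM/Software/Example/Mode"), # falls to system scope
    ]
    for user, app, resource in requests:
        scope, instance, consulted = ENV.resolve(user, app, resource)
        print(f"{user}/{app} {resource}: {instance!r} from {scope} via {consulted}")
```

The returned scope name makes the shadowing visible: an instance in a user scope hides the application and system instances of the same resource for that user only.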
27 Claims
1. A method for isolating access by application programs to native resources provided by an operating system, the method comprising instructing a suitably programmed computer to perform the steps of:
(a) redirecting to an isolation environment comprising a user isolation layer and an application isolation layer a request for a native resource provided by an operating system and stored in a memory element provided by a computer, the request made by a process executing on behalf of a first user;
(b) failing to locate in the memory element an instance of the requested resource associated with a user isolation scope provided by the user isolation layer on behalf of a first user;
(c) redirecting the request to the application isolation layer;
(d) locating in the memory element an instance of the requested native resource associated with an application isolation scope provided by the application isolation layer; and
(e) responding to the request for the native resource using the instance of the requested native resource located in the memory element and associated with the application isolation scope.
Dependent claims: 2, 3, 4, 5, 6, 7

8. A method for isolating access by application programs to native resources provided by an operating system, the method comprising instructing a suitably programmed computer to perform the steps of:
(a-1) intercepting by a file system filter driver a request for a file system native resource provided by an operating system and stored in a memory element provided by a computer, the request made by a process executing on behalf of a first user;
(a-2) redirecting to an isolation environment comprising a user isolation layer and an application isolation layer the request for the file system native resource;
(b) locating in the memory element an instance of the requested resource associated with a user isolation scope provided by the user isolation layer on behalf of a first user; and
(c) responding to the request for the native resource using the instance of the requested native resource located in the memory element and associated with the user isolation scope.

9. A method for isolating access by application programs to native resources provided by an operating system, the method comprising instructing a suitably programmed computer to perform the steps of:
(a) redirecting to an isolation environment comprising a user isolation layer and an application isolation layer a request for a file stored in a memory element provided by a computer, the request made by a process executing on behalf of a first user;
(b) locating in the memory element an instance of the requested resource associated with a user isolation scope provided by the user isolation layer on behalf of a first user; and
(c) responding to the request for the native resource using the instance of the requested native resource located in the memory element and associated with the user isolation scope.

10. A method for isolating access by application programs to native resources provided by an operating system, the method comprising instructing a suitably programmed computer to perform the steps of:
(a) redirecting to an isolation environment comprising a user isolation layer and an application isolation layer a request for a registry database entry stored in a memory element provided by a computer, the request made by a process executing on behalf of a first user;
(b) locating in the memory element an instance of the requested resource associated with a user isolation scope provided by the user isolation layer on behalf of a first user; and
(c) responding to the request for the native resource using the instance of the requested native resource located in the memory element and associated with the user isolation scope.

11. A method for isolating access by application programs to native resources provided by an operating system, the method comprising instructing a suitably programmed computer to perform the steps of:
(a) redirecting to an isolation environment comprising a user isolation layer and an application isolation layer a request for a native resource provided by an operating system and stored in a memory element provided by a computer, the request made by a process executing on behalf of a first user;
(b) locating in the memory element an instance of the requested resource associated with a user isolation scope provided by the user isolation layer on behalf of a first user;
(c) responding to the request for the native resource using the instance of the requested native resource located in the memory element and associated with the user isolation scope;
(d) redirecting to the isolation environment a request for the native resource made by a second process executing on behalf of a second user;
(e) locating in the memory element an instance of the requested native resource associated with a second user isolation scope provided by the user isolation layer on behalf of the second user; and
(f) responding to the request for the native resource using the instance of the native resource located in the memory element and associated with the second user isolation scope.
Dependent claims: 12, 13, 14, 15

16. A method for isolating access by application programs to native resources provided by an operating system, the method comprising instructing a suitably programmed computer to perform the steps of:
(a) redirecting to an isolation environment comprising a user isolation layer and an application isolation layer a request for a native resource provided by an operating system and stored in a memory element provided by a computer, the request made by a process executing on behalf of a first user;
(b) locating in the memory element an instance of the requested resource associated with a user isolation scope provided by the user isolation layer on behalf of a first user;
(c) responding to the request for the native resource using the instance of the requested native resource located in the memory element and associated with the user isolation scope;
(d) redirecting to the isolation environment a request for a native resource made by a second process executing on behalf of a first user;
(e) locating in the memory element an instance of the requested native resource associated with the user isolation scope; and
(f) responding to the request for the native resource using the instance of the resource associated with the user isolation scope.
Dependent claims: 17, 18, 19

20. An apparatus for isolating access by application programs to native resources provided by an operating system, the apparatus comprising:
computer-readable program means for associating an instance of a native resource provided by an operating system with a user isolation scope provided by an isolation environment comprising an application isolation layer and a user isolation layer, the user isolation scope corresponding to a user;
computer-readable program means for associating an instance of a native resource with an application isolation scope provided by the isolation environment, the application isolation scope corresponding to an application; and
computer-readable program means for intercepting a request for a native resource made by a process executing on behalf of the user and redirecting the request to the instance of the resource associated with the user isolation scope.
Dependent claims: 21, 22, 23, 24, 25, 26

27. An apparatus for isolating access by application programs to native resources provided by an operating system, the apparatus comprising:
computer-readable program means for;
(i) associating an instance of a native resource provided by an operating system with a user isolation scope provided by an isolation environment comprising an application isolation layer and a user isolation layer, the user isolation scope corresponding to a user, and for
(ii) associating an instance of the native resource with a second user isolation scope, the second user isolation scope corresponding to a second user; and
computer-readable program means for intercepting a request for a native resource made by a process executing on behalf of the user and redirecting the request to the instance of the resource associated with the user isolation scope.

Specification