Kernel interface with categorized kernel objects
First Claim
1. One or more processor-readable media comprising processor-executable instructions that, when executed by a processor, perform operations comprising:
providing a kernel interface to call an operating system's kernel for access to one or more kernel objects of an executing process;
facilitating a call, via the kernel interface, from the executing process to the kernel for access to the one or more kernel objects of the executing process, the call specifying a kernel-object identifier that identifies a called kernel object, the kernel-object identifier being an exclusive member of one of a plurality of designated categories of kernel-object identifiers, wherein each designated category of kernel-object identifiers has a format that is different from and incompatible with one or more formats of one or more other designated categories of kernel-object identifiers;
determining whether the kernel-object identifier specified by the call identifies a local kernel object that is for exclusive use by the executing process or identifies a peer kernel object that is for use by the executing process and one or more other executing processes;
when the kernel-object identifier identifies the local kernel object, permitting the executing process to access the local kernel object via the call; and
when the kernel-object identifier identifies the peer kernel object, blocking the call to prevent the executing process from accessing the peer kernel object.
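The dispatch described in claim 1, sketched as an added example (not code from the patent or its assignee): identifiers carry a category tag, and the kernel-interface entry point serves local objects and blocks peer objects. The tag values, the 32-bit layout, and all function and type names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed encoding (not from the patent): top byte is a category tag. */
#define TAG_SHIFT   24
#define TAG_LOCAL   0x4Cu           /* 'L': object private to the caller */
#define TAG_PEER    0x50u           /* 'P': object shared with other processes */
#define INDEX_MASK  0x00FFFFFFu
#define LOCAL_SLOTS 4

enum kobj_category { KOBJ_INVALID, KOBJ_LOCAL, KOBJ_PEER };
enum kcall_status  { KCALL_OK = 0, KCALL_BLOCKED = -1, KCALL_BAD_ID = -2 };

struct process {
    int      local_objs[LOCAL_SLOTS];  /* toy local kernel objects */
    unsigned local_used;               /* bitmap of allocated slots */
};

uint32_t kobj_make_local(uint32_t i) { return (TAG_LOCAL << TAG_SHIFT) | (i & INDEX_MASK); }
uint32_t kobj_make_peer(uint32_t i)  { return (TAG_PEER  << TAG_SHIFT) | (i & INDEX_MASK); }

/* An identifier belongs to exactly one category; unknown tags are invalid. */
enum kobj_category kobj_classify(uint32_t id) {
    switch (id >> TAG_SHIFT) {
    case TAG_LOCAL: return KOBJ_LOCAL;
    case TAG_PEER:  return KOBJ_PEER;
    default:        return KOBJ_INVALID;
    }
}

/* Kernel-interface entry: serve local objects, block peer objects. */
enum kcall_status kcall_read(const struct process *p, uint32_t id, int *out) {
    uint32_t idx = id & INDEX_MASK;
    switch (kobj_classify(id)) {
    case KOBJ_PEER:  return KCALL_BLOCKED;
    case KOBJ_LOCAL:
        if (idx >= LOCAL_SLOTS || !(p->local_used & (1u << idx))) return KCALL_BAD_ID;
        *out = p->local_objs[idx];
        return KCALL_OK;
    default:         return KCALL_BAD_ID;
    }
}

/* Constructed demo: one process with a single local object in slot 1. */
static const struct process demo = { {0, 42, 0, 0}, 1u << 1 };
int demo_read(uint32_t id) { int v = -1; return kcall_read(&demo, id, &v) == KCALL_OK ? v : -1000; }
enum kcall_status demo_status(uint32_t id) { int v; return kcall_read(&demo, id, &v); }

int main(void) {
    printf("local=%d peer=%d\n", demo_status(kobj_make_local(1)), demo_status(kobj_make_peer(1)));
    return 0;
}
```

Because the category is part of the identifier's format, the check happens before any object table is consulted, so a peer identifier can never be resolved through the local path.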
Abstract
Described herein are one or more implementations that separate kernel interface functions that act on kernel objects owned by a process and accessed exclusively by that process—described herein as local kernel objects—from those that access kernel objects owned by a process and accessible by other active processes.
164 Citations
14 Claims
1. One or more processor-readable media comprising processor-executable instructions that, when executed by a processor, perform operations comprising:
providing a kernel interface to call an operating system's kernel for access to one or more kernel objects of an executing process;
facilitating a call, via the kernel interface, from the executing process to the kernel for access to the one or more kernel objects of the executing process, the call specifying a kernel-object identifier that identifies a called kernel object, the kernel-object identifier being an exclusive member of one of a plurality of designated categories of kernel-object identifiers, wherein each designated category of kernel-object identifiers has a format that is different from and incompatible with one or more formats of one or more other designated categories of kernel-object identifiers;
determining whether the kernel-object identifier specified by the call identifies a local kernel object that is for exclusive use by the executing process or identifies a peer kernel object that is for use by the executing process and one or more other executing processes;
when the kernel-object identifier identifies the local kernel object, permitting the executing process to access the local kernel object via the call; and
when the kernel-object identifier identifies the peer kernel object, blocking the call to prevent the executing process from accessing the peer kernel object.
Dependent Claims (2, 3, 4, 5, 6, 7)
8. One or more processor-readable storage media comprising processor-executable instructions that, when executed by a processor, perform operations comprising:
recognizing one or more kernel objects of a subject process prior to and without execution of the subject process;
categorizing one or more of the recognized kernel objects into at least two categories based upon access permission functions of a kernel interface designated to act on a recognized kernel object, the first category comprising local kernel objects that are owned by the subject process and are for exclusive use by the subject process, and the second category comprising peer kernel objects that are owned and for use by the subject process and one or more other processes, wherein each kernel object is categorized into one of a plurality of mutually exclusive categories such that a format of an identifier for a kernel object in each kernel object category is different from and incompatible with formats of identifiers for kernel objects in one or more other kernel object categories;
when a recognized kernel object is categorized into the first category, permitting the subject process to access the recognized kernel object; and
when the recognized kernel object is categorized into the second category, blocking the subject process from accessing the recognized kernel object.
Dependent Claims (9, 10)
11. A method implemented by executable instructions stored on one or more processor-readable media, the method comprising:
facilitating execution of one or more processes in a context of a computer operating system environment;
facilitating execution of a kernel in the computer operating system environment;
providing a kernel interface for the one or more executing processes to call the kernel, wherein the call directs the kernel to perform a function that directly affects the execution of the kernel or the execution of the one or more processes;
facilitating a spawning call, via the kernel interface, from a calling process to the kernel, wherein the spawning call directs the kernel to create a new child process which is permitted to communicate with only other processes that the calling process specifies when the calling process makes the spawning call; and
restricting calls, via the kernel interface, from the calling process from directly affecting the child process while the child process is executing.
Dependent Claims (12, 13, 14)
Specification