Method and system for controlling inter-zone communication

US 8,056,119 B2
Filed: 04/25/2008
Issued: 11/08/2011
Est. Priority Date: 04/25/2008
Status: Active Grant

First Claim

Patent Images

1. A method for executing a target program, comprising:

opening, by a hardware processor and in response to a request from a source program, a door between a source container and a global container,wherein the source container is controlled by the global container,wherein the request specifies a target program, andwherein the source container comprises the source program;

sending the request to an access module located in the global container using the door;

verifying, by the hardware processor, that the request can be executed in a target container using a policy definition, wherein the target program is in the target container and wherein the target container is controlled by the global container;

logging in to the target container after the request has been verified;

initiating a gateway within the target container in response to the login;

setting an execution context of the gateway based on the policy definition; and

executing the target program by the hardware processor, using the execution context, to generate a response to the request,wherein the global container is executed by an operating system,wherein the global container comprises the source container, the target container, the door, and the access module,wherein the global container, the source container, and the target container are isolated execution environments, andwherein the door is an inter-process communication mechanism.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for executing a target program that includes opening, in response to a request, a door between the source container and the global container, where the source container is controlled by the global container and the request specifies a target program. The method further includes sending the request to an access module located in the global container using the door, verifying that the request can be executed in a target container using a policy definition, where the target program is in the target container and the target container is controlled by the global container, logging in to the target container after the request has been verified, initiating a gateway within the target container in response to the login, setting an execution context of the gateway based on the policy definition, and executing the target program by the gateway, using the execution context, to generate a response to the request.

14 Citations

View as Search Results

20 Claims

1. A method for executing a target program, comprising:
- opening, by a hardware processor and in response to a request from a source program, a door between a source container and a global container,wherein the source container is controlled by the global container,wherein the request specifies a target program, andwherein the source container comprises the source program;
  
  sending the request to an access module located in the global container using the door;
  
  verifying, by the hardware processor, that the request can be executed in a target container using a policy definition, wherein the target program is in the target container and wherein the target container is controlled by the global container;
  
  logging in to the target container after the request has been verified;
  
  initiating a gateway within the target container in response to the login;
  
  setting an execution context of the gateway based on the policy definition; and
  
  executing the target program by the hardware processor, using the execution context, to generate a response to the request,wherein the global container is executed by an operating system,wherein the global container comprises the source container, the target container, the door, and the access module,wherein the global container, the source container, and the target container are isolated execution environments, andwherein the door is an inter-process communication mechanism.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, further comprising:
    - spawning, in response to receiving the request, a thread in the global container by the access module, wherein the thread verifies that the request can be executed in the target container using the policy definition.
  - 3. The method of claim 1, wherein the policy definition comprises at least one selected from a group consisting of a program definition and an entity definition.
  - 4. The method of claim 2, further comprising:
    - prior to initiating the gateway in the container, verifying a gateway executable for the gateway by the thread.
  - 5. The method of claim 2, wherein a child process of the thread logs into the target container after the request has been verified.
  - 6. The method of claim 3, wherein the program definition comprises a name of the target program, a name of the source container, and a name of the target container.
  - 7. The method of claim 3, wherein the program definition comprises a name of the target program, a label of the source container, and a label of the target container.
  - 8. The method of claim 3, wherein the entity definition comprises a name of an entity in the source container, a name of the target program, a name of the source container, and a name of the target container.
  - 9. The method of claim 3, wherein the entity definition comprises a name of an entity in the source container, a name of the target program, a label of the source container, and a label of the target container.
  - 10. The method of claim 4, wherein the gateway is verified using a checksum function.
  - 11. The method of claim 6, wherein the program definition further comprises an execution identification, wherein the execution identification is used to login to the target container.
  - 12. The method of claim 7, wherein the label of the source container is less restrictive than the label of the target container.
  - 13. The method of claim 8, wherein the entity definition further comprises a forced option and wherein the forced option is added to the request.

14. A non-transitory computer readable medium comprising executable instructions to perform a method when executed by a processor, the method comprising:
- opening, in response to a request from a source program, a door between a source container and a global container,wherein the source container is controlled by the global container,wherein the request specifies a target program, andwherein the source container comprises the source program;
  
  sending the request to an access module located in the global container using the door;
  
  verifying that the request can be executed in a target container using a policy definition, wherein the target program is in the target container and wherein the target container is controlled by the global container;
  
  logging in to the target container after the request has been verified;
  
  initiating a gateway within the target container in response to the login;
  
  setting an execution context of the gateway based on the policy definition; and
  
  executing the target program, using the execution context, to generate a response to the request,wherein the global container is executed by an operating system,wherein the global container comprises the source container, the target container, the door, and the access module,wherein the global container, the source container, and the target container are isolated execution environments, andwherein the door is an inter-process communication mechanism.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The non-transitory computer readable medium of claim 14, the method further comprising:
    - spawning, in response to receiving the request, a thread in the global container by the access module,wherein the thread verifies that the request can be executed in the target container using the policy definition, andwherein the policy definition comprises at least one selected from a group consisting of a program definition and an entity definition.
  - 16. The non-transitory computer readable medium of claim 14, wherein the method further comprises:
    - prior to initiating the gateway in the container, verifying a gateway executable for the gateway by the thread.
  - 17. The non-transitory computer readable medium of claim 15, wherein the program definition comprises one selected from a group consisting of:
    - (a) a name of the target program, a name of the source container, and a name of the target container; and
      
      (b) a name of the target program, a label of the source container, and a label of the target container.
  - 18. The non-transitory computer readable medium of claim 15, wherein the entity definition comprises one selected from a group consisting of:
    - (a) a name of an entity in the source container, a name of the target program, a name of the source container, and a name of the target container; and
      
      (b) a name of an entity in the source container, a name of the target program, a label of the source container, and a label of the target container.
  - 19. The non-transitory computer readable medium of claim 16, wherein the gateway is verified using a checksum function.

20. A system, comprising:
- a hardware platform comprising a processor;
  
  an operating system executing on the hardware platform; and
  
  a global container executing on the operating system, wherein the global container comprises a first container, a second container, a door, and an access module,wherein the second container comprises a target program,wherein the first container comprises a source program configured to send a request for the target program to the access module via the door,wherein the access module, using a policy definition, is configured to enable the target program to process the request,wherein the policy definition comprises at least one selected from a group consisting of a program definition and an entity definition,wherein the global container, the first container, and the second container are isolated execution environments, andwherein the door is an inter-process communication mechanism.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle America, Inc. (Oracle Corporation)
Original Assignee
Oracle America, Inc. (Oracle Corporation)
Inventors
Blanquart, Bart, Gillet, Bruno Jean
Primary Examiner(s)
Srivastava; Vivek
Assistant Examiner(s)
Salehi; Helai

Application Number

US12/110,073
Publication Number

US 20090271840A1
Time in Patent Office

1,292 Days
Field of Search

726/1, 726/2, 726/27, 713182-186, 711163-164
US Class Current

726/2
CPC Class Codes

G06F 21/6209 to a single file or object,...

G06F 2221/2113 Multi-level security, e.g. ...

Method and system for controlling inter-zone communication

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

14 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for controlling inter-zone communication

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

14 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links