Component-level sandboxing

US 8,180,893 B1
Filed: 03/15/2010
Issued: 05/15/2012
Est. Priority Date: 03/15/2010
Status: Active Grant

First Claim

Patent Images

1. A method of sandboxing a data access request made by an application executing on a computer, comprising:

monitoring the application to detect the data access request made by the application, the application not executing within a sandbox;

determining whether to sandbox the data access request; and

responsive to a determination to sandbox the data access request, sandboxing the data access request while not sandboxing the application that made the request by;

identifying a thread that made the data access request for the application; and

sandboxing the thread that made the data access request while not sandboxing other threads of the application.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Component-level sandboxing is implemented in the example context of an enterprise rights management system. A policy enforcement module monitors an application executing on a client to detect and evaluate data access requests in view of a rights policy. The policy enforcement module determines how to handle the request based on the whether the policy permits the request. If the request is permitted, the policy enforcement module allows the requests and sandboxes it using virtualization. The sandbox virtualizes the thread making the request and/or a data access component involved in the request. Other aspects of the application that do not implicate the rights policy are not sandboxed. In this way, sandboxing is used to enforce the rights policy in a manner that is transparent to the user and consumes relatively few resources of the client.

Citations

17 Claims

1. A method of sandboxing a data access request made by an application executing on a computer, comprising:
- monitoring the application to detect the data access request made by the application, the application not executing within a sandbox;
  
  determining whether to sandbox the data access request; and
  
  responsive to a determination to sandbox the data access request, sandboxing the data access request while not sandboxing the application that made the request by;
  
  identifying a thread that made the data access request for the application; and
  
  sandboxing the thread that made the data access request while not sandboxing other threads of the application.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein monitoring the application to detect the data access request made by the application comprises:
    - identifying an interface of a data access component that performs data access requests; and
      
      monitoring the interface to detect invocation of the interface by the application making the data access request.
  - 3. The method of claim 1, comprising:
    - monitoring the application to detect a second data access request made by the application; and
      
      virtualizing the second data access request while not virtualizing the application that made the second request.
  - 4. The method of claim 1, wherein identifying a thread that made the data access request for the application comprises identifying an assignment of a task associated with the data access request to the thread;
    - and wherein sandboxing the thread that made the data access request comprises sandboxing the thread that is assigned to the task for a duration of an execution of the assigned task.
  - 5. The method of claim 1, comprising:
    - monitoring the application to detect a second data access request made by the application; and
      
      identifying a data access component referenced by the second data access request; and
      
      sandboxing the data access component while not sandboxing the application that made the second request.
  - 6. The method of claim 1, wherein determining whether to sandbox the data access request comprises:
    - identifying a data access component referenced by the data access request;
      
      using recognition data to determine whether the identified data access component is recognized; and
      
      permitting the data access request responsive to recognition of the data access component.
  - 7. The method of claim 6, wherein the recognition data comprise a white list identifying data access components that are permitted under a rights policy and wherein determining whether the data access request is recognized comprises determining whether the data access component is listed on the white list.

8. A computer for sandboxing a data access request made by an application executing on the computer, comprising:
- a non-transitory computer-readable storage medium storing executable computer program modules comprising;
  
  a monitoring module for monitoring the application to detect the data access request made by the application, the application not executing within a sandbox;
  
  a request evaluation module for determining whether to sandbox the data access request; and
  
  a sandbox module for, responsive to a determination to sandbox the data access request, sandboxing the data access request while not sandboxing the application that made the request by;
  
  identifying a thread that made the data access request for the application; and
  
  sandboxing the thread that made the data access request while not sandboxing other threads of the application.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The computer of claim 8, comprising:
    - monitoring the application to detect a second data access request made by the application; and
      
      virtualizing the second data access request while not virtualizing the application that made the request.
  - 10. The computer of claim 8, comprising:
    - monitoring the application to detect a second data access request made by the application; and
      
      identifying a data access component referenced by the second data access request; and
      
      sandboxing the data access component while not sandboxing the application that made the second request.
  - 11. The computer of claim 8, wherein determining whether to sandbox the data access request comprises:
    - identifying a data access component referenced by the data access request;
      
      using recognition data to determine whether the identified data access component is recognized; and
      
      permitting the data access request responsive to recognition of the data access component.
  - 12. The computer of claim 11, wherein the recognition data comprise a white list identifying data access components that are permitted under a rights policy and wherein determining whether the data access request is recognized comprises determining whether the data access component is listed on the white list.

13. A non-transitory computer-readable storage medium storing executable computer program modules for sandboxing a data access request made by an application executing on a computer, the modules comprising:
- a monitoring module for monitoring the application to detect the data access request made by the application, the application not executing within a sandbox;
  
  a request evaluation module for determining whether to sandbox the data access request; and
  
  a sandbox module for, responsive to a determination to sandbox the data access request, sandboxing the data access request while not sandboxing the application that made the request by;
  
  identifying a thread that made the data access request for the application; and
  
  sandboxing the thread that made the data access request while not sandboxing other threads of the application.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The computer-readable storage medium of claim 13, comprising:
    - monitoring the application to detect a second data access request made by the application; and
      
      virtualizing the second data access request while not virtualizing the application that made the request.
  - 15. The computer-readable storage medium of claim 13, comprising:
    - monitoring the application to detect a second data access request made by the application; and
      
      identifying a data access component referenced by the second data access request; and
      
      sandboxing the data access component while not sandboxing the application that made the second request.
  - 16. The computer-readable storage medium of claim 13, wherein determining whether to sandbox the data access request comprises:
    - identifying a data access component referenced by the data access request;
      
      using recognition data to determine whether the identified data access component is recognized; and
      
      permitting the data access request responsive to recognition of the data access component.
  - 17. The computer-readable storage medium of claim 16, wherein the recognition data comprise a white list identifying data access components that are permitted under a rights policy and wherein determining whether the data access request is recognized comprises determining whether the data access component is listed on the white list.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Spertus, Michael
Primary Examiner(s)
Meky, Moustafa M

Application Number

US12/724,297
Time in Patent Office

792 Days
Field of Search

709200-203, 709217-224, 709/225
US Class Current

709/224
CPC Class Codes

G06F 21/52 during program execution, e...

G06F 21/53 by executing in a restricte...

Component-level sandboxing

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Component-level sandboxing

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links