Component-level sandboxing
Abstract
Component-level sandboxing is implemented in the example context of an enterprise rights management system. A policy enforcement module monitors an application executing on a client to detect and evaluate data access requests in view of a rights policy. The policy enforcement module determines how to handle the request based on whether the policy permits the request. If the request is permitted, the policy enforcement module allows the request and sandboxes it using virtualization. The sandbox virtualizes the thread making the request and/or a data access component involved in the request. Other aspects of the application that do not implicate the rights policy are not sandboxed. In this way, sandboxing is used to enforce the rights policy in a manner that is transparent to the user and consumes relatively few resources of the client.
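The thread-level behaviour described in the abstract, as an added Python illustration that is not taken from the patent: a request that implicates the rights policy marks only the calling thread as sandboxed, and that thread's later writes are redirected to a virtual directory while other threads write normally. `PolicyEnforcer`, `demo`, the directory layout, and write redirection as the form of virtualization are assumptions.

```python
# Added illustration; class, function and directory names are hypothetical.
import os, tempfile, threading

class PolicyEnforcer:
    def __init__(self, policy, virtual_root):
        self.policy = policy              # protected dir -> request permitted?
        self.virtual_root = virtual_root  # where virtualized writes land
        self._state = threading.local()   # sandbox flag is per thread

    def _evaluate(self, path):
        path = os.path.realpath(path)
        for protected_dir, permitted in self.policy.items():
            if os.path.commonpath([path, protected_dir]) == protected_dir:
                return permitted
        return None                       # request does not implicate the policy

    def open(self, path, mode="r"):
        decision = self._evaluate(path)   # monitor and evaluate the request
        if decision is False:
            raise PermissionError(f"rights policy denies {path}")
        if decision:                      # permitted: sandbox this thread only
            self._state.sandboxed = True
        elif getattr(self._state, "sandboxed", False) and set(mode) & set("wax+"):
            # Assumed form of virtualization: redirect the sandboxed
            # thread's writes into the virtual directory.
            name = f"{threading.get_ident()}_{os.path.basename(path)}"
            path = os.path.join(self.virtual_root, name)
        return open(path, mode)

def demo():
    root = os.path.realpath(tempfile.mkdtemp())   # constructed sample layout
    protected, public, virtual = (os.path.join(root, d)
                                  for d in ("protected", "public", "virtual"))
    for d in (protected, public, virtual):
        os.mkdir(d)
    with open(os.path.join(protected, "plan.txt"), "w") as f:
        f.write("secret")
    pe = PolicyEnforcer({protected: True}, virtual)
    def reader():                         # touches protected data
        with pe.open(os.path.join(protected, "plan.txt")) as f:
            data = f.read()
        with pe.open(os.path.join(public, "copy.txt"), "w") as f:
            f.write(data)
    def logger():                         # never touches protected data
        with pe.open(os.path.join(public, "log.txt"), "w") as f:
            f.write("ok")
    threads = [threading.Thread(target=t) for t in (reader, logger)]
    for t in threads: t.start()
    for t in threads: t.join()
    return sorted(os.listdir(public)), os.listdir(virtual)
```
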
17 Claims
1. A method of sandboxing a data access request made by an application executing on a computer, comprising:
- monitoring the application to detect the data access request made by the application, the application not executing within a sandbox;
- determining whether to sandbox the data access request; and
- responsive to a determination to sandbox the data access request, sandboxing the data access request while not sandboxing the application that made the request by:
  - identifying a thread that made the data access request for the application; and
  - sandboxing the thread that made the data access request while not sandboxing other threads of the application.

Dependent claims: 2, 3, 4, 5, 6, 7
8. A computer for sandboxing a data access request made by an application executing on the computer, comprising:
- a non-transitory computer-readable storage medium storing executable computer program modules comprising:
  - a monitoring module for monitoring the application to detect the data access request made by the application, the application not executing within a sandbox;
  - a request evaluation module for determining whether to sandbox the data access request; and
  - a sandbox module for, responsive to a determination to sandbox the data access request, sandboxing the data access request while not sandboxing the application that made the request by:
    - identifying a thread that made the data access request for the application; and
    - sandboxing the thread that made the data access request while not sandboxing other threads of the application.

Dependent claims: 9, 10, 11, 12
13. A non-transitory computer-readable storage medium storing executable computer program modules for sandboxing a data access request made by an application executing on a computer, the modules comprising:
- a monitoring module for monitoring the application to detect the data access request made by the application, the application not executing within a sandbox;
- a request evaluation module for determining whether to sandbox the data access request; and
- a sandbox module for, responsive to a determination to sandbox the data access request, sandboxing the data access request while not sandboxing the application that made the request by:
  - identifying a thread that made the data access request for the application; and
  - sandboxing the thread that made the data access request while not sandboxing other threads of the application.

Dependent claims: 14, 15, 16, 17
Specification