Systems and methods for RADE service isolation

US 9,965,622 B2
Filed: 05/26/2015
Issued: 05/08/2018
Est. Priority Date: 12/14/2009
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

creating, by a local machine comprising at least one processor, a first isolation environment with permissions at a first security privilege level;

starting a service in the first isolation environment;

receiving, by the local machine, a request to execute an application;

determining that the application requires use of the service and that the application is isolated from the service;

creating, by the local machine responsive to determining that the application requires the use of the service and that the application is isolated from the service, a second isolation environment with permissions at a second security privilege level different from the permissions at the first security privilege level;

starting the application in the second isolation environment;

intercepting a service call for the use of the service from the application; and

routing the intercepted service call to the service in the first isolation environment.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention is directed towards systems and methods of streaming an application from a remote location to a local machine system, and using local machine system resources in executing that application. In various embodiments, services needed by a streamed application may be started with high local system privileges in their own isolation environment. These service may be started, stopped, and otherwise managed by a Service Control Manager. In order for an application to both access services that operate at high local system privileges and the network so that it can access remotely stored, streaming, information; a streaming application may rely on privileges of the user when accessing network information rather than the higher privileges of the services running in isolation.

26 Citations

View as Search Results

20 Claims

1. A method, comprising:
- creating, by a local machine comprising at least one processor, a first isolation environment with permissions at a first security privilege level;
  
  starting a service in the first isolation environment;
  
  receiving, by the local machine, a request to execute an application;
  
  determining that the application requires use of the service and that the application is isolated from the service;
  
  creating, by the local machine responsive to determining that the application requires the use of the service and that the application is isolated from the service, a second isolation environment with permissions at a second security privilege level different from the permissions at the first security privilege level;
  
  starting the application in the second isolation environment;
  
  intercepting a service call for the use of the service from the application; and
  
  routing the intercepted service call to the service in the first isolation environment.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein starting the service is responsive to a determination that the application requires use of the service.
  - 3. The method of claim 1, comprising executing, by the local machine, a Service Control Manager (“
    - SCM”
      
      ) to control the service in the first isolation environment.
  - 4. The method of claim 3, comprising controlling, by the SCM, the service by one or more of:
    - initiating the service, starting the service, pausing the service, stopping the service, or deleting the service.
  - 5. The method of claim 3, comprising determining, by the SCM, whether the application needs access to the service.
  - 6. The method of claim 5, comprising starting, by the SCM, the service in the first isolation environment responsive to determining that the application needs access to the service.
  - 7. The method of claim 1, comprising creating the first isolation environment based on a determination by a Service Control Manager (“
    - SCM”
      
      ) executing on the local machine that the service needs to be isolated.
  - 8. The method of claim 1, wherein intercepting the service call comprises hooking the service call.
  - 9. The method of claim 8, comprising executing, by the local machine, a Service Control Manager (“
    - SCM”
      
      ) to hook the service call and to route the hooked service call to the service in the first isolation environment.
  - 10. The method of claim 1, wherein intercepting the service call comprises intercepting a call to a service application program interface (“
    - API”
      
      ) call.

11. A system, comprising memory storing computer-executable instructions and at least one processor configured to execute the computer-executable instructions, wherein the instructions, when executed, cause the at least one processor to:
- create a first isolation environment with permissions at a first security privilege level;
  
  start a service in the first isolation environment;
  
  receive a request to execute an application;
  
  determine that the application requires use of the service and that the application is isolated from the service;
  
  create, responsive to the determination that the application requires the use of the service and that the application is isolated from the service, a second isolation environment with permissions at a second security privilege level different than the permissions at the first security privilege level;
  
  start the application in the second isolation environment;
  
  intercept a service call for the use of the service from the application; and
  
  route the intercepted service call to the service in the first isolation environment.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The system of claim 11, wherein the instructions cause the at least one processor to start the service responsive to a determination that the application requires use of the service.
  - 13. The system of claim 11, wherein the instructions, when executed, further cause the at least one processor to execute a Service Control Manager (“
    - SCM”
      
      ), wherein the SCM controls the service in the first isolation environment.
  - 14. The system of claim 13, wherein the SCM controls the service by one or more of:
    - initiating the service, starting the service, pausing the service, stopping the service, or deleting the service.
  - 15. The system of claim 13, wherein the SCM determines whether the application needs access to the service.
  - 16. The system of claim 15, wherein the SCM starts the service in the first isolation environment responsive to determining that the application needs access to the service.
  - 17. The system of claim 11, wherein the instructions, when executed, further cause the at least one processor to create the first isolation environment based on a determination by a locally-executing Service Control Manager (“
    - SCM”
      
      ) that the service needs to be isolated.
  - 18. The system of claim 11, wherein intercepting the service call comprises hooking the service call.
  - 19. The system of claim 18, wherein the instructions, when executed, further cause the at least one processor to execute a Service Control Manager (“
    - SCM”
      
      ), wherein the SCM hooks the service call and routes the hooked service call to the service in the first isolation environment.
  - 20. The system of claim 11, wherein intercepting the service call comprises intercepting a call to a service application program interface (“
    - API”
      
      ) call.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Sandhu, Vikramjeet, Nord, Joseph
Primary Examiner(s)
Tiv, Backhean

Application Number

US14/721,328
Publication Number

US 20150254455A1
Time in Patent Office

1,078 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 21/105   Arrangements for software l...

G06F 21/53   by executing in a restricte...

G06F 2221/033   Test or assess software

G06F 2221/2145   Inheriting rights or proper...

G06F 8/61   Installation

G06F 9/455   Emulation; Interpretation; ...

G06F 9/542   Event management; Broadcast...

H04L 63/08   for authentication of entit...

H04L 63/102   Entity profiles

Systems and methods for RADE service isolation

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

26 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for RADE service isolation

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

26 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links