ULTRA-LOW COST SANDBOXING FOR APPLICATION APPLIANCES
Abstract
The disclosed architecture facilitates the sandboxing of applications by taking core operating system components that normally run in the operating system kernel or otherwise outside the application process, and on which a sandboxed application depends in order to run, and converting these core operating system components to run within the application process. The architecture takes the abstractions already provided by the host operating system and converts them for use by the sandbox environment. More specifically, new operating system APIs (application program interfaces) are created that include only the basic computation services, thus separating the basic services from the rich application APIs. The code providing the rich application APIs is copied out of the operating system and into the application environment, that is, the application process.
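The abstract describes a split between a narrow set of basic computation services kept outside the application process and a rich API implemented inside it. The following toy model is an added example written for this page, not code from the patent or its implementation; the class names, the "stream" basic services and the file namespace built on top of them are assumptions chosen to illustrate the split. It shows the three properties the claims rely on: the monitor refuses anything outside the basic set, each container's in-process OS subsystem sees only its own resources, and the isolated and non-isolated subsystems present the same interface to the application.

```python
# Toy model of the sandbox architecture described in the abstract and claims.
# Example code written for this page; the names below (IsolationMonitor,
# IsolatedOSSubsystem, the "stream" basic services) are assumptions, not
# identifiers taken from the patent.


class MonitorDenied(PermissionError):
    """Raised when the isolation monitor refuses a request."""


class IsolationMonitor:
    """Host-side component. It exports only a small set of basic computation
    services and keys every resource by the calling container, so one
    container can never name another container's resources."""

    BASIC_SERVICES = ("alloc_stream", "read_stream", "write_stream")

    def __init__(self):
        self._streams = {}  # (container_id, stream_id) -> bytearray
        self._next_id = {}  # container_id -> next stream_id to hand out

    def call(self, container_id, service, *args):
        # Everything outside the basic set is refused: rich functionality must
        # live in the application process, not behind the monitor interface.
        if service not in self.BASIC_SERVICES:
            raise MonitorDenied(f"{service!r} is not a basic service")
        return getattr(self, "_" + service)(container_id, *args)

    def _alloc_stream(self, cid):
        sid = self._next_id.get(cid, 0)
        self._next_id[cid] = sid + 1
        self._streams[(cid, sid)] = bytearray()
        return sid

    def _lookup(self, cid, sid):
        try:
            return self._streams[(cid, sid)]
        except KeyError:
            raise MonitorDenied(f"stream {sid} is not owned by {cid}") from None

    def _read_stream(self, cid, sid):
        return bytes(self._lookup(cid, sid))

    def _write_stream(self, cid, sid, data):
        self._lookup(cid, sid).extend(data)
        return len(data)


class IsolatedOSSubsystem:
    """Runs inside the isolated application's process. It builds a rich file
    API (a path namespace) out of nothing but monitor basic services."""

    def __init__(self, monitor, container_id):
        self._mon, self._cid = monitor, container_id
        self._paths = {}  # path -> stream_id, private to this container

    def write_file(self, path, data):
        sid = self._paths.get(path)
        if sid is None:
            sid = self._mon.call(self._cid, "alloc_stream")
            self._paths[path] = sid
        return self._mon.call(self._cid, "write_stream", sid, data)

    def read_file(self, path):
        if path not in self._paths:
            raise FileNotFoundError(path)
        return self._mon.call(self._cid, "read_stream", self._paths[path])


class NonIsolatedOSSubsystem:
    """The host OS's own rich file API, with the same interface, so the same
    application code runs either isolated or non-isolated (claim 1)."""

    def __init__(self):
        self._files = {}

    def write_file(self, path, data):
        self._files.setdefault(path, bytearray()).extend(data)
        return len(data)

    def read_file(self, path):
        if path not in self._files:
            raise FileNotFoundError(path)
        return bytes(self._files[path])


def run_app(os_subsystem, secret):
    """An application that only sees the rich file API, never the monitor."""
    os_subsystem.write_file("/config.ini", b"secret=" + secret)
    return os_subsystem.read_file("/config.ini")


def demo():
    """Two isolated containers plus a non-isolated app on one monitor."""
    mon = IsolationMonitor()
    iso_a = IsolatedOSSubsystem(mon, "app-a")
    iso_b = IsolatedOSSubsystem(mon, "app-b")
    host = NonIsolatedOSSubsystem()
    results = {
        "a": run_app(iso_a, b"A"),
        "b": run_app(iso_b, b"B"),
        "host": run_app(host, b"H"),
    }
    # Container B guessing A's stream id (0) still reaches only B's stream.
    results["b_guess"] = mon.call("app-b", "read_stream", 0)
    # A request for a rich service is refused at the monitor boundary.
    try:
        mon.call("app-a", "open_registry_key", "HKLM")
        results["rich_via_monitor"] = "allowed"
    except MonitorDenied:
        results["rich_via_monitor"] = "denied"
    # A container cannot read a stream it never allocated.
    try:
        mon.call("app-a", "read_stream", 1)
        results["foreign_stream"] = "allowed"
    except MonitorDenied:
        results["foreign_stream"] = "denied"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point a practitioner should take from the model is where the trust boundary sits: the only attack surface exposed to an isolated application is the monitor's basic-service interface, so its size and its per-container resource scoping are what the security argument depends on; everything in the in-process subsystem can be compromised without affecting other containers.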
Claims

The patent has 20 claims. The three independent claims (1, 10 and 16) follow; the remaining claims depend from them.

1. A computer-implemented secure application execution system having computer readable media that store executable instructions executed by a processor, comprising:
   an isolation container in which an isolated application runs in isolation from a non-isolated application, the isolated application and non-isolated application both running in association with a single operating system (OS); and
   an isolated OS subsystem of the isolation container that provides services to the isolated application, and a non-isolated OS subsystem of the OS that provides services to the non-isolated application, the isolated OS subsystem and non-isolated OS subsystem providing equivalent services to the corresponding isolated application and non-isolated application.
   (Dependent claims 2-9.)

10. A computer-implemented secure application execution system having computer readable media that store executable instructions executed by a processor, comprising:
   an isolation container in which an application for a first OS runs in isolation, the isolation container formed in association with a second OS;
   an isolated OS subsystem that runs in the isolation container in association with and interfaces to the application to provide rich functionality to the application; and
   an isolation monitor of the second OS that interfaces basic computation services of the second OS to the isolated OS subsystem to enable the application to run in isolation on the second OS.
   (Dependent claims 11-15.)

16. A computer-implemented secure application execution system having computer readable media that store executable instructions executed by a processor, comprising:
   a first isolation container in which a first isolated application runs in isolation, and a second isolation container in which a second isolated application runs in isolation, the first isolated application and the second isolated application running in association with a single OS;
   a first isolated OS subsystem of the first isolation container that provides services to the first isolated application, a second isolated OS subsystem of the second isolation container that provides services to the second isolated application; and
   an isolation monitor via which basic computation services are provided to each of the first isolated OS subsystem and the second isolated OS subsystem.
   (Dependent claims 17-20.)
Specification