ULTRA-LOW COST SANDBOXING FOR APPLICATION APPLIANCES

US 20120017213A1
Filed: 07/13/2010
Published: 01/19/2012
Est. Priority Date: 07/13/2010
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented secure application execution system having computer readable media that store executable instructions executed by a processor, comprising:

an isolation container in which an isolated application runs in isolation from a non-isolated application, the isolated application and non-isolated application both running in association with a single operating system (OS); and

an isolated OS subsystem of the isolation container that provides services to the isolated application, and a non-isolated OS subsystem of the OS that provides services to the non-isolated application, the isolated OS subsystem and non-isolated OS subsystem providing equivalent services to the corresponding isolated application and non-isolated application.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosed architecture facilitates the sandboxing of applications by taking core operating system components that normally run in the operating system kernel or otherwise outside the application process and on which a sandboxed application depends on to run, and converting these core operating components to run within the application process. The architecture takes the abstractions already provided by the host operating system and converts these abstractions for use by the sandbox environment. More specifically, new operating system APIs (application program interfaces) are created that include only the basic computation services, thus, separating the basic services from rich application APIs. The code providing the rich application APIs is copied out of the operating system and into the application environment—the application process.

86 Citations

View as Search Results

20 Claims

1. A computer-implemented secure application execution system having computer readable media that store executable instructions executed by a processor, comprising:
- an isolation container in which an isolated application runs in isolation from a non-isolated application, the isolated application and non-isolated application both running in association with a single operating system (OS); and
  
  an isolated OS subsystem of the isolation container that provides services to the isolated application, and a non-isolated OS subsystem of the OS that provides services to the non-isolated application, the isolated OS subsystem and non-isolated OS subsystem providing equivalent services to the corresponding isolated application and non-isolated application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1, wherein the isolated application and the non-isolated application use basic computation services provided by the OS.
  - 3. The system of claim 2, wherein the isolated application receives access to the basic computation services through an isolation monitor.
  - 4. The system of claim 3, wherein the isolated OS subsystem receives basic computation services through the isolation monitor.
  - 5. The system of claim 3, wherein the isolation monitor employs a collection of rules that map from an application manifest to approval or denial of resource requests, the manifest defines which resources outside the isolation container are available to the isolated application.
  - 6. The system of claim 2, wherein the basic computation services include at least one of virtual memory management, thread creation, or thread synchronization.
  - 7. The system of claim 1, wherein the equivalent services include at least one of a graphical user interface (GUI) service, an application configuration management service, a printer service, or an audio service.
  - 8. The system of claim 1, wherein the isolated application uses a remote user input/output (I/O) server that communicates with a user I/O client outside the isolation container.
  - 9. The system of claim 1, wherein the isolated application is migrated to a second computing environment by reading from some or all of an address space of the isolation container, which isolation container is in a first computing environment.

10. A computer-implemented secure application execution system having computer readable media that store executable instructions executed by a processor, comprising:
- an isolation container in which an application for a first OS runs in isolation, the isolation container formed in association with a second OS;
  
  an isolated OS subsystem that runs in the isolation container in association with and interfaces to the application to provide rich functionality to the application; and
  
  an isolation monitor of the second OS that interfaces basic computation services of the second OS to the isolated OS subsystem to enable the application to run in isolation on the second OS.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The system of claim 10, wherein the basic computation services include at least one of virtual memory management, thread creation, or thread synchronization.
  - 12. The system of claim 10, wherein the rich functionality provided by the isolated OS subsystem includes at least one of a graphical user interface (GUI) service, an application configuration management service, a printer service, or an audio service.
  - 13. The system of claim 10, wherein the isolated application uses a corresponding remote user I/O server to communicate with a user I/O client outside the isolation container.
  - 14. The system of claim 10, wherein the isolated application is migrated to a second computing environment by reading from some or all of an address space of the isolation container, which is in a first computing environment.
  - 15. The system of claim 10, wherein the isolation monitor employs a collection of rules that map from an application manifest to approval or denial of resource requests, the manifest defines which resources outside the isolation container are available to the isolated application.

16. A computer-implemented secure application execution system having computer readable media that store executable instructions executed by a processor, comprising:
- a first isolation container in which a first isolated application runs in isolation, and a second isolation container in which a second isolated application runs in isolation, the first isolated application and the second isolated application running in association with a single OS;
  
  a first isolated OS subsystem of the first isolation container that provides services to the first isolated application, a second isolated OS subsystem of the second isolation container that provides services to the second isolated application; and
  
  an isolation monitor via which basic computation services are provided to each of the first isolated OS subsystem and the second isolated OS subsystem.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The system of claim 16, wherein the basic computation services include at least one of virtual memory management, threads creation, or thread synchronization.
  - 18. The system of claim 16, wherein the rich functionality includes at least one of the isolated OS subsystems, the isolated OS subsystems comprise at least one of a graphical user interface (GUI) service, an application configuration management service, a printer service, or an audio service.
  - 19. The system of claim 16, wherein at least one of the first isolated application or the second isolated application uses a corresponding remote user I/O server to communicate with a user I/O client outside of a corresponding isolation container.
  - 20. The system of claim 16, where the first isolated application uses a first corresponding remote user I/O server and the second isolated application uses a second corresponding remote user I/O server, and the first corresponding remote user I/O server and the second corresponding remote user I/O server both communicate with a first user I/O client outside the isolation containers.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Hunt, Galen C., Porter, Donald

Granted Patent

US 9,323,921 B2
Time in Patent Office

Days
Field of Search
US Class Current

718/100
CPC Class Codes

G06F 21/53 by executing in a restricte...

ULTRA-LOW COST SANDBOXING FOR APPLICATION APPLIANCES

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

86 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

ULTRA-LOW COST SANDBOXING FOR APPLICATION APPLIANCES

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

86 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links