Method and apparatus for moving processes between isolation environments

US 8,352,964 B2
Filed: 03/21/2011
Issued: 01/08/2013
Est. Priority Date: 09/30/2004
Status: Active Grant

First Claim

Patent Images

1. A computer system configured to execute an operating system and at least one isolation environment for isolating access by application programs to native resources provided by the operating system,each isolation environment comprising:

a first application isolation layer providing a first application isolation scope;

a user isolation layer storing an instance of a native resource, the user isolation layer providing a user isolation scope corresponding to a user; and

a redirector intercepting a request for the native resource made by a process executing on behalf of the user and redirecting the request to the user isolation scope;

the computer system configured to;

(a) monitor a process running in the first isolation layer, determine whether the process is processing a request, and queue requests to the process;

(b) suspend execution of the process in the first isolation layer;

(c) change, using a rules engine, an association of the process from the first application isolation layer to a second application isolation layer, the second application isolation layer providing a second application scope;

(d) change the association of the process form the first application isolation layer to the second application isolation layer in a file system filter driver;

(e) load, by the rules engine, at least one rule associated with the second application isolation layer;

(f) move the process into the second isolation layer; and

(g) resume execution of the process with the second isolation scope.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for moving an executing process from a source isolation scope to a target isolation scope includes the step of determining that the process is in a state suitable for moving. The association of the process changes from a source isolation scope to a target isolation scope. A rule loads in association with the target isolation scope.

369 Citations

12 Claims

1. A computer system configured to execute an operating system and at least one isolation environment for isolating access by application programs to native resources provided by the operating system,each isolation environment comprising:
- a first application isolation layer providing a first application isolation scope;
  
  a user isolation layer storing an instance of a native resource, the user isolation layer providing a user isolation scope corresponding to a user; and
  
  a redirector intercepting a request for the native resource made by a process executing on behalf of the user and redirecting the request to the user isolation scope;
  
  the computer system configured to;
  
  (a) monitor a process running in the first isolation layer, determine whether the process is processing a request, and queue requests to the process;
  
  (b) suspend execution of the process in the first isolation layer;
  
  (c) change, using a rules engine, an association of the process from the first application isolation layer to a second application isolation layer, the second application isolation layer providing a second application scope;
  
  (d) change the association of the process form the first application isolation layer to the second application isolation layer in a file system filter driver;
  
  (e) load, by the rules engine, at least one rule associated with the second application isolation layer;
  
  (f) move the process into the second isolation layer; and
  
  (g) resume execution of the process with the second isolation scope.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The computer system of claim 1 wherein the redirector returns a handle to the requesting application that identifies the native resource.
  - 3. The computer system of claim 1, the isolation environment further comprising a rules engine specifying behavior for the redirector when redirecting the request.
  - 4. The computer system of claim 1 wherein the redirector comprises a file system filter driver.
  - 5. The computer system of claim 1 wherein the redirector comprises a function hooking mechanism.
  - 6. The computer system of claim 5 wherein the function hooking apparatus intercepts an operation selected from the group of file system operations, registry operations, WINDOWS services, MSI services, named object operations, window operations, file-type association operations and COM server operations.
  - 7. The computer system of claim 1 wherein the application isolation environment further comprises a second user isolation scope storing a second instance of the native resource.
  - 8. The computer system of claim 1 wherein the application isolation environment further comprises a second user isolation scope storing an instance of the native resource, the second user isolation scope corresponding to a second user.
  - 9. The computer system of claim 1 wherein the computer system is further configured to put the process into a state suitable for moving.
  - 10. The computer system of claim 1 wherein the computer system is further configured to put the process into a state suitable for moving via one of a user interface and an administration program.
  - 11. The computer system of claim 1 wherein the computer system is further configured to prohibit new requests to the process.
  - 12. The computer system of claim 1 wherein the computer system is further configured to process the queued requests after associating the process with the second isolation scope.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Laborczfalvi, Lee, Roychoudhry, Anil, Mazzaferri, Richard, Bissett, Nicholas Alexander, Borzycki, Andrew, Muir, Jeffrey, Chin, Huai
Primary Examiner(s)
Ho, Andy
Assistant Examiner(s)
SEYE, ABDOU K

Application Number

US13/052,931
Publication Number

US 20110173618A1
Time in Patent Office

659 Days
Field of Search

719/320
US Class Current

719/320
CPC Class Codes

G06F 16/10   File systems; File servers

G06F 21/53   by executing in a restricte...

G06F 2209/542   Intercept

G06F 8/61   Installation

G06F 9/45537   Provision of facilities of ...

G06F 9/468   Specific access rights for ...

G06F 9/4856   resumption being on a diffe...

G06F 9/5011   the resources being hardwar...

G06F 9/52   Program synchronisation; Mu...

G06F 9/541   via adapters, e.g. between ...

G06F 9/545   where tasks reside in diffe...

Y10S 707/99931   Database or file accessing

Method and apparatus for moving processes between isolation environments

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

369 Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for moving processes between isolation environments

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

369 Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links