Ultra-low cost sandboxing for application appliances

US 9,323,921 B2
Filed: 07/13/2010
Issued: 04/26/2016
Est. Priority Date: 07/13/2010
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

one or more computer readable media storing executable instructions; and

one or more processing units configured to execute the executable instructions, wherein the executable instructions cause the one or more processing units to;

execute, in a first application process, a non-isolated application,execute, in an isolation container comprising a second application process, an isolated application in isolation from the non-isolated application, wherein the isolated application and the non-isolated application both execute in association with a single operating system (OS),provide OS services to the isolated application using an isolated OS subsystem of the isolation container, wherein the isolated OS subsystem comprises the OS services for the isolated application and wherein the isolated OS subsystem runs in the second application process with the isolated application,provide the OS services to the non-isolated application using a non-isolated OS subsystem of the OS,perform basic computation services for the isolated application and the non-isolated application, wherein the basic computation services are provided by the OS in one or more other processes that do not include the first application process and do not include the second application process,wherein the non-isolated OS subsystem is configured to execute outside of the isolation container, andwherein the OS services include at least one of a graphical user interface (GUI) service, an application configuration management service, a printer service, or an audio service.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosed architecture facilitates the sandboxing of applications by taking core operating system components that normally run in the operating system kernel or otherwise outside the application process and on which a sandboxed application depends on to run, and converting these core operating components to run within the application process. The architecture takes the abstractions already provided by the host operating system and converts these abstractions for use by the sandbox environment. More specifically, new operating system APIs (application program interfaces) are created that include only the basic computation services, thus, separating the basic services from rich application APIs. The code providing the rich application APIs is copied out of the operating system and into the application environment—the application process.

246 Citations

18 Claims

1. A system comprising:
- one or more computer readable media storing executable instructions; and
  
  one or more processing units configured to execute the executable instructions, wherein the executable instructions cause the one or more processing units to;
  
  execute, in a first application process, a non-isolated application,execute, in an isolation container comprising a second application process, an isolated application in isolation from the non-isolated application, wherein the isolated application and the non-isolated application both execute in association with a single operating system (OS),provide OS services to the isolated application using an isolated OS subsystem of the isolation container, wherein the isolated OS subsystem comprises the OS services for the isolated application and wherein the isolated OS subsystem runs in the second application process with the isolated application,provide the OS services to the non-isolated application using a non-isolated OS subsystem of the OS,perform basic computation services for the isolated application and the non-isolated application, wherein the basic computation services are provided by the OS in one or more other processes that do not include the first application process and do not include the second application process,wherein the non-isolated OS subsystem is configured to execute outside of the isolation container, andwherein the OS services include at least one of a graphical user interface (GUI) service, an application configuration management service, a printer service, or an audio service.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1, wherein the basic computation services include at least one of virtual memory management, thread creation, or thread synchronization.
  - 3. The system of claim 2, wherein the executable instructions further cause the one or more processing units to:
    - execute an isolation monitor configured to provide the isolated application with access to the basic computation services.
  - 4. The system of claim 3, wherein the isolated OS subsystem is configured to receive the basic computation services through the isolation monitor.
  - 5. The system of claim 3, wherein the isolation monitor is configured to employ a collection of rules that map from an application manifest to approval or denial of resource requests, wherein the manifest defines resources outside the isolation container that are available to the isolated application.
  - 6. The system of claim 2, wherein the basic computation services include the virtual memory management, the thread creation, and the thread synchronization.
  - 7. The system of claim 1, wherein the OS services include the GUI service.
  - 8. The system of claim 1, wherein the executable instructions cause the one or more processing units to:
    - provide the isolated application with a remote user input/output (I/O) server that communicates with a user I/O client outside the isolation container.
  - 9. The system of claim 1, wherein the executable instructions further cause the one or more processing units to:
    - migrate the isolated application to a separate system by reading from some or all of an address space of the isolation container.

10. A method performed by one or more processing units of a computing system, the method comprising:
- providing a first application process to a non-isolated application that executes in the first application process;
  
  providing an isolation container comprising a second application process to an isolated application that executes in the isolation container, wherein the isolation container isolates the isolated application from the non-isolated application;
  
  providing operating system services to the isolated application using an isolated operating system subsystem of the isolation container, wherein the isolated operating system subsystem comprises the operating system services for the isolated application and wherein the isolated operating system subsystem executes in the second application process with the isolated application;
  
  providing the operating system services to the non-isolated application using a non-isolated operating system subsystem that executes outside of the isolation container, wherein the operating system services provided to the isolated application and the non-isolated application include at least one of a graphical user interface (GUI) service, an application configuration management service, a printer service, or an audio service; and
  
  performing basic computation services for the isolated application and the non-isolated application in one or more other processes that do not include the first application process and do not include the second application process.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The method of claim 10, wherein the operating system services provided to the isolated application and the non-isolated application include the GUI service and the GUI service displays windows or directs device input to specific windows.
  - 12. The method of claim 11, wherein the device input comprises keyboard input or mouse input.
  - 13. The method of claim 10, wherein equivalent operating system services are provided to the isolated application and the non-isolated application.
  - 14. The method of claim 10, wherein the operating system services provided to the isolated application and the non-isolated application are from a single operating system.
  - 15. The method of claim 10, further comprising migrating the second application process from the computing system to another computing system.

16. A computer memory storing computer-executable instructions that, when executed by one or more processing units of a computing system, cause the one or more processing units to perform acts comprising:
- providing a first application process to a non-isolated application that executes in the first application process;
  
  providing an isolation container comprising a second application process to an isolated application that executes in the isolation container, wherein the isolation container isolates execution of the isolated application from execution of the non-isolated application;
  
  providing operating system services to the isolated application using an isolated operating system subsystem of the isolation container, wherein the isolated operating system subsystem comprises the operating system services for the isolated application and wherein the isolated operating system subsystem executes in the second application process with the isolated application;
  
  providing the operating system services to the non-isolated application using a non-isolated operating system subsystem that executes outside of the isolation container, wherein the operating system services provided to the isolated application and the non-isolated application include at least one of a graphical user interface (GUI) service, an application configuration management service, a printer service, or an audio service; and
  
  performing basic computation services for the isolated application and the non-isolated application in one or more other processes that do not include the first application process and do not include the second application process.
- View Dependent Claims (17, 18)
- - 17. The computer memory of claim 16, embodied as a solid state memory.
  - 18. The computer memory of claim 16, the acts further comprising:
    - transferring the second application process to another computing system, including sending an address space of the second application process and operating system state to the another computing system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Inventors
Hunt, Galen C., Porter, Donald
Primary Examiner(s)
Kawsar, Abdullah Al

Application Number

US12/834,895
Publication Number

US 20120017213A1
Time in Patent Office

2,114 Days
Field of Search

718 1-105, 726/1, 726/2
US Class Current

1/1
CPC Class Codes

G06F 21/53 by executing in a restricte...

Ultra-low cost sandboxing for application appliances

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

246 Citations

18 Claims

Specification

Use Cases

Quick Links

Others

Ultra-low cost sandboxing for application appliances

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

246 Citations

18 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others