Ultra-low cost sandboxing for application appliances
Abstract
The disclosed architecture facilitates the sandboxing of applications by taking core operating system components that normally run in the operating system kernel or otherwise outside the application process, and on which a sandboxed application depends to run, and converting these core operating system components to run within the application process. The architecture takes the abstractions already provided by the host operating system and converts these abstractions for use by the sandbox environment. More specifically, new operating system APIs (application program interfaces) are created that include only the basic computation services, thus separating the basic services from the rich application APIs. The code providing the rich application APIs is copied out of the operating system and into the application environment, that is, the application process.
18 Claims
1. A system comprising:

one or more computer readable media storing executable instructions; and
one or more processing units configured to execute the executable instructions, wherein the executable instructions cause the one or more processing units to:
execute, in a first application process, a non-isolated application,
execute, in an isolation container comprising a second application process, an isolated application in isolation from the non-isolated application, wherein the isolated application and the non-isolated application both execute in association with a single operating system (OS),
provide OS services to the isolated application using an isolated OS subsystem of the isolation container, wherein the isolated OS subsystem comprises the OS services for the isolated application and wherein the isolated OS subsystem runs in the second application process with the isolated application,
provide the OS services to the non-isolated application using a non-isolated OS subsystem of the OS,
perform basic computation services for the isolated application and the non-isolated application, wherein the basic computation services are provided by the OS in one or more other processes that do not include the first application process and do not include the second application process,
wherein the non-isolated OS subsystem is configured to execute outside of the isolation container, and
wherein the OS services include at least one of a graphical user interface (GUI) service, an application configuration management service, a printer service, or an audio service.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.

10. A method performed by one or more processing units of a computing system, the method comprising:

providing a first application process to a non-isolated application that executes in the first application process;
providing an isolation container comprising a second application process to an isolated application that executes in the isolation container, wherein the isolation container isolates the isolated application from the non-isolated application;
providing operating system services to the isolated application using an isolated operating system subsystem of the isolation container, wherein the isolated operating system subsystem comprises the operating system services for the isolated application and wherein the isolated operating system subsystem executes in the second application process with the isolated application;
providing the operating system services to the non-isolated application using a non-isolated operating system subsystem that executes outside of the isolation container, wherein the operating system services provided to the isolated application and the non-isolated application include at least one of a graphical user interface (GUI) service, an application configuration management service, a printer service, or an audio service; and
performing basic computation services for the isolated application and the non-isolated application in one or more other processes that do not include the first application process and do not include the second application process.

Dependent claims: 11, 12, 13, 14, 15.

16. A computer memory storing computer-executable instructions that, when executed by one or more processing units of a computing system, cause the one or more processing units to perform acts comprising:

providing a first application process to a non-isolated application that executes in the first application process;
providing an isolation container comprising a second application process to an isolated application that executes in the isolation container, wherein the isolation container isolates execution of the isolated application from execution of the non-isolated application;
providing operating system services to the isolated application using an isolated operating system subsystem of the isolation container, wherein the isolated operating system subsystem comprises the operating system services for the isolated application and wherein the isolated operating system subsystem executes in the second application process with the isolated application;
providing the operating system services to the non-isolated application using a non-isolated operating system subsystem that executes outside of the isolation container, wherein the operating system services provided to the isolated application and the non-isolated application include at least one of a graphical user interface (GUI) service, an application configuration management service, a printer service, or an audio service; and
performing basic computation services for the isolated application and the non-isolated application in one or more other processes that do not include the first application process and do not include the second application process.

Dependent claims: 17, 18.