AU2011239288A1 - Compiling executable code into a less-trusted address space - Google Patents

Compiling executable code into a less-trusted address space

Info

Publication number
AU2011239288A1
Authority
AU
Australia
Prior art keywords
mode
kernel
address space
code
user
Prior art date
Legal status
Withdrawn
Application number
AU2011239288A
Inventor
Robert Sadao Unoki
David Charles Wrighton
Current Assignee
Microsoft Corp
Original Assignee
Microsoft Corp
Priority date
Filing date
Publication date
Priority to US11/564,249
Application filed by Microsoft Corp
Priority to AU2011239288A
Publication of AU2011239288A1
Legal status: Withdrawn (current)


Abstract

Unsafe application programs that implement managed code can be executed in a secure fashion. In particular, an operating system can be configured to execute an application program in user mode, but handle managed code compilation through a type-safe JIT compiler operating in kernel mode. The operating system can also designate a single memory location to be accessed through multiple address spaces with different permission sets. An application program operating in user mode can be executed in the read/execute address space, while the JIT compiler operates in a read/write address space. When encountering one or more pointers to intermediate language code, the application runtime can send one or more compilation requests to a kernel mode security component, which validates the requests. If validated, the JIT compiler will compile the requested intermediate language code, and the application program can access the compiled code from a shared memory heap.

Description

Australian Patents Act 1990 - Regulation 3.2. Original complete specification, standard patent. Invention title: Compiling executable code into a less-trusted address space. The following statement is a full description of this invention, including the best method of performing it known to me:

COMPILING EXECUTABLE CODE INTO A LESS-TRUSTED ADDRESS SPACE

BACKGROUND

[0001] As computerized systems have increased in popularity, so have the various application programs used on the computerized systems. In particular, there are now a wide range of application programs configured for any number of purposes, whether to function as complex operating systems, databases, and so forth, or as a simple calculator. In many cases, software developers will write new application programs with a particular operating system in mind, using any number of appropriate languages. Once the software is complete, the developer will compile the application into machine-executable code, which can then be installed on a computer system with the appropriate operating system.

[0002] One will appreciate, therefore, that there are a number of considerations that often must be considered by developers of operating systems as well as of the individual application programs. Many of these interests may even be competing. For example, many application program developers may have interests related to quick and fast operation, while many operating system developers may have interests related to security and stability. In some cases, the security and stability requirements can cause some application programs to have slower execution and/or lower performance.

[0003] For example, the operating system may be configured to have application programs run in a less-trusted "user" level, but have other system components run in a trusted "kernel" level.
As a result, an application program running in a user level might only be able to perform certain types of functions by requesting the given function through an intermediary, trusted component. The intermediary component can then validate the request and pass the request for the function to a kernel level component, which can then execute the request.

[0004] Other ways of managing security are to limit the various applications and components to specific readable, writable, and/or executable permission spaces. For example, an operating system might allow certain application programs to run only in a read/execute address space. This might allow the application programs to execute any existing instructions, but would prohibit the application from performing any write operations. By contrast, the operating system might allow other sensitive system components to operate only in a read/write address space. This might allow the sensitive components to make new writes, but would prohibit those writes from being executed.

[0005] In still other cases, an operating system might allow only certain types of application programs conforming to certain code standards to run in a space that is readable, writable, and executable. For example, the operating system might only allow "type-safe" applications to run in a read/write/execute address space. One example of a type-safety rule might be to require an integer value to be added only to other integer values, rather than to floating point values. A type-safe compiler could then be used to compile only that executable program code that is type-safe, and thus trusted by the operating system.

[0006] Unfortunately, some recent trends in application program development complicate various aspects of the above-mentioned security management approaches. For example, a wide range of application developers are now creating video game application programs using "managed code."
In general, managed code includes executable program code, as well as intermediate language code that can be compiled on an as-needed basis. For example, a developer of an application program might include one or more references (in the compiled, executable code) to intermediate code. Thus, when the executable code comes to a point where it needs to use a function that is available only in intermediate language code, a JIT (just-in-time) compiler is used to compile certain intermediate language code into executable instructions.

[0007] One can appreciate, therefore, that operating systems will sometimes limit the use of managed code to type-safe applications. In particular, since the JIT compiler will need to write, and since the application will need to execute, and further since the application program will need to access the compiled code written by the JIT compiler, the JIT compiler and the executing application program will typically operate in the same address space, which is readable, writable, and executable. Thus, if the intermediate language code were not type-safe (or conforming to some other program code restrictions), a malicious party could trick the JIT compiler into generating harmful instructions that are executed.

[0008] Unfortunately, program code restrictions such as type-safety are often believed to conflict with speed and performance considerations. This can be particularly problematic for video game applications, where speed and performance considerations are placed at a premium. In some cases, therefore, the developers of video game applications may find it better or more efficient to ignore specific code specifications, such as type-safety.

BRIEF SUMMARY

[0009] Implementations of the present invention provide systems, methods, and computer program products configured to allow for the use of managed code in an operating system, where the managed code may not necessarily conform to any particular code standard.
In one implementation, for example, an operating system provides access to a memory location in two different address spaces, and sets the permissions in the address spaces such that the memory location is accessible with different permissions from the two different address spaces. In one implementation, a JIT compiler operating in one address space passes compiled code into a shared memory heap. Executable program code, in turn, accesses the compiled code from the memory heap, and executes it in the other memory address space.

[0010] For example, a method of executing managed code so that untrusted program code can be compiled and executed in a manner that does not threaten or otherwise compromise system security can involve executing an application program in a first address space of a memory location. The method can also involve receiving one or more requests from the application program to compile one or more sets of intermediate language instructions. In addition, the method can involve compiling the one or more sets of intermediate language instructions into newly compiled code using a JIT compiler running in a second address space of the memory location. Furthermore, the method can involve passing the newly compiled code to a shared memory heap. The application program can then retrieve the newly compiled code from the shared memory heap into the first address space.

[0011] Similarly, another method of generating computer executable program code in a manner that uses JIT compilation while avoiding security violations can involve receiving application program code that includes executable code and code to be compiled. The method can also involve executing the executable code in a lower-privilege mode and in a first address space. In addition, the method can involve identifying one or more pointers in the executable code for at least some code to be compiled.
Furthermore, the method can involve switching to a higher-privilege mode. Still further, the method can involve compiling the at least some code in a different address space using a compiler operating in the higher-privilege mode.

[0011a] According to an example aspect there is provided, in a computerised environment comprising a memory, as well as a Just-In-Time (JIT) compiler that is loaded in a kernel-mode address space of the memory and one or more application programs that are loaded in a user-mode address space of the memory, a method for sandboxing the execution of untrusted program code that is called by the one or more application programs within the user-mode address space of the memory by compiling the untrusted program code with the JIT compiler in the kernel-mode address space of the memory and subsequently executing the compiled untrusted program code in the user-mode address space of the memory in a manner that does not threaten or otherwise compromise system security, comprising:
  an act of one or more kernel-mode components that are executing in a kernel-mode address space maintaining and enforcing a memory page table, the memory page table mapping a plurality of memory locations with a plurality of address spaces, along with access permissions for each address space with respect to access to each memory location, including:
    mapping a first memory location corresponding to a shared memory heap with the kernel-mode address space and a lower privilege user-mode address space, and defining (i) read/write permissions with respect to the shared memory heap for the kernel-mode address space and (ii) read/execute permissions with respect to the shared memory heap for the user-mode address space; and
    mapping a second memory location corresponding to an execution location in which an application program is loaded for execution with the kernel-mode address space and the user-mode address space, and
    defining (i) read/write permissions with respect to the execution location for the kernel-mode address space and (ii) read only permissions with respect to the execution location for the user-mode address space;
  an act of executing the application program in the user-mode address space, the application program having read/execute permissions with respect to the shared memory heap as enforced by the one or more kernel-mode components, the application program comprising both compiled code as well as one or more pointers to intermediate language code stored in the kernel-mode address space and which needs further compilation before execution, the intermediate language code accessible only from within the kernel-mode address space;
  an act of the application program encountering at least one of the one or more pointers to intermediate language code during execution and, as a result, the application program requesting compilation of intermediate language instructions by a JIT compiler executing in the kernel-mode address space, the request including passing the at least one pointer to intermediate language code to a security component executing in the kernel-mode address space;
  an act of the security component receiving the request from the application program to compile intermediate language instructions, including receiving the at least one pointer to intermediate language code;
  an act of the security component validating that the request is appropriate, including reviewing the request for any application instructions that could be used to compromise system security;
  an act of the security component determining that the request is appropriate and passing one or more sets of intermediate language instructions stored within the kernel-mode address space and corresponding to the at least one pointer to intermediate language code to the JIT compiler, the JIT compiler executing in the kernel-mode address space with read/write permissions with respect to the
shared memory heap as enforced by the one or more kernel-mode components;
  an act of the JIT compiler compiling the one or more sets of intermediate language instructions into newly compiled code, wherein the JIT compiler executes within one or more type-safety restraints so that the JIT compiler honors the type-safety restraints itself while compiling the one or more sets of intermediate language instructions, but accepts and compiles the one or more sets of intermediate language instructions without checking for type-safety and while compiling at least one set of intermediate language instructions that are not type safe;
  an act of the JIT compiler passing the newly compiled code to the shared memory heap;
  an act of the application program retrieving the newly compiled code from the shared memory heap; and
  an act of the application program executing the newly compiled code in the user-mode address space.

[0011b] According to another example aspect there is provided, in a computerised environment comprising a memory, a Just-In-Time (JIT) compiler that is operating in a kernel-mode level of operation, and one or more application programs that are operating in a user-mode level of operation, a computer program storage product having computer executable instructions stored thereon that, when executed, cause one or more processors to perform a method for sandboxing the execution of untrusted program code that is called by the one or more application programs within the user-mode level of operation by compiling the untrusted program code with the JIT compiler in the kernel-mode level of operation and subsequently executing the compiled untrusted program code in the user-mode level of operation in a manner that does not threaten or otherwise compromise system security, comprising:
  an act of one or more kernel-mode components operating in a kernel-mode level of operation maintaining and enforcing a memory page
table, the memory page table mapping a plurality of memory locations with a plurality of address spaces, along with access permissions for each address space with respect to access to each memory location, including:
    mapping a first memory location corresponding to a shared memory heap with a kernel-mode address space of the kernel-mode level of operation and a lower privilege user-mode address space of a user-mode level of operation, and defining (i) read/write permissions with respect to the shared memory heap for the kernel-mode address space and (ii) read/execute permissions with respect to the shared memory heap for the user-mode address space; and
    mapping a second memory location corresponding to an execution location in which an application program is loaded for execution with the kernel-mode address space and the user-mode address space, and defining (i) read/write permissions with respect to the execution location for the kernel-mode address space and (ii) read only permissions with respect to the execution location for the user-mode address space;
  an act of executing the application program in the user-mode level of operation, the application program having read/execute permissions with respect to the shared memory heap as enforced by the one or more kernel-mode components, the application program comprising both compiled code as well as one or more pointers to intermediate language code stored in the kernel-mode address space and which needs further compilation before execution, the intermediate language code accessible only from within the kernel-mode address space;
  an act of the application program encountering at least one of the one or more pointers to intermediate language code during execution and, as a result, the application program requesting compilation of intermediate language instructions by a JIT compiler operating in the kernel-mode level of operation, the request including
passing the at least one pointer to intermediate language code to a kernel-mode security component operating in the kernel-mode level of operation;
  an act of the kernel-mode security component receiving the request from the application program to compile intermediate language instructions, including receiving the at least one pointer to intermediate language code;
  an act of the kernel-mode security component validating that the request is appropriate, and as a result of determining that the request is appropriate, an act of the kernel-mode security component passing one or more sets of intermediate language instructions stored within the kernel-mode address space and corresponding to the at least one pointer to intermediate language code to the kernel-mode JIT compiler, the kernel-mode JIT compiler executing with read/write permissions with respect to the shared memory heap as enforced by the one or more kernel-mode components;
  an act of the kernel-mode JIT compiler compiling the one or more sets of intermediate language instructions into newly compiled code, wherein the kernel-mode JIT compiler executes within one or more type-safety restraints so that the kernel-mode JIT compiler honors the type-safety restraints itself while compiling the one or more sets of intermediate language instructions, but accepts and compiles the one or more sets of intermediate language instructions without checking for type-safety and while compiling at least one set of intermediate language instructions that are not type safe;
  an act of the kernel-mode JIT compiler passing the newly compiled code to the shared memory heap;
  an act of the application program retrieving the newly compiled code from the shared memory heap; and
  an act of the application program executing the newly compiled code in the user-mode level of operation.
[0011c] According to another example aspect there is provided a computer system, comprising:
  at least one processing device;
  a memory; and
  one or more computer program storage products having computer executable instructions stored thereon that, when executed, cause the at least one processing device to perform a method for sandboxing the execution of untrusted program code that is called by one or more application programs within a user-mode address space of the memory by compiling the untrusted program code with a JIT compiler in a kernel-mode address space of the memory and subsequently executing the compiled untrusted program code in the user-mode address space of the memory in a manner that does not threaten or otherwise compromise system security, comprising acts of:
    maintaining a memory page table with one or more kernel-mode components, the memory page table mapping a plurality of memory locations with a plurality of address spaces, along with access permissions for each address space with respect to access to each memory location, including:
      mapping a first memory location corresponding to a shared memory heap with the kernel-mode address space and a lower privilege user-mode address space, and defining (i) read/write permissions with respect to the shared memory heap for the kernel-mode address space and (ii) read/execute permissions with respect to the shared memory heap for the user-mode address space; and
      mapping a second memory location corresponding to an execution location in which an application program is loaded for execution with the kernel-mode address space and the user-mode address space, and defining (i) read/write permissions with respect to the execution location for the kernel-mode address space and (ii) read only permissions with respect to the execution location for the user-mode address space;
    executing the application program in a user-mode level of operation and in the
user-mode address space, the application program having read/execute permissions with respect to the shared memory heap as defined by the memory page table, the application program comprising both compiled code as well as at least one pointer to intermediate language code stored in the kernel-mode address space and which needs further compilation before execution, the intermediate language code accessible only from within the kernel-mode address space;
    the application program encountering the at least one pointer to intermediate language code during execution and, as a result, the application program requesting compilation of intermediate language instructions by a JIT compiler, the request including passing the at least one pointer to intermediate language code to a security component;
    switching to a kernel-mode level of operation in the kernel-mode address space subsequent to the application program requesting compilation of intermediate language instructions;
    a security component, which is operating in the kernel-mode level of operation and in the kernel-mode address space, receiving the request from the application program to compile intermediate language instructions, including receiving the at least one pointer to intermediate language code, and in response:
      the security component verifying that the request is appropriate; and
      the security component passing one or more sets of intermediate language instructions stored within the kernel-mode address space and corresponding to the at least one pointer to intermediate language code to the JIT compiler;
    the JIT compiler, which is operating in the kernel-mode level of operation and in the kernel-mode address space with read/write permissions with respect to the shared memory heap as defined by the memory page table, compiling the one or more sets of intermediate language instructions into newly compiled code, wherein the JIT compiler executes within one or
more type-safety restraints so that the JIT compiler honors the type-safety restraints itself while compiling the one or more sets of intermediate language instructions, but accepts and compiles the one or more sets of intermediate language instructions without checking for type-safety and while compiling at least one set of intermediate language instructions that are not type safe;
    the JIT compiler passing the newly compiled code to the shared memory heap;
    switching to the user-mode level of operation in the user-mode address space subsequent to the JIT compiler passing the newly compiled code to the shared memory heap;
    the application program retrieving the newly compiled code from the shared memory heap; and
    the application program executing the newly compiled code with user-mode permissions and in the user-mode address space.

[0012] This Summary is provided to introduce a selection of concepts in a simplified form that are further described below in the Detailed Description. This Summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used as an aid in determining the scope of the claimed subject matter.

[0013] Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the invention. The features and advantages of the invention may be realized and obtained by means of the instruments and combinations particularly pointed out in the appended claims. These and other features of the present invention will become more fully apparent from the following description and appended claims, or may be learned by the practice of the invention as set forth hereinafter.
BRIEF DESCRIPTION OF THE DRAWINGS

[0014] In order to describe the manner in which the above-recited and other advantages and features of the invention can be obtained, a more particular description of the invention briefly described above will be rendered by reference to specific embodiments thereof which are illustrated in the appended drawings. Understanding that these drawings depict only typical embodiments of the invention and are not therefore to be considered to be limiting of its scope, the invention will be described and explained with additional specificity and detail through the use of the accompanying drawings in which:

[0015] Figure 1A illustrates an overview schematic diagram of an implementation in accordance with the present invention in which an application program running in a less trusted security mode invokes managed code, which is compiled by a JIT compiler in a trusted security mode;

[0016] Figure 1B illustrates a schematic diagram in which a memory location managed by the operating system is accessible by components in two different address spaces, which have different permissions for accessing the memory location;

[0017] Figure 2 illustrates a flowchart of a sequence of acts in accordance with an implementation of the present invention in which a JIT compiler receives and handles one or more requests for intermediate language instructions; and

[0018] Figure 3 illustrates a flowchart of an overview sequence of acts in which an operating system receives an application program that includes one or more references to managed code, and executes the application program in accordance with one or more security mechanisms.

DETAILED DESCRIPTION

[0019] Implementations of the present invention extend to systems, methods, and computer program products configured to allow for the use of managed code in an operating system, where the managed code may not necessarily conform to any particular code standard.
In one implementation, for example, an operating system provides access to a memory location in two different address spaces, and sets the permissions in the address spaces such that the memory location is accessible with different permissions from the two different address spaces. In one implementation, a JIT compiler operating in one address space passes compiled code into a shared memory heap. Executable program code, in turn, accesses the compiled code from the memory heap, and executes it in the other memory address space.

[0020] As will be understood more fully herein, implementations of the present invention can provide a secure system without necessarily needing to verify that the generated code does not violate the security constraints of the system. This can be done at least partly by "sandboxing" the compiled code, as well as any other code that is being executed. In particular, implementations of the present invention can define a "sandbox," which is essentially a predefined set of boundaries in which any type of code can be executed. Specifically, the sandbox boundaries described herein will result in malicious request(s) made by the executing code being either denied by the operating system (as coming from a user mode component), or limited to actions or functions only within the predefined permissions (e.g., denying a write to a read/execute address space).

[0021] As a result, code that is compiled by a JIT compiler (e.g., 105), or even the application program (e.g., 110) ultimately invoking the JIT compiler, can be executed within the sandbox without necessarily being "type-safe," or conforming to some other security consideration. One will appreciate that this can free a given developer to write application program code in a manner that is potentially less constrained, and potentially faster and performance driven than previously possible.
[0022] In addition to ensuring that code is executed properly, implementations of the present invention also provide mechanisms that ensure that the JIT compiler itself cannot be "hijacked," such as when receiving and compiling intermediate language code. In particular, implementations of the present invention include a JIT compiler that is configured for type-safe execution, rather than necessarily checking incoming code for type-safety or compiling only type-safe code. As such, the JIT compiler in accordance with implementations of the present invention can be protected against requests that would cause the JIT compiler itself to violate safety definitions (e.g., type-safe definitions).

[0023] In one implementation, for example, the JIT compiler can be configured with type-safety definitions that restrict the JIT compiler from reaching outside of its own data structures, or the data structures that are defined as part of the system 100 runtime. For example, the JIT compiler can be configured to perform a series of checks to ensure that only valid casts are performed whenever performing casts from one type to another. Similarly, the JIT compiler can be configured so that, whenever asked to read out of arrays, the JIT compiler performs one or more boundary checks to ensure that the JIT compiler is within the bounds of the array. With respect to use within the C programming language, for example, the JIT compiler can also be configured to ensure that whenever using a "union," the JIT compiler reads or writes to the proper part of the union. Furthermore, the JIT compiler can be configured to ensure that the JIT compiler never overflows or underflows while reading or writing the type-stack (the type-stack within the JIT compiler).

[0024] In general, the JIT compiler's type-stack is an internal data structure that is important for maintaining correctness.
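The following C program is an added illustration of the type-stack simulation that [0023] and [0024] describe; it is not code from the patent. It walks a small CIL-style method while tracking only the types on the evaluation stack, and stops at the first instruction that would take the JIT outside its own data structures: an underflow, an overflow of the bounded type-stack, an integer/float mix at `add` with no intervening cast (the rule of [0005], which would leave the simulated stack out of step with the code), an immediate that runs past the end of the method, or an unknown opcode. The opcode numbers are CIL's; the status codes, the eight-slot stack limit, the function names and the sample methods are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_STACK 8   /* bounded type-stack: the JIT must never index past this */

/* Opcode numbers follow CIL; only this handful is modelled (assumption: toy subset). */
enum il_op { OP_LDC_I4 = 0x20, OP_LDC_R4 = 0x22, OP_DUP = 0x25, OP_POP = 0x26, OP_RET = 0x2A, OP_ADD = 0x58 };
enum il_type { T_I4 = 1, T_R4 = 2 };
enum sim_status { SIM_OK = 0, SIM_UNDERFLOW, SIM_OVERFLOW, SIM_TYPE_MISMATCH, SIM_TRUNCATED, SIM_BAD_OPCODE, SIM_BAD_RET, SIM_NO_RET };

struct sim_result { enum sim_status status; size_t offset; };   /* offset: IL offset of the offending instruction */
struct type_stack { enum il_type slots[MAX_STACK]; size_t depth; };

static int ts_push(struct type_stack *s, enum il_type t)
{
    if (s->depth >= MAX_STACK) return 0;            /* overflow refused; nothing written past the array */
    s->slots[s->depth++] = t;
    return 1;
}

static int ts_pop(struct type_stack *s, enum il_type *t)
{
    if (s->depth == 0) return 0;                    /* underflow refused; nothing read before the array */
    *t = s->slots[--s->depth];
    return 1;
}

/* One pass over the IL, simulating only operand types.  A real JIT would
 * emit code alongside this walk and abandon the method at the first non-OK status. */
static struct sim_result simulate(const uint8_t *il, size_t len)
{
    struct type_stack st = { {0}, 0 };
    enum il_type a, b;
    size_t pc = 0;
    while (pc < len) {
        size_t at = pc;
        uint8_t op = il[pc++];
        switch (op) {
        case OP_LDC_I4:
        case OP_LDC_R4:
            if (pc + 4 > len) return (struct sim_result){ SIM_TRUNCATED, at };   /* immediate runs off the end */
            pc += 4;
            if (!ts_push(&st, op == OP_LDC_I4 ? T_I4 : T_R4)) return (struct sim_result){ SIM_OVERFLOW, at };
            break;
        case OP_DUP:
            if (!ts_pop(&st, &a)) return (struct sim_result){ SIM_UNDERFLOW, at };
            if (!ts_push(&st, a) || !ts_push(&st, a)) return (struct sim_result){ SIM_OVERFLOW, at };
            break;
        case OP_POP:
            if (!ts_pop(&st, &a)) return (struct sim_result){ SIM_UNDERFLOW, at };
            break;
        case OP_ADD:
            if (!ts_pop(&st, &b) || !ts_pop(&st, &a)) return (struct sim_result){ SIM_UNDERFLOW, at };
            if (a != b) return (struct sim_result){ SIM_TYPE_MISMATCH, at };      /* int + float: result type unknown */
            ts_push(&st, a);                          /* two popped, one pushed: cannot overflow */
            break;
        case OP_RET:
            if (st.depth != 1) return (struct sim_result){ SIM_BAD_RET, at };     /* must return exactly one value */
            return (struct sim_result){ SIM_OK, at };
        default:
            return (struct sim_result){ SIM_BAD_OPCODE, at };
        }
    }
    return (struct sim_result){ SIM_NO_RET, pc };    /* fell off the end without ret */
}

/* Constructed sample methods for the demonstration (not from the patent). */
static const uint8_t IL_GOOD[]      = { 0x20, 1,0,0,0, 0x20, 2,0,0,0, 0x58, 0x2A };         /* 1 + 2 */
static const uint8_t IL_MIXED[]     = { 0x20, 1,0,0,0, 0x22, 0,0,0x80,0x3F, 0x58, 0x2A };   /* 1 + 1.0f */
static const uint8_t IL_UNDERFLOW[] = { 0x58, 0x2A };                                        /* add on an empty stack */
static const uint8_t IL_TRUNCATED[] = { 0x20, 1, 0 };                                        /* ldc.i4 missing two bytes */
static const uint8_t IL_OVERFLOW[]  = { 0x20,0,0,0,0, 0x25,0x25,0x25,0x25,0x25,0x25,0x25,0x25, 0x2A }; /* dup until depth 9 */

int main(void)
{
    static const char *names[] = { "ok", "underflow", "overflow", "type mismatch", "truncated", "bad opcode", "bad ret", "no ret" };
    struct sim_result r = simulate(IL_MIXED, sizeof IL_MIXED);
    printf("IL_MIXED: %s at offset %zu\n", names[r.status], r.offset);
    return 0;
}
```

The checks in ts_push and ts_pop are the ones that protect the JIT's own arrays, which is the concern of [0022]: the hostile input is still compiled without any general type-safety proof, but it cannot drive the compiler's type-stack out of bounds, and the offset in the result is what a compiler would report before quitting compilation.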
Intermediate language code is typically a stack-based system in which the JIT compiler operates on objects in a stack in order, and places results back into the stack in order. The JIT compiler in accordance with implementations of the present invention is thus configured to simulate a stack to ensure that the JIT compiler is operating as expected. For example, the JIT compiler can perform stack simulation while compiling intermediate language code. If the simulated stack deviates significantly from what the JIT compiler is being fed, the JIT compiler can quit compilation or generate an error. This helps the JIT compiler ensure that it is operating within prescribed boundaries, and thus protected from violating one or more security rules.

[0025] Figure 1A illustrates an overview schematic diagram of a computerized system 100 (e.g., a video game operating system) in which an application program (i.e., 110) is being executed. In one implementation, application program 110 is a video game application, though one will appreciate that application program 110 can be any type of executable program code. In any event, Figure 1A also shows that application program 110 comprises one or more sets of executable instructions, such as compiled code 135, which includes a pointer 140 to intermediate language ("IL") code 120. Similarly, Figure 1A shows that application program 110 comprises compiled code 145, which includes pointer 150 to intermediate language code 125. Intermediate language code 115, in turn, comprises several different components or modules, such as code 120, 125 and 130, which need further compilation before they can be executed.

[0026] There are any number of different ways that application program 110 will or can be executed in computer system 100. For example, a user might load a storage device onto another device on which the system 100 is installed.
The storage device may include binary executable code for application program 110, as well as managed code in the form of intermediate language code 115. Both the executable code and intermediate language code of application program 110 could then be loaded into computerized system 100. In other cases, a user, such as a developer, may upload the application program 110, including intermediate language code 115, through a network connection. In such a case, the user might be executing application program 110 for testing newly developed application programs (e.g., 110).

[0027] In any event, Figure 1A also illustrates that application program 110 is being executed in a lower-privilege mode (e.g., "user" mode), while JIT compiler 105 is operating in a higher-privilege mode (e.g., "kernel" mode). For example, Figure 1A shows that application program 110 is operating in user mode 113 with user privileges, while JIT compiler 105 is operating in kernel mode 103 with corresponding kernel privileges. In addition, Figure 1A shows that intermediate language code 115 is accessed by one or more components with kernel 103 level privileges. Conversely, and as will be understood more fully herein, executable code will only be executed by components operating with user 113 levels of privileges.

[0028] Accordingly, as the runtime for application program 110 executes each of the compiled instructions 135, 145 in user 113 mode, the runtime will come across any of one or more pointers to intermediate language code. For example, during execution, the runtime for application program 110 comes across pointer 140 to intermediate language code 120. Since pointer 140 references code that can only be accessed in kernel 103 mode, the runtime will break out of user mode and system 100 will switch to kernel 103 mode.

[0029] The request 143 will then be handled by security component 155, which operates in kernel 103 mode.
In general, security component 155 can comprise any number or type of components or modules configured to receive a user mode 113 component request (e.g., 143), and then validate whether the request is appropriate. This is done since user mode 113 is untrusted, and since application program 110 may or may not represent (or otherwise include) dangerous or malicious code.

[0030] Thus, to ensure that requests from user mode 113 execution will not damage system 100, security component 155 can perform any number or type of validation functions. For example, security component 155 can review message 143 for any number of handles, tokens, or the like. Furthermore, security component 155 can review request 143 for application instructions that could be used to compromise system 100, such as specific memory address requests, or requests that could result in a buffer overrun, etc. Upon validating request 143, security component 155 can initiate JIT compiler 105 in kernel mode.

[0031] Once operating in kernel mode, the JIT compiler can then be fed the requested code (i.e., 120) and begin compilation. For example, Figure 1A shows that security component 155 executes one or more requests 147 that cause JIT compiler 105 to receive and compile intermediate language code 120. After compiling code 120 into executable binary instructions (i.e., compiled code 123), Figure 1A also shows that JIT compiler 105 can then pass code 123 into memory heap 160.

[0032] As will be understood more fully with respect to Figure 1B, memory heap 160 straddles the boundary between user mode 113 and kernel mode 103 operations. In effect, memory heap 160 acts as a cross-permission / cross-boundary store that is accessible by components operating in kernel mode 103 and/or in user mode 113. Once compilation is completed, system 100 can switch back to user mode and continue execution of the application program 110.
In particular, application 110 - operating in user mode - can pull the compiled code 123 as soon as it is available, and begin executing it in user mode 113. One will appreciate, therefore, that memory heap 160 can be used to help maintain the security boundaries between the two security layers by allowing JIT compiler 105 and user 113 to function independently, in different privilege modes, without direct communication.

[0033] Figure 1B illustrates additional details on how the security boundary between the JIT compiler 105 and application program 110 can be accomplished or otherwise maintained. In particular, Figure 1B illustrates an implementation in which JIT compiler 105 and application program 110 operate with respect to the same memory location, albeit with different permission sets. That is, Figure 1B illustrates an implementation in which the same memory location can be accessed by components in one address space with one set of permissions, and accessed by different components in another address space with a different set of permissions. For example, Figure 1B shows that memory location 160 is available in an address space 170 with read/write permissions, and an address space 165 with read/execute permission.

[0034] In general, one or more kernel layer 103 components of operating system 100 will maintain a memory page table 180 for any given address location and corresponding address spaces. For example, Figure 1B shows that memory page table 180 is maintained in the kernel 103 layer (i.e., one or more kernel mode components) of system 100. One reason this is maintained by a kernel 103 mode component is to ensure that an untrusted application program (i.e., operating in user mode) cannot access or otherwise improperly manipulate the page table.

[0035] In any event, Figure 1B shows that page table 180 correlates memory locations 160 and 165 with address spaces 170, 175, 190, and 195.
For example, memory location 160 is the shared memory heap, while memory location 165 is a location in which application program 110 is loaded for execution. In addition, page table 180 maps the access permissions of memory locations 160 and 165, such that address spaces 170 and 190 have "read/write" access to locations 160 or 165, respectively. Similarly, page table 180 maps the permissions of memory locations 160 and 165 for address spaces 175 or 195 as "read/execute," respectively. Accordingly, when security component 155 (Figure 1A) receives a request (e.g., 143) from a user mode 113 component, security component 155 can correlate the address spaces of the component originating the request (e.g., 143) with the address space for JIT compiler output (e.g., 123).

[0036] As previously mentioned, one of the ways that system 100 can enforce the permission and security layer boundaries is through memory heap 160, which straddles the described security/permission boundaries. In general, a "memory heap" comprises a set of memory addresses set aside by system 100 during or just prior to runtime. In this particular example, system 100 can allocate and configure memory heap 160 so that only kernel layer components (e.g., JIT compiler 105) can write to memory heap 160 (e.g., via page table 180), while user layer components can only read from memory heap 160. As a result, application program 110 cannot execute any compiled code from JIT compiler 105 in memory heap 160, but, rather, must do so only in address space 175.

[0037] One will appreciate, therefore, that a "sandbox" can be set by requiring operation of an application only in user mode, and by requiring the application and JIT compiler to access certain components or data structures from a memory address associated with different permission sets.
Accordingly, Figures 1A-1B and the corresponding text illustrate a number of different architectural components that can be used to access and/or execute virtually any type of executable code, including managed code, in a secure fashion. In particular, Figures 1A-1B and the corresponding text illustrate how an application can execute in a user 113 mode, and access a memory heap with only read or read/execute permissions for the JIT compiled code. In addition, the Figures and corresponding text illustrate how the application can invoke one or more kernel-layer components in a different address space 170, which has read/write permissions for memory heap 160, and can thus compile and pass managed code to memory heap 160 but not execute it.

[0038] As previously mentioned, this type of distributed address space configuration can provide a number of different benefits to program execution and development. At the outset, for example, an application program developer can write virtually any type of code without worrying about safety considerations (e.g., type-safety). In addition, an operating system developer need not spend exhaustive resources developing the runtime verification code that would force all executing program code to be safe (e.g., type-safe).

[0039] In addition to the foregoing, implementations of the present invention can also be described in terms of flow charts having one or more acts in a method for accomplishing a particular result. In particular, Figures 2 and 3, and the corresponding text, illustrate flow charts of one or more acts for executing managed code so that safe and unsafe application program code can be executed without threatening or compromising security. The methods illustrated in Figures 2 and 3 are described below with reference to the components and diagrams of Figures 1A-1B.
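A constructed model of the page table of Figure 1B and the request flow of Figure 1A described above, added here as an illustration rather than taken from the patent: memory heap 160 is mapped read/write for kernel address space 170 and read/execute for user address space 175, security component 155 validates request 143 before driving the JIT, and every access is checked against the table so that the forbidden operations (user mode writing the heap, kernel mode executing from it) fail. The handle values, the request dictionary keys and the sample IL are assumptions.

```python
"""Toy model of the page table of Figure 1B and the request flow of Figure 1A.

Constructed example, not the patent's code. Reference numerals (heap 160, execution
location 165, address spaces 170/175/190/195, request 143) follow the description;
the data structures, request keys, handle values and sample IL are assumptions.
"""
from dataclasses import dataclass, field

READ, WRITE, EXEC = "r", "w", "x"


class AccessViolation(Exception):
    """An access the page table does not permit for that address space."""


class RequestRejected(Exception):
    """Security component 155 refused a user-mode compilation request."""


@dataclass
class PageTable:
    """Owned by kernel-mode components only: (memory location, address space) -> permissions."""
    entries: dict = field(default_factory=dict)

    def map(self, location: int, space: int, perms) -> None:
        self.entries[(location, space)] = frozenset(perms)

    def check(self, location: int, space: int, op: str) -> None:
        allowed = self.entries.get((location, space), frozenset())
        if op not in allowed:
            raise AccessViolation(f"{op} on location {location} from address space {space} "
                                  f"(allowed: {''.join(sorted(allowed)) or 'none'})")


class KernelSide:
    """Kernel-mode 103 components: page table 180, security component 155, JIT compiler 105."""

    def __init__(self, il_code: dict, valid_handles: set):
        self.table = PageTable()
        self.heap: dict = {}            # memory heap 160, keyed by slot
        self.il_code = il_code          # IL code 115, reachable only through kernel mode
        self.valid_handles = valid_handles
        self.table.map(160, 170, {READ, WRITE})  # heap 160: kernel space 170 may write it
        self.table.map(160, 175, {READ, EXEC})   # heap 160: user space 175 may only run it
        self.table.map(165, 190, {READ, WRITE})  # execution location 165 follows suit
        self.table.map(165, 195, {READ, EXEC})

    def security_component(self, request: dict) -> int:
        """Validate request 143 from user mode, then drive the JIT (requests 147)."""
        if request.get("handle") not in self.valid_handles:
            raise RequestRejected("invalid handle")
        ptr = request.get("il_pointer")
        if ptr not in self.il_code:
            raise RequestRejected(f"pointer {ptr!r} does not name kernel-held IL")
        if "target_address" in request:  # user mode may not choose where output lands
            raise RequestRejected("request attempts to dictate a memory address")
        return self.jit_compile(ptr)

    def jit_compile(self, ptr: str) -> int:
        """JIT 105 in address space 170: writes compiled code 123 into heap 160, never runs it."""
        native = tuple(("native", op) for op in self.il_code[ptr])  # stand-in for machine code
        slot = len(self.heap)
        self.table.check(160, 170, WRITE)
        self.heap[slot] = native
        return slot


class UserRuntime:
    """Application program 110 in user mode 113, executing from address space 175."""

    def __init__(self, kernel: KernelSide, handle: str):
        self.kernel, self.handle = kernel, handle
        self.executed: list = []
        self.mode_log: list = ["user"]   # records the mode switches of [0028] and [0032]

    def run(self, compiled_code: list) -> list:
        """Walk compiled instructions 135/145; an IL pointer (140/150) triggers the switch."""
        for instr in compiled_code:
            if instr[0] == "il_pointer":
                self.mode_log.append("kernel")
                slot = self.kernel.security_component(
                    {"handle": self.handle, "il_pointer": instr[1]})
                self.mode_log.append("user")
                self.kernel.table.check(160, 175, READ)   # pull code 123 from the heap ...
                self.kernel.table.check(160, 175, EXEC)   # ... and execute it in user mode
                self.executed.extend(self.kernel.heap[slot])
            else:
                self.executed.append(instr)
        return self.executed

    def patch_heap(self, slot: int, code) -> None:
        """What the page table forbids: user mode writing into the shared heap."""
        self.kernel.table.check(160, 175, WRITE)
        self.kernel.heap[slot] = code


def attempt(fn, *args):
    """Run an operation and report ("ok", value) or ("denied", reason)."""
    try:
        return "ok", fn(*args)
    except (AccessViolation, RequestRejected) as exc:
        return "denied", str(exc)
```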
[0040] Accordingly, Figure 2 shows that a method from the perspective of a client computer system can comprise act 200 of executing an application in a first address space. Act 200 includes executing an application program in a first address space of a memory location. For example, Figure 1B shows that application program 110 is executing from address space 175, which has read/execute permissions for accessing memory location 160 (i.e., where the JIT compiled code will be placed and thus designated as read/execute).

[0041] Figure 2 also shows that the method can comprise an act 210 of receiving a request from the application for intermediate language instructions. Act 210 can include receiving one or more requests from the application program to compile one or more sets of intermediate language instructions. For example, the runtime for application program 110 comes across pointer 140 to intermediate language code 120, which can only be accessed in kernel 103 mode. As such, the runtime passes the pointer 120 as message 143 to security component 155, which processes the request in kernel mode.

[0042] In addition, Figure 2 shows that the method can comprise an act 220 of compiling the intermediate language instructions in a second address space. Act 220 includes compiling one or more sets of intermediate language instructions into newly compiled code using a JIT compiler running in a second address space. For example, upon validating request 143, security component 155 prepares and executes one or more requests 147 to pass the requested intermediate language code to JIT compiler 105. JIT compiler 105 then compiles the intermediate language code 120 in the second address space 170, which in this illustration is provided with read/write permissions to the shared memory heap 160.

[0043] Furthermore, Figure 2 shows that the method can comprise an act 230 of passing the compiled code to a shared memory heap.
Act 230 includes passing the newly compiled code to a shared memory heap, wherein the application program can retrieve the newly compiled code into the first address space. For example, Figures 1A and 1B show that JIT compiler 105, as well as application program 110, have access to memory heap 160. In particular, JIT compiler 105 can write to (but not execute in) memory heap 160, while application program 110 can only read and execute from memory heap 160. Thus, when JIT compiler 105 compiles and creates code 123, the runtime for application program 110 can retrieve compiled code 123 into address space 175, and execute the code in user mode.

[0044] In addition to the foregoing, Figure 3 shows that a method in accordance with an implementation of the present invention of generating computer-executable program code for a computer system in a manner that uses JIT compilation while avoiding security violations can comprise an act 300 of receiving executable code and code to be compiled. Act 300 includes receiving program code that includes executable code and code to be compiled. For example, operating system 100 receives one or more storage media, and/or receives a network-based upload of application program 110. Application program 110 includes executable program code, as well as intermediate language code 115, which is accessed separately by one or more kernel layer 103 components.

[0045] Figure 3 also shows that the method can comprise an act 310 of executing the executable code in a lower-privilege mode. Act 310 includes executing the executable code in a lower-privilege mode and in a first address space. For example, Figure 1A shows that the executable portion of application program 110 is accessed or otherwise executed only in user mode 113, whereas the intermediate language code 115 is only accessed by kernel mode components.
[0046] In addition, Figure 3 shows that the method can comprise an act 310 of receiving a pointer for code to be compiled. Act 310 includes receiving one or more pointers in the executable code for at least some code to be compiled. For example, Figures 1A-1B show that application program 110, which is operating in user mode 113 and in/from address space 175, comprises compiled code 135, pointer 140 to intermediate language code 120, compiled code 145, and pointer 150 to intermediate language code 125. While executing application program 110 in user mode, the pointers 140 and/or 150 will be identified in turn.

[0047] Furthermore, Figure 3 shows that the method can comprise an act 330 of switching to a higher-privileged mode. For example, the runtime for application program 110 identifies pointer 140 during execution, and identifies that JIT compiler 105 will need to be initiated. Since JIT compiler 105 will need to operate in kernel mode, system 100 momentarily pauses execution of application 110, switches from user mode to kernel mode, and then initiates JIT compiler 105 as a kernel mode 103 component. A message 143, which includes pointer 140, is then passed to a kernel mode 103 security component 155. Security component 155, operating in kernel mode, then evaluates the request to ensure the request 143 is properly formed, and/or includes the appropriate handles, security identifiers, etc.

[0048] Still further, Figure 3 shows that the method can comprise an act 340 of compiling the requested code in a higher-privilege mode. Act 340 includes compiling the requested code in a different address space using a compiler operating in the higher-privilege mode. For example, Figures 1A and 1B show that JIT compiler 105, which is operating in the higher-privilege kernel layer 103, can compile code 120 in one address space (address space 170), and further pass compiled code 123 to memory heap 160, where the JIT compiler has read/write access.
Upon switching back to user mode, application program 110 can then access the compiled code 123 and execute this code from a different address space (address space 175) which has read/execute permissions for the memory heap 160.

[0049] As such, Figures 1A-2 and the corresponding text provide a number of components, modules, and mechanisms that can be used to execute untrusted code, including managed code, without sacrificing important security guarantees. As previously described, this can be accomplished at least in part by separating compilation of intermediate language code and execution of binary code into separate address spaces for the same program. In addition, this can be accomplished with a type-safe JIT compiler, which compiles intermediate code and passes the compiled code into a shared memory heap. The type-safe JIT compiler is configured so that, while it can accept and compile code that is not type-safe, the JIT compiler, itself, is constrained from operating outside of certain prescribed type-safety boundaries. Still further, this can be accomplished by ensuring that executable code is only accessed by components operating in user mode, and that intermediate language code is only accessed by components operating in kernel mode in a read/write address space.

[0050] The embodiments of the present invention may comprise a special purpose or general-purpose computer including various computer hardware, as discussed in greater detail below. Embodiments within the scope of the present invention also include computer-readable media for carrying or having computer-executable instructions or data structures stored thereon. Such computer-readable media can be any available media that can be accessed by a general purpose or special purpose computer.
[0051] By way of example, and not limitation, such computer-readable media can comprise RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to carry or store desired program code means in the form of computer-executable instructions or data structures and which can be accessed by a general purpose or special purpose computer. When information is transferred or provided over a network or another communications connection (either hardwired, wireless, or a combination of hardwired or wireless) to a computer, the computer properly views the connection as a computer-readable medium. Thus, any such connection is properly termed a computer-readable medium. Combinations of the above should also be included within the scope of computer-readable media.

[0052] Computer-executable instructions comprise, for example, instructions and data which cause a general purpose computer, special purpose computer, or special purpose processing device to perform a certain function or group of functions. Although the subject matter has been described in language specific to structural features and/or methodological acts, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or acts described above. Rather, the specific features and acts described above are disclosed as example forms of implementing the claims.

[0053] The present invention may be embodied in other specific forms without departing from its spirit or essential characteristics. The described embodiments are to be considered in all respects only as illustrative and not restrictive. The scope of the invention is, therefore, indicated by the appended claims rather than by the foregoing description. All changes which come within the meaning and range of equivalency of the claims are to be embraced within their scope.
[0054] Throughout this specification and the claims which follow, unless the context requires otherwise, the word "comprise", and variations such as "comprises" or "comprising", will be understood to imply the inclusion of a stated integer or step or group of integers or steps but not the exclusion of any other integer or step or group of integers or steps.

[0055] The reference in this specification to any prior publication (or information derived from it), or to any matter which is known, is not, and should not be taken as, an acknowledgement or admission, or any form of suggestion that that prior publication (or information derived from it) or known matter forms part of the common general knowledge in the field of endeavour to which this specification relates.

Claims (18)

1. In a computerised environment comprising a memory, as well as a Just-In-Time (JIT) compiler that is loaded in a kernel-mode address space of the memory and one or more application programs that are loaded in a user-mode address space of the memory, a method for sandboxing the execution of untrusted program code that is called by the one or more application programs within the user-mode address space of the memory by compiling the untrusted program code with the JIT compiler in the kernel-mode address space of the memory and subsequently executing the compiled untrusted program code in the user-mode address space of the memory in a manner that does not threaten or otherwise compromise system security, comprising:
an act of one or more kernel-mode components that are executing in a kernel-mode address space, maintaining and enforcing a memory page table, the memory page table mapping a plurality of memory locations with a plurality of address spaces, along with access permissions for each address space with respect to access to each memory location, including:
mapping a first memory location corresponding to a shared memory heap with the kernel-mode address space and a lower privilege user-mode address space, and defining (i) read/write permissions with respect to the shared memory heap for the kernel-mode address space and (ii) read/execute permissions with respect to the shared memory heap for the user-mode address space; and
mapping a second memory location corresponding to an execution location in which an application program is loaded for execution with the kernel-mode address space and the user-mode address space, and defining (i) read/write permissions with respect to the execution location for the kernel-mode address space and (ii) read only permissions with respect to the execution location for the user-mode address space;
an act of executing the application program in the user-mode address space, the application program having read/execute permissions with respect to the shared memory heap as enforced by the one or more kernel-mode components, the application program comprising both compiled code as well as one or more pointers to intermediate language code stored in the kernel-mode address space and which needs further compilation before execution, the intermediate language code accessible only from within the kernel-mode address space;
an act of the application program encountering at least one of the one or more pointers to intermediate language code during execution and, as a result, the application program requesting compilation of intermediate language instructions by a JIT compiler executing in the kernel-mode address space, the request including passing the at least one pointer to intermediate language code to a security component executing in the kernel-mode address space;
an act of the security component receiving the request from the application program to compile intermediate language instructions, including receiving the at least one pointer to intermediate language code;
an act of the security component validating that the request is appropriate, including reviewing the request for any application instructions that could be used to compromise system security;
an act of the security component determining that the request is appropriate and passing one or more sets of intermediate language instructions stored within the kernel-mode address space and corresponding to the at least one pointer to intermediate language code to the JIT compiler, the JIT compiler executing in the kernel-mode address space with read/write permissions with respect to the shared memory heap as enforced by the one or more kernel-mode components;
an act of the JIT compiler compiling the one or more sets of intermediate language instructions into newly compiled code, wherein the JIT compiler executes within one or more type-safety restraints so that the JIT compiler honors the type safety restraints itself while compiling the one or more sets of intermediate language instructions, but accepts and compiles the one or more sets of intermediate language instructions without checking for type-safety and while compiling at least one set of intermediate language instructions that are not type safe;
an act of the JIT compiler passing the newly compiled code to the shared memory heap;
an act of the application program retrieving the newly compiled code from the shared memory heap; and
an act of the application program executing the newly compiled code in the user-mode address space.
2. The method as recited in claim 1, wherein no component operating in the user mode address space can write to the shared memory heap.
3. The method as recited in claim 1, wherein no component operating in the kernel mode address space can execute code from the memory heap.
4. The method as recited in claim 1, wherein the JIT compiler performs the acts of: receiving one or more requests to perform a function that violates a security restraint for the JIT compiler; and rejecting the one or more requests to perform the function, or discontinuing compiling the one or more sets of intermediate language instructions.
5. The method as recited in claim 1, further comprising an act of, upon the security component receiving the request from the application program to compile intermediate language instructions, activating a kernel mode level of operation corresponding to the kernel-mode address space.
6. The method as recited in claim 1, wherein the act of activating the kernel mode level of operation includes an act of initiating the security component.
7. The method as recited in claim 1, wherein the act of the security component validating that the request is appropriate comprises an act of determining whether a handle included in the one or more requests is valid.
8. In a computerised environment comprising a memory, a Just-In-Time (JIT) compiler that is operating in a kernel-mode level of operation, and one or more application programs that are operating in a user-mode level of operation, a computer program storage product having computer executable instructions stored thereon that, when executed, cause one or more processors to perform a method for sandboxing the execution of untrusted program code that is called by the one or more application programs within the user-mode level of operation by compiling the untrusted program code with the JIT compiler in the kernel-mode level of operation and subsequently executing the compiled untrusted program code in the user-mode level of operation in a manner that does not threaten or otherwise compromise system security, comprising:
an act of one or more kernel-mode components operating in a kernel-mode level of operation, maintaining and enforcing a memory page table, the memory page table mapping a plurality of memory locations with a plurality of address spaces, along with access permissions for each address space with respect to access to each memory location, including:
mapping a first memory location corresponding to a shared memory heap with a kernel-mode address space of the kernel-mode level of operation and a lower privilege user-mode address space of a user-mode level of operation, and defining (i) read/write permissions with respect to the shared memory heap for the kernel mode address space and (ii) read/execute permissions with respect to the shared memory heap for the user-mode address space; and
mapping a second memory location corresponding to an execution location in which an application program is loaded for execution with the kernel-mode address space and the user-mode address space, and defining (i) read/write permissions with respect to the execution location for the kernel-mode address space and (ii) read only permissions with respect to the execution location for the user-mode address space;
an act of executing the application program in the user-mode level of operation, the application program having read/execute permissions with respect to the shared memory heap as enforced by the one or more kernel-mode components, the application program comprising both compiled code as well as one or more pointers to intermediate language code stored in the kernel-mode address space and which needs further compilation before execution, the intermediate language code accessible only from within the kernel-mode address space;
an act of the application program encountering at least one of the one or more pointers to intermediate language code during execution and, as a result, the application program requesting compilation of intermediate language instructions by a JIT compiler operating in the kernel-mode level of operation, the request including passing the at least one pointer to intermediate language code to a kernel mode security component operating in the kernel-mode level of operation;
an act of the kernel-mode security component receiving the request from the application program to compile intermediate language instructions, including receiving the at least one pointer to intermediate language code;
an act of the kernel-mode security component validating that the request is appropriate, and as a result of determining that the request is appropriate, an act of the kernel-mode security component passing one or more sets of intermediate language instructions stored within the kernel-mode address space and corresponding to the at least one pointer to intermediate language code to the kernel-mode JIT compiler, the kernel-mode JIT compiler executing with read/write permissions with respect to the shared memory heap as enforced by the one or more kernel-mode components;
an act of the kernel-mode JIT compiler compiling the one or more sets of intermediate language instructions into newly compiled code, wherein the kernel mode JIT compiler executes within one or more type-safety restraints so that the kernel-mode JIT compiler honors the type-safety restraints itself while compiling the one or more sets of intermediate language instructions, but accepts and compiles the one or more sets of intermediate language instructions without checking for type-safety and while compiling at least one set of intermediate language instructions that are not type safe;
an act of the kernel-mode JIT compiler passing the newly compiled code to the shared memory heap;
an act of the application program retrieving the newly compiled code from the shared memory heap; and
an act of the application program executing the newly compiled code in the user-mode level of operation.
9. The method as recited in claim 1, wherein the one or more type-safety restraints comprise: a casting check, an array boundary check, a union check, a type stack overflow check, or a type stack underflow check.
10. The method as recited in claim 1, wherein the JIT compiler honouring the type safety restraints comprises performing a type stack simulation and detecting whether the type stack simulation deviates from input to the JIT compiler.
11. A computer system, comprising: at least one processing device; a memory; and one or more computer program storage products having computer executable instructions stored thereon that, when executed, cause the at least one processing device to perform a method for sandboxing the execution of untrusted program code that is called by the one or more application programs within a user-mode address space of a memory by compiling the untrusted program code with the JIT compiler in a kernel-mode address space of the memory and subsequently executing the compiled untrusted program code in the user-mode address space of the memory in a manner that does not threaten or otherwise compromise system security, comprising acts of:
    maintaining a memory page table with one or more kernel-mode components, the memory page table mapping a plurality of memory locations with a plurality of address spaces, along with access permissions for each address space with respect to access to each memory location, including:
        mapping a first memory location corresponding to a shared memory heap with the kernel-mode address space and a lower privilege user-mode address space, and defining (i) read/write permissions with respect to the shared memory heap for the kernel-mode address space and (ii) read/execute permissions with respect to the shared memory heap for the user-mode address space; and
        mapping a second memory location corresponding to an execution location in which an application program is loaded for execution with the kernel-mode address space and the user-mode address space, and defining (i) read/write permissions with respect to the execution location for the kernel-mode address space and (ii) read only permissions with respect to the execution location for the user-mode address space;
    executing the application program in a user-mode level of operation and in the user-mode address space, the application program having read/execute permissions with respect to the shared memory heap as defined by the memory page table, the application program comprising both compiled code as well as at least one pointer to intermediate language code stored in the kernel-mode address space and which needs further compilation before execution, the intermediate language code accessible only from within the kernel-mode address space;
    the application program encountering the at least one pointer to intermediate language code during execution and, as a result, the application program requesting compilation of intermediate language instructions by a JIT compiler, the request including passing the at least one pointer to intermediate language code to a security component;
    switching to a kernel-mode level of operation in the kernel-mode address space subsequent to the application program requesting compilation of intermediate language instructions;
    a security component, which is operating in the kernel-mode level of operation and in the kernel-mode address space, receiving the request from the application program to compile intermediate language instructions, including receiving the at least one pointer to intermediate language code, and in response:
        the security component verifying that the request is appropriate; and
        the security component passing one or more sets of intermediate language instructions stored within the kernel-mode address space and corresponding to the at least one pointer to intermediate language code to the JIT compiler;
    the JIT compiler, which is operating in the kernel-mode level of operation and in the kernel-mode address space with read/write permissions with respect to the shared memory heap as defined by the memory page table, compiling the one or more sets of intermediate language instructions into newly compiled code, wherein the JIT compiler executes within one or more type-safety restraints so that the JIT compiler honors the type-safety restraints itself while compiling the one or more sets of intermediate language instructions, but accepts and compiles the one or more sets of intermediate language instructions without checking for type-safety and while compiling at least one set of intermediate instructions that are not type safe;
    the JIT compiler passing the newly compiled code to the shared memory heap;
    switching to the user-mode level of operation in the user-mode address space subsequent to the JIT compiler passing the newly compiled code to the shared memory heap;
    the application program retrieving the newly compiled code from the shared memory heap; and
    the application program executing the newly compiled code with user-mode permissions and in the user-mode address space.
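The acts of claim 11 modelled in code, as an added example that is not part of the patent: the page table holds per-address-space permission sets for the shared heap and the execution location, a compile request carries only a pointer across the user/kernel boundary, the security component rejects pointers that do not name kernel-resident intermediate language, and the toy JIT writes through the kernel-mode view while the application may only read/execute the heap. The names Sandbox, PageTable and the "il:" pointer strings are assumed.

```python
KERNEL, USER = "kernel-mode", "user-mode"

class PageTable:
    # location -> {address space -> permission set}, as in the claim
    def __init__(self):
        self.entries = {}
    def map_location(self, location, space, perms):
        self.entries.setdefault(location, {})[space] = frozenset(perms)
    def check(self, location, space, op):
        if op not in self.entries.get(location, {}).get(space, ()):
            raise PermissionError(f"{space} may not {op} {location}")

class Sandbox:
    def __init__(self, il_store):
        self.page_table = PageTable()
        # shared heap: kernel read/write, user read/execute
        self.page_table.map_location("heap", KERNEL, {"read", "write"})
        self.page_table.map_location("heap", USER, {"read", "execute"})
        # execution location of the loaded program: kernel read/write, user read only
        self.page_table.map_location("exec", KERNEL, {"read", "write"})
        self.page_table.map_location("exec", USER, {"read"})
        self.il_store = il_store   # IL is reachable only from kernel-mode space
        self.heap = {}             # compiled code, keyed by IL pointer
        self.mode = USER

    def request_compile(self, il_ptr):
        # user-mode side: only a pointer crosses the boundary
        self.mode = KERNEL                    # switch to kernel-mode operation
        try:
            self._security_component(il_ptr)
        finally:
            self.mode = USER                  # switch back before execution
        return self.execute(il_ptr)

    def _security_component(self, il_ptr):
        if il_ptr not in self.il_store:       # pointer must name kernel-held IL
            raise ValueError(f"rejected compile request for {il_ptr!r}")
        native = self._jit(self.il_store[il_ptr])
        self.page_table.check("heap", self.mode, "write")   # kernel view: allowed
        self.heap[il_ptr] = native

    @staticmethod
    def _jit(il):
        # toy compiler: no type-safety check of the IL, as the claim states
        return tuple(f"native:{op}" for op in il)

    def execute(self, ptr):
        self.page_table.check("heap", self.mode, "execute")
        return self.heap[ptr]
```

A user-mode write to the heap is refused by the same page table (`sb.page_table.check("heap", USER, "write")` raises PermissionError), which is what keeps the application from planting its own "compiled" code.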
12. The computer system of claim 11, wherein the application program comprises part of a video game application.
13. The method as recited in claim 1, wherein the act of the security component validating that the request is appropriate comprises reviewing the request for application instructions that could be used to compromise system security.
14. The method as recited in claim 1, further comprising an act of the security component using the memory page table to correlate the user-mode address space with the address space for JIT compiler output.
15. The method as recited in claim 1, wherein executing the newly compiled code in the user-mode address space comprises executing the at least one set of intermediate language instructions that are not type safe, and wherein executing the at least one set of intermediate language instructions that are not type safe within the user-mode address space protects system security.
16. A method for sandboxing the execution of untrusted program code that is called by one or more application programs, substantially as hereinbefore described with reference to the accompanying figures.
17. A computer program storage product having computer executable instructions stored thereon that, when executed, cause one or more processors to perform a method for sandboxing the execution of untrusted program code that is called by one or more application programs, substantially as hereinbefore described with reference to the accompanying figures.
18. A computer system, substantially as hereinbefore described with reference to the accompanying figures.
AU2011239288A 2006-11-28 2011-10-24 Compiling executable code into a less-trusted address space Withdrawn AU2011239288A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
US11/564,249 2006-11-28
AU2011239288A AU2011239288A1 (en) 2006-11-28 2011-10-24 Compiling executable code into a less-trusted address space

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
AU2011239288A AU2011239288A1 (en) 2006-11-28 2011-10-24 Compiling executable code into a less-trusted address space

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
AU2007325237A Division AU2007325237B2 (en) 2006-11-28 2007-11-27 Compiling executable code into a less-trusted address space

Publications (1)

Publication Number Publication Date
AU2011239288A1 true AU2011239288A1 (en) 2011-11-17

Family

ID=45465428

Family Applications (1)

Application Number Title Priority Date Filing Date
AU2011239288A Withdrawn AU2011239288A1 (en) 2006-11-28 2011-10-24 Compiling executable code into a less-trusted address space

Country Status (1)

Country Link
AU (1) AU2011239288A1 (en)

Similar Documents

Publication Publication Date Title
AU2007325237B2 (en) Compiling executable code into a less-trusted address space
JP6248153B2 (en) Activate trust level
JP5420734B2 (en) Software system with controlled access to objects
AU2012352754B2 (en) Facilitating system service request interactions for hardware-protected applications
AU2012200181B2 (en) System and method for supporting JIT in a secure system with randomly allocated memory ranges
US8443188B2 (en) Using code access security for runtime accessibility checks
US20050172133A1 (en) Cross assembly call interception
RU2584507C1 (en) Method of providing safe execution of script file
US7076557B1 (en) Applying a permission grant set to a call stack during runtime
US9516032B2 (en) Methods and systems for using derived user accounts
US20190050558A1 (en) System, method and apparatus for automatic program compartmentalization
US8321668B2 (en) Control of data access by dynamically verifying legal references
US10656885B2 (en) Using object flow integrity to improve software security
AU2011239288A1 (en) Compiling executable code into a less-trusted address space
Bouffard et al. Hardening a Java Card Virtual Machine Implementation with the MPU
Bijlani et al. A lightweight and fine-grained file system sandboxing framework
Yang et al. Lbac web: a lattice-based access control model for mobile thin client based on web oses
US8011008B2 (en) Application security model
Cude Wayless: a Capability-Based Microkernel
AU2013202876B2 (en) System and method for supporting JIT in a secure system with randomly allocated memory ranges
Zhu et al. The Formal Functional Specification of DeltaUNITY: An Industrial Software Engineering Practice
Lu Java Mobile Code Dynamic Verification by Bytecode Modification

Legal Events

Date Code Title Description
MK12 Application lapsed section 141(1)/reg 8.3(2) - applicant filed a written notice of withdrawal