US20160196426A1 - Ultra-low cost sandboxing for application appliances - Google Patents

Ultra-low cost sandboxing for application appliances Download PDF

Info

Publication number
US20160196426A1
US20160196426A1 US15/071,101 US201615071101A US2016196426A1 US 20160196426 A1 US20160196426 A1 US 20160196426A1 US 201615071101 A US201615071101 A US 201615071101A US 2016196426 A1 US2016196426 A1 US 2016196426A1
Authority
US
United States
Prior art keywords
os
application
isolated
services
system
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
US15/071,101
Inventor
Galen C. Hunt
Donald Porter
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Microsoft Technology Licensing LLC
Original Assignee
Microsoft Technology Licensing LLC
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority to US12/834,895 priority Critical patent/US9323921B2/en
Application filed by Microsoft Technology Licensing LLC filed Critical Microsoft Technology Licensing LLC
Priority to US15/071,101 priority patent/US20160196426A1/en
Assigned to MICROSOFT CORPORATION reassignment MICROSOFT CORPORATION ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: PORTER, DANIEL, HUNT, GALEN C.
Assigned to MICROSOFT CORPORATION reassignment MICROSOFT CORPORATION ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: PORTER, DANIEL, HUNT, GALEN C.
Assigned to MICROSOFT TECHNOLOGY LICENSING, LLC reassignment MICROSOFT TECHNOLOGY LICENSING, LLC ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: MICROSOFT CORPORATION
Publication of US20160196426A1 publication Critical patent/US20160196426A1/en
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine

Abstract

The disclosed architecture facilitates the sandboxing of applications by taking core operating system components that normally run in the operating system kernel or otherwise outside the application process and on which a sandboxed application depends on to run, and converting these core operating components to run within the application process. The architecture takes the abstractions already provided by the host operating system and converts these abstractions for use by the sandbox environment. More specifically, new operating system APIs (application program interfaces) are created that include only the basic computation services, thus, separating the basic services from rich application APIs. The code providing the rich application APIs is copied out of the operating system and into the application environment—the application process.

Description

    BACKGROUND
  • Sandboxing is a security technique for isolating the execution of untested code and untrusted applications. The best prior sandboxing solutions used virtual machines to isolate one application from the rest of the applications on a system. With the application isolated in a virtual machine, the isolated application cannot compromise the state of the system or other applications. The isolated application can also be migrated from one computer to another computer by carrying the entire virtual machine container (both memory and storage). Finally, vendors can create application appliances by bundling an application and the required operating system components into a virtual machine that is distributed to customers.
  • Users seldom use isolated virtual machines for security in practice because the machines are too expensive in terms of computer resources because the virtual machines emulate low-level hardware interfaces, thus forcing the isolation container to contain a complete operating system. Furthermore, in common use, only the largest applications (such as server applications) are distributed in virtual machines, again, because the storage resource overheads of including a complete separate copy of the operating system are too high to justify for all but the largest applications.
  • Additionally, memory overhead for virtual machines is high because each virtual machine runs a complete (or nearly complete) operating system to abstract virtual hardware (within the virtual machine) to provide the type of environment expect by an application. For example, a standard application expects to run on the abstraction of virtual memory. However, a virtual machine typically provides an abstraction of physical memory with page tables, the mechanisms used by an operating system to create virtual memory. Likewise, an application expects to access a file system, whereas a virtual machine only provides the abstraction of disk blocks. Finally, where an application expects the abstraction of threads of execution, a virtual machine provides instead the hardware abstractions of processors, timers, and interrupts, out of which an operating system creates the abstraction of threads.
  • SUMMARY
  • The following presents a simplified summary in order to provide a basic understanding of some novel embodiments described herein. This summary is not an extensive overview, and it is not intended to identify key/critical elements or to delineate the scope thereof. Its sole purpose is to present some concepts in a simplified form as a prelude to the more detailed description that is presented later.
  • The disclosed architecture facilitates the sandboxing of applications by taking core operating system components that normally run outside the application process, and on which the application process depends on to run, and converting these core operating components to run within the application process. To reduce overheads, the architecture takes basic computing services already provided by the host operating system, such as virtual memory and threads, and safely isolates these abstractions for use by the sandbox environment.
  • More specifically, new operating system APIs (application program interfaces) are created that include only basic computation services, thus, separating the basic computation services from rich application APIs. The code providing the rich application APIs is moved out of the operating system and into the application isolation environment—the application process (or can be run external to the application process).
  • For example, in a Windows™ implementation, the entire Win32 subsystem and the relevant portions of the system registry are copied into the application sandbox so that the sandboxed application runs its own copy of the Win32 subsystem. Since the Win32 subsystem now provides services to only a single application, the Win32 subsystem need not be protected with security checks or other mechanisms, such as placing the Win32 subsystem in its own operating system process, from the application. Rather, the Win32 subsystem can be run in the same process as the application, further reducing the overheads of providing an isolated environment.
  • To accomplish this, a remote user I/O server is included in the application process as well. The operating system components, which would normally rely on device drivers to communicate to hardware such as display, keyboard, and mouse, instead use a remote user I/O server, to communicate with remote user I/O devices thereby creating an application appliance. By including all of the external operating system components with the application the standard system call interface can be disabled at the bottom of a process with an ultra-small operating system interface that provides only local compute capability.
  • To the accomplishment of the foregoing and related ends, certain illustrative aspects are described herein in connection with the following description and the annexed drawings. These aspects are indicative of the various ways in which the principles disclosed herein can be practiced and all aspects and equivalents thereof are intended to be within the scope of the claimed subject matter. Other advantages and novel features will become apparent from the following detailed description when considered in conjunction with the drawings.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • FIG. 1 illustrates a secure application execution system in accordance with the disclosed architecture.
  • FIG. 2 illustrates a secure application execution system that utilizes an isolation monitor for communications between the isolated application and the operating system.
  • FIG. 3 illustrates future proofing in which an isolated application runs on either a first operating system or a second operating system.
  • FIG. 4 illustrates future proofing in which a first isolated application written to run on a first operating system and a second isolated application written to run on a second operating system both run on the same operating system.
  • FIG. 5 illustrates a method of creating a secure application execution system in accordance with the disclosed architecture.
  • FIG. 6 illustrates further aspects of the method of FIG. 5.
  • FIG. 7 illustrates a method of factoring operating system code into components to be used in an application appliance environment.
  • FIG. 8 illustrates a block diagram of a computing system that executes application sandboxing in accordance with the disclosed architecture.
  • DETAILED DESCRIPTION
  • Operating systems (OSs) mix basic primitives of computation, such as threads, virtual memory, and file access, with rich APIs (application program interfaces) such as application configuration management, GUI (graphical user interface) services (e.g., the display of windows and direction of keyboard and mouse input to specific windows), and user interfaces components. It is the rich APIs that are desired to be isolated to provide a sandboxed application environment. The disclosed architecture takes the abstractions provided by the host operating system and converts (refactors) these abstractions for use in and by the sandbox environment. Basic APIs are refactored to expose only isolated computation abstractions to code in the sandbox environment. Rich APIs are refactored to run as user-space libraries isolated within the sandbox environment.
  • As applied to Microsoft Windows™ OSs, the disclosed architecture refactors a Windows OS and moves much of the functionality required by real applications out of the OS kernel and into user-space libraries. This includes, for example, the complete set of Windows GUI services and the registry—complex components with wide interfaces that traditional Windows implements as shared kernel services. This dramatically reduces the size of the architecture's system-call interface. Behind this narrow interface is a simple and robust TCB (trusted computing base) implementation.
  • Running applications according to the architecture provides at least the following benefits: isolation—by moving most of OS functionality out of the TCB, processes are much more robustly isolated than in the OS; migration—removing process' reliance on shared kernel state also allows process images to be easily moved from machine to machine; and, future proofing—each application can incorporate whatever version of the OS libraries it was written against. As the OS evolves, newer applications can be written against new features and use newer libraries on the same machine. This also supports legacy applications.
  • This isolation of program state enables the user to start a program and then move the program's running memory image from one device to another, such as from a desktop computer to a laptop computer, from a laptop computer to a mobile phone, from a mobile phone to a server in the cloud, etc. The significant reduction in resources and overhead provided by the disclosed architecture now makes it possible to sandbox every application.
  • When applied specifically to a Windows™ operating system environment, the rich operating system components on which the sandboxed application depends are converted to run within the application process. For the Windows implementation, a remote user I/O service is implemented using the remote desktop protocol (RDP) running within the application process as well. The operating system components, which normally rely on device drivers to communicate to hardware such as display, keyboard, and mouse, instead use the RDP server code, thus creating an application appliance. By including all of the external operating system components with the application the standard system call interface can be disabled at the bottom of a process with an ultra-small OS interface that provides only isolated basic compute capability.
  • Reference is now made to the drawings, wherein like reference numerals are used to refer to like elements throughout. In the following description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding thereof. It may be evident, however, that the novel embodiments can be practiced without these specific details. In other instances, well known structures and devices are shown in block diagram form in order to facilitate a description thereof. The intention is to cover all modifications, equivalents, and alternatives falling within the spirit and scope of the claimed subject matter.
  • FIG. 1 illustrates a secure application execution system 100 in accordance with the disclosed architecture. The system 100 includes an isolation container 102 in which an isolated application 104 (denoted Isolated App) runs in isolation from a non-isolated application 106 (denoted NON-ISO App). The isolated application 104 and non-isolated application 106 both run in association with a single operating system (OS) 108. Isolated OS subsystems 110 (denoted Isolated OS subsystems) of the isolation container 102 provide services to the isolated application 104, and non-isolated OS subsystems 112 (denoted NON-ISO OS subsystems) of the OS 108 provide services to the non-isolated application 106. The isolated OS subsystems 110 and non-isolated OS subsystems 112 provide equivalent services to the corresponding isolated application 104 and non-isolated application 106.
  • The OS 108 includes hardware abstractions 114 available for both the isolated and non-isolated applications (104 and 106). Additionally, the OS 108 includes an isolation monitor 116 that provides the interface for services from the OS 108 to the isolation container 102. The separation of state related to the isolated application 104 from the state related to the non-isolated application 106 is represented by the black bar that extends between the isolated application 104 and the non-isolated application 106, and down into the OS 108 between the isolation monitor 116 and the non-isolated OS subsystem 112. The system 100 can also include in the isolation container 102 isolated application libraries 118 (denoted Isolated APP Libraries) for the isolated application 104, and non-isolated application libraries 120 (denoted NON-ISO APP Libraries) for the non-isolated application 106. The libraries (118 and 120) expose the services of the OS subsystems (110 and 112) to the respective applications (102 and 104).
  • The isolation container 102 may also contain a remote user I/O server 122 which increases the similarity between the isolated OS subsystems 110 and the non-isolated OS subsystems 112 by providing emulations of certain hardware components, such as video displays, keyboards, and mice.
  • Note that as illustrated, the isolated OS subsystem 110 and remote user I/O server 122 are external to the isolated application 104; however, it is to be understood that, alternatively, the isolated OS subsystem 110 and remote user I/O server 122 can be part of the isolated application 104.
  • Note that as illustrated, the isolation monitor 116 is a distinct, separate component from the other portions of the OS 108; however, it is to be understood that, alternatively, the isolation monitor 116 functionality can be implemented by modifying the other portions of the OS 108 to enable running of the isolating functions of the isolation monitor 116 for the isolated application 104 in addition to running non-isolated functions for the non-isolated application 106.
  • The equivalent services may include application configuration management services, GUI services, printer services, and/or audio services, for example. The equivalent services are exposed to the isolated application 104 and non-isolated application 106 accessed either directly or through user-space libraries (118 and 120). The libraries (118 and 120) are compatible with different versioned isolated and non-isolated applications (104 and 106). The operating system 108 further includes hardware abstraction components 114 available for both the isolated and non-isolated applications (104 and 106). The operating system 108 includes the isolation monitor 116 which employs a collection of rules that map the approval or denial of requests to access resources to an application manifest.
  • The isolated application 104 and the non-isolated application 106 use basic computation services provided by the OS. The basic computation services include one or more of virtual memory management, thread creation, and thread synchronization.
  • The manifest defines which resources are optionally available and which resources are available and required for correct execution of the application. The code within the isolation container 102—including the isolated application 104, the isolated application libraries 118, the isolated OS subsystems 110, and the remote user I/O server 122—interfaces to the kernel of the operating system 108 through the isolation monitor 116. The contents of the isolation container 102 may be migrated to a different computing environment by reproducing the address space on the different computing environment and then recreating the threads and other resource handles on the different computing environment using descriptions of those threads and resource handles saved in the address space of the isolation container 102. In other words, the isolated application can be migrated to a second computing environment by copying the address space of the isolation container or by reading the address space of the isolation container, which isolation container is in a first computing environment.
  • FIG. 2 illustrates in more detail the flow of communication through the isolation monitor 116 between the isolation container 102 (also called a sandbox environment) and the operating system 108 and external services such as the display and user I/O client 204. The isolated application 104, the isolated application libraries 118, the isolated OS subsystems 110, and the remote user I/O server 122 can all request services through the isolation monitor 116. Services are presented in at least two forms. Services on private virtual memory, threads, private files, and messages to remote services are presented as system calls by the isolation monitor 116 and executed through basic computation services 206 within the kernel. Other services, such as secured access to the video display and other user I/O devices including keyboard and mouse, are executed in a display and user I/O client 204 accessed using network protocols transported through communication pipes connected by the isolation monitor 116. This is described in greater detail infra.
  • The isolation monitor 116 defines new OS APIs that include just the basic computation services, thus separating the basic primitives from rich application APIs. Then, the code that provides the rich application APIs is copied out of the operating system, from the non-isolated OS subsystems 112 (of FIG. 1), and into the application process (or sandbox environment) to the isolated OS subsystems 110. For example, in a Windows implementation, the entire Win32 subsystem (e.g., Win32 , COM, shell, printing, etc.) is copied into the application sandbox so that each application runs its own copy of the Win32 subsystem. In a Linux (or Apple™ operating system) implementation, for example, the subsystem can include X-Windows, display postscript, printing (e.g., common Unix printing system) and audio (e.g., advanced Linux sound architecture). (Although described in great detail with respect to Windows, as indicated above the disclosed architecture applies to other operating systems implementations as well.)
  • Since the Win32 subsystem now provides services to only a single application, the subsystem need not be protected with security checks or other mechanisms, such as placing it in another operating system process, from the application. Instead, the Win32 subsystem can be run in the same process as the application. The minimal computation interface required for the sandboxed environment is shown below.
  • The technique uses a remote user I/O server (e.g., server 122) within the application appliance to provide a device driver interface to the Win32 subsystem, but then communicates (through a local communication channel) to the user interface services on the host OS via the display and user I/O client 204. Application compatibility is preserved by reproducing the functionality that Windows provides in the operating system 108 (primarily from the non-isolated OS subsystems 112) as components in the user-mode (as the isolated OS subsystems 110), in the isolated process.
  • Continuing with the context of a Windows operating system, these components (the isolated application libraries 118 which provide OS API components of FIG. 1 and FIG. 2) can include, but are not limited to, the Win OS API module (e.g., which includes kernel132.dll, user32.dll, gdi32.dll ), the “New Technology” NT API module (e.g., ntdll.dll ), RDP display interface (e.g., rdpvdd.dll), and an interface to the isolation monitor 116 for services and other processes outside the isolated environment. Note that the equivalent services mentioned above are a subset of the services that can be employed in the OS subsystem.
  • The disclosed architecture utilizes an isolation-optimized interface by providing at least virtual memory management, file access, thread creation, pipes, system time, and cryptographically strong random bits. These basic computation services are a sufficient kernel substrate upon which to implement higher-level process services as libraries, such as a registry for configuration management, thread worker factories, and more sophisticated thread synchronization operations. Isolation is enforced by a combination of virtual memory hardware and a highly restricted kernel API exposed by the isolation monitor 116. Communication is allowed only through pipes. Pipes may not be configured at runtime; instead, the pipes are declared in the application manifest that specifies the requisite files and pipes to other applications or system services (such as the desktop display).
  • The architecture application binary interface (ABI) exports the following abstractions (and each minimizes the OS state stored on behalf of the application, facilitating user-space process migration and future proofing).
  • File handles. Memory-mapped files are provided by which applications map in read-only text and data sections. Processes do not communicate through the file system. Following the principle of minimal OS state, the file handles have no cursor; sequential read( ) operations are managed by emulation in an isolation application library instead. Conceptually, file mapping can be implemented with a single map system call. Since Windows programs first open a file and then map it, file handles are provided to connect open to map without breaking error handling code in applications.
  • Pipes. Inter-process communication (IPC) and blocking synchronization are accomplished with ordered, reliable, message-based pipes, equivalent to PF UNIX-domain SOCK DGRAM pipes. When multiple threads attempt to read the same pipe concurrently, each message is delivered to a single reader. A DkPipeSelect( ) call is provided that returns when data is available. This is similar to the Posix (portable OS interface for Unix) convention, in which select and poll return when data is available. Standard Windows pipes have the convention that WaitForMultipleObjects( ) returns after data has been read, possibly on multiple channels. The return-on-read semantics makes simulating many NT™ (new technology) kernel functions needlessly complicated; therefore, return-on-available semantics are provided. Applications specify pipes to other applications or to the user interface, in the application manifest.
  • Threads and processes. ABIs are provided for thread creation and process creation. Creating a process is more than just creating a thread in a new address space; the kernel also evaluates a new manifest and creates new pipe and file relationships. As part of process creation, the parent may request a pipe to the child. To maintain isolation, a process or thread may only terminate itself; there is no ABI to terminate, change the memory mapping of, or otherwise change the state of a separate process or thread.
  • GUI access. A feature for enabling a narrow isolation boundary is the use of a minimal pixel-blitting interface. Conventional GUI (graphical user interface) APIs such as in Windows and X11 expose a variety of abstractions, for example, windows, widgets, fonts, menus, events, callbacks, and much more. In contrast, the disclosed architecture moves all of the rendering and event loop functionality into the application itself, exposing only simple pixel-blit access to the trusted display, and a one-way flow of low-level keyboard and mouse input messages.
  • RDP background. The remote user I/O server 122 and the display and user I/O client 204 exchange messages using the remote desktop protocol (RDP), a protocol designed to achieve bandwidth-efficient remote display access. Its application-side component is a video driver and frame buffer that absorbs the output of the rich GUI framework above it. RDP harvests pixmaps (pixel maps) off the frame buffer and transmits the pixmaps to the display component. Mouse click and keystroke events from the display component are sent to the application component and injected into the GUI framework as if from local devices. RDP encapsulates the complexity of the GUI framework on one side of the channel, exposing only a conceptually simple pixel-blitting interface.
  • RDP exploits this interface simplicity to insert a variety of compression and coding techniques, and even profile-driven adaptive meta-protocols. This is a simple display-side code base, and a simple protocol amenable to sanitization. Essentially, RDP minus compression is a simple blit interface; the work of converting the GUI API to pixels on the application side and the work of blitting pixels on the display side has been done.
  • The previous application-side implementation of RDP is a kernel-mode display driver: it provides a frame buffer target for the output of the lowest layers of the Windows GUI stack, identifies changed pixels, and ships buckets of pixels to the display side. The architecture, in repackaging the kernel-side layers of the Windows GUI stack as in-process application libraries, also links in the application-side components of RDP in the remote user I/O server 122.
  • The display-side component, the user I/O client 204, retains the task of asking the hardware abstracting components 114, such as the display, to render the pixels received from the application-side implementation of RDP in the remote user I/O server 122. The architecture uses the existing Windows-based RDP client implementation, stripped down to remove unneeded compression modules to maximize robustness.
  • A benefit of the blit-based approach, realized by the RDP protocol, is that it is stateless, isolated, and gracefully handles disconnection. This property is utilized to transparently decouple application logic from the user interface, which simplifies the task of process migration. Rather than serializing and migrating complex kernel data structures, these data structures travel in-place in the application's memory image, where the structures were created by the isolated OS subsystems 110.
  • With respect to refactoring Windows, the architecture moves code out of the kernel or re-implements services in user-level libraries. The kernel portion of the Windows subsystem (win32k) is ported from kernel modules to a user-level dynamically-linked library. A portion of the NT kernel API is also re-implemented in a user library on top of the application subsystem kernel API.
  • Following is background about the Windows OS. In a Windows system, an application and its libraries occupy a process along with system-supplied user-mode libraries that provide interfaces to the core system services (ntdll, similar to the Unix libc) and to the graphical user interface (user32 and gdi32, the equivalent of Unix l ibX11 and higher-level libraries such as libgtk). The NT kernel implements the core of a monolithic operating system: resource management, scheduling, device drivers, file system, and the registry, a key-value store for configuration data. The Windows subsystem (win32k) provides the analogue of an X server, a print server (e.g., the Common Unix Printing System), and audio support (e.g., Advanced Linux Sound Architecture).
  • There are two system daemons in Windows: csrss and wininit. Csrss (the Client/ServerRuntime SubSystem) is the first user mode process started during boot, the analogue of the Unix init daemon. Csrss' system initialization duties also include preloading kernel caches with public data to be shared among all processes, such as the default fonts, internationalization tables, and cursors. The wininit daemon launches the components of the user's desktop upon login, the analogue of gnome—session. Each new process contacts csrss, which establishes a shared-memory segment between the shared process and win32k used to save kernel-crossings for read-only GUI operations.
  • The disclosed architecture preserves application compatibility by reproducing the functionality Windows provides in the kernel as components of the user-mode, isolated process. The kernel GUI components, including both the general win32k library and the video driver implemented by the RDP server, are moved directly into the subsystem process (the former is part of the isolated OS subsystems 110 and the latter is the remote user I/O server 122). The ntdll interface library is preserved, but rather than calling into the kernel, it now calls an NT . shim library, an implementation that simulates the kernel features expected by most applications (part of the isolated OS subsystems 110).
  • The isolated process user interface is exposed to the real world via an RDP display client (the user I/O client 204) which accesses the Windows kernel through conventional APIs. In other words, the user I/O client 204 is a non-isolated application 106, which uses the non-isolated OS subsystems 112.
  • With respect to isolation, a well-isolated process is a useful mechanism. This is exploited by introducing policies in the form of the application firewall. Users specify simple, coarse rules that either protect sensitive data and applications (“allow only these two applications to touch this financial data”) or rules that confine untrusted applications (“disallow this downloaded game from touching any of my data”). A collection of such rules forms an application firewall. The rules map to approving or denying application manifest requests.
  • Applications specify requirements for external resources and communication pipes with the application manifest. The application manifest specifies which resources are required and which are optional; if an optional pipe is not available, the application loses non-critical functionality. An application's manifest requests a set of IPC pipes. For each pipe, the manifest gives the external name of the pipe, an internal identifier, and a flag indicating which pipes can tolerate disconnection for migration.
  • Since all inter-process communication goes through declared pipes, an application firewall can impose information flow rules, ruling out particular pipes, or specifying ALLOW or DENY lists of applications that may connect to a given pipe endpoint. The application firewall can be configured by the user during application installation.
  • In one implementation, each application (e.g., isolated application 104) is distributed with all of its requisite files, including supporting libraries, fonts, and internationalization tables. In an alternative implementation, an application's manifest may also specify access to “My Music” or “My Documents”, which the user's firewall may approve or deny.
  • FIG. 3 illustrates future proofing in which the isolated application 104 which runs in a first secure application execution system 300 can also be run in a second secure application execution system 301. As previously described in FIG. 1, the first secure application execution system 300 includes the first operation system 108 with the isolation monitor 116 (denoted here as a first application monitor). The second secure application execution system 301 includes a second operating system 308 with a second isolation monitor 316. The basic computation services exposed by the second isolation monitor 316 are compatible with the basic computation services exposed by the first isolation monitor 116.
  • When run on the second operating system 308, the isolated application 104 is placed in a different isolation container 302 as is compatible and provided by the second OS 308, and isolated application 104 uses the exact same application code and the same code for the same isolated application libraries 118, isolated OS subsystems 110, and remote user I/O server 122. Providing compatibility between the first operating system 108 and the second operating system 308 is straightforward with the disclosed architecture, because the rich APIs that are often large in number and have complex semantics which are captured in the isolated OS subsystems 110. The isolated application 104 runs with the same rich APIs in the isolated OS subsystems 110 whether it runs on the first operating system 108 or the second operating system 308.
  • Note that the isolation containers (102 and 302) can both be run on the same computer or each on a different computer. Note also that the operating systems (108 and 308) can be the same type (e.g., Win XP) of operating system each run on a different computer, the same single operating system (OS 108 is the same operating system as OS 308) running on a single computer, different type of operating systems (e.g., Win XP versus Win 7) running on the same computer (e.g., via virtual machines, multi-boot configuration, etc.), and so on.
  • For example, using the described architecture, a newer Windows operating system (e.g., Windows 7™) can be made to run applications written for the Windows XP operating systems when those applications are combined in an isolation container with Windows XP isolated OS subsystems, and the Windows 7 operating system runs an isolation monitor that exposes a set of basic computation services compatible with the isolation monitor targeted by the Windows XP isolated OS systems.
  • Conversely, using the described architecture, the Windows XP operating system can run applications written for the Windows 7 operating system when those applications are combined in an isolation container with Windows 7 isolated OS subsystems and the Windows XP operating system runs an isolation monitor that exposes a set of basic computation services compatible with the isolation monitor targeted by the Windows 7 isolated OS subsystems.
  • In yet another implementation, an application (e.g., isolated application 104) that normally runs on a Vendor A operating system (OS 108) can be made to run on a Vendor B operating system (OS 308, which is different than the Vendor A operating system) by configuring an isolation monitor (the isolation monitor 316) of the Vendor B operating system to interface to the Vendor B operating system, and also interface to the isolated OS subsystem (isolated subsystem 110) that facilitates running of the application on the Vendor B operating system.
  • In a more specific example of the above generalization using Windows and Apple programs (but also applies to any mix of programs and operating systems), the isolated application 104 of the secure application execution system 300 (e.g., Windows application running on a Window operating system) is now desired to be run in the second secure application execution system 301 of an Apple operating system (a Windows application on an Apple operating system).
  • To make this work, the second isolation monitor 316 is designed to interface to the Apple OS (the second OS 308) and expose a set of basic computation services compatible with the Windows-based isolated OS subsystem 110 (as used in the first isolation container 102, but now also used in the second isolation container 302). Those skilled in the art will recognize that creating a compatible isolation monitor is relatively straightforward because of the small number and simple semantics of the basic computation services (e.g., in one implementation, the isolation monitor is fewer than 5,000 lines of C++ code). This is in contrast with the large number and complex semantics of the rich APIs in the isolated OS subsystems (e.g., one implementation of the Windows Win32 subsystem is over one million lines of C and C++ code).
  • Put another way, a secure application execution system is provided that comprises an isolation container in which an application for a first OS runs in isolation, the isolation container formed in association with a second OS, an isolated OS subsystem that runs in the isolation container in association with and interfaces to the application to provide rich functionality to the application, and an isolation monitor of the second OS that interfaces basic computation services of the second OS to the isolated OS subsystem to enable the application to run in isolation on the second OS. The basic computation services include at least one of virtual memory management, thread creation, or thread synchronization. The isolated application uses a corresponding remote user I/O server to communicate with a user I/O client outside the isolation container.
  • The rich functionality provided by the isolated OS subsystem includes at least one of a graphical user interface service, an application configuration management service, a printer service, or an audio service. The isolated application uses a corresponding remote user I/O server to communicate with a user I/O client outside the isolation container. The isolated application is migrated to a second computing environment by reading from some or all of an address space of the isolation container, which is in a first computing environment. The isolation monitor employs a collection of rules that map from an application manifest to approval or denial of resource requests, the manifest defines which resources outside the isolation container are available to the isolated application.
  • FIG. 4 illustrates future proofing system 400 in which the operating system 108 and the isolation monitor 116 can run the first isolated application 104 with the first set of isolated OS subsystems 110 and can run a second isolated application 404 with a second set of isolated OS subsystems 410, and both isolated OS subsystems (110 and 410) use basic computation services exposed through the same isolation monitor 116. The set of rich APIs exposed by the first set of isolated OS subsystems 110 differs in number or semantics from the second set of isolated OS subsystems 410. The second isolated application 404 is run in a second isolation container 402 that includes the second isolated application 404, a set of second isolated application libraries 418, the second set of isolated OS subsystems 410, and a second remote user I/O server 422.
  • If the second set of OS subsystems 410 provides sufficient compatibility with the first set of OS subsystems 110, the second remote user I/O server 422 may be the same as the first remote user I/O server 122. Likewise, the second isolated application libraries 418 may be the same as the first isolated application libraries 118. Still further, the second isolated application 404 may be the same as the first isolated application 104.
  • For example, a Windows 7 operating system can be made to run applications written for the Windows XP, Windows Vista, or Windows 7 operating systems when those applications are combined in associated isolation containers with Windows XP, Windows Vista™, or Windows 7 isolated OS subsystems, respectively, and the Windows 7 operating runs an isolation monitor compatible with the isolation monitors targeted by the Windows XP isolated OS subsystems, the Windows Vista isolated OS subsystems, or the Windows 7 isolated OS subsystems. Those skilled in the art will recognize that the modifications made to make a first set of isolated OS subsystems, such as the Windows 7 isolated OS subsystems, run on an isolation monitor can be reused to make a second set of isolated OS subsystems, such as the Windows XP isolated OS subsystems, run on the same isolation monitor. This is the case because the basic computation services provided by an isolation monitor are not tailored to a specific isolated OS subsystem, but instead provide simple semantics general to many isolated OS subsystems.
  • Put another way, a secure application execution system is provided that comprises a first isolation container in which a first isolated application runs in isolation, and a second isolation container in which a second isolated application runs in isolation, the first isolated application and the second isolated application running in association with a single OS. The system further includes a first isolated OS subsystem of the first isolation container that provides services to the first isolated application, a second isolated OS subsystem of the second isolation container that provides services to the second isolated application, and an isolation monitor via which basic computation services are provided to each of the first isolated OS subsystem and the second isolated OS subsystem. The basic computation services include virtual memory management, threads creation, and thread synchronization.
  • The rich functionality includes at least one of the isolated OS subsystems, the isolated OS subsystems comprise at least one of a graphical user interface service, an application configuration management service, a printer service, or an audio service. At least one of the first isolated application or the second isolated application uses a corresponding remote user I/O server to communicate with a user I/O client outside of a corresponding isolation container. The first isolated application uses a first corresponding remote user I/O server and the second isolated application uses a second corresponding remote user I/O server, and the first corresponding remote user I/O server and the second corresponding remote user I/O server both communicate with a first user I/O client outside the isolation containers.
  • In yet another implementation, a secure application execution system is provided that comprises an isolated OS subsystem that runs in an isolation container and provides services to an isolated application equivalent to services provided by a non-isolated OS subsystem to an non-isolated application. The isolated OS subsystem receives basic computation services from an isolation monitor in an OS that provides similar basic computation services to the non-isolated OS subsystem. The basic computation services received include virtual memory management, thread creation, and thread synchronization. The equivalent services include at least one of GUI services, application configuration management services, printer services, or audio services.
  • With respect to process migration, the disclosed architecture uses a pipe disconnect able flag in the manifest to assess whether a process can be migrated. If every pipe from a process is either disconnectable, or the process on the other end can migrate along with the process, then the process may be migrated. By bundling the state and complexity of the GUI into the process itself, a large class of dependencies on the kernel that typically could make migration difficult, are eliminated and replaced with RDP's reconnectable protocol. Disruption by reconnections is tolerated, since many pipes will be to Internet services.
  • A challenge is plumbing isolated processes to the reference monitor, adapting the NT APIs, repackaging the win32k GUI library, replacing the registry, repackaging COM, and organizing the implementation to facilitate easy migration.
  • The architecture basic computation API is implemented inside of the isolation monitor 116 (called Dkmon in one implementation).
  • When Dkmon starts a new process, it creates a suspended Windows process, specifying the dkinit application loader as the binary. The Windows kernel then creates an address space, maps in dkinit and the system-wide ntdll library, and suspends execution at ntdll's entry point. ntdll is the analog of the Unix/lib/ld. so, but in Windows, the kernel installs a particular version of ntdll at the same virtual address in every process, and makes upcalls to functions at fixed offsets into the library. ntdll is modified to make calls. To that end, Dkmon maps DkNtdll into the new process' virtual memory, then patches the system-provided ntdll, overwriting its functions with jumps to DkNtdll; the system library is eviscerated to a jump table.
  • Dkmon writes a parameter block into the process, communicating initialization parameters such as the paths of the manifest and checkpoint file.
  • Dkmon resumes the suspended process, causing DkNtdll to set up initial library linkage, including the win32k library, and transfer control to dkinit. Dkinit invokes the loader (DkNtdll) dynamically to load the application and its imported libraries, and jumps to the application's entry point.
  • To avoid Time-Of-Check-To-Time-Of-Use concurrency vulnerabilities, Dkmon copies in system call arguments exactly once. By reducing the shared application state in the kernel, as well as enforcing coarse isolation policies, exposure to state inconsistency is minimized.
  • In order to provide binary compatibility with existing desktop applications, user space implementations of many NT kernel functions are provided in the isolated OS subsystems 110. In some cases, such as allocating virtual memory or opening a file, the NT function is a thin layer that calls the isolation monitor 116. In other cases, such as the synchronization mechanisms, the implementation can be more involved.
  • The NT kernel API exposes several blocking synchronization primitives with varying semantics, including events, mutants (mutexes), and semaphores. Basic features of these synchronization primitives can be implemented with non-blocking locks and user-level data structures. Functionally, synchronization in the user space using blocking semantics is facilitated by providing a wait queue inside the kernel when the user space lock is contended. The signaling mechanism is a pipe. When a process blocks on a synchronization handle, such as a mutant, the process blocks waiting for data to become available in a pipe associated with the event. When a process releases a mutant, the process writes a byte to the pipe and a blocked process is awakened and reads the byte. Only one process will read the byte, so only one process will acquire the mutant.
  • Several applications wait on one or more timer handles. Dkmon supplies only DkSystemTimeQuery and the ability to block on time via a timeout argument to DkPipeSelect. The application shim library uses DkSystemTimeQuery to normalize relative timeouts to absolute timeouts. The shim provides timer multiplexing by DkPipeSelecting on the earliest timeout among the application-specified handles.
  • A challenge in porting win32k from a kernel library to a user space DLL (dynamic linked library) is to reproduce its complicated, multi-process initialization sequence. First, the single, system-wide instance of the win32k module is initialized in kernel space. Second, a csrss-spawned user space process preloads win32k's caches with shared public objects such as fonts and bitmaps. To fetch an object into its cache, win32k makes upcalls to user32 and gdi32 DLLs, so the user-space process first loads those dlls before filling the cache. Third, when an ordinary user process starts, the process loads its own copies of user32 and gdi32, which connect to win32k and provide GUI service.
  • The architecture bootstrap first loads and initializes its copy of win32k, then loads user and gdi32 without calling the respective initializers, and then fills the win32k caches. Now win32k is completely initialized, so the bootstrap calls user32's and gdi32's real library initialization functions. Each DLL has been loaded by the standard loader, so at this point, the bootstrap can request the loader to load the user program, and the program's dependencies on user and gdi32 will be satisfied with the extant instances now bound to win32k.
  • The read-only shared-memory segment established by csrss is now established as a shared heap, since the two components that access it, win and user 32, share a protection domain. Synchronization code and shim code is provided to get win32k running in the user space.
  • Windows' kernel object manager manages a hierarchical namespace, mapping paths to drivers that implement the named objects (analogous to the vnodes that tie files, devices, and/proc together in Unix). The Windows registry is an object manager instance that provides a hierarchical key-value store. The disclosed architecture refactors the OS relationship to make applications self-contained. Thus, the NT shim supplies a registry implementation with no transactions and coarse locking. Each application has a private registry image generated by running the application in Windows. The instrumentation records the set of opened keys, snapshots the values in the Windows registry, and emits a registry image.
  • Refactoring the COM (component object model) subsystem follows the same basic pattern: application-side libraries expect to communicate with a separate server process. An instance of the server code is linked as isolated OS subsystems 110 library inside the process, and a thread is created to run it. The application-side library is linked directly to the server, cutting out the RPC (remote procedure call) stubs.
  • Migration can be implemented entirely in user space by tracking the layout of the address space, threads, and handles in user space. To checkpoint an application, the contents of the address space (including this bookkeeping) are written to a file. In order to initiate a checkpoint, the reference monitor writes a bit into the loader block. Each thread checks this bit before issuing a system call and periodically while waiting on input from a pipe. Each thread then checkpoints its register state and terminates without deleting its stack. The last thread to exit actually performs the copy of the address space into the file.
  • In order to resume from a checkpoint, the application performs basic loader initialization steps, then loads the checkpoint file. The resuming application then restores all anonymous (non-file backed) memory, followed by the private handles, and finally restores file mappings. Externally visible handles are loaded by the manifest as usual. The application then recreates the threads, forming thread execution blocks (TEB) to ensure thread identifiers match those in the checkpointed image. By moving process abstractions into the process itself, the architecture makes the migration task straightforward.
  • Again, with respect to inter-process communications, the application manifest specifies whether a channel can be broken; processes with unbreakable connections are migrated together. The disclosed architecture makes connections to hardware resources, such as the window manager, stateless and thereby supports disconnection and reconnection without loss of function, and allows independent migration of application logic and the graphical user interface.
  • In addition to migrating a process' address space and IPC connections, state stored inside the operating system is also migrated. The disclosed architecture migrates processes across disjoint operating systems with matching ABIs. This is made possible by making all inter-process communication channels explicit and minimizing OS state that needs to be tracked and restored, thereby enabling the migration of processes entirely at user-level.
  • A minimal exemplary computation interface utilized for the sandboxed environment is described as follows.
  • // Virtual Memory DKSTATUS DkVirtualMemoryAllocate(   inout PVOID *BaseAddress,   inout PSIZE_T RegionSize,   in ULONG AllocationType,   in ULONG Protect); DKSTATUS DkVirtualMemoryFree(   in PVOID BaseAddress,   in SIZE_T RegionSize,   in ULONG FreeType); DKSTATUS DkVirtualMemoryProtect(   inout PVOID BaseAddress,   inout SIZE_T RegionSize,   in ULONG NewProtect,   out PULONG OldProtect); // IPC BOOL DkPipeFork(   in HANDLE Handle,   out PULONG64 Token,   out PHANDLE NewHandle); BOOL DkSelfPipeCreate(   out PHANDLE Handle1,   out PHANDLE Handle2,   out PULONG64 Token); ULONG DkPipeRead(   in HANDLE Handle,   in BOOL Async,   in PVOID AsyncToken,   inout PVOID *Buffer,   in ULONG Length,   in_opt PLONG64 Timeout); ULONG DkPipeWrite(   in HANDLE Handle,   in BOOL Async,   in PVOID AsyncToken,   in PVOID Buffer,   in ULONG Length); ULONG DkPipeSelect(   in ULONG Count,   in const HANDLE *Handles,   in_opt PLONG64 Timeout); ULONG DkPipePeek(   in HANDLE Handle); // Isolated File Access PVOID DkFileOpen(   in PUNICODE_STRING pUri,   in_opt PVOID DesiredAddress,   in ACCESS_MASK DesiredAccess,   in ULONG ShareMode,   in ULONG CreateDisposition,   in ULONG CreateOptions,   in SIZE_T Offset,   inout_opt PSIZE_T ViewSize); BOOL DkFileTruncate(   in PUNICODE_STRING Uri,   in SIZE_T Length); DKSTATUS DkFileUnmap(   in PVOID addr); BOOL DkFileSync(   in PVOID addr); BOOL DkFileUnlink(   in PUNICODE_STRING Uri); DKSTATUS DkFileAttributesQuery(   in PUNICODE_STRING Uri,   out PDK_FILE_ATTRIBUTES Attrs); // Threading BOOL DkThreadCreate(   in SIZE_T StackSize,   in PDK_THREAD_START Address,   in_opt PVOID Parameter,   in ULONG CreationFlags,   out_opt PHANDLE Pipe,   out_opt PULONG64 PipeToken); VOID DkThreadExit( ); BOOL DkProcessCreate(   in_opt PUNICODE_STRING Appl,   in_opt PUNICODE_STRING CmdLin,   out_opt PHANDLE Pipe,   out_opt PULONG64 PipeToken); VOID DkProcessExit( ); // Other BOOL DkSystemTimeQuery(   out PLONG64 SystemTime); BOOL DkRandomBitsRead(   in out PVOID Buf,   in SIZE_T BufSize); BOOL DkDebugOutput(   in PUNICODE_STRING Message);
  • Included herein is a set of flow charts representative of exemplary methodologies for performing novel aspects of the disclosed architecture. While, for purposes of simplicity of explanation, the one or more methodologies shown herein, for example, in the form of a flow chart or flow diagram, are shown and described as a series of acts, it is to be understood and appreciated that the methodologies are not limited by the order of acts, as some acts may, in accordance therewith, occur in a different order and/or concurrently with other acts from that shown and described herein. For example, those skilled in the art will understand and appreciate that a methodology could alternatively be represented as a series of interrelated states or events, such as in a state diagram. Moreover, not all acts illustrated in a methodology may be required for a novel implementation.
  • FIG. 5 illustrates a method of creating secure application execution in accordance with the disclosed architecture. At 500, in an operating system kernel, identify rich (non-minimal) functionality from minimal requisite functionality (the basic computation services 206) associated with running an application. The minimal requisite functionality is identified and exposed to the applications through the isolation monitor. At 502, the rich functionality is moved from the kernel into user-space libraries (e.g., in the isolated OS subsystems). At 504, communications between the rich functionality and the kernel is implemented via an isolation monitor. At 506, the rich functionality is isolated from the kernel using an application firewall of rules that control interaction between the functionality and the kernel (and other components such as the user I/O client).
  • FIG. 6 illustrates further aspects of the method of FIG. 5 for converting additional non-isolated OS subsystems either into isolated OS subsystems or into external network service, such as the user I/O client. Note that the arrowing indicates that each block represents a step that can be included, separately or in combination with other blocks, as additional aspects of the method represented by the flow chart of FIG. 5. At 600, the rich functionality is run in an application process of the application or external to the application process. At 602, a network interface is provided between the application and the functionality for communicating with host operating system services via a server. At 604, optional external resources, requisite external resources, and communications pipes, to other applications and system services, are specified in an application manifest. At 606, an interface to host operating system services is via a kernel interface implemented inside the isolation monitor. At 608, rich functionality services are moved from the operating system kernel into an isolated OS subsystem, which services include windowing, access control, and user interfaces.
  • FIG. 7 illustrates a method of factoring operating system code into components to be used in an application appliance environment. At 700, a system component that exists outside the application process and which provides a required service for the application process is identified. At 702, a check is made if the resources managed by the component need to be shared. If so, flow is to 704 where a network protocol is chosen to be used to access the shared resource. Flow is then to 706, where the application appliance is augmented with code that implements the network protocol. At 708, the system component is then accessed as a network service.
  • If, at 702, the resources exposed by the system component do not need to be shared with other applications, then, flow is to 710, where the code is copied into the application appliance. For example, the physical keyboard, mouse, and video display are shared devices; thus, in one embodiment, the remote desktop protocol (RDP) can be employed to access the shared display at 704 and add RDP server support to the remote user I/O server in step 706 before modifying the Win32k part of the isolated OS subsystems to use the RDP server code introduced in step 704.
  • At 712, as the component is copied into the application appliance, any code that requests security authentication can be removed, disabled, or modified to grant access. At 714, as the component is copied into the application appliance, any code that provides enforcement of security isolation policies can be removed or disabled. The code can be removed or disabled (or modified to grant access), because the code is now inside the application appliance, and therefore, will not protect any other services from an errant or malicious application appliance.
  • As used in this application, the terms “component” and “system” are intended to refer to a computer-related entity, either hardware, a combination of software and tangible hardware, software, or software in execution. For example, a component can be, but is not limited to, tangible components such as a processor, chip memory, mass storage devices (e.g., optical drives, solid state drives, and/or magnetic storage media drives), and computers, and software components such as a process running on a processor, an object, an executable, a module, a thread of execution, and/or a program. By way of illustration, both an application running on a server and the server can be a component. One or more components can reside within a process and/or thread of execution, and a component can be localized on one computer and/or distributed between two or more computers. The word “exemplary” may be used herein to mean serving as an example, instance, or illustration. Any aspect or design described herein as “exemplary” is not necessarily to be construed as preferred or advantageous over other aspects or designs.
  • Referring now to FIG. 8, there is illustrated a block diagram of a computing system 800 that executes application sandboxing in accordance with the disclosed architecture. In order to provide additional context for various aspects thereof, FIG. 8 and the following description are intended to provide a brief, general description of the suitable computing system 800 in which the various aspects can be implemented. While the description above is in the general context of computer-executable instructions that can run on one or more computers, those skilled in the art will recognize that a novel embodiment also can be implemented in combination with other program modules and/or as a combination of hardware and software.
  • The computing system 800 for implementing various aspects includes the computer 802 having processing unit(s) 804, a computer-readable storage such as a system memory 806, and a system bus 808. The processing unit(s) 804 can be any of various commercially available processors such as single-processor, multi-processor, single-core units and multi-core units. Moreover, those skilled in the art will appreciate that the novel methods can be practiced with other computer system configurations, including minicomputers, mainframe computers, as well as personal computers (e.g., desktop, laptop, etc.), hand-held computing devices, microprocessor-based or programmable consumer electronics, and the like, each of which can be operatively coupled to one or more associated devices.
  • The system memory 806 can include computer-readable storage (physical storage media) such as a volatile (VOL) memory 810 (e.g., random access memory (RAM)) and non-volatile memory (NON-VOL) 812 (e.g., ROM, EPROM, EEPROM, etc.). A basic input/output system (BIOS) can be stored in the non-volatile memory 812, and includes the basic routines that facilitate the communication of data and signals between components within the computer 802, such as during startup. The volatile memory 810 can also include a high-speed RAM such as static RAM for caching data.
  • The system bus 808 provides an interface for system components including, but not limited to, the system memory 806 to the processing unit(s) 804. The system bus 808 can be any of several types of bus structure that can further interconnect to a memory bus (with or without a memory controller), and a peripheral bus (e.g., PCI, PCIe, AGP, LPC, etc.), using any of a variety of commercially available bus architectures.
  • The computer 802 further includes machine readable storage subsystem(s) 814 and storage interface(s) 816 for interfacing the storage subsystem(s) 814 to the system bus 808 and other desired computer components. The storage subsystem(s) 814 (physical storage media) can include one or more of a hard disk drive (HDD), a magnetic floppy disk drive (FDD), and/or optical disk storage drive (e.g., a CD-ROM drive DVD drive), for example. The storage interface(s) 816 can include interface technologies such as EIDE, ATA, SATA, and IEEE 1394, for example.
  • One or more programs and data can be stored in the memory subsystem 806, a machine readable and removable memory subsystem 818 (e.g., flash drive form factor technology), and/or the storage subsystem(s) 814 (e.g., optical, magnetic, solid state), including an operating system 820 (e.g., OS 108 and OS 308), one or more application programs 822 (e.g., isolated application 104, non-isolated application 106, and isolated application 404), other program modules 824 (e.g., isolated application libraries 118 and non-isolated application libraries 120), and program data 826.
  • The one or more application programs 822, other program modules 824, and program data 826 can include the entities and components of the system 100 of FIG. 1, entities and components of the system 200 of FIG. 2, the entities and components of FIG. 3, the entities and components of the system 400 of FIG. 4, and the methods represented by the flowcharts of FIGS. 5-7, for example.
  • Generally, programs include routines, methods, data structures, other software components, etc., that perform particular tasks or implement particular abstract data types. All or portions of the operating system 820, applications 822, modules 824, and/or data 826 can also be cached in memory such as the volatile memory 810, for example. It is to be appreciated that the disclosed architecture can be implemented with various commercially available operating systems or combinations of operating systems (e.g., as virtual machines).
  • The storage subsystem(s) 814 and memory subsystems (806 and 818) serve as computer readable media for volatile and non-volatile storage of data, data structures, computer-executable instructions, and so forth. Such instructions, when executed by a computer or other machine, can cause the computer or other machine to perform one or more acts of a method. The instructions to perform the acts can be stored on one medium, or could be stored across multiple media, so that the instructions appear collectively on the one or more computer-readable storage media, regardless of whether all of the instructions are on the same media.
  • Computer readable media can be any available media that can be accessed by the computer 802 and includes volatile and non-volatile internal and/or external media that is removable or non-removable. For the computer 802, the media accommodate the storage of data in any suitable digital format. It should be appreciated by those skilled in the art that other types of computer readable media can be employed such as zip drives, magnetic tape, flash memory cards, flash drives, cartridges, and the like, for storing computer executable instructions for performing the novel methods of the disclosed architecture.
  • A user can interact with the computer 802, programs, and data using external user input devices 828 such as a keyboard and a mouse. Other external user input devices 828 can include a microphone, an IR (infrared) remote control, a joystick, a game pad, camera recognition systems, a stylus pen, touch screen, gesture systems (e.g., eye movement, head movement, etc.), and/or the like. The user can interact with the computer 802, programs, and data using onboard user input devices 830 such a touchpad, microphone, keyboard, etc., where the computer 802 is a portable computer, for example. These and other input devices are connected to the processing unit(s) 804 through input/output (I/O) device interface(s) 832 via the system bus 808, but can be connected by other interfaces such as a parallel port, IEEE 1394 serial port, a game port, a USB port, an IR interface, etc. The I/O device interface(s) 832 also facilitate the use of output peripherals 834 such as printers, audio devices, camera devices, and so on, such as a sound card and/or onboard audio processing capability.
  • One or more graphics interface(s) 836 (also commonly referred to as a graphics processing unit (GPU)) provide graphics and video signals between the computer 802 and external display(s) 838 (e.g., LCD, plasma) and/or onboard displays 840 (e.g., for portable computer). The graphics interface(s) 836 can also be manufactured as part of the computer system board.
  • The computer 802 can operate in a networked environment (e.g., IP-based) using logical connections via a wired/wireless communications subsystem 842 to one or more networks and/or other computers. The other computers can include workstations, servers, routers, personal computers, microprocessor-based entertainment appliances, peer devices or other common network nodes, and typically include many or all of the elements described relative to the computer 802. The logical connections can include wired/wireless connectivity to a local area network
  • (LAN), a wide area network (WAN), hotspot, and so on. LAN and WAN networking environments are commonplace in offices and companies and facilitate enterprise-wide computer networks, such as intranets, all of which may connect to a global communications network such as the Internet.
  • When used in a networking environment the computer 802 connects to the network via a wired/wireless communication subsystem 842 (e.g., a network interface adapter, onboard transceiver subsystem, etc.) to communicate with wired/wireless networks, wired/wireless printers, wired/wireless input devices 844, and so on. The computer 802 can include a modem or other means for establishing communications over the network. In a networked environment, programs and data relative to the computer 802 can be stored in the remote memory/storage device, as is associated with a distributed system. It will be appreciated that the network connections shown are exemplary and other means of establishing a communications link between the computers can be used.
  • The computer 802 is operable to communicate with wired/wireless devices or entities using the radio technologies such as the IEEE 802.xx family of standards, such as wireless devices operatively disposed in wireless communication (e.g., IEEE 802.11 over-the-air modulation techniques) with, for example, a printer, scanner, desktop and/or portable computer, personal digital assistant (PDA), communications satellite, any piece of equipment or location associated with a wirelessly detectable tag (e.g., a kiosk, news stand, restroom), and telephone. This includes at least Wi-Fi (or Wireless Fidelity) for hotspots, WiMax, and Bluetooth™ wireless technologies. Thus, the communications can be a predefined structure as with a conventional network or simply an ad hoc communication between at least two devices. Wi-Fi networks use radio technologies called IEEE 802.11x (a, b, g, etc.) to provide secure, reliable, fast wireless connectivity. A Wi-Fi network can be used to connect computers to each other, to the Internet, and to wire networks (which use IEEE 802.3-related media and functions).
  • What has been described above includes examples of the disclosed architecture. It is, of course, not possible to describe every conceivable combination of components and/or methodologies, but one of ordinary skill in the art may recognize that many further combinations and permutations are possible. Accordingly, the novel architecture is intended to embrace all such alterations, modifications and variations that fall within the spirit and scope of the appended claims. Furthermore, to the extent that the term “includes” is used in either the detailed description or the claims, such term is intended to be inclusive in a manner similar to the term “comprising” as “comprising” is interpreted when employed as a transitional word in a claim.

Claims (22)

1-9. (canceled)
10. A computer-implemented secure application execution system having computer readable media that store executable instructions executed by a processor, comprising:
an isolation container in which an application for a first OS runs in isolation, the isolation container formed in association with a second OS;
an isolated OS subsystem that runs in the isolation container in association with and interfaces to the application to provide rich functionality to the application; and
an isolation monitor of the second OS that interfaces basic computation services of the second OS to the isolated OS subsystem to enable the application to run in isolation on the second OS.
11. The system of claim 10, wherein the basic computation services include at least one of virtual memory management, thread creation, or thread synchronization.
12. The system of claim 10, wherein the rich functionality provided by the isolated OS subsystem includes at least one of a graphical user interface (GUI) service, an application configuration management service, a printer service, or an audio service.
13. The system of claim 10, wherein the isolated application uses a corresponding remote user I/O server to communicate with a user I/O client outside the isolation container.
14. The system of claim 10, wherein the isolated application is migrated to a second computing environment by reading from some or all of an address space of the isolation container, which is in a first computing environment.
15. The system of claim 10, wherein the isolation monitor employs a collection of rules that map from an application manifest to approval or denial of resource requests, the manifest defines which resources outside the isolation container are available to the isolated application.
16-20. (canceled)
21. A system comprising:
one or more computer readable media storing executable instructions; and
one or more processing units configured to execute the executable instructions, wherein the executable instructions cause the one or more processing units to:
execute an isolated application in an isolation container on the system;
provide first operating system (OS) services to the isolated application using an isolated OS subsystem of the isolation container, wherein the isolated OS subsystem provides the first OS services via interfaces associated with a first OS; and
provide second OS services to the isolation container using a second OS other than the first OS.
22. The system of claim 21, wherein the second OS services comprise basic computation services.
23. The system of claim 22, wherein the basic computation services comprise virtual memory management, thread creation, and thread synchronization.
24. The system of claim 23, wherein the first OS services comprise rich functionality.
25. The system of claim 24, wherein the rich functionality comprises graphical user interface services, application configuration management services, printer services, and audio services.
26. The system of claim 25, wherein the first OS and the second OS are provided by different vendors.
27. The system of claim 25, wherein the first OS and the second OS are different OS versions provided by a single vendor.
28. A method performed on a computer system, the method comprising:
causing an isolated application to execute in an isolation container, the isolation container comprising an application process;
executing an isolated operating system (OS) subsystem in the application process with the isolated application, wherein the isolated OS subsystem provides first OS services associated with a first OS to the isolated application; and
providing second OS services to the isolated OS subsystem using a second OS other than the first OS.
29. The method of claim 28, further comprising:
migrating the application process to another computing system.
30. The method of claim 28, further comprising:
providing the second OS services in another process that is separate from the application process.
31. The method of claim 30, wherein the first OS services provided in the application process include graphical user interface services.
32. The method of claim 29, wherein the second OS services provided in the another process include virtual memory management services.
33. The method of claim 32, wherein the first OS services provided in the application process include graphical user interface services and the second OS services provided in the another process include thread creation or thread synchronization services.
34. The method of claim 28, wherein the computer system is a mobile phone.
US15/071,101 2010-07-13 2016-03-15 Ultra-low cost sandboxing for application appliances Pending US20160196426A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
US12/834,895 US9323921B2 (en) 2010-07-13 2010-07-13 Ultra-low cost sandboxing for application appliances
US15/071,101 US20160196426A1 (en) 2010-07-13 2016-03-15 Ultra-low cost sandboxing for application appliances

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US15/071,101 US20160196426A1 (en) 2010-07-13 2016-03-15 Ultra-low cost sandboxing for application appliances

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US12/834,895 Division US9323921B2 (en) 2010-07-13 2010-07-13 Ultra-low cost sandboxing for application appliances

Publications (1)

Publication Number Publication Date
US20160196426A1 true US20160196426A1 (en) 2016-07-07

Family

ID=45467888

Family Applications (2)

Application Number Title Priority Date Filing Date
US12/834,895 Active 2031-08-27 US9323921B2 (en) 2010-07-13 2010-07-13 Ultra-low cost sandboxing for application appliances
US15/071,101 Pending US20160196426A1 (en) 2010-07-13 2016-03-15 Ultra-low cost sandboxing for application appliances

Family Applications Before (1)

Application Number Title Priority Date Filing Date
US12/834,895 Active 2031-08-27 US9323921B2 (en) 2010-07-13 2010-07-13 Ultra-low cost sandboxing for application appliances

Country Status (1)

Country Link
US (2) US9323921B2 (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9495183B2 (en) 2011-05-16 2016-11-15 Microsoft Technology Licensing, Llc Instruction set emulation for guest operating systems
US9552495B2 (en) 2012-10-01 2017-01-24 The Research Foundation For The State University Of New York System and method for security and privacy aware virtual machine checkpointing
US9767271B2 (en) 2010-07-15 2017-09-19 The Research Foundation For The State University Of New York System and method for validating program execution at run-time
US9767284B2 (en) 2012-09-14 2017-09-19 The Research Foundation For The State University Of New York Continuous run-time validation of program execution: a practical approach
US20170329963A1 (en) * 2015-01-29 2017-11-16 Huawei International PTE., Ltd. Method for data protection using isolated environment in mobile device
US10375111B2 (en) 2016-11-12 2019-08-06 Microsoft Technology Licensing, Llc Anonymous containers

Families Citing this family (33)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9588803B2 (en) 2009-05-11 2017-03-07 Microsoft Technology Licensing, Llc Executing native-code applications in a browser
US8903705B2 (en) 2010-12-17 2014-12-02 Microsoft Corporation Application compatibility shims for minimal client computers
EP2663073A4 (en) * 2011-01-07 2015-04-15 Sharp Kk Reproduction device, method for controlling reproduction device, generation device, method for controlling generation device, recording medium, data structure, control program, and recording medium containing said program
US9389933B2 (en) 2011-12-12 2016-07-12 Microsoft Technology Licensing, Llc Facilitating system service request interactions for hardware-protected applications
US9413538B2 (en) 2011-12-12 2016-08-09 Microsoft Technology Licensing, Llc Cryptographic certification of secure hosted execution environments
US9626507B2 (en) * 2012-04-06 2017-04-18 Google Inc. Hosted application sandboxing
EP2696303B1 (en) * 2012-08-03 2017-05-10 Alcatel Lucent Mandatory access control (MAC) in virtual machines
US20140115606A1 (en) * 2012-10-24 2014-04-24 OpenMobile World Wide, Inc. Multi-platform mobile and other computing devices and methods
US9160422B2 (en) * 2012-11-22 2015-10-13 Asustek Computer Inc. Data capturing method of NFC protocol and NFC electronic device using the same
EP2746981A1 (en) * 2012-12-19 2014-06-25 ST-Ericsson SA Trusted execution environment access control rules derivation
US8972334B2 (en) * 2012-12-21 2015-03-03 International Business Machines Corporation Transparent data service suitable for modifying data storage capabilities in applications
US9438638B2 (en) * 2013-03-15 2016-09-06 Silicon Graphics International Corp. Method for transparently connecting augmented network socket operations
US9811364B2 (en) * 2013-06-13 2017-11-07 Microsoft Technology Licensing, Llc Thread operation across virtualization contexts
JP5713056B2 (en) * 2013-06-24 2015-05-07 横河電機株式会社 Process control apparatus and system and update method thereof
US20150143375A1 (en) * 2013-11-18 2015-05-21 Unisys Corporation Transaction execution in systems without transaction support
US20150278512A1 (en) * 2014-03-28 2015-10-01 Intel Corporation Virtualization based intra-block workload isolation
US10198883B2 (en) * 2014-06-12 2019-02-05 Wellfence Llc Access monitoring system for compliance
US9628279B2 (en) 2014-09-30 2017-04-18 Microsoft Technology Licensing, Llc Protecting application secrets from operating system attacks
TWI616770B (en) * 2015-02-03 2018-03-01 緯創資通股份有限公司 Cloud data management method, electronic apparatus and cloud server
GB2537814B (en) * 2015-04-14 2017-10-18 Avecto Ltd Computer device and method for controlling untrusted access to a peripheral device
US9986031B2 (en) * 2015-05-06 2018-05-29 International Business Machines Corporation Container provisioning based on communications patterns between software components
US9971622B2 (en) * 2015-06-25 2018-05-15 Intel Corporation Technologies for application migration using lightweight virtualization
US10013551B2 (en) * 2015-08-24 2018-07-03 Accenture Global Services Limited Isolated memory space
CN107533603A (en) * 2015-08-31 2018-01-02 华为技术有限公司 SMS processing method, device and terminal
RU2606877C1 (en) * 2015-09-28 2017-01-10 Общество С Ограниченной Ответственностью "Яндекс" System and method of processing data in executed on computer system
US9965412B2 (en) * 2015-10-08 2018-05-08 Samsung Electronics Co., Ltd. Method for application-aware interrupts management
CN105303122B (en) * 2015-10-13 2018-02-09 北京大学 The method that the locking of sensitive data high in the clouds is realized based on reconfiguration technique
US10243963B1 (en) * 2015-12-18 2019-03-26 Symantec Corporation Systems and methods for generating device-specific security policies for applications
US10055579B2 (en) * 2015-12-31 2018-08-21 Cybereason, Inc. System resources for sandboxing
US10192067B2 (en) 2016-05-26 2019-01-29 Microsoft Technology Licensing, Llc Self-described security model for resource access
US10417142B2 (en) 2016-06-17 2019-09-17 Red Hat Israel, Ltd. Operating system integrated application isolation
US10387686B2 (en) 2017-07-27 2019-08-20 International Business Machines Corporation Hardware based isolation for secure execution of virtual machines
US10296741B2 (en) 2017-07-27 2019-05-21 International Business Machines Corporation Secure memory implementation for secure execution of virtual machines

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090210871A1 (en) * 2008-02-20 2009-08-20 Zak Dechovich System and method for software application migration

Family Cites Families (219)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US4874164A (en) 1986-07-18 1989-10-17 Commodore-Amiga, Inc. Personal computer apparatus for block transfer of bit-mapped image data
US5220956A (en) 1992-01-24 1993-06-22 Texas Instruments Incorporated Multiple device fixture used in conjunction with a standard temperature forcing unit
WO1994011812A1 (en) 1992-11-16 1994-05-26 Microsoft Corporation Method for loading device drivers
US5819091A (en) 1994-12-22 1998-10-06 Arendt; James Wendell User level control of degree of client-side processing
US5689626A (en) 1995-04-17 1997-11-18 Apple Computer, Inc. System and method for linking a file to a document and selecting the file
US5732282A (en) 1995-06-30 1998-03-24 Sun Microsystems, Inc. Virtual device driver registry having a globally unique identifier supplying virtual driver call information to the requesting program
US5754830A (en) 1996-04-01 1998-05-19 Openconnect Systems, Incorporated Server and web browser terminal emulator for persistent connection to a legacy host system and method of operation
US5815686A (en) 1996-09-12 1998-09-29 Silicon Graphics, Inc. Method and apparatus for address space translation using a TLB
US5922056A (en) 1997-03-03 1999-07-13 International Business Machines Corporation Computer system with peripheral device characteristic sensing and automatic communications speed setting
US5926631A (en) 1997-08-15 1999-07-20 International Business Machines Corporation Network computer emulator systems, methods and computer program products for personal computers
JP2002501251A (en) 1998-01-22 2002-01-15 イナリ、インコーポレイテッド Method and apparatus for a universal data exchange gateway
US6721288B1 (en) 1998-09-16 2004-04-13 Openwave Systems Inc. Wireless mobile devices having improved operation during network unavailability
US7293107B1 (en) 1998-10-09 2007-11-06 Netmotion Wireless, Inc. Method and apparatus for providing mobile and other intermittent connectivity in a computing environment
US7882247B2 (en) 1999-06-11 2011-02-01 Netmotion Wireless, Inc. Method and apparatus for providing secure connectivity in mobile and other intermittent computing environments
US8060656B2 (en) 1998-10-09 2011-11-15 Netmotion Wireless, Inc. Method and apparatus for providing mobile and other intermittent connectivity in a computing environment
US7136645B2 (en) 1998-10-09 2006-11-14 Netmotion Wireless, Inc. Method and apparatus for providing mobile and other intermittent connectivity in a computing environment
US6546425B1 (en) 1998-10-09 2003-04-08 Netmotion Wireless, Inc. Method and apparatus for providing mobile and other intermittent connectivity in a computing environment
US6357003B1 (en) 1998-10-21 2002-03-12 Silicon Graphics, Inc. Advanced firmware boot sequence x86 computer system that maintains legacy hardware and software compatibility
US6578054B1 (en) 1999-10-04 2003-06-10 Microsoft Corporation Method and system for supporting off-line mode of operation and synchronization using resource state information
US6668376B1 (en) 2000-01-07 2003-12-23 Ricoh Company, Ltd. System and method for automatically loading a device driver
US7287259B2 (en) 2000-04-24 2007-10-23 Microsoft Corporation Isolating assembly versions for binding to application programs
US6665731B1 (en) 2000-05-16 2003-12-16 Intel Corporation Method for remotely accessing component management information
US6760815B1 (en) 2000-06-02 2004-07-06 Sun Microsystems, Inc. Caching mechanism for a virtual heap
US6986052B1 (en) 2000-06-30 2006-01-10 Intel Corporation Method and apparatus for secure execution using a secure memory partition
US6865591B1 (en) 2000-06-30 2005-03-08 Intel Corporation Apparatus and method for building distributed fault-tolerant/high-availability computed applications
US6813670B1 (en) 2000-09-26 2004-11-02 Microsoft Corporation Automatic server-side plug-and-play without user intervention
US6694428B2 (en) 2000-11-29 2004-02-17 Palm One, Inc. System for indentifying a peripheral device by sending an inquiry thereto after receiving an interrupt notification message if the interrupt and communication port meet predetermined conditions
US6832273B2 (en) 2000-12-21 2004-12-14 Microsoft Corporation System and method to specify extended configuration descriptor information in USB devices
US6931429B2 (en) 2001-04-27 2005-08-16 Left Gate Holdings, Inc. Adaptable wireless proximity networking
US20050198379A1 (en) 2001-06-13 2005-09-08 Citrix Systems, Inc. Automatically reconnecting a client across reliable and persistent communication sessions
US8214849B2 (en) 2001-07-13 2012-07-03 Advanced Micro Devices, Inc. System for loading device-specific code and method thereof
US6876996B2 (en) 2001-11-14 2005-04-05 Sun Microsystems, Inc. Method and apparatus for using a shared library mechanism to facilitate sharing of metadata
US6981268B2 (en) 2001-12-05 2005-12-27 Microsoft Corporation System and method for persisting and resolving application assembly binds
US7185359B2 (en) 2001-12-21 2007-02-27 Microsoft Corporation Authentication and authorization across autonomous network systems
US7275105B2 (en) 2002-01-16 2007-09-25 Laszlo Systems, Inc. Enabling online and offline operation
KR100444996B1 (en) 2002-02-08 2004-08-21 삼성전자주식회사 Method for installing method and mending device driver automatically through internet and system thereof
US7577722B1 (en) 2002-04-05 2009-08-18 Vmware, Inc. Provisioning of computer systems using virtual machines
US6954852B2 (en) 2002-04-18 2005-10-11 Ardence, Inc. System for and method of network booting of an operating system to a client computer using hibernation
US7676538B2 (en) 2002-05-02 2010-03-09 Bea Systems, Inc. Systems and methods for application view transactions
US8255501B2 (en) 2002-05-15 2012-08-28 Motorola Mobility Llc Establishing an IP session between a host using SIP and a device without an IP address
US8255548B2 (en) 2002-06-13 2012-08-28 Salesforce.Com, Inc. Offline web services API to mirror online web services API
US9171049B2 (en) 2002-06-13 2015-10-27 Salesforce.Com, Inc. Offline simulation of online session between client and server
US7421579B2 (en) 2002-06-28 2008-09-02 Microsoft Corporation Multiplexing a secure counter to implement second level secure counters
US7065607B2 (en) 2002-06-28 2006-06-20 Microsoft Corporation System and method for implementing a counter
US20040015537A1 (en) 2002-07-15 2004-01-22 Richard Doerksen Handheld client framework system
US7484208B1 (en) 2002-12-12 2009-01-27 Michael Nelson Virtual machine migration
US7536688B2 (en) 2003-02-28 2009-05-19 Azul Systems Segmented virtual machine
US7509644B2 (en) 2003-03-04 2009-03-24 Secure 64 Software Corp. Operating system capable of supporting a customized execution environment
US8463951B1 (en) 2003-03-27 2013-06-11 Nvidia Corporation Unified driver architecture device identifier strategy
US7493626B2 (en) 2003-04-02 2009-02-17 Apple Inc. Method and apparatus for communicating between device drivers in a computer system
US7788669B2 (en) 2003-05-02 2010-08-31 Microsoft Corporation System for isolating first computing environment from second execution environment while sharing resources by copying data from first portion to second portion of memory
US7640009B2 (en) 2003-06-30 2009-12-29 Motorola, Inc. Method and apparatus to provide a selectable caller identification
US7530103B2 (en) 2003-08-07 2009-05-05 Microsoft Corporation Projection of trustworthiness from a trusted environment to an untrusted environment
US7383537B2 (en) * 2003-08-20 2008-06-03 Microsoft Corporation Debugging an application that employs rights-managed content
US20080222160A1 (en) 2003-09-15 2008-09-11 Macdonald Craig Method and system for providing a program for execution without requiring installation
US7774762B2 (en) 2003-09-15 2010-08-10 Trigence Corp. System including run-time software to enable a software application to execute on an incompatible computer platform
US7519814B2 (en) 2003-09-15 2009-04-14 Trigence Corp. System for containerization of application sets
US20050076186A1 (en) 2003-10-03 2005-04-07 Microsoft Corporation Systems and methods for improving the x86 architecture for processor virtualization, and software systems and methods for utilizing the improvements
US20050091226A1 (en) 2003-10-23 2005-04-28 Yun Lin Persistent caching directory level support
US7441011B2 (en) 2003-10-23 2008-10-21 Microsoft Corporation Truth on client persistent caching
US7496768B2 (en) * 2003-10-24 2009-02-24 Microsoft Corporation Providing secure input and output to a trusted agent in a system with a high-assurance execution environment
US20050108171A1 (en) * 2003-11-19 2005-05-19 Bajikar Sundeep M. Method and apparatus for implementing subscriber identity module (SIM) capabilities in an open platform
US20050177635A1 (en) 2003-12-18 2005-08-11 Roland Schmidt System and method for allocating server resources
US7272782B2 (en) 2003-12-19 2007-09-18 Backweb Technologies, Inc. System and method for providing offline web application, page, and form access in a networked environment
US7444621B2 (en) 2004-02-20 2008-10-28 Microsoft Corporation Method and system for providing a common operating system
US7444337B2 (en) 2004-03-09 2008-10-28 Ntt Docomo, Inc. Framework and associated apparatus for the adaptive replication of applications with server side code units
US7940932B2 (en) 2004-04-08 2011-05-10 Texas Instruments Incorporated Methods, apparatus, and systems for securing SIM (subscriber identity module) personalization and other data on a first processor and secure communication of the SIM data to a second processor
US7574709B2 (en) 2004-04-30 2009-08-11 Microsoft Corporation VEX-virtual extension framework
US7584502B2 (en) 2004-05-03 2009-09-01 Microsoft Corporation Policy engine and methods and systems for protecting data
US7769720B2 (en) 2004-06-16 2010-08-03 Hewlett-Packard Development Company, L.P. Systems and methods for migrating a server from one physical platform to a different physical platform
US20060005047A1 (en) 2004-06-16 2006-01-05 Nec Laboratories America, Inc. Memory encryption architecture
US7587755B2 (en) 2004-07-02 2009-09-08 Citrix Systems, Inc. System and method for executing interactive applications with minimal privileges
US9083765B2 (en) 2004-07-02 2015-07-14 Oracle International Corporation Systems and methods of offline processing
US8914522B2 (en) 2004-07-23 2014-12-16 Citrix Systems, Inc. Systems and methods for facilitating a peer to peer route via a gateway
US20090024757A1 (en) 2004-07-30 2009-01-22 Proctor David W Automatic Protocol Determination For Portable Devices Supporting Multiple Protocols
US7613862B2 (en) 2004-08-10 2009-11-03 Intel Corporation Embedded driver for bus-connected device
JP4811271B2 (en) 2004-08-25 2011-11-09 日本電気株式会社 Information communication apparatus and program execution environment control method
US20060161563A1 (en) 2004-11-18 2006-07-20 Besbris David G Service discovery
US9450966B2 (en) 2004-11-29 2016-09-20 Kip Sign P1 Lp Method and apparatus for lifecycle integrity verification of virtual machines
US7568619B2 (en) 2004-12-15 2009-08-04 Alcon, Inc. System and method for identifying and controlling ophthalmic surgical devices and components
US7721138B1 (en) 2004-12-28 2010-05-18 Acronis Inc. System and method for on-the-fly migration of server from backup
US20060156418A1 (en) 2005-01-10 2006-07-13 Ibm Corporation Method and apparatus for preventing unauthorized access to data
US20060161982A1 (en) 2005-01-18 2006-07-20 Chari Suresh N Intrusion detection system
US7996493B2 (en) 2005-03-10 2011-08-09 Microsoft Corporation Framework for managing client application data in offline and online environments
US7496495B2 (en) 2005-05-12 2009-02-24 Microsoft Corporation Virtual operating system device communication relying on memory access violations
US7685593B2 (en) 2005-05-12 2010-03-23 Microsoft Corporation Systems and methods for supporting multiple gaming console emulation environments
US7363463B2 (en) 2005-05-13 2008-04-22 Microsoft Corporation Method and system for caching address translations from multiple address spaces in virtual machines
US20060294518A1 (en) 2005-06-28 2006-12-28 Richmond Michael S Method, apparatus and system for a lightweight virtual machine monitor
US7844442B2 (en) * 2005-08-16 2010-11-30 Exent Technologies, Ltd. System and method for providing a remote user interface for an application executing on a computing device
US8347063B2 (en) 2005-08-19 2013-01-01 Intel Corporation Method and system for device address translation for virtualization
US20070074191A1 (en) 2005-08-30 2007-03-29 Geisinger Nile J Software executables having virtual hardware, operating systems, and networks
US20070283324A1 (en) 2005-08-30 2007-12-06 Geisinger Nile J System and method for creating programs that comprise several execution layers
JP4820415B2 (en) 2005-09-13 2011-11-24 ドレーガー メディカル システムズ インコーポレイテッドDraeger Medical Systems Inc. System that monitors network cable interface connections
US7523323B2 (en) 2005-09-15 2009-04-21 Intel Corporation Method and apparatus for quick resumption
US7703081B1 (en) 2005-09-22 2010-04-20 Symantec Corporation Fast system call hooking on x86-64 bit windows XP platforms
US8074231B2 (en) 2005-10-26 2011-12-06 Microsoft Corporation Configuration of isolated extensions and device drivers
US7836303B2 (en) 2005-12-09 2010-11-16 University Of Washington Web browser operating system
US7447896B2 (en) * 2005-12-12 2008-11-04 Microsoft Corporation OS mini-boot for running multiple environments
US8539481B2 (en) * 2005-12-12 2013-09-17 Microsoft Corporation Using virtual hierarchies to build alternative namespaces
US20070174910A1 (en) 2005-12-13 2007-07-26 Zachman Frederick J Computer memory security platform
WO2007073353A1 (en) 2005-12-20 2007-06-28 Creative Technology Ltd Simultaneous sharing of system resources by multiple input devices
US20090307781A1 (en) 2005-12-27 2009-12-10 Nec Corporation Program execution control method, its device, and execution control program for same
US7627728B1 (en) 2005-12-29 2009-12-01 Symantec Operating Corporation System and method for efficient generation of application snapshots
US20070169116A1 (en) 2006-01-18 2007-07-19 Dell Products L.P. Method and system for automated installation of system specific drivers
US20070174429A1 (en) 2006-01-24 2007-07-26 Citrix Systems, Inc. Methods and servers for establishing a connection between a client system and a virtual machine hosting a requested computing environment
US7743026B2 (en) 2006-01-31 2010-06-22 Microsoft Corporation Redirection to local copies of server-based files
US7725613B2 (en) 2006-02-27 2010-05-25 Microsoft Corporation Device installation with host controller consideration
WO2007109921A1 (en) 2006-03-28 2007-10-04 Intel Corporation Methods and apparatus to implement annotation based thunking
US7913252B2 (en) 2006-04-11 2011-03-22 Installfree, Inc. Portable platform for executing software applications in a virtual environment
US7747785B2 (en) 2006-04-14 2010-06-29 Microsoft Corporation Instant messaging plug-ins
US8104041B2 (en) 2006-04-24 2012-01-24 Hewlett-Packard Development Company, L.P. Computer workload redistribution based on prediction from analysis of local resource utilization chronology data
US8117554B1 (en) 2006-04-25 2012-02-14 Parallels Holdings, Ltd. Seamless integration of non-native widgets and windows with dynamically scalable resolution into native operating system
US7725305B2 (en) 2006-06-08 2010-05-25 Microsoft Corporation Partial virtualization on computing device
US7812985B2 (en) 2006-06-09 2010-10-12 Kabushiki Kaisha Toshiba System and method for rerouting of document processing jobs
US20080016339A1 (en) 2006-06-29 2008-01-17 Jayant Shukla Application Sandbox to Detect, Remove, and Prevent Malware
US20080005472A1 (en) * 2006-06-30 2008-01-03 Microsoft Corporation Running applications from removable media
US8429654B2 (en) 2006-07-06 2013-04-23 Honeywell International Inc. Apparatus and method for guaranteed batch event delivery in a process control system
US20080127348A1 (en) 2006-08-31 2008-05-29 Kenneth Largman Network computer system and method using thin user client and virtual machine to provide immunity to hacking, viruses and spy ware
US7644264B1 (en) 2006-10-17 2010-01-05 Symantec Corporation Method and system for creating and deploying disk images
US20080127182A1 (en) 2006-11-29 2008-05-29 Newport William T Managing Memory Pages During Virtual Machine Migration
US8171502B2 (en) 2006-11-29 2012-05-01 Sony Ericsson Mobile Communications Ab Methods, devices and computer program products for automatically installing device drivers from a peripheral device onto a host computer
US8196153B1 (en) 2007-01-07 2012-06-05 Apple Inc. Method and apparatus for associating device drivers via a device tree
US7694187B2 (en) 2007-02-07 2010-04-06 Honeywell International Inc. Method of peripheral type identification in a system of circumvention and recovery
US8010710B2 (en) 2007-02-13 2011-08-30 Mosaid Technologies Incorporated Apparatus and method for identifying device type of serially interconnected devices
US8452853B2 (en) 2007-03-05 2013-05-28 International Business Machines Corporation Browser with offline web-application architecture
WO2008111048A2 (en) 2007-03-09 2008-09-18 Ghost, Inc. System and method for browser within a web site and proxy server
US8037039B2 (en) 2007-04-20 2011-10-11 Microsoft Corporation Runtime class database operation
US20080276012A1 (en) 2007-05-04 2008-11-06 Joe Mesa Driver Loading via a PnP Device
JP5079084B2 (en) 2007-05-09 2012-11-21 インターナショナル・ビジネス・マシーンズ・コーポレーションInternational Business Maschines Corporation Method and data processing system for preventing operation of a computer system
US8875266B2 (en) 2007-05-16 2014-10-28 Vmware, Inc. System and methods for enforcing software license compliance with virtual machines
ITRM20070347A1 (en) 2007-06-21 2008-12-22 Space Software Italia S P A Method and system for interaction and co-operation of sensors, actuators and robots
US20090064196A1 (en) 2007-08-31 2009-03-05 Microsoft Corporation Model based device driver code generation
US20090094337A1 (en) 2007-10-08 2009-04-09 Eric Wilfred Bruno Dias Method of accessing web e-mail off-line
KR101235859B1 (en) 2007-10-10 2013-02-20 삼성전자주식회사 Method and apparatus for operating a printer driver corresponding to a application, method and apparatus for installing a printer driver
CN100498816C (en) * 2007-11-19 2009-06-10 南京大学 Reference monitor implementing method of high safety grade operating system
US8505029B1 (en) 2007-11-26 2013-08-06 Adobe Systems Incorporated Virtual machine communication
JP4740926B2 (en) * 2007-11-27 2011-08-03 フェリカネットワークス株式会社 Service providing system, service providing server, and information terminal device
WO2009085977A2 (en) 2007-12-20 2009-07-09 Virtual Computer, Inc. Virtual computing management systems and methods
US8131919B1 (en) 2007-12-21 2012-03-06 Emc Corporation Techniques for controlling storage device use by performing a storage device location assessment operation based on a current storage device identifier
US8156503B2 (en) 2008-02-12 2012-04-10 International Business Machines Corporation System, method and computer program product for accessing a memory space allocated to a virtual machine
US8671404B2 (en) 2008-02-12 2014-03-11 Red Hat, Inc. Distributing and managing virtual machines
US8538811B2 (en) 2008-03-03 2013-09-17 Yahoo! Inc. Method and apparatus for social network marketing with advocate referral
US7971049B2 (en) * 2008-03-31 2011-06-28 Symantec Corporation Systems and methods for managing user configuration settings
US8782604B2 (en) 2008-04-11 2014-07-15 Oracle International Corporation Sandbox support for metadata in running applications
US8359593B2 (en) 2008-04-21 2013-01-22 Vmware, Inc. Computer machine migration of file system images using a redo-log file
JP2009271637A (en) 2008-05-01 2009-11-19 Hitachi Ltd Storage device and its drive startup method
US8364983B2 (en) 2008-05-08 2013-01-29 Microsoft Corporation Corralling virtual machines with encryption keys
US8424082B2 (en) 2008-05-08 2013-04-16 Google Inc. Safely executing an untrusted native code module on a computing device
US8195774B2 (en) 2008-05-23 2012-06-05 Vmware, Inc. Distributed virtual switch for virtualized computer systems
WO2009147468A2 (en) 2008-05-27 2009-12-10 Telefonaktiebolaget L M Ericsson (Publ) System and method for backwards compatible multi-access with proxy mobile internet protocol
US8276145B2 (en) * 2008-06-27 2012-09-25 Microsoft Corporation Protected mode scheduling of operations
US9176754B2 (en) 2008-07-16 2015-11-03 Google Inc. Method and system for executing applications using native code modules
US8285670B2 (en) 2008-07-22 2012-10-09 International Business Machines Corporation Dynamically maintaining coherency within live ranges of direct buffers
US20100211663A1 (en) * 2008-07-28 2010-08-19 Viewfinity Inc. Management of pool member configuration
CN101640589B (en) 2008-07-29 2012-11-07 华为技术有限公司 Method and device for sharing license between safe and removable media
CN101645020A (en) 2008-08-04 2010-02-10 优诺威讯国际有限公司 Virtual operating system creation method
US7886183B2 (en) 2008-08-07 2011-02-08 Symantec Operating Corporation Providing fault tolerant storage system to a cluster
JP2010044579A (en) 2008-08-12 2010-02-25 Brother Ind Ltd Peripheral device, program, and driver installation system
TW201007574A (en) 2008-08-13 2010-02-16 Inventec Corp Internet server system and method of constructing and starting a virtual machine
CN101655798B (en) 2008-08-18 2013-03-27 联想(北京)有限公司 Method for deployment and operation of application in computer and virtual machine environments
US8381288B2 (en) 2008-09-30 2013-02-19 Intel Corporation Restricted component access to application memory
JP4966942B2 (en) 2008-10-01 2012-07-04 株式会社日立製作所 Virtual PC management method, virtual PC management system, and virtual PC management program
US8291261B2 (en) 2008-11-05 2012-10-16 Vulcan Technologies Llc Lightweight application-level runtime state save-and-restore utility
US8103837B2 (en) 2008-12-17 2012-01-24 Hewlett-Packard Development Company, L.P. Servicing memory read requests
US9185208B2 (en) 2008-12-23 2015-11-10 At&T Mobility Ii Llc Calendar-callback voicemail
TWI384378B (en) 2008-12-29 2013-02-01 Ind Tech Res Inst Web application execution method
US8117317B2 (en) 2008-12-31 2012-02-14 Sap Ag Systems and methods for integrating local systems with cloud computing resources
US8230121B2 (en) 2009-01-05 2012-07-24 Sierra Wireless, Inc. Method and apparatus for identifying a device handle in a computer system
US8214829B2 (en) 2009-01-15 2012-07-03 International Business Machines Corporation Techniques for placing applications in heterogeneous virtualized systems while minimizing power and migration cost
US8112480B2 (en) 2009-01-16 2012-02-07 Microsoft Corporation Signaling support for sharer switching in application sharing
US8019861B2 (en) 2009-01-29 2011-09-13 Vmware, Inc. Speculative virtual machine resource scheduling
US10203993B2 (en) 2009-02-18 2019-02-12 International Business Machines Corporation Method and system for continuous optimization of data centers by combining server and storage virtualization
CA2753312A1 (en) 2009-02-23 2010-08-26 Provo Craft And Novelty, Inc. Controller device
US8769068B2 (en) 2009-02-24 2014-07-01 Telcordia Technologies, Inc. System and method for policy based management for a high security MANET
US8782670B2 (en) * 2009-04-10 2014-07-15 Open Invention Network, Llc System and method for application isolation
US8418236B1 (en) * 2009-04-10 2013-04-09 Open Invention Network Llc System and method for streaming application isolation
JP5289153B2 (en) 2009-04-14 2013-09-11 キヤノン株式会社 Information processing apparatus, control method therefor, and computer program
US8751627B2 (en) 2009-05-05 2014-06-10 Accenture Global Services Limited Method and system for application migration in a cloud
US8429647B2 (en) 2009-05-06 2013-04-23 Vmware, Inc. Virtual machine migration across network by publishing routes to the associated virtual networks via virtual router after the start of migration of the virtual machine
US9588803B2 (en) 2009-05-11 2017-03-07 Microsoft Technology Licensing, Llc Executing native-code applications in a browser
JP2010267135A (en) 2009-05-15 2010-11-25 Toshiba Corp Memory controller
US8150971B2 (en) 2009-05-31 2012-04-03 Red Hat Israel, Ltd. Mechanism for migration of client-side virtual machine system resources
US20100332629A1 (en) 2009-06-04 2010-12-30 Lauren Ann Cotugno Secure custom application cloud computing architecture
CN101923521B (en) 2009-06-09 2012-06-20 鸿富锦精密工业(深圳)有限公司 Electronic device with function of protecting universal serial bus ports thereof and method
CN102656562B (en) 2009-06-30 2015-12-09 思杰系统有限公司 For selecting the method and system of desktop executing location
WO2011027191A1 (en) 2009-09-02 2011-03-10 Telenor Asa A method, system, and computer readable medium for controlling access to a memory in a memory device
US8436944B2 (en) 2009-10-01 2013-05-07 Panasonic Corporation Wireless communications system, adaptor apparatus for video apparatus, video apparatus and control method for wireless communications system
US8285987B1 (en) 2009-12-04 2012-10-09 The United States Of America As Represented By The Secretary Of The Air Force Emulation-based software protection
US8479286B2 (en) * 2009-12-15 2013-07-02 Mcafee, Inc. Systems and methods for behavioral sandboxing
US8645977B2 (en) * 2010-02-04 2014-02-04 Microsoft Corporation Extensible application virtualization subsystems
US8301856B2 (en) 2010-02-16 2012-10-30 Arm Limited Restricting memory areas for an instruction read in dependence upon a hardware mode and a security flag
US20110257992A1 (en) 2010-02-19 2011-10-20 Covermymeds, Llc Apparatus and method for processing prior authorizations for prescription drugs
US20110231670A1 (en) 2010-03-16 2011-09-22 Shevchenko Oleksiy Yu Secure access device for cloud computing
US8880773B2 (en) 2010-04-23 2014-11-04 Red Hat, Inc. Guaranteeing deterministic bounded tunable downtime for live migration of virtual machines over reliable channels
EP2569693B1 (en) 2010-05-09 2015-08-12 Citrix Systems, Inc. Methods and systems for forcing an application to store data in a secure storage location
EP2569705A4 (en) 2010-05-09 2014-05-14 Citrix Systems Inc Systems and methods for creation and delivery of encrypted virtual disks
US8640187B2 (en) * 2010-05-28 2014-01-28 Red Hat, Inc. Systems and methods for providing an fully functional isolated execution environment for accessing content
WO2011152910A1 (en) 2010-06-02 2011-12-08 Vmware, Inc. Securing customer virtual machines in a multi-tenant cloud
US8166211B2 (en) 2010-06-07 2012-04-24 Vmware, Inc. Safely sharing USB devices
US8935317B2 (en) 2010-06-23 2015-01-13 Microsoft Corporation Dynamic partitioning of applications between clients and servers
CN102314450B (en) 2010-06-30 2014-11-26 国际商业机器公司 Method for enhancing webpage browse and equipment
US8972995B2 (en) 2010-08-06 2015-03-03 Sonics, Inc. Apparatus and methods to concurrently perform per-thread as well as per-tag memory access scheduling within a thread and across two or more threads
US9058577B2 (en) 2010-08-09 2015-06-16 Epmod, Inc. Network centric structured communications network
US20120084545A1 (en) 2010-10-04 2012-04-05 Ralph Rabat Farina Methods and systems for implementing a secure boot device using cryptographically secure communications across unsecured networks
US9436502B2 (en) 2010-12-10 2016-09-06 Microsoft Technology Licensing, Llc Eventually consistent storage and transactions in cloud based environment
US8972746B2 (en) 2010-12-17 2015-03-03 Intel Corporation Technique for supporting multiple secure enclaves
US8903705B2 (en) 2010-12-17 2014-12-02 Microsoft Corporation Application compatibility shims for minimal client computers
US8832452B2 (en) 2010-12-22 2014-09-09 Intel Corporation System and method for implementing a trusted dynamic launch and trusted platform module (TPM) using secure enclaves
US20120179485A1 (en) 2011-01-07 2012-07-12 Independa, Inc. Systems and methods for integrated care management
US20120203932A1 (en) 2011-02-08 2012-08-09 Microsoft Corporation Multi-master media metadata synchronization
US9483284B2 (en) 2011-02-25 2016-11-01 Red Hat, Inc. Version compatibility determination
US9891939B2 (en) 2011-03-03 2018-02-13 Microsoft Technology Licensing, Llc Application compatibility with library operating systems
US8745434B2 (en) 2011-05-16 2014-06-03 Microsoft Corporation Platform for continuous mobile-cloud services
US9495183B2 (en) 2011-05-16 2016-11-15 Microsoft Technology Licensing, Llc Instruction set emulation for guest operating systems
US20130031371A1 (en) 2011-07-25 2013-01-31 Alcatel-Lucent Usa Inc. Software Run-Time Provenance
US20130036431A1 (en) 2011-08-02 2013-02-07 Microsoft Corporation Constraining Execution of Specified Device Drivers
US20130054734A1 (en) 2011-08-23 2013-02-28 Microsoft Corporation Migration of cloud applications between a local computing device and cloud
US9413538B2 (en) 2011-12-12 2016-08-09 Microsoft Technology Licensing, Llc Cryptographic certification of secure hosted execution environments
US9389933B2 (en) 2011-12-12 2016-07-12 Microsoft Technology Licensing, Llc Facilitating system service request interactions for hardware-protected applications

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090210871A1 (en) * 2008-02-20 2009-08-20 Zak Dechovich System and method for software application migration

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
Hiltgen et al US Pub 2009/0113423 *
Lorch et al US Pub 2008/0127355 *
Spertus US Patent 8,180,893 *

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9767271B2 (en) 2010-07-15 2017-09-19 The Research Foundation For The State University Of New York System and method for validating program execution at run-time
US9495183B2 (en) 2011-05-16 2016-11-15 Microsoft Technology Licensing, Llc Instruction set emulation for guest operating systems
US10289435B2 (en) 2011-05-16 2019-05-14 Microsoft Technology Licensing, Llc Instruction set emulation for guest operating systems
US9767284B2 (en) 2012-09-14 2017-09-19 The Research Foundation For The State University Of New York Continuous run-time validation of program execution: a practical approach
US9552495B2 (en) 2012-10-01 2017-01-24 The Research Foundation For The State University Of New York System and method for security and privacy aware virtual machine checkpointing
US10324795B2 (en) 2012-10-01 2019-06-18 The Research Foundation for the State University o System and method for security and privacy aware virtual machine checkpointing
US20170329963A1 (en) * 2015-01-29 2017-11-16 Huawei International PTE., Ltd. Method for data protection using isolated environment in mobile device
US10375111B2 (en) 2016-11-12 2019-08-06 Microsoft Technology Licensing, Llc Anonymous containers

Also Published As

Publication number Publication date
US9323921B2 (en) 2016-04-26
US20120017213A1 (en) 2012-01-19

Similar Documents

Publication Publication Date Title
Arnautov et al. {SCONE}: Secure Linux Containers with Intel {SGX}
US20180045189A1 (en) System and Method for Processor-Based Security
US10289435B2 (en) Instruction set emulation for guest operating systems
US9817580B2 (en) Secure migratable architecture having improved performance features
US20170293491A1 (en) Intelligent boot device selection and recovery
US8832692B2 (en) Cluster-based operating system-agnostic virtual computing system
US9652273B2 (en) Method and system for creating a hierarchy of virtual machine templates in a virtualized computing system
US9390286B2 (en) Enforcing restrictions related to a virtualized computer environment
US9678780B2 (en) Redirection of information from secure virtual machines to unsecure virtual machines
US20190187969A1 (en) Method for virtualizing software applications
US8914575B2 (en) SCSI protocol emulation for virtual storage device stored on NAS device
US8539515B1 (en) System and method for using virtual machine for driver installation sandbox on remote system
Tsai et al. Cooperation and security isolation of library OSes for multi-process applications
US9110701B1 (en) Automated identification of virtual machines to process or receive untrusted data based on client policies
US9116733B2 (en) Automated provisioning of secure virtual execution environment using virtual machine templates based on requested activity
EP2622490B1 (en) Cross-environment communication framework
US20160048677A1 (en) Method and System for Executing Applications Using Native Code Modules
KR101232558B1 (en) Automated modular and secure boot firmware update
EP2622459B1 (en) Virtual desktop configuration and operation techniques
JP6083097B2 (en) Method for facilitating system service request interaction of hardware protection applications
US10331466B2 (en) Extension point declarative registration for virtualization
US8910163B1 (en) Seamless migration of non-native application into a virtual machine
US8677351B2 (en) System and method for delivering software update to guest software on virtual machines through a backdoor software communication pipe thereof
McDougall et al. Solaris Internals: Solaris 10 and OpenSolaris Kernel Architecture (paperback)
Yu et al. A feather-weight virtual machine for windows applications

Legal Events

Date Code Title Description
AS Assignment

Owner name: MICROSOFT CORPORATION, WASHINGTON

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:HUNT, GALEN C.;PORTER, DANIEL;SIGNING DATES FROM 20100709 TO 20100710;REEL/FRAME:037991/0046

Owner name: MICROSOFT CORPORATION, WASHINGTON

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:HUNT, GALEN C.;PORTER, DANIEL;SIGNING DATES FROM 20100709 TO 20100710;REEL/FRAME:037991/0001

Owner name: MICROSOFT TECHNOLOGY LICENSING, LLC, WASHINGTON

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:MICROSOFT CORPORATION;REEL/FRAME:037991/0050

Effective date: 20141014

STPP Information on status: patent application and granting procedure in general

Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION

STPP Information on status: patent application and granting procedure in general

Free format text: NON FINAL ACTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER

STPP Information on status: patent application and granting procedure in general

Free format text: NOTICE OF ALLOWANCE MAILED -- APPLICATION RECEIVED IN OFFICE OF PUBLICATIONS