Title Operating system context isolation of application execution
Abstract The resources needed by an application to execute are declared by the application. When the application is activated, only the declared resources are made available to the application because only the declared resources are connected to the execution environment. Accessibility to resources may be controlled by the operating system by making the resource visible or invisible to the executing software by mapping a local name used by the executing software to a global resource, possibly limiting the type of access allowed. Because the executing software relies on the mapping function performed by the operating system for access to resources, and the operating system only maps names declared by the software, the operating system can isolate the software, and prevent the application from accessing undeclared global resources.
Publication number US9038071(B2) Publication date 2015.05.19
Application number US200611393495 Filing date 2006.03.30
Applicant MICROSOFT TECHNOLOGY LICENSING, LLC Inventors Bernabeu-Auban Jose M.; Dossick Stephen E.; Peschel-Gallee Frank V.; Khalidi Yousef A.; Zachwieja Stephan J.
Classification G06F21/53; G06F9/46 Main classification G06F21/53
Agency Agent Jardine John; Drakos Kate; Minhas Micky
Independent claim 1. A system comprising: a hardware processor; and an operating system that is run by the hardware processor, wherein the operating system: receives a software item comprising a manifest and a first software code, the manifest disclosing a set of resources needed by the first software code for executing an application, and further disclosing a resolution set comprising dependencies indicative of at least a second software code installed within a parent context installation store needed by the first software code for executing the application; catalogs the set of resources when the first software code is installed in the system; creates at least one context for controlling resource availability to the application, the at least one context comprising an activation service for creating an isolated execution environment for the application and for initiating execution of the first software code in the isolated execution environment in response to receiving an activation request, the activation request comprising a requestor argument; configures, using the requestor argument, the manifest, and the resolution set, the isolated execution environment; and exclusively loads the at least a second software code into the isolated execution environment and connects only the cataloged set of resources to the isolated execution environment while denying access to other software code and other resources that are not included in the manifest and the resolution set.
Address Redmond WA US