System and method for managing code isolation

US9582302B2 · US · B2

Patent metadata

Field               Value
Publication number  US-9582302-B2
Application number  US-201313788259-A
Country             US
Kind code           B2
Filing date         Mar 7, 2013
Priority date       Sep 22, 2006
Publication date    Feb 28, 2017
Grant date          Feb 28, 2017

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

A computing system is configured to use a trampoline to isolate sensitive code in a virtual environment and in other applications. An import table may describe the entry points of a privileged code module or driver that generates privileged code. A system and method loads a shadow kernel to facilitate isolating the linkage between drivers and the rest of the system. The shadow kernel may be a copy of the operating system kernel that does not have the same integral position in the operation of the computing device. The shadow kernel may be used as a template for creating a jump table to redirect more critical privileged resource access requests from specially loaded kernel mode drivers to the PVM. All requests may pass through the PVM, which redirects non-critical functions to the original kernel. Multiple copies of a given driver or code module may be loaded in a given session.

First claim

Opening claim text (preview).

What is claimed is:

1. A method comprising: instantiating a first kernel in a host environment of a computer, wherein the host environment comprises a second kernel with an export table generated according to operating system rules of the computer, and wherein the host environment comprises a process virtual machine (PVM); configuring the first kernel to transmit one or more privileged resource requests received by the first kernel to the PVM; and configuring the first kernel to transmit one or more non-privileged resource requests received by the first kernel to the second kernel.

2. The method of claim 1, wherein the second kernel is an operating system (OS) kernel and the first kernel is a copy of the OS kernel.

3. The method of claim 1, wherein the one or more privileged resource requests comprise a request associated with a privileged space of the host environment that is isolated from non-privileged space of the host environment.

4. The method of claim 3, wherein the PVM is located in the privileged space of the host environment.

5. The method of claim 1, further comprising: configuring the PVM to modify the one or more privileged resource requests and transmit the one or more privileged resource requests to the second kernel.

6. The method of claim 1, further comprising: configuring the PVM to create an export table based on a table of rules specified in the second kernel and instructions comprised in the one or more privileged resource requests.

7. The method of claim 1, wherein the one or more privileged resource requests comprise a request to an isolated application programming interface (API) associated with a privileged driver.

8. The method of claim 1, wherein the one or more privileged resource requests comprise a blocking call to a resource.

9. The method of claim 1, wherein the one or more privileged resource requests comprise a non-blocking call to a resource.

10. A computer comprising: at least one processor; and memory storing executable instructions configured to, when executed by the at least one processor, cause the computer to: instantiate a first kernel in a host environment of a computer, wherein the host environment comprises a second kernel with an export table generated according to operating system rules of the computer, and wherein the host environment comprises a process virtual machine (PVM); configure the first kernel to transmit one or more privileged resource requests received by the first kernel to the PVM; and configure the first kernel to transmit one or more non-privileged resource requests received by the first kernel to the second kernel.

11. The computer of claim 10, wherein the second kernel is an operating system (OS) kernel and the first kernel is a copy of the OS kernel.

12. The computer of claim 10, wherein the one or more privileged resource requests comprise a request associated with a privileged space of the host environment that is isolated from non-privileged space of the host environment.

13. The computer of claim 12, wherein the PVM is located in the privileged space of the host environment.

14. The computer of claim 10, wherein the memory further stores executable instructions configured to, when executed by the at least one processor, cause the computer to: configure the PVM to modify the one or more privileged resource requests and transmit the one or more privileged resource requests to the second kernel.

15. The computer of claim 10, wherein the memory further stores executable instructions configured to, when executed by the at least one processor, cause the computer to: configure the PVM to create an export table based on a table of rules specified in the second kernel and instructions comprised in the one or more privileged resource requests.

16. The computer of claim 10, wherein the one or more privileged resource requests comprise a request to an isolated application programming interface (API) associated with a privileged driver.

17. The computer of claim 10, wherein the one or more privileged resource requests comprise a blocking call to a resource or a non-blocking call to a resource.

18. A method comprising: instantiating a first kernel in a host environment of a computer, wherein the host environment comprises a second kernel with an export table generated according to operating system rules of the computer, and wherein the host environment comprises a process virtual machine (PVM); configuring the first kernel to transmit one or more non-privileged resource requests received by the first kernel to the PVM; and configuring the first kernel to transmit one or more privileged resource requests received by the first kernel to the second kernel.

19. The method of claim 18, wherein the PVM is located in a privileged space of the host environment.

20. The method of claim 18, further comprising: configuring the PVM to modify the one or more non-privileged resource requests and transmit the one or more non-privileged resource requests to the second kernel.
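The abstract and claims 1, 5 and 6 describe a dispatch structure rather than an algorithm: a shadow copy of the kernel whose export (jump) table sends privileged resource requests to a process virtual machine, which may modify or refuse them before forwarding to the real kernel, while non-privileged requests go straight to the real kernel. The following Python model is an added illustration of that structure and is not code from the patent or from the assignee. Every name in it (the export names, the `PRIVILEGE_RULES` table, the `ProcessVirtualMachine` and `DriverInstance` classes, the denied registry prefix and the driver labels) is constructed for the example; it shows how one rules table yields a per-driver jump table, how the PVM records and rewrites what passes through it, and how two copies of the same driver can share one PVM while each holding its own table.

```python
"""Illustrative model of the shadow-kernel / PVM dispatch described in the patent.

Constructed example: every kernel export, rule and driver name below is invented
for this demonstration and is not taken from the patent or any real OS.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Request = Dict[str, object]
Handler = Callable[[Request], Request]


def make_original_kernel(export_names: List[str]) -> Dict[str, Handler]:
    """Stand-in for the OS kernel's export table (the 'second kernel' of claim 1).
    Each entry just reports that the original kernel served the call."""
    def handler_for(name: str) -> Handler:
        def handler(req: Request) -> Request:
            return {"served_by": "original_kernel", "function": name, "args": req["args"]}
        return handler
    return {name: handler_for(name) for name in export_names}


# Table of rules "specified in the second kernel" (claim 6): which exports count as
# critical/privileged. Names are constructed for this example.
PRIVILEGE_RULES: Dict[str, str] = {
    "map_physical_memory": "privileged",
    "write_registry_key": "privileged",
    "get_system_time": "non-privileged",
    "allocate_pool": "non-privileged",
}


@dataclass
class ProcessVirtualMachine:
    """The PVM: every privileged request passes through here (claims 4 and 5)."""
    original: Dict[str, Handler]
    # Constructed policy: registry writes under this prefix are refused outright.
    denied_prefixes: tuple = ("\\Registry\\Machine\\Security",)
    audit: List[Request] = field(default_factory=list)

    def dispatch(self, req: Request) -> Request:
        self.audit.append(dict(req))  # keep a record of every privileged request
        name = str(req["function"])
        args = tuple(req["args"])  # type: ignore[arg-type]
        if name == "write_registry_key" and str(args[0]).startswith(self.denied_prefixes):
            return {"served_by": "pvm", "function": name, "status": "denied"}
        # Modify the request before forwarding it (claim 5): tag it with the
        # calling driver instance so the real kernel sees who asked.
        modified = dict(req)
        modified["args"] = args + (f"via:{req['driver']}",)
        result = self.original[name](modified)
        result["served_by"] = "pvm->original_kernel"
        return result


def build_shadow_export_table(original: Dict[str, Handler], pvm: ProcessVirtualMachine,
                              rules: Dict[str, str]) -> Dict[str, Handler]:
    """Build the shadow kernel's jump table: privileged entries jump to the PVM,
    non-privileged entries jump straight to the original kernel (claim 1)."""
    table: Dict[str, Handler] = {}
    for name, handler in original.items():
        table[name] = pvm.dispatch if rules.get(name) == "privileged" else handler
    return table


@dataclass
class DriverInstance:
    """A kernel-mode driver loaded against a shadow kernel. Several copies of the
    same driver may be loaded in one session, each bound to its own jump table."""
    name: str
    jump_table: Dict[str, Handler]

    def call(self, function: str, *args: object) -> Request:
        return self.jump_table[function](
            {"driver": self.name, "function": function, "args": args})


def run_demo() -> Dict[str, object]:
    """Load two copies of one driver against the shadow table and exercise each path."""
    kernel = make_original_kernel(list(PRIVILEGE_RULES))
    pvm = ProcessVirtualMachine(original=kernel)
    drv_a = DriverInstance("filter.sys#1", build_shadow_export_table(kernel, pvm, PRIVILEGE_RULES))
    drv_b = DriverInstance("filter.sys#2", build_shadow_export_table(kernel, pvm, PRIVILEGE_RULES))
    return {
        "time": drv_a.call("get_system_time"),                      # non-privileged: direct
        "map": drv_a.call("map_physical_memory", 0x1000),            # privileged: via PVM
        "denied": drv_b.call("write_registry_key",
                             "\\Registry\\Machine\\Security\\Example", b"x"),  # PVM refuses
        "audit_count": len(pvm.audit),
    }


if __name__ == "__main__":
    for label, outcome in run_demo().items():
        print(label, outcome)
```

The point a reviewer of such a design would check is visible in `build_shadow_export_table`: the rules table decides the routing once, at table-creation time, so a driver cannot choose at call time which kernel it reaches, and the PVM's `audit` list is the single place where every privileged call is observable.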

Assignees

Inventors

Classifications

  • Restricted operating environment · CPC title

  • Hypervisors; Virtual machine monitors · CPC title

  • Access rights, e.g. capability lists, access control lists, access tables, access matrices · CPC title

  • Dual mode as a secondary aspect · CPC title

  • in a hierarchical protection system, e.g. privilege levels, memory rings · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US9582302B2 cover?
A computing system is configured to use a trampoline to isolate sensitive code in a virtual environment and in other applications. An import table may describe the entry points of a privileged code module or driver that generates privileged code. A system and method loads a shadow kernel to facilitate isolating the linkage between drivers and the rest of the system. The shadow kernel may be a c…
Who is the assignee on this patent?
Citrix Systems Inc
What technology area does this patent fall under?
Primary CPC classification G06F9/45533. Mapped technology areas include Physics.
When was this patent published?
Publication date Feb 28, 2017 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).