USRE44210E1 - Virtualizing super-user privileges for multiple virtual processes - Google Patents


Info

Publication number
USRE44210E1
Authority
US
United States
Prior art keywords
user
call
operating system
virtual
super
Legal status
Expired - Lifetime
Application number
US12/467,137
Inventor
Xun Wilson Huang
Cristian Estan, Jr.
Srinivasan Keshav
Current Assignee
Alto Dynamics LLC
Original Assignee
Digital Asset Enterprises LLC
Application filed by Digital Asset Enterprises LLC
Priority to US12/467,137
Assigned to ENSIM CORPORATION (assignment of assignors' interest). Assignors: HUANG, XUN WILSON; KESHAV, SRINIVASAN
Assigned to ENSIM CORPORATION (assignment of assignors' interest). Assignors: ESTAN, CRISTIAN
Assigned to DIGITAL ASSET ENTERPRISES, L.L.C. (assignment of assignors' interest). Assignors: ENSIM CORPORATION
Application granted
Publication of USRE44210E1
Assigned to CUFER ASSET LTD. L.L.C. (merger). Assignors: DIGITAL ASSET ENTERPRISES, L.L.C.
Assigned to INTELLECTUAL VENTURES ASSETS 173 LLC (assignment of assignors' interest). Assignors: CUFER ASSET LTD. L.L.C.
Adjusted expiration
Assigned to ALTO DYNAMICS, LLC (assignment of assignors' interest). Assignors: INTELLECTUAL VENTURES ASSETS 173 LLC
Legal status: Expired - Lifetime (current)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46 Multiprogramming arrangements
    • G06F9/468 Specific access rights for resources, e.g. using capability register
    • G06F9/54 Interprogram communication
    • G06F9/545 Interprogram communication where tasks reside in different layers, e.g. user- and kernel-space
    • G06F9/547 Remote procedure calls [RPC]; Web services
    • G06F2209/00 Indexing scheme relating to G06F9/00
    • G06F2209/54 Indexing scheme relating to G06F9/54
    • G06F2209/542 Intercept

Definitions

  • the present invention relates generally to computer operating systems, and more particularly, to techniques for virtualizing super-user privileges in a computer operating system including multiple virtual processes, such as virtual private servers.
  • server technologies are of great commercial importance today.
  • An individual server application typically executes on a single physical host computer, servicing client requests.
  • providing a unique physical host for each server application is expensive and inefficient.
  • ISP: Internet Service Provider
  • a customer purchasing hosting services will often neither require nor be amenable to paying for use of an entire host computer.
  • an individual customer will only require a fraction of the processing power, storage, and other resources of a host computer.
  • each server application would need to be isolated from every other server application running on the same physical host.
  • each server application program needs to be isolated, receiving requests only from its own clients, transmitting data only to its own clients, and being prevented from accessing data associated with other server applications.
  • each server application needs to be a “virtual private server,” simulating a server application executing on a dedicated physical host computer.
  • Resource ownership is typically used to implement access control. For example, a user can generally only kill a process or access a file that he or she owns (or for which permission has been granted by the owner). Thus, if a user attempts, for instance, to kill a process that he or she does not own, the attempt fails and an error is generated.
  • the super-user has access to all system resources and is typically a system administrator or the like. For example, the super-user can open, modify, or delete any system file and can terminate any system process.
  • the super-user is granted special privileges not available to other users.
  • the super-user can open, modify, or delete the files of other users, as well as terminate other users' processes.
  • the super-user can add and delete users, assign and change passwords, and insert modules into the operating system kernel.
  • each virtual process should be allowed to have a system administrator who has many of the privileges of a super-user, e.g., the ability to add and delete users of the virtual process, access files of any user of the virtual process, terminate processes associated with the virtual process, and the like.
  • a super-user of one virtual process could access the files of a user of another virtual process.
  • a super-user of one virtual process could terminate the processes associated with a user of another virtual process.
  • a super-user of one virtual process could obtain exclusive access to all system resources, effectively disabling the other virtual processes.
  • allowing a user of each virtual process full super-user privileges would seriously compromise system security, entirely removing the illusion that the virtual processes are running on dedicated host computers.
  • the present invention relates to virtualizing super-user privileges in a computer operating system including multiple virtual processes.
  • a plurality of virtual super-users are designated, each virtual super-user being associated with a separate virtual process.
  • a virtual super-user may be designated, in one embodiment, by assigning a virtual super-user identifier, which may comprise a super-user identifier and an indication of a virtual process.
  • a virtual super-user may be designated by assigning a regular user identifier and storing that identifier in a virtual super-user list.
  • a system call wrapper intercepts a system call for which actual super-user privileges are required, which is nevertheless desirable for a virtual super-user to perform in the context of his or her own virtual process.
  • the virtual super-user is temporarily granted actual super-user privileges.
  • the system call is then executed as though it were made by a real super-user, after which the actual super-user privileges are withdrawn.
  • a virtual super-user has the power to perform traditional system administrator functions with respect to his or her own virtual process, but is unable to interfere with other virtual processes or the underlying operating system.
  • each virtual process may have a virtual super-user, while preserving the illusion that the virtual processes are running on dedicated host machines.
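The scoping rule described in the summary above, as an added user-space model that is not the patent's code: a virtual super-user identifier combines the super-user id with a VPID (the upper-16-bit encoding from the detailed description is assumed), and a kill() wrapper grants real super-user privilege for one call only, only within the caller's own virtual process, and withdraws it before returning. The PIDs, UIDs and the error value are constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>

#define EPERM_SIM 1   /* constructed stand-in for EPERM */

/* Simulated per-process state: real and effective UID as the kernel sees them. */
typedef struct { uint32_t pid; uint32_t vpid; uint32_t uid; uint32_t euid; int alive; } proc_t;

/* Virtual super-user identifier: super-user id 0 in the low 16 bits plus an
 * indication of the virtual process (its VPID) in the upper 16 bits. */
uint32_t virtual_root_uid(uint32_t vpid) { return vpid << 16; }

static uint32_t vpid_of(uint32_t uid) { return uid >> 16; }

/* A process is the virtual super-user of its own virtual process when its
 * effective UID carries its own VPID over the super-user id. VPID 0 is the
 * real super-user and is deliberately excluded from this path. */
int is_virtual_superuser(const proc_t *p) {
    return vpid_of(p->euid) != 0 && (p->euid & 0xFFFFu) == 0 && vpid_of(p->euid) == p->vpid;
}

/* The unmodified kernel's kill: only the real super-user or the owner succeeds.
 * Note the comparison is on the full 32-bit value, so a virtual super-user
 * of VPID 1 (euid 0x00010000) is just another user to the kernel. */
static int real_kill(proc_t *caller, proc_t *target) {
    if (caller->euid != 0 && caller->euid != target->euid) return -EPERM_SIM;
    target->alive = 0;
    return 0;
}

/* The wrapper: grant actual super-user privilege, scoped to the caller's own
 * virtual process, execute the real call, withdraw the privilege. */
int kill_wrapper(proc_t *caller, proc_t *target) {
    if (!is_virtual_superuser(caller))
        return real_kill(caller, target);       /* ordinary user: normal rules */
    if (target->vpid != caller->vpid)
        return -EPERM_SIM;                     /* never reach into another virtual process or the host */
    uint32_t saved = caller->euid;
    caller->euid = 0;                          /* temporary grant of real super-user privilege */
    int rc = real_kill(caller, target);
    caller->euid = saved;                      /* withdrawn even when the call fails */
    return rc;
}

int main(void) {
    proc_t vroot1 = { 100, 1, virtual_root_uid(1), virtual_root_uid(1), 1 };
    proc_t user1  = { 101, 1, 0x00010005u, 0x00010005u, 1 };   /* VPID 1, virtual UID 5 */
    proc_t user2  = { 201, 2, 0x00020005u, 0x00020005u, 1 };   /* VPID 2, virtual UID 5 */
    proc_t host   = { 1, 0, 0, 0, 1 };                          /* the real system init */
    printf("virtual root of VPID 1 kills its own user: rc=%d\n", kill_wrapper(&vroot1, &user1));
    printf("virtual root of VPID 1 kills VPID 2 user:  rc=%d\n", kill_wrapper(&vroot1, &user2));
    printf("virtual root of VPID 1 kills host process: rc=%d\n", kill_wrapper(&vroot1, &host));
    printf("privilege withdrawn afterwards: %s\n", vroot1.euid == virtual_root_uid(1) ? "yes" : "NO");
    return 0;
}
```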
  • FIG. 1 is a block diagram of a system for associating identifiers with virtual processes
  • FIG. 2 is a virtual process table
  • FIG. 3 is a block diagram of a plurality of virtual processes
  • FIG. 4 is a block diagram of a system for virtualizing resource ownership
  • FIG. 5 is a block diagram of a system for virtualizing resource ownership
  • FIG. 6 is a flowchart of a method for virtualizing resource ownership
  • FIG. 7 is a block diagram of a system for virtualizing resource ownership
  • FIG. 8 is a flowchart of a method for virtualizing resource ownership
  • FIG. 9 is a block diagram of a system for virtualizing resource ownership
  • FIG. 10 is a block diagram of a system for virtualizing resource ownership.
  • FIG. 11 is a block diagram of virtual processes and corresponding virtual super-users
  • FIG. 12 is a block diagram of a system for virtualizing super-user privileges
  • FIG. 13 is a block diagram of a system for virtualizing super-user privileges
  • FIG. 14 is a virtual super-user list
  • FIG. 15 is a flowchart of a method for virtualizing super-user privileges.
  • the present invention relates to virtualizing super-user privileges in a computer operating system including multiple virtual processes.
  • a virtual process is a virtual private server, which simulates a server running on a dedicated host machine.
  • implementing a virtual private server using traditional server technologies has been impossible because, rather than comprising a single, discrete process, a virtual private server must include a plurality of seemingly unrelated processes, each performing various elements of the sum total of the functionality required by a customer. Moreover, isolating virtual private servers from each other presents a number of difficulties related to resource ownership.
  • one aspect of the present invention relates to a system and method for associating identifiers with virtual processes, as described immediately below. Thereafter, a system and method are described for virtualizing resource ownership in a computer operating system including multiple virtual processes. Finally, there is provided a detailed description of a system and method for virtualizing super-user privileges in a computer operating system including multiple virtual processes.
  • FIG. 1 is a high-level schematic block diagram of a system 100 for associating identifiers with virtual processes 101 according to one embodiment of the present invention.
  • a computer memory 102 includes a user address space 103 and an operating system address space 105 .
  • Multiple initialization processes 107 execute in the user address space 103 .
  • Although FIG. 1 illustrates only two initialization processes 107 executing in the user address space 103, those skilled in the art will understand that more than two initialization processes 107 can execute simultaneously within a given computer memory 102.
  • a descendent process 108 is a child process of an initialization process 107 , or a child process thereof, extended to any number of generations of subsequent child processes.
  • Although FIG. 1 illustrates only two descendent processes 108 for each initialization process 107, fewer or more than two descendent processes 108 per initialization process 107 can execute simultaneously within a given computer memory 102.
  • a virtual process table 127 or other suitable data structure for storing associations 129 between executing processes 107 , 108 and virtual processes 101 is inserted into the operating system 117 .
  • other data structures may be used to store associations 129 , one example of which is a linked list.
  • the virtual process table 127 (or other data structure) is dynamically loaded into the operating system kernel 109 while the kernel 109 is active. In another embodiment, the virtual process table 127 is stored in the user address space 103 . The maintenance and use of the virtual process table 127 is discussed in detail below.
  • a virtual process 101 is not an actual process that executes in the computer memory 102 .
  • the term “virtual process” describes a collection of associated functionality.
  • a virtual process 101 is not actually a discrete process, but instead, comprises a plurality of actual processes that together provide the desired functionality, thereby simulating the existence of a single application executing on a dedicated physical host.
  • Each actual process that performs some of the functionality of the application is a part of the virtual process 101 .
  • initialization process 1 and descendent processes 1 and 2 together comprise one virtual process 101
  • initialization process 2 and descendent processes 3 and 4 together comprise another.
  • the virtual process table 127 stores, in one embodiment, an association 129 between a process identifier (PID) 201 and a virtual process identifier (VPID) 203 .
  • the virtual process table 127 may store an association between a PID 201 of initialization process 1 (e.g., 3942 ) and a VPID 203 (e.g., 1 ).
  • an association 129 b may be stored between a PID 201 of descendent process 1 (e.g., 6545 ), and the same VPID 203 (e.g., 1 ).
  • initialization process 1 and descendent process 1 are said to be members of the same virtual process 101 .
  • a separate system initialization process 107 is started for each virtual process 101 .
  • each process executing on a multitasking operating system such as UNIX® is descended from a single system initialization process 107 that is started when the operating system 117 is booted.
  • the system 100 uses techniques described in detail below to start a separate system initialization process 107 for each virtual process 101 .
  • an association 129 between the system initialization process 107 and the virtual process 101 is stored in the virtual process table 127 . All additional processes that are descended from a given initialization process are thus identified with the virtual process 101 associated with that initialization process.
  • a custom initialization process is started.
  • all processes that are members of a specific virtual process 101 are descended from the associated custom initialization process, and are associated with the virtual process 101 with which the custom initialization process is associated.
  • the exact functionality included in the custom initialization process is a design choice that can be made by, for example, a system administrator.
  • System calls 115 that generate child processes are intercepted so that the child processes can be associated with the virtual process 101 with which the parent process is associated.
  • a system call wrapper 111 is used to intercept system calls 115 .
  • the wrapper 111 is dynamically loaded into the operating system kernel 109 while the kernel 109 is active.
  • the system call wrapper 111 is loaded into the user address space 103 .
  • Pointers 114 to the system calls 115 are located in an operating system call vector table 113 .
  • system call vector table denotes an area in the operating system address space 105 in which addresses of system calls are stored. In the UNIX® operating system, this part of the operating system is called the “system call vector table,” and that term is used throughout this description. Other operating systems employ different terminology to denote the same or similar system components.
  • the pointers 114 themselves are sometimes referred to as “system call vectors.”
  • a copy 116 is made of a pointer 114 to each system call 115 to be intercepted.
  • These copies 116 of pointers 114 may be stored in the operating system address space 105 , but in an alternative embodiment, are stored in the user address space 103 .
  • the pointers 114 in the system call vector table 113 to the system calls 115 to be intercepted are replaced with pointers 118 to the system call wrapper 111 , such that when a system call 115 to be intercepted is made, the system call wrapper 111 executes instead.
  • the system call wrapper 111 performs the process of copying, storing, and replacing of pointers.
  • the process of copying, storing, and replacing of pointers is performed by a pointer management module (not shown) executing in either the operating system address space 105 or the user address space 103 , as desired.
  • the pointer management module may either be a stand alone program or a component of a larger application program.
  • only system calls 115 that create child processes need be intercepted, and thus only the pointers 114 to the system calls 115 to be intercepted are replaced with the pointers 118 to the system call wrapper 111.
  • the pointers 114 to the system calls 115 which are not to be intercepted are not replaced.
  • when a system call 115 that is not intercepted is made, the actual system call 115 executes, not the system call wrapper 111.
  • the various initialization processes 107 and descendent processes 108 execute in the user address space 103 under control of the operating system 117 and make system calls 115 .
  • the system call wrapper 111 reads the virtual process table 127 , and determines whether the process that made the system call (the parent of the child process being created) is associated with a virtual process 101 . If so, the system call wrapper 111 uses the saved copy of the pointer 116 to execute the system call 115 , allowing the creation of the child process.
  • the system call wrapper 111 then updates the virtual process table 127 , storing an association 129 between the newly created child process and the virtual process 101 with which the process that made the system call is associated. Thus, all descendent processes 108 are associated with the virtual process 101 with which their parent process is associated.
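The interception and inheritance mechanism of FIG. 1, as an added user-space model that is not the patent's code: a simulated system call vector table, a saved copy of the fork pointer, a wrapper that runs the real call through that copy and then records the child under the parent's virtual process. The kernel, the table size and the PID values are constructed for the demo.

```c
#include <stdio.h>
#include <sys/types.h>

#define MAX_PROCS 64
#define VPID_NONE 0          /* "not a member of any virtual process" */

/* Virtual process table (127): associations (129) between a PID and a VPID. */
typedef struct { pid_t pid; int vpid; } assoc_t;
static assoc_t vp_table[MAX_PROCS];
static int vp_count = 0;

int lookup_vpid(pid_t pid) {
    for (int i = 0; i < vp_count; i++)
        if (vp_table[i].pid == pid) return vp_table[i].vpid;
    return VPID_NONE;
}

static int store_assoc(pid_t pid, int vpid) {
    if (vp_count >= MAX_PROCS) return -1;
    vp_table[vp_count].pid = pid;
    vp_table[vp_count].vpid = vpid;
    vp_count++;
    return 0;
}

/* Simulated system call vector table (113): one pointer (114) per call.
 * Only fork is modelled, since only child-creating calls are intercepted. */
typedef pid_t (*fork_fn)(pid_t caller);
enum { SYS_FORK = 0, SYS_COUNT };
static fork_fn syscall_vector[SYS_COUNT];

/* The real fork: hands out fresh PIDs. */
static pid_t next_pid = 7000;
static pid_t real_fork(pid_t caller) { (void)caller; return next_pid++; }

/* Saved copy (116) of the original pointer. */
static fork_fn saved_fork = NULL;

/* The wrapper (111): executes the real call through the saved copy, then
 * stores the child under the parent's virtual process. */
static pid_t fork_wrapper(pid_t caller) {
    int vpid = lookup_vpid(caller);
    pid_t child = saved_fork(caller);
    if (child > 0 && vpid != VPID_NONE)
        store_assoc(child, vpid);
    return child;
}

/* Copy the pointer, then replace it with a pointer (118) to the wrapper. */
static void install_wrapper(void) {
    saved_fork = syscall_vector[SYS_FORK];
    syscall_vector[SYS_FORK] = fork_wrapper;
}

/* What a process making the call does: dispatch through the vector table. */
static pid_t do_fork(pid_t caller) { return syscall_vector[SYS_FORK](caller); }

/* Manager program (131): start an initialization process (107) for a VPID
 * and record its association before anything descends from it. */
static pid_t start_virtual_process(int vpid) {
    pid_t init_pid = next_pid++;
    store_assoc(init_pid, vpid);
    return init_pid;
}

/* Scenario: two virtual processes, descendants of each, and a caller that
 * belongs to no virtual process. Returns 1 if every descendant carries its
 * ancestor's VPID and the stray caller's child carries none. */
int demo_inheritance(void) {
    vp_count = 0;
    next_pid = 7000;
    syscall_vector[SYS_FORK] = real_fork;     /* the unmodified table */
    install_wrapper();

    pid_t init1 = start_virtual_process(1);   /* PID 7000 */
    pid_t init2 = start_virtual_process(2);   /* PID 7001 */
    pid_t c1 = do_fork(init1);                /* PID 7002, expected VPID 1 */
    pid_t c2 = do_fork(init2);                /* PID 7003, expected VPID 2 */
    pid_t gc2 = do_fork(c2);                  /* PID 7004, expected VPID 2 */
    pid_t stray = do_fork(9999);              /* PID 7005, caller not in the table */

    return lookup_vpid(c1) == 1 && lookup_vpid(c2) == 2 &&
           lookup_vpid(gc2) == 2 && lookup_vpid(stray) == VPID_NONE;
}

int main(void) {
    printf("descendants inherit their virtual process: %s\n",
           demo_inheritance() ? "yes" : "NO");
    return 0;
}
```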
  • the initialization processes 107 are started by a virtual process manager program 131 executing in the user address space 103 .
  • the virtual process manager program 131 modifies the operating system 117 of the computer to include the virtual process table 127 .
  • the manager program 131 loads the virtual process table 127 into the kernel 109 of the operating system 117 while the kernel is active.
  • For each virtual process 101, the manager program 131 starts an initialization process 107 from which all other processes that are part of the virtual process 101 will originate as descendent processes 108. Each time the manager program 131 starts an initialization process 107 for a virtual process 101, the manager program 131 stores, in the virtual process table 127, an association 129 between the initialization process 107 and the appropriate virtual process 101. Subsequently, all additional processes that are part of the virtual process 101 will be originated from the initialization process, and thus associated with the appropriate virtual process 101.
  • the manager program 131 can start a first virtual process 101 .
  • the manager program 131 starts an initialization process 107 for the virtual process 101 , storing an association 129 between the initialization process 107 , and a virtual process identifier for the virtual process 101 . Additional processes that are part of the virtual process 101 originate from the initialization process 107 , and are associated with the virtual process identifier of the virtual process 101 .
  • the manager program 131 can proceed to start a second virtual process 101 by starting a separate initialization process 107 , and associating the second initialization process 107 with a separate virtual process identifier for the second virtual process 101 . Consequently, all of the processes associated with the second virtual process 101 will be associated with the appropriate virtual process identifier. In this manner, multiple virtual processes 101 on the same physical computer are each associated with unique identifiers.
  • the virtual process manager program 131 can be implemented as a modified loader program.
  • a loader program is an operating system utility that is used to execute computer programs that are stored on static media.
  • a loader program loads an executable image from static media into the user address space 103 of the computer memory 102 , and then initiates execution of the loaded image by transferring execution to the first instruction thereof.
  • a modified loader program loads executable images (in this case, initialization processes 107 ) from static media into the user address space 103 . Additionally, the modified loader program stores, in the virtual process table 127 , an association 129 between the initialization process 107 being loaded and the appropriate virtual process 101 . Thus, for each virtual process 101 , an initialization process 107 is loaded by the modified loader program, and an association between the initialization process 107 and the virtual process 101 is stored in the virtual process table 127 . Subsequently, additional processes that are part of the virtual process 101 originate from the associated initialization process 107 , and are thus associated with the virtual process 101 , as described above.
  • the modified loader program loads all processes that are part of each virtual process 101 .
  • the modified loader program also stores, in the virtual process table 127 , an association 129 between the loaded process and the appropriate virtual process 101 .
  • one of the difficulties in providing isolation between virtual processes 101 involves resource ownership.
  • certain system resources such as processes 301 and files 303 , are owned by users or groups of users.
  • Each user is assigned a user identifier (UID) 305 by which the user is identified in the operating system 117 .
  • UID: user identifier
  • GID: group identifier
  • the UID 305 and GID 307 are sometimes referred to herein as “owner identifiers.”
  • Resource ownership is typically used to implement access control. For example, a user can generally only kill a process 301 or access a file 303 that he or she owns (or for which permission has been granted by the owner). Thus, if a user attempts, for instance, to kill a process 301 that he or she does not own, the attempt fails and an error is generated.
  • Each virtual process 101 should be free to assign to an individual or group any UID 305 or GID 307 , respectively. Indeed, some applications require certain processes 301 or files 303 to be associated with a particular UID 305 or GID 307 in order to properly function.
  • one user could execute a “kill -1” command, which terminates all of the processes 301 associated with the user's UID 305.
  • If another user on the same computer has the same UID 305, all of that user's processes 301 will be terminated as well.
  • resource ownership is virtualized to allow a user of one virtual process 101 to appear to have the same UID 305 as a user of another virtual process 101 , although neither user is capable of interfering with the processes 301 or accessing the files 303 of the other.
  • a group of users of one virtual process 101 may appear to share the same GID 307 with a group of users of another virtual process 101 .
  • FIG. 4 illustrates a system 400 for virtualizing resource ownership.
  • a system call wrapper 111 intercepts a system call 115 for setting the UID 305 or GID 307 associated with a resource (such as a process 301 or file 303 ).
  • the setuid( ) and setgid( ) functions are used to associate a UID 305 and GID 307 , respectively, with a calling process 301 .
  • the UNIX® chown( ) function is used to associate a UID 305 or GID 307 with a file 303 .
  • the invention is not restricted to any particular terminology or operating system.
  • a technique for intercepting system calls 115 was described above with reference to FIG. 1 .
  • pointers 114 to the system calls 115 to be intercepted can be copied and then replaced with pointers 118 to a system call wrapper 111 .
  • the system call wrapper 111 is executed instead.
  • the wrapper 111 determines a virtual process 101 corresponding to the calling process 301 .
  • the virtual process 101 is determined, in one implementation, by accessing the virtual process table 127 , as described above, which stores associations 129 between processes 301 (e.g., PID 201 ) and virtual processes 101 (e.g., VPID 203 ).
  • the wrapper 111 modifies the UID 305 specified in the intercepted call 115 .
  • the UID 305 is modified by encoding therein an indication of the virtual process (e.g., VPID 203 ).
  • the UID 305 is a 32 bit word.
  • the UID 305 is divided into two 16 bit portions.
  • the VPID 203 is encoded within the upper 16 bits of the UID 305 , while the lower 16 bits are used to store the original data from the UID 305 .
  • the system call wrapper 111 associates the resource with the modified UID 305 . This may be accomplished, in one embodiment, by executing the system call 115 by the wrapper 111 , specifying the modified UID 305 . In an alternative embodiment, the system call wrapper 111 can include its own code for setting the UID 305 .
  • the resource is associated with the UID 305 specified in the system call 115 . From a standpoint of the operating system 117 , however, the resource is actually associated with the modified UID 305 .
  • FIG. 4 provides an example of the above-described technique.
  • a process 301 having a PID 201 of 3942 attempts to execute the UNIX® setuid( ) system call 115 with a specified UID 305 of 1.
  • the system call wrapper 111 uses the virtual process table 127 to determine the VPID 203 (e.g., 1) associated with the calling process 301 .
  • the VPID 203 is then encoded within UID 305 as described above, resulting in a modified UID 305 having a hexadecimal value of 0x00010001 (65537 in decimal). Accordingly, the calling process 301 is associated with a UID 305 of 65537 rather than the specified UID 305 of 1.
  • a different UID 305 will result from a different VPID 203 .
  • the VPID 203 of the virtual process 101 of FIG. 5 has a value of 3.
  • the resulting modified UID 305 has a hexadecimal value of 0x00030001 (196609 in decimal).
  • the calling process 301 is associated with a UID 305 of 196609 rather than the original UID 305 of 1 or the modified UID 305 of 65537 from the previous example.
  • a method 600 begins in one embodiment by loading 601 a system call wrapper 111 into the operating system 117 . Thereafter, copies are made 603 of pointers 114 to selected system calls 115 to be intercepted (e.g., setuid( ), setgid( ), and chown( )). The pointers 114 are then replaced 605 , in one implementation, by pointers 118 to the system call wrapper 111 . Thus, when one of the selected system calls 115 is made, the system call wrapper 111 is executed instead.
  • a system call 115 for setting the UID 305 of a resource is then intercepted 607 .
  • the system call wrapper 111 determines 609 the virtual process 101 corresponding to the calling process 301 . In one embodiment, this determination is made by referencing the virtual process table 127 , as described above.
  • the system call wrapper 111 encodes 611 an indication of the virtual process 101 (e.g., the VPID 203 ) within the UID 305 .
  • the wrapper 111 then associates 613 the resource with the modified UID 305 . In one implementation, this is accomplished by executing the system call 115 within the wrapper 111 , specifying the modified UID 305 .
  • Another aspect of virtualizing resource ownership involves intercepting system calls 115 for obtaining the UID 305 or GID 307 associated with a system resource.
  • the getuid( ) function returns the UID 305 associated with the calling process 301 .
  • the UNIX® getgid( ) function returns the GID 307 .
  • the UNIX® stat( ) function returns the UID 305 and/or GID 307 associated with a file 303 .
  • the invention is not limited to any particular terminology or operating system 117 .
  • if a system call 115 for obtaining a UID 305 (e.g., getuid( )) were not intercepted, the calling process 301 would receive a “modified” UID 305, such as a UID 305 including an indication of a virtual process 101. From the standpoint of the calling process 301, the UID 305 would be unexpected, with unpredictable results.
  • FIG. 7 illustrates a system 700 for virtualizing resource ownership.
  • After intercepting one of the above-identified system calls 115, the system call wrapper 111 obtains the UID 305 from the standpoint of the operating system 117.
  • the wrapper 111 obtains the UID 305 , in one embodiment, by executing the system call 115 .
  • the wrapper 111 may include its own code for obtaining the UID 305 .
  • the UID 305 obtained by the wrapper 111 includes an indication of the virtual process 101 (e.g., VPID 203 ).
  • the wrapper 111 removes the VPID 203 to restore the original, unmodified UID 305 , as described in greater detail below.
  • a UID 305 in Solaris® is a 32 bit word.
  • the upper 16 bits are used to encode the VPID 203
  • the lower 16 bits are used to store the UID data.
  • UID is the UID 305 and “&” is the logical “AND” operator.
  • the set of bits corresponding to the VPID 203 within the UID 305 is cleared.
  • the encoding of the VPID 203 may vary in alternative embodiments, necessitating a different equation.
  • An example of the above-described process is shown in FIG. 7.
  • a process 301 executes the UNIX® getuid( ) system call 115 , which is intercepted by the system call wrapper 111 .
  • the wrapper 111 obtains the UID 305 (e.g., 0x00010001) associated with the resource by executing, for example, the system call 115 .
  • the upper 16 bits of the UID 305 include an indication of a virtual process 101 (e.g., a VPID 203 of 1).
  • the wrapper 111 then removes the indication of the virtual process 101 by logically ANDing the UID 305 with a value configured to clear the bits associated with the VPID 203 , (e.g., 65535). As a result, a UID 305 of 1 is returned to the calling process 301 , rather than the UID 305 of 65537.
  • a method 800 begins in one embodiment by loading 801 a system call wrapper 111 into the operating system 117 . Thereafter, copies are made 803 of pointers 114 to selected system calls 115 to be intercepted (e.g., getuid( ), getgid( ), and stat ( )). The pointers 114 are then replaced 805 , in one implementation, by pointers 118 to the system call wrapper 111 . Thus, when one of the selected system calls 115 is made, the system call wrapper 111 is executed instead.
  • a system call 115 for obtaining the UID 305 associated with a resource is then intercepted 807 .
  • the system call wrapper 111 obtains 809 the UID 305 associated with the resource.
  • the wrapper 111 obtains the UID 305 by executing the system call 115 .
  • the UID 305 includes, as a consequence of the method 600 of FIG. 6 , an indication of a virtual process 101 (e.g., VPID 203 ).
  • the system call wrapper 111 removes 811 the VPID 203 by logically ANDing the UID 305 with an appropriate value, e.g., 65535.
  • the UID 305 is then returned 813 to the calling process 301 .
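The methods 600 and 800 above, modelled as an added example (this is illustrative code, not the patent's or Ensim's implementation): the wrapper places the VPID in the upper 16 bits on the way in and ANDs with 65535 on the way out. The kernel is a dict-backed stand-in and all PIDs and VPIDs are constructed; the example also shows the isolation property the encoding buys, namely that terminating every process of "UID 1" inside one virtual process cannot reach "UID 1" in another.

```python
VPID_SHIFT = 16
UID_MASK = 0xFFFF     # 65535: the value the wrapper ANDs with when returning a UID
VPID_MASK = 0xFFFF    # a VPID must also fit in the upper 16 bits


def encode_uid(vpid: int, uid: int) -> int:
    """Method 600: store the VPID in the upper 16 bits of a 32-bit UID."""
    if not 0 <= uid <= UID_MASK:
        raise ValueError(f"UID {uid} does not fit in the lower 16 bits")
    if not 1 <= vpid <= VPID_MASK:
        # VPID 0 would leave a UID of 0 unchanged, i.e. a real super-user UID.
        raise ValueError(f"VPID {vpid} out of range")
    return (vpid << VPID_SHIFT) | uid


def decode_uid(real_uid: int) -> int:
    """Method 800: clear the VPID bits so the calling process sees its own UID."""
    return real_uid & UID_MASK


def vpid_of(real_uid: int) -> int:
    """Recover the VPID encoded in a real UID."""
    return real_uid >> VPID_SHIFT


class FakeKernel:
    """Constructed stand-in for the operating system 117 underneath the wrapper."""

    def __init__(self):
        self.process_uid = {}  # pid -> real (encoded) UID

    def setuid(self, pid, uid):
        self.process_uid[pid] = uid

    def getuid(self, pid):
        return self.process_uid[pid]

    def kill_all_of_user(self, uid):
        """Model of kill(-1): terminate every process owned by this real UID."""
        victims = [p for p, u in self.process_uid.items() if u == uid]
        for p in victims:
            del self.process_uid[p]
        return victims


class SyscallWrapper:
    """System call wrapper 111 sitting between processes and the kernel."""

    def __init__(self, kernel, virtual_process_table):
        self.kernel = kernel
        self.vptable = virtual_process_table  # pid -> VPID (virtual process table 127)

    def setuid(self, pid, requested_uid):
        self.kernel.setuid(pid, encode_uid(self.vptable[pid], requested_uid))

    def getuid(self, pid):
        return decode_uid(self.kernel.getuid(pid))

    def kill_all_of_user(self, pid):
        return self.kernel.kill_all_of_user(self.kernel.getuid(pid))


def demo():
    """Constructed scenario: PIDs 1847 and 2001 belong to VPID 1, PID 3942 to VPID 2."""
    kernel = FakeKernel()
    wrapper = SyscallWrapper(kernel, {1847: 1, 2001: 1, 3942: 2})
    for pid in (1847, 2001, 3942):
        wrapper.setuid(pid, 1)            # every virtual process uses UID 1
    real_vp1 = kernel.getuid(1847)        # 0x00010001 == 65537
    real_vp2 = kernel.getuid(3942)        # 0x00020001 == 131073
    killed = wrapper.kill_all_of_user(1847)
    return {
        "real_uid_vp1": real_vp1,
        "real_uid_vp2": real_vp2,
        "visible_uid_vp2": wrapper.getuid(3942),  # 1, as the process expects
        "killed": sorted(killed),                 # only VPID 1's processes
        "survivor_in_vp2": 3942 in kernel.process_uid,
    }
```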
  • FIG. 9 illustrates an alternative system 900 for virtualizing resource ownership.
  • an indication of the virtual process 101 is not encoded within the UID 305 .
  • the system call wrapper 111 selects an alternative UID 901 from a set 903 of available (unused) UIDs 305 .
  • the set 903 may be implemented using any suitable data structure, such as a table or linked list.
  • the alternative UID 901 may be selected using any convenient method, such as selecting the next available UID 305 in the set 903 .
  • the wrapper 111 creates an association 905 in a translation data structure 907 between the UID 305 specified in the call 115 , the alternative UID 901 selected by the wrapper 111 , and an indication of the virtual process 101 (e.g., VPID 203 ), which may be obtained by the wrapper 111 from the virtual process table 127 .
  • the wrapper 111 associates the resource with the alternative UID 901 . This is accomplished, in one embodiment, by executing the system call 115 , specifying the alternative UID 901 .
  • FIG. 9 provides an example of the above-described technique.
  • a process 301 having a PID 201 of 1847 attempts to execute the UNIX® setuid( ) system call 115 with a specified UID 305 of 1.
  • the system call wrapper 111 intercepts the call 115 and uses the virtual process table 127 to determine the virtual process 101 (e.g., VPID 203 ) associated with the calling process 301 .
  • the system call wrapper 111 selects an alternative UID 901 (e.g., 1003) from a set 903 of available UIDs 305 . Thereafter, the wrapper 111 creates an association 905 in the translation data structure 907 between the UID 305 specified in the call 115 (e.g., 1), the alternative UID 901 (e.g., 1003), and the VPID 203 (e.g., 2). Once the translation data structure 907 is updated, the wrapper 111 associates the calling process 301 with the alternative UID 901 by executing, for example, the system call 115 .
  • FIG. 10 illustrates a corresponding system 1000 for intercepting system calls 115 for obtaining the UID 305 or GID 307 associated with a resource.
  • the system call wrapper 111 intercepts the call 115 (e.g., getuid( ), getgid( ), and stat( )).
  • the wrapper 111 determines the virtual process 101 (e.g., VPID 203 ) associated with the calling process 301 using a virtual process table 127 or the like.
  • the system call wrapper 111 then obtains the alternative UID 901 associated with the resource by executing, for example, the system call 115 .
  • the alternative UID 901 is associated with the resource as a consequence of the system 900 illustrated in FIG. 9 .
  • the wrapper 111 accesses the translation data structure 907 , looking up the alternative UID 901 and the VPID 203 .
  • the corresponding UID 305 is retrieved from the translation data structure 907 and returned to the calling process 301 .
  • An example of the above-described process is shown in FIG. 10 .
  • a process 301 executes the getuid( ) function, which is intercepted by the system call wrapper 111 .
  • the wrapper 111 executes the getuid( ) function, which returns an alternative UID 901 of 1003.
  • the wrapper 111 also determines the VPID 203 (e.g., 2) associated with the calling process 301 by accessing the virtual process table 127 .
  • the wrapper 111 then accesses the translation data structure 907 , looking up an alternative UID 901 of 1003 and a VPID 203 of 2. As illustrated, an association 905 exists, revealing a UID 305 of 1, which is subsequently returned to the calling process 301 .
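The alternative-UID scheme of FIGS. 9 and 10, modelled as an added example (illustrative code, not the patent's implementation): instead of encoding the VPID, the wrapper draws an unused real UID from the set 903 and records the association 905 in a translation data structure 907. The kernel, the free-UID pool and all PIDs, UIDs and VPIDs are constructed; the reuse rule for a repeated (VPID, UID) pair and the refusal on an unmapped UID are choices made here, not stated by the page.

```python
class UidPoolExhausted(Exception):
    """Raised when the set 903 of available UIDs is empty."""


class FakeKernel:
    """Constructed stand-in for the operating system: knows only real UIDs."""

    def __init__(self):
        self.process_uid = {}  # pid -> real UID

    def setuid(self, pid, uid):
        self.process_uid[pid] = uid

    def getuid(self, pid):
        return self.process_uid[pid]


class TranslatingWrapper:
    """System call wrapper 111 with a translation data structure 907."""

    def __init__(self, kernel, vptable, available_uids):
        self.kernel = kernel
        self.vptable = vptable                 # pid -> VPID (virtual process table 127)
        self.available = list(available_uids)  # set 903, consumed as "next available"
        self.forward = {}                      # (vpid, requested uid) -> alternative UID
        self.reverse = {}                      # (alternative UID, vpid) -> requested uid

    def setuid(self, pid, requested_uid):
        vpid = self.vptable[pid]
        key = (vpid, requested_uid)
        alt = self.forward.get(key)
        if alt is None:
            # A given (VPID, UID) pair must always map to the same real UID, otherwise
            # two processes of one virtual user would end up with different ownership.
            if not self.available:
                raise UidPoolExhausted("no free UID left in set 903")
            alt = self.available.pop(0)
            self.forward[key] = alt
            self.reverse[(alt, vpid)] = requested_uid  # association 905
        self.kernel.setuid(pid, alt)
        return alt

    def getuid(self, pid):
        vpid = self.vptable[pid]
        alt = self.kernel.getuid(pid)
        if (alt, vpid) not in self.reverse:
            # No association for this VPID: refuse rather than leak a host-level UID
            # into the virtual process.
            raise PermissionError(f"uid {alt} has no mapping in virtual process {vpid}")
        return self.reverse[(alt, vpid)]


def demo():
    """Constructed scenario: PIDs 1847, 2210 in VPID 2; PID 3942 in VPID 1; pool 1003-1005."""
    kernel = FakeKernel()
    w = TranslatingWrapper(kernel, {1847: 2, 2210: 2, 3942: 1}, [1003, 1004, 1005])
    a = w.setuid(1847, 1)  # VPID 2 asks for UID 1 -> alternative 1003
    b = w.setuid(2210, 1)  # same virtual user again -> 1003 reused
    c = w.setuid(3942, 1)  # VPID 1 asks for UID 1 -> distinct alternative 1004
    return {
        "alt_vp2": a, "alt_vp2_again": b, "alt_vp1": c,
        "visible_vp2": w.getuid(1847),   # 1, the UID the process asked for
        "visible_vp1": w.getuid(3942),   # 1 as well, from a different real UID
        "real_uids_distinct": kernel.getuid(1847) != kernel.getuid(3942),
        "free_left": list(w.available),
    }
```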
  • the “super-user” is granted special privileges not available to other users.
  • the super-user can open, modify, or delete the files of other users, as well as terminate other users' processes.
  • the super-user can add and delete users, assign and change passwords, and insert modules into the operating system kernel 109 .
  • each virtual process 101 should be allowed to have a user who is granted super-user-like powers, e.g., the ability to add and delete users of the virtual process 101 , access files 303 of any user of the virtual process 101 , terminate processes 301 associated with the virtual process 101 , and the like.
  • a super-user of one virtual process 101 could access the files 303 of a user of another virtual process 101 .
  • a super-user of one virtual process 101 could terminate the processes 301 associated with a user of another virtual process 101 .
  • a super-user of one virtual process 101 could obtain exclusive access to all system resources, effectively disabling the other virtual processes 101 .
  • granting a user of each virtual process 101 full super-user privileges would seriously compromise system security, entirely removing the illusion that each virtual process 101 is running on a dedicated host computer.
  • the present invention solves the foregoing problems, in one embodiment, by designating a plurality of virtual super-users 1101 , typically one per virtual process 101 .
  • a virtual super-user 1101 has many of the privileges of an actual super-user with respect to his or her own virtual process 101 .
  • a virtual super-user 1101 can add and delete users of the virtual process 101 , access files 303 of any user of the virtual process 101 , terminate processes 301 associated with the virtual process 101 , and the like.
  • a virtual super-user 1101 cannot, for instance, add or delete users of other virtual processes 101 , access the files 303 of users of other virtual processes 101 , or terminate the processes 301 associated with other virtual processes 101 .
  • a virtual super-user 1101 is designated by assigning to a user a virtual super-user identifier (VSUID) 1103 .
  • the VSUID 1103 may be assigned by a virtual super-user designation module 1105 , which generates a VSUID 1103 for each virtual super-user 1101 , as described below.
  • a UID 305 of zero is interpreted by UNIX® and related operating systems as the super-user UID 305 .
  • assigning a UID 305 of zero to each virtual super-user 1101 would result in the problems discussed above, since an actual super-user has unfettered access to all system resources.
  • a VSUID 1103 comprises, in one embodiment, a super-user UID 305 (e.g., 0), which has been encoded with an indication of a virtual process 101 (e.g., VPID 203 ) using the techniques described with reference to FIGS. 5-6 .
  • a UID 305 may be divided, in one implementation, into two 16-bit portions, with the upper 16 bits used to encode a VPID 203 , and the lower 16 bits used to store the original UID 305 .
  • a VPID 203 of 1 is encoded within the upper 16 bits of the VSUID 1103 , resulting in a VSUID 1103 of 0x00010000.
  • a VPID 203 of 2 results in a VSUID 1103 of 0x00020000.
  • a VPID 203 of 3 results in a VSUID 1103 of 0x00030000.
  • the VSUID 1103 may be encoded in various ways without departing from the spirit and scope of the invention.
  • the VSUID 1103 is not a super-user UID 305 , and does not convey any super-user privileges.
  • a VSUID 1103 of 0x00010000 has a decimal value of 65536, clearly not a UID 305 of zero.
  • a virtual super-user 1101 would have all of the limitations of a regular user.
  • system calls 115 are intercepted for performing operations requiring actual super-user privileges, which are nevertheless desirable for a virtual super-user 1101 to perform in the context of his or her own virtual process 101 .
  • system calls 115 are intercepted that operate on files 303 , e.g., open( ), creat( ), link( ), unlink( ), chdir( ), fchdir( ), symlink( ), readlink( ), readdir( ), access( ), rename( ), mkdir( ), rmdir( ), truncate( ), and ftruncate( ).
  • a normal user is typically restricted from opening, deleting, renaming, etc., a file 303 owned by another user.
  • a virtual super-user 1101 should appear, in most respects, to be an actual super-user for operations pertaining to his or her own virtual process 101 .
  • a system call 115 is “made” by a virtual super-user 1101 (i.e., by a process 301 owned by a virtual super-user 1101 ) and pertains to the virtual process 101 of the virtual super-user 1101 , then actual super-user privileges are temporarily granted to the virtual super-user 1101 for purposes of the system call 115 .
  • This may be accomplished, in one embodiment, by executing an appropriate function, e.g., setuid( ), to assign a UID 305 of zero or other designation of super-user privileges to the calling process 301 .
  • the super-user privileges may be withdrawn by executing the same function to restore the VSUID 1103 .
  • Whether the system call 115 was made by a virtual super-user 1101 may be determined by checking whether the owner of the calling process 301 has a VSUID 1103 .
  • the wrapper 111 preferably disallows execution of the system call 115 .
  • the wrapper 111 may generate an error message, indicating a privilege violation.
  • the wrapper 111 may simply allow the system call 115 to proceed without granting actual super-user privileges, resulting in the operating system 117 disallowing execution of the system call 115 , since the VSUID 1103 does not convey actual super-user privileges.
  • Whether the system call 115 pertains to the virtual process 101 of the virtual super-user 1101 may be determined by checking whether the system resource(s) affected by the system call 115 relate to the virtual process 101 of the virtual super-user 1101 . For example, with respect to system calls 115 that affect processes 301 (such as kill( )), the virtual process table 127 may be checked to determine whether the process 301 has an association 129 with the virtual process 101 of the virtual super-user 1101 . Similarly, in one embodiment, each virtual process 101 has a distinct file system, allowing the wrapper 111 to easily determine whether a file 303 referenced by the call 115 is associated with the virtual process 101 of the virtual super-user 1101 .
  • the virtual process 101 (e.g., VPID 203 ) may be determined, in one embodiment, by referencing the virtual process table 127 using the PID 201 of “3942.”
  • the system call wrapper 111 temporarily grants actual super-user privileges to the virtual super-user 1101 .
  • this is accomplished by executing an appropriate system call 1201 (e.g., in UNIX®, the setuid( ) function with a UID 305 of zero).
  • the system call 115 is then executed, after which the wrapper 111 withdraws the actual super-user privileges by executing, for example, an appropriate system call 1203 (e.g., in UNIX®, the setuid( ) function with the original VSUID 1103 of the virtual super-user 1101 ).
  • This approach grants super-user privileges on a call-by-call basis.
  • a virtual super-user 1101 may perform an operation for which actual super-user privileges are required, without granting the virtual super-user 1101 unfettered access to all of the system's resources. This allows each virtual process 101 to have at least one system administrator with limited super-user-like powers, while maintaining the illusion that each virtual process 101 is running on a dedicated host computer.
  • Other system calls 115 that may be intercepted include system calls 115 for terminating a process 301 .
  • the kill( ) system call 115 allows a user to terminate one or more processes 301 .
  • executing the kill( ) system call 115 with a specified process 301 e.g., PID 201
  • Executing the kill( ) system call 115 with an argument of −1 results in the termination of all of the user's processes 301 .
  • An argument of less than −1 results in the termination of all of the processes 301 associated with a group (e.g., GID 307 , where the GID value is equal to the absolute value of the argument).
  • a super-user may terminate any system process 301 .
  • if the super-user specifies a PID 201 , the corresponding process 301 will be terminated.
  • if the super-user specifies a negative GID 307 , the processes 301 belonging to the specified group are terminated. If, however, the super-user specifies an argument of −1, all processes 301 other than those with PID 201 of 0 or 1 are terminated.
  • system call wrapper 111 intercepts system calls 115 for terminating processes 301 (e.g., kill( )).
  • the wrapper 111 proceeds as discussed above with reference to FIG. 12 . In other words, the wrapper 111 grants temporary actual super-user privileges to the calling process 301 and allows execution of the system call 115 .
  • a kill( ) system call 115 with an argument of −1 results only in the termination of processes 301 associated with the virtual process 101 .
  • a kill( −1) system call 115 “pertains” to the virtual process 101 by definition.
  • the system call wrapper 111 iterates through the virtual process table 127 , terminating all processes 301 associated with the virtual process 101 .
  • a kill( −1) system call 115 operates in the manner expected, maintaining the illusion that the virtual process 101 of the virtual super-user 1101 is executing on a dedicated host machine.
  • the wrapper 111 cycles through all of the processes 301 associated with the virtual process 101 of the virtual super-user 1101 and determines whether each such process 301 corresponds to the specified group (e.g., GID 307 ). If so, those processes 301 are terminated in the manner discussed above.
  • a process 301 is associated with a virtual process 1 (e.g., having a VPID 203 of 1).
  • the process 301 is owned by a virtual super-user 1101 by virtue of the VSUID 1103 (e.g., 0x00010000), and pertains to the virtual process 101 by definition.
  • the wrapper 111 grants temporary actual super-user privileges to the calling process 301 by executing the system call 1201 .
  • the wrapper 111 iterates through the virtual process table 127 , identifying each process 301 (e.g., PIDs 3942 and 4400 ) associated with a VPID 203 of 1.
  • System calls 115 (e.g., kill(3942), kill(4400)) are then made to terminate each of the identified processes 301 , after which the actual super-user privileges are withdrawn by executing the system call 1203 .
  • a variety of other system calls 115 may be intercepted within the scope of the invention in order to grant limited super-user privileges to a virtual super-user 1101 .
  • Those skilled in the art will know how to apply the above-described techniques in the context of these other system calls 115 .
  • it is desirable to prevent a virtual super-user 1101 from executing certain system calls 115 altogether.
  • the insmod( ) and rmmod( ) functions allow a super-user to insert modules into, and remove modules from, the operating system kernel 109 . Giving such powers to a virtual super-user 1101 could seriously compromise system security, allowing the virtual super-user 1101 to alter the basic functionality of the operating system 117 .
  • a virtual super-user 1101 is prevented from executing a system call 115 for which actual super-user privileges are required by simply not intercepting the call 115 . Since the VSUID 1103 is not a super-user UID 305 , the operating system 117 will automatically reject an attempt by a virtual super-user 1101 to execute, for example, the insmod( ) call 115 .
  • a virtual super-user 1101 is not designated by assigning a VSUID 1103 , as discussed above. Rather, a virtual super-user 1101 is simply assigned a UID 305 as in the case of other users. Thereafter, the assigned UID 305 is stored in a virtual super-user list 1401 or other suitable data structure, as illustrated in FIG. 14 , together with an indication of the virtual process 101 (e.g., VPID 203 ). Accordingly, when selected system calls 115 are intercepted for which actual super-user privileges are required, a user may be identified as a virtual super-user 1101 by consulting the virtual super-user list 1401 .
  • FIG. 15 summarizes the above-described techniques.
  • a method 1500 for virtualizing super-user privileges has two phases, preparation and operation.
  • the preparation phase begins by loading 1501 a system call wrapper 111 into the operating system 117 . Thereafter, copies are made 1503 of pointers 114 to selected system calls 115 for performing operations for which actual super-user privileges are required, which are nevertheless desirable to be performed by a virtual super-user 1101 with respect to his or her own virtual process 101 (e.g., open( ), kill( ), etc.).
  • the pointers 114 are then replaced 1505 , in one implementation, by pointers 118 to the system call wrapper 111 , so that when one of the selected system calls 115 is made, the system call wrapper 111 is executed instead.
  • a system call 115 is intercepted 1507 by the system call wrapper 111 . Thereafter, the wrapper 111 determines 1509 whether the call 115 was “made” by a virtual super-user 1101 (i.e. by a process 301 owned by a virtual super-user 1101 ). If not, the system call 115 is disallowed 1511 , and the method 1500 ends.
  • a determination 1513 is made whether the call 115 pertains to the virtual process 101 of the virtual super-user 1101 . If not, the call 115 is disallowed, and the method 1500 ends.
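The call-by-call privilege grant of FIGS. 12 and 13 and the decision steps of method 1500, modelled together as one added example (illustrative code, not the patent's or Ensim's implementation). The VSUID layout follows the page (VPID in the upper 16 bits, zero in the lower 16); the kernel, the PIDs, the module name and the audit list are constructed for the example, and the virtual super-user list 1401 is supported as the alternative designation.

```python
from dataclasses import dataclass

ROOT_UID = 0
LOW_MASK = 0xFFFF


@dataclass
class Proc:
    pid: int
    uid: int          # real UID as the kernel sees it; a VSUID for virtual super-users
    alive: bool = True


class FakeKernel:
    """Constructed stand-in for the OS: only UID 0 may act on another user's processes."""
    def __init__(self, procs):
        self.procs = {p.pid: p for p in procs}
        self.modules = []

    def setuid(self, pid, uid):
        self.procs[pid].uid = uid

    def kill(self, caller_pid, target_pid):
        caller, target = self.procs[caller_pid], self.procs[target_pid]
        if caller.uid != ROOT_UID and caller.uid != target.uid:
            raise PermissionError("EPERM")
        target.alive = False

    def insmod(self, caller_pid, name):
        if self.procs[caller_pid].uid != ROOT_UID:
            raise PermissionError("EPERM")
        self.modules.append(name)


def is_virtual_super_user(uid, super_user_list=frozenset()):
    """VSUID (FIG. 11): nonzero UID with zero low 16 bits; or a UID in list 1401 (FIG. 14)."""
    return (uid != ROOT_UID and uid & LOW_MASK == 0) or uid in super_user_list


class PrivilegeWrapper:
    """System call wrapper 111 for calls that need actual super-user privileges."""
    def __init__(self, kernel, vptable, super_user_list=frozenset()):
        self.kernel = kernel
        self.vptable = vptable                   # pid -> VPID (virtual process table 127)
        self.super_user_list = frozenset(super_user_list)
        self.audit = []                          # every temporary grant, for later review

    def _run_as_root(self, caller_pid, op):
        """Call-by-call grant: setuid(0), run the call, then restore the caller's UID."""
        saved = self.kernel.procs[caller_pid].uid
        self.kernel.setuid(caller_pid, ROOT_UID)
        try:
            return op()
        finally:
            self.kernel.setuid(caller_pid, saved)  # withdrawn even if the call fails

    def kill(self, caller_pid, target):
        caller_uid = self.kernel.procs[caller_pid].uid
        if not is_virtual_super_user(caller_uid, self.super_user_list):
            return self.kernel.kill(caller_pid, target)  # ordinary user: kernel rules apply
        vpid = self.vptable[caller_pid]
        if target == -1:
            # kill(-1) pertains to the caller's virtual process by definition: walk the
            # table and select only processes with the same VPID (the caller included).
            targets = [p for p, v in self.vptable.items() if v == vpid]
        elif self.vptable.get(target) == vpid:
            targets = [target]
        else:
            raise PermissionError("target is not in the caller's virtual process")
        self.audit.append(("kill", caller_pid, vpid, tuple(targets)))
        return self._run_as_root(
            caller_pid, lambda: [self.kernel.kill(caller_pid, t) for t in targets])

    def insmod(self, caller_pid, name):
        # Deliberately not intercepted: the VSUID is not UID 0, so the kernel refuses.
        return self.kernel.insmod(caller_pid, name)


def demo():
    """Constructed scenario: VPID 1 = PIDs 3942 (VSUID 0x00010000), 4400; VPID 2 = 5100, 5200."""
    k = FakeKernel([Proc(3942, 0x00010000), Proc(4400, 0x00010005),
                    Proc(5100, 0x00020007), Proc(5200, 0x00020000)])
    w = PrivilegeWrapper(k, {3942: 1, 4400: 1, 5100: 2, 5200: 2})
    r = {}
    w.kill(3942, 4400)                                  # own virtual process: allowed
    r["own_killed"] = not k.procs[4400].alive
    r["vsuid_restored"] = k.procs[3942].uid == 0x00010000
    for key, call in (("cross_vp_refused", lambda: w.kill(3942, 5100)),
                      ("insmod_refused", lambda: w.insmod(3942, "example.ko")),
                      ("plain_user_refused", lambda: w.kill(5100, 5200))):
        try:
            call()
            r[key] = False
        except PermissionError:
            r[key] = True
    w.kill(5200, -1)                                    # touches only VPID 2
    r["vp2_all_dead"] = not (k.procs[5100].alive or k.procs[5200].alive)
    r["vp1_root_alive"] = k.procs[3942].alive
    r["grants_logged"] = len(w.audit)
    return r
```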
  • the present invention offers numerous advantages not available in conventional approaches.
  • super-user privileges are virtualized in an operating system 117 including multiple virtual processes 101 , such that a virtual super-user has the power to perform traditional system administrator functions with respect to his or her own virtual process 101 , but is unable to interfere with other virtual processes 101 or the underlying operating system 117 .
  • each virtual process 101 can have a virtual super-user 1101 , while preserving the illusion that the virtual processes 101 are running on dedicated host machines.

Abstract

Super-user privileges are virtualized by designating a virtual super-user for each of a plurality of virtual processes and intercepting system calls for which actual super-user privileges are required, which are nevertheless desirable for a virtual super-user to perform in the context of his or her own virtual process. In one embodiment, a computer operating system includes multiple virtual processes, such as virtual private servers. Each virtual process can be associated with one or more virtual super-users. When an actual process makes a system call that requires actual super-user privileges, the call is intercepted by a system call wrapper.

Description

CROSS-REFERENCE TO RELATED APPLICATION
This patent application is a reissue application for commonly assigned U.S. Pat. No. 7,219,354, issued from U.S. patent application Ser. No. 09/747,687, filed on May 15, 2007.
BACKGROUND
1. Field of the Invention
The present invention relates generally to computer operating systems, and more particularly, to techniques for virtualizing super-user privileges in a computer operating system including multiple virtual processes, such as virtual private servers.
2. Description of the Background Art
With the popularity and success of the Internet, server technologies are of great commercial importance today. An individual server application typically executes on a single physical host computer, servicing client requests. However, providing a unique physical host for each server application is expensive and inefficient.
For example, commercial hosting services are often provided by an Internet Service Provider (ISP), which generally provides a separate physical host computer for each customer on which to execute a server application. However, a customer purchasing hosting services will often neither require nor be amenable to paying for use of an entire host computer. In general, an individual customer will only require a fraction of the processing power, storage, and other resources of a host computer.
Accordingly, hosting multiple server applications on a single physical computer would be desirable. In order to be commercially viable, however, every server application would need to be isolated from every other server application running on the same physical host. Clearly, it would be unacceptable to customers of an ISP to purchase hosting services, only to have another server application program (perhaps belonging to a competitor) access the customer's data and client requests. Thus, each server application program needs to be isolated, receiving requests only from its own clients, transmitting data only to its own clients, and being prevented from accessing data associated with other server applications.
Furthermore, it is desirable to allocate varying specific levels of system resources to different server applications, depending upon the needs of, and amounts paid by, the various customers of the ISP. In effect, each server application needs to be a “virtual private server,” simulating a server application executing on a dedicated physical host computer.
Such functionality is unavailable on traditional server technology because, rather than comprising a single, discrete process, a virtual private server must include a plurality of seemingly unrelated processes, each performing various elements of the sum total of the functionality required by the customer. Because each virtual private server includes a plurality of processes, it has been impossible using traditional server technology for an ISP to isolate the processes associated with one virtual private server from those processes associated with other virtual private servers.
Accordingly, what is needed is a technique for associating a plurality of processes with a virtual process. What is also needed is a technique for associating an identifier with a virtual process.
One of the difficulties in providing isolation between virtual private servers within a single host computer involves resource ownership. In UNIX® and related operating systems, certain system resources, such as processes and files, are owned by users or groups of users. Each user is assigned a user identifier (UID) by which the user is identified in the operating system. In some cases, a group of users may be assigned a group identifier (GID).
Resource ownership is typically used to implement access control. For example, a user can generally only kill a process or access a file that he or she owns (or for which permission has been granted by the owner). Thus, if a user attempts, for instance, to kill a process that he or she does not own, the attempt fails and an error is generated.
An exception to the above is a special user, known as a “super-” or “root-” user. The super-user has access to all system resources and is typically a system administrator or the like. For example, the super-user can open, modify, or delete any system file and can terminate any system process.
Implementing resource ownership in the context of multiple virtual private servers presents a number of difficulties. Each virtual private server should be free to assign to an individual or group any UID or GID, respectively. Indeed, some applications require certain files or processes to be associated with a particular UID or GID in order to properly function.
Unfortunately, if two users of different virtual private servers share the same UID, one user could potentially kill the other user's processes and read, modify, or delete the other user's files. The same possibility is true for two groups sharing the same GID.
For example, one user could execute a “kill −1” command, which terminates all of the processes associated with the user's UID. Unfortunately, if another user on the same computer shares the same UID, all of that user's processes will be terminated as well. Clearly, this is unacceptable in the context of a virtual private server, where each server should appear to be running on a dedicated host machine.
Accordingly, what is needed is a technique for virtualizing resource ownership in a computer operating system including multiple virtual private servers. Indeed, what is needed is a technique for allowing a virtual private server to assign any UID or GID to a user or group, without creating an unacceptable security risk or removing the appearance that the virtual private server is running on a dedicated host.
As noted above, in UNIX® and related operating systems, the super-user is granted special privileges not available to other users. For example, the super-user can open, modify, or delete the files of other users, as well as terminate other users' processes. Indeed, the super-user can add and delete users, assign and change passwords, and insert modules into the operating system kernel.
Implementing super-user privileges in a computer operating system including multiple virtual processes presents numerous difficulties. For example, each virtual process should be allowed to have a system administrator who has many of the privileges of a super-user, e.g., the ability to add and delete users of the virtual process, access files of any user of the virtual process, terminate processes associated with the virtual process, and the like.
However, if a user of each virtual process were given full super-user privileges, a super-user of one virtual process could access the files of a user of another virtual process. Similarly, a super-user of one virtual process could terminate the processes associated with a user of another virtual process. Indeed, a super-user of one virtual process could obtain exclusive access to all system resources, effectively disabling the other virtual processes. Clearly, allowing a user of each virtual process full super-user privileges would seriously compromise system security, entirely removing the illusion that the virtual processes are running on dedicated host computers.
Accordingly, what is needed is a technique for virtualizing super-user privileges in a computer operating system including multiple virtual processes. Moreover, what is needed is a technique for virtualizing super-user privileges, such that a virtual super-user has the power to perform traditional system administrator functions with respect to his or her own virtual process, but is unable to interfere with other virtual processes or the underlying operating system.
SUMMARY OF THE INVENTION
The present invention relates to virtualizing super-user privileges in a computer operating system including multiple virtual processes. In one aspect of the invention, a plurality of virtual super-users are designated, each virtual super-user being associated with a separate virtual process. A virtual super-user may be designated, in one embodiment, by assigning a virtual super-user identifier, which may comprise a super-user identifier and an indication of a virtual process. In an alternative embodiment, a virtual super-user may be designated by assigning a regular user identifier and storing that identifier in a virtual super-user list.
In another aspect of the invention, a system call wrapper intercepts a system call for which actual super-user privileges are required, which is nevertheless desirable for a virtual super-user to perform in the context of his or her own virtual process. In response to a determination that the intercepted system call was made by a virtual super-user and pertains to the virtual process of the virtual super-user, the virtual super-user is temporarily granted actual super-user privileges. The system call is then executed as though it were made by a real super-user, after which the actual super-user privileges are withdrawn.
Thus, a virtual super-user has the power to perform traditional system administrator functions with respect to his or her own virtual process, but is unable to interfere with other virtual processes or the underlying operating system. Moreover, each virtual process may have a virtual super-user, while preserving the illusion that the virtual processes are running on dedicated host machines.
The features and advantages described in this summary and the following detailed description are not all-inclusive, and particularly, many additional features and advantages will be apparent to one of ordinary skill in the art in view of the drawings, specification, and claims hereof. Moreover, it should be noted that the language used in the specification has been principally selected for readability and instructional purposes, and may not have been selected to delineate or circumscribe the inventive subject matter, resort to the claims being necessary to determine such inventive subject matter.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a block diagram of a system for associating identifiers with virtual processes;
FIG. 2 is a virtual process table;
FIG. 3 is a block diagram of a plurality of virtual processes;
FIG. 4 is a block diagram of a system for virtualizing resource ownership;
FIG. 5 is a block diagram of a system for virtualizing resource ownership;
FIG. 6 is a flowchart of a method for virtualizing resource ownership;
FIG. 7 is a block diagram of a system for virtualizing resource ownership;
FIG. 8 is a flowchart of a method for virtualizing resource ownership;
FIG. 9 is a block diagram of a system for virtualizing resource ownership;
FIG. 10 is a block diagram of a system for virtualizing resource ownership;
FIG. 11 is a block diagram of virtual processes and corresponding virtual super-users;
FIG. 12 is a block diagram of a system for virtualizing super-user privileges;
FIG. 13 is a block diagram of a system for virtualizing super-user privileges;
FIG. 14 is a virtual super-user list; and
FIG. 15 is a flowchart of a method for virtualizing super-user privileges.
The Figures depict embodiments of the present invention for purposes of illustration only. Those skilled in the art will readily recognize from the following discussion that alternative embodiments of the illustrated structures and methods may be employed without departing from the principles of the invention described herein.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
The present invention relates to virtualizing super-user privileges in a computer operating system including multiple virtual processes. One example of a virtual process is a virtual private server, which simulates a server running on a dedicated host machine.
As previously noted, implementing a virtual private server using traditional server technologies has been impossible because, rather than comprising a single, discrete process, a virtual private server must include a plurality of seemingly unrelated processes, each performing various elements of the sum total of the functionality required by a customer. Moreover, isolating virtual private servers from each other presents a number of difficulties related to resource ownership.
Accordingly, one aspect of the present invention relates to a system and method for associating identifiers with virtual processes, as described immediately below. Thereafter, a system and method are described for virtualizing resource ownership in a computer operating system including multiple virtual processes. Finally, there is provided a detailed description of a system and method for virtualizing super-user privileges in a computer operating system including multiple virtual processes.
I. Associating Identifiers with Virtual Processes
FIG. 1 is a high-level schematic block diagram of a system 100 for associating identifiers with virtual processes 101 according to one embodiment of the present invention. A computer memory 102 includes a user address space 103 and an operating system address space 105. Multiple initialization processes 107 execute in the user address space 103. Although FIG. 1 illustrates only two initialization processes 107 executing in the user address space 103, those skilled in the art will understand that more than two initialization processes 107 can execute simultaneously within a given computer memory 102.
Also executing in the user address space 103 are one or more descendent processes 108 originating from the initialization processes 107. A descendent process 108 is a child process of an initialization process 107, or a child process thereof, extended to any number of generations of subsequent child processes. Although FIG. 1 illustrates only two descendent processes 108 for each initialization process 107, fewer or more than two descendent processes 108 per initialization process 107 can execute simultaneously within a given computer memory 102.
In one embodiment, a virtual process table 127 or other suitable data structure for storing associations 129 between executing processes 107, 108 and virtual processes 101 is inserted into the operating system 117. Of course, other data structures may be used to store associations 129, one example of which is a linked list.
In various embodiments, the virtual process table 127 (or other data structure) is dynamically loaded into the operating system kernel 109 while the kernel 109 is active. In another embodiment, the virtual process table 127 is stored in the user address space 103. The maintenance and use of the virtual process table 127 is discussed in detail below.
Those skilled in the art will recognize that a virtual process 101 is not an actual process that executes in the computer memory 102. Instead, the term “virtual process” describes a collection of associated functionality. For example, a virtual process 101 is not actually a discrete process, but instead, comprises a plurality of actual processes that together provide the desired functionality, thereby simulating the existence of a single application executing on a dedicated physical host. Each actual process that performs some of the functionality of the application is a part of the virtual process 101. As shown in FIG. 1, for example, initialization process 1 and descendent processes 1 and 2 together comprise one virtual process 101, whereas initialization process 2 and descendent processes 3 and 4 together comprise another.
As illustrated in FIG. 2, the virtual process table 127 stores, in one embodiment, an association 129 between a process identifier (PID) 201 and a virtual process identifier (VPID) 203. For example, the virtual process table 127 may store an association between a PID 201 of initialization process 1 (e.g., 3942) and a VPID 203 (e.g., 1). Likewise, an association 129b may be stored between a PID 201 of descendent process 1 (e.g., 6545), and the same VPID 203 (e.g., 1). Thus, initialization process 1 and descendent process 1 are said to be members of the same virtual process 101.
In order to associate a specific identifier with each actual process that is a member of a virtual process 101, a separate system initialization process 107 is started for each virtual process 101. Normally, each process executing on a multitasking operating system such as UNIX® is descended from a single system initialization process 107 that is started when the operating system 117 is booted. However, the system 100 uses techniques described in detail below to start a separate system initialization process 107 for each virtual process 101. When each system initialization process 107 is started, an association 129 between the system initialization process 107 and the virtual process 101 is stored in the virtual process table 127. All additional processes that are descended from a given initialization process are thus identified with the virtual process 101 associated with that initialization process.
In one embodiment, rather than starting a separate system initialization process 107 for each virtual process 101, a custom initialization process is started. In this embodiment, all processes that are members of a specific virtual process 101 are descended from the associated custom initialization process, and are associated with the virtual process 101 with which the custom initialization process is associated. The exact functionality included in the custom initialization process is a design choice that can be made by, for example, a system administrator.
System calls 115 that generate child processes (e.g., the UNIX® fork( ) and clone( ) functions) are intercepted so that the child processes can be associated with the virtual process 101 with which the parent process is associated. In one embodiment, a system call wrapper 111 is used to intercept system calls 115. In one embodiment, the wrapper 111 is dynamically loaded into the operating system kernel 109 while the kernel 109 is active. In another embodiment, the system call wrapper 111 is loaded into the user address space 103.
Pointers 114 to the system calls 115 are located in an operating system call vector table 113. Those skilled in the art will recognize that the term “system call vector table,” as used herein, denotes an area in the operating system address space 105 in which addresses of system calls are stored. In the UNIX® operating system, this part of the operating system is called the “system call vector table,” and that term is used throughout this description. Other operating systems employ different terminology to denote the same or similar system components. The pointers 114, themselves, are sometimes referred to as “system call vectors.”
A copy 116 is made of a pointer 114 to each system call 115 to be intercepted. These copies 116 of pointers 114 may be stored in the operating system address space 105, but in an alternative embodiment, are stored in the user address space 103. Once the copies 116 have been made and saved, the pointers 114 in the system call vector table 113 to the system calls 115 to be intercepted are replaced with pointers 118 to the system call wrapper 111, such that when a system call 115 to be intercepted is made, the system call wrapper 111 executes instead.
In one embodiment, the system call wrapper 111 performs the process of copying, storing, and replacing of pointers. In other embodiments, the process of copying, storing, and replacing of pointers is performed by a pointer management module (not shown) executing in either the operating system address space 105 or the user address space 103, as desired. The pointer management module may either be a stand-alone program or a component of a larger application program.
By intercepting a system call 115, alternative code is executed. The steps of inserting a system call wrapper 111 into the operating system 117, making a copy 116 of an operating system pointer 114 to a system call 115, and replacing the operating system pointer 114 with a pointer 118 to the system call wrapper 111 facilitate interception of a system call 115. When a system call 115 to be intercepted is made, the operating system 117 uses the pointer 118 in the system call vector table 113 to the system call wrapper 111 to execute the system call wrapper 111.
In one embodiment, only the system calls 115 that create child processes need be intercepted, and thus only the pointers 114 to the system calls 115 to be intercepted are replaced with the pointers 118 to the system call wrapper 111. The pointers 114 to the system calls 115 which are not to be intercepted are not replaced. Thus, when a non-intercepted system call 115 is made, the actual system call 115 executes, not the system call wrapper 111.
The various initialization processes 107 and descendent processes 108 execute in the user address space 103 under control of the operating system 117 and make system calls 115. When a process makes a system call 115 that creates a child process, the system call wrapper 111 reads the virtual process table 127, and determines whether the process that made the system call (the parent of the child process being created) is associated with a virtual process 101. If so, the system call wrapper 111 uses the saved copy of the pointer 116 to execute the system call 115, allowing the creation of the child process.
The system call wrapper 111 then updates the virtual process table 127, storing an association 129 between the newly created child process and the virtual process 101 with which the process that made the system call is associated. Thus, all descendent processes 108 are associated with the virtual process 101 with which their parent process is associated.
In one embodiment, the initialization processes 107 are started by a virtual process manager program 131 executing in the user address space 103. The virtual process manager program 131 modifies the operating system 117 of the computer to include the virtual process table 127. In one embodiment, the manager program 131 loads the virtual process table 127 into the kernel 109 of the operating system 117 while the kernel is active.
For each virtual process 101, the manager program 131 starts an initialization process 107 from which all other processes that are part of the virtual process 101 will originate as descendent processes 108. Each time the manager program 131 starts an initialization process 107 for a virtual process 101, the manager program 131 stores, in the virtual process table 127, an association 129 between the initialization process 107 and the appropriate virtual process 101. Subsequently, all additional processes that are part of the virtual process 101 will be originated from the initialization process, and thus associated with the appropriate virtual process 101.
For example, in this embodiment, the manager program 131 can start a first virtual process 101. To do so, the manager program 131 starts an initialization process 107 for the virtual process 101, storing an association 129 between the initialization process 107, and a virtual process identifier for the virtual process 101. Additional processes that are part of the virtual process 101 originate from the initialization process 107, and are associated with the virtual process identifier of the virtual process 101. The manager program 131 can proceed to start a second virtual process 101 by starting a separate initialization process 107, and associating the second initialization process 107 with a separate virtual process identifier for the second virtual process 101. Consequently, all of the processes associated with the second virtual process 101 will be associated with the appropriate virtual process identifier. In this manner, multiple virtual processes 101 on the same physical computer are each associated with unique identifiers.
In an alternative embodiment, the virtual process manager program 131 can be implemented as a modified loader program. A loader program is an operating system utility that is used to execute computer programs that are stored on static media. Typically, a loader program loads an executable image from static media into the user address space 103 of the computer memory 102, and then initiates execution of the loaded image by transferring execution to the first instruction thereof.
Like a standard loader program, a modified loader program loads executable images (in this case, initialization processes 107) from static media into the user address space 103. Additionally, the modified loader program stores, in the virtual process table 127, an association 129 between the initialization process 107 being loaded and the appropriate virtual process 101. Thus, for each virtual process 101, an initialization process 107 is loaded by the modified loader program, and an association between the initialization process 107 and the virtual process 101 is stored in the virtual process table 127. Subsequently, additional processes that are part of the virtual process 101 originate from the associated initialization process 107, and are thus associated with the virtual process 101, as described above.
In another embodiment, the modified loader program loads all processes that are part of each virtual process 101. In that embodiment, whenever the modified loader program loads a process, the modified loader program also stores, in the virtual process table 127, an association 129 between the loaded process and the appropriate virtual process 101.
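The interception and bookkeeping of Section I, as an added C simulation that is not part of the patent: a mock system call vector table of function pointers, a saved copy of the fork vector, a wrapper installed in its place, and a virtual process table the wrapper keeps current. The table layout, the function names and the PID values are constructed for illustration; nothing here touches a real kernel.

```c
#include <stdio.h>

#define SYS_FORK 0          /* index of fork() in the mock vector table (constructed) */
#define MAX_PROCS 64
#define NO_VPID (-1)        /* process is not a member of any virtual process */

typedef int (*syscall_fn)(int caller_pid);

static int next_pid = 4000;             /* constructed PID counter */
static syscall_fn vector_table[1];      /* mock "system call vector table" 113 */
static syscall_fn saved_fork;           /* copy 116 of the original pointer */

/* Virtual process table 127: associations 129 between a PID and a VPID. */
struct vp_assoc { int pid; int vpid; };
static struct vp_assoc vp_table[MAX_PROCS];
static int vp_count;

int vp_lookup(int pid) {
    for (int i = 0; i < vp_count; i++)
        if (vp_table[i].pid == pid) return vp_table[i].vpid;
    return NO_VPID;
}

static int vp_store(int pid, int vpid) {
    if (vp_count >= MAX_PROCS) return -1;
    vp_table[vp_count].pid = pid;
    vp_table[vp_count].vpid = vpid;
    vp_count++;
    return 0;
}

/* The "real" fork: allocates a fresh PID for the child. */
static int real_fork(int caller_pid) {
    (void)caller_pid;
    return next_pid++;
}

/* System call wrapper 111: looks up the parent, runs the real call through the
 * saved pointer, then records the child under the parent's virtual process.
 * Processes outside any virtual process fork normally and stay unassociated. */
static int fork_wrapper(int caller_pid) {
    int vpid = vp_lookup(caller_pid);
    int child = saved_fork(caller_pid);
    if (child > 0 && vpid != NO_VPID)
        vp_store(child, vpid);
    return child;
}

/* Copy the pointer 114, then replace it with the pointer 118 to the wrapper. */
void install_wrapper(void) {
    vector_table[SYS_FORK] = real_fork;     /* state before interception */
    saved_fork = vector_table[SYS_FORK];
    vector_table[SYS_FORK] = fork_wrapper;
}

/* Virtual process manager 131: start a separate initialization process 107
 * for a virtual process and store its association in the table. */
int start_virtual_process(int vpid) {
    int init_pid = next_pid++;
    vp_store(init_pid, vpid);
    return init_pid;
}

/* A process making the fork call is dispatched through the vector table, so
 * after install_wrapper() it reaches fork_wrapper rather than real_fork. */
int do_fork(int caller_pid) {
    return vector_table[SYS_FORK](caller_pid);
}

int main(void) {
    install_wrapper();
    int init1 = start_virtual_process(1);
    int init2 = start_virtual_process(2);
    int d1 = do_fork(init1);
    int d2 = do_fork(d1);          /* grandchild of init1 stays in VPID 1 */
    int d3 = do_fork(init2);
    printf("pid %d -> vpid %d\n", d2, vp_lookup(d2));
    printf("pid %d -> vpid %d\n", d3, vp_lookup(d3));
    return 0;
}
```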
II. Virtualizing Resource Ownership
As illustrated in FIG. 3, one of the difficulties in providing isolation between virtual processes 101 (e.g., virtual private servers) within a single host system 300 involves resource ownership. In UNIX® and related operating systems 117, certain system resources, such as processes 301 and files 303, are owned by users or groups of users. Each user is assigned a user identifier (UID) 305 by which the user is identified in the operating system 117. In some cases, a group of users may be assigned a group identifier (GID) 307. The UID 305 and GID 307 are sometimes referred to herein as “owner identifiers.”
Resource ownership is typically used to implement access control. For example, a user can generally only kill a process 301 or access a file 303 that he or she owns (or for which permission has been granted by the owner). Thus, if a user attempts, for instance, to kill a process 301 that he or she does not own, the attempt fails and an error is generated.
A difficulty arises, however, in implementing resource ownership for multiple virtual processes 101 running on the same host system 300. Each virtual process 101 should be free to assign to an individual or group any UID 305 or GID 307, respectively. Indeed, some applications require certain processes 301 or files 303 to be associated with a particular UID 305 or GID 307 in order to properly function.
However, if two users of different virtual processes 101 share the same UID 305, those users could potentially kill each other's processes 301 and read, modify, or delete each other's files 303. The same is true for two groups sharing the same GID 307.
For instance, one user could execute a “kill -1” command, which terminates all of the processes 301 associated with the user's UID 305. Unfortunately, if another user on the same computer has the same UID 305, all of that user's processes 301 will be terminated as well. Clearly, this poses an unacceptable security risk and removes the appearance that the virtual process 101 is running on a dedicated physical host.
In accordance with the present invention, resource ownership is virtualized to allow a user of one virtual process 101 to appear to have the same UID 305 as a user of another virtual process 101, although neither user is capable of interfering with the processes 301 or accessing the files 303 of the other. Likewise, in accordance with the present invention, a group of users of one virtual process 101 may appear to share the same GID 307 with a group of users of another virtual process 101.
FIG. 4 illustrates a system 400 for virtualizing resource ownership. In one embodiment, a system call wrapper 111 intercepts a system call 115 for setting the UID 305 or GID 307 associated with a resource (such as a process 301 or file 303). In the case of UNIX®, for instance, the setuid( ) and setgid( ) functions are used to associate a UID 305 and GID 307, respectively, with a calling process 301. Similarly, the UNIX® chown( ) function is used to associate a UID 305 or GID 307 with a file 303. Of course, the invention is not restricted to any particular terminology or operating system.
A technique for intercepting system calls 115 was described above with reference to FIG. 1. As noted, pointers 114 to the system calls 115 to be intercepted can be copied and then replaced with pointers 118 to a system call wrapper 111. Thus, when the calls 115 are made, the system call wrapper 111 is executed instead.
For clarity, the following description often refers simply to the UID 305. However, the techniques and structures disclosed herein may also be used for system calls 115 involving GIDs 307, e.g., the UNIX® setgid( ) and chown( ) functions.
After the system call 115 is intercepted, the wrapper 111 determines a virtual process 101 corresponding to the calling process 301. The virtual process 101 is determined, in one implementation, by accessing the virtual process table 127, as described above, which stores associations 129 between processes 301 (e.g., PID 201) and virtual processes 101 (e.g., VPID 203).
Next, the wrapper 111 modifies the UID 305 specified in the intercepted call 115. In one implementation, the UID 305 is modified by encoding therein an indication of the virtual process (e.g., VPID 203). For instance, in the case of Solaris®, a version of UNIX®, the UID 305 is a 32 bit word. In one embodiment, the UID 305 is divided into two 16 bit portions. As described in detail below, the VPID 203 is encoded within the upper 16 bits of the UID 305, while the lower 16 bits are used to store the original data from the UID 305.
In the illustrated embodiment, the VPID 203 is encoded within UID 305 according to the equation:
UID=VPID<<16|UID  Eq. 1
where UID is the UID 305, VPID is the VPID 203 (from the table 127), and “<<” and “|” are the left shift and logical “OR” operators, respectively. In other words, the VPID 203 is left shifted 16 bits and then logically ORed with the UID 305.
Those skilled in the art will recognize that the above-described technique limits the number of unique UIDs 305 and virtual processes 101 to 65536, respectively. In alternative embodiments, however, the relative location and/or number of bits allocated to the VPID 203 within the UID 305 may vary, resulting in different limitations.
After the UID 305 is modified, the system call wrapper 111 associates the resource with the modified UID 305. This may be accomplished, in one embodiment, by executing the system call 115 by the wrapper 111, specifying the modified UID 305. In an alternative embodiment, the system call wrapper 111 can include its own code for setting the UID 305.
Consequently, from a standpoint of the calling process 301, the resource is associated with the UID 305 specified in the system call 115. From a standpoint of the operating system 117, however, the resource is actually associated with the modified UID 305.
FIG. 4 provides an example of the above-described technique. Suppose that a process 301 having a PID 201 of 3942 attempts to execute the UNIX® setuid( ) system call 115 with a specified UID 305 of 1. As shown, the system call wrapper 111 uses the virtual process table 127 to determine the VPID 203 (e.g., 1) associated with the calling process 301. The VPID 203 is then encoded within UID 305 as described above, resulting in a modified UID 305 having a hexadecimal value of 0x00010001 (65537 in decimal). Accordingly, the calling process 301 is associated with a UID 305 of 65537 rather than the specified UID 305 of 1.
As shown in FIG. 5, a different UID 305 will result from a different VPID 203. For instance, suppose that the VPID 203 of the virtual process 101 of FIG. 5 has a value of 3. Applying the above-described equation, the resulting modified UID 305 has a hexadecimal value of 0x00030001 (196609 in decimal). Accordingly, the calling process 301 is associated with a UID 305 of 196609 rather than the original UID 305 of 1 or the modified UID 305 of 65537 from the previous example.
The above-described technique for virtualizing resource ownership is summarized in FIG. 6. A method 600 begins in one embodiment by loading 601 a system call wrapper 111 into the operating system 117. Thereafter, copies are made 603 of pointers 114 to selected system calls 115 to be intercepted (e.g., setuid( ), setgid( ), and chown( )). The pointers 114 are then replaced 605, in one implementation, by pointers 118 to the system call wrapper 111. Thus, when one of the selected system calls 115 is made, the system call wrapper 111 is executed instead.
A system call 115 for setting the UID 305 of a resource is then intercepted 607. Next, the system call wrapper 111 determines 609 the virtual process 101 corresponding to the calling process 301. In one embodiment, this determination is made by referencing the virtual process table 127, as described above.
After the virtual process 101 is determined, the system call wrapper 111 encodes 611 an indication of the virtual process 101 (e.g., the VPID 203) within the UID 305. The wrapper 111 then associates 613 the resource with the modified UID 305. In one implementation, this is accomplished by executing the system call 115 within the wrapper 111, specifying the modified UID 305.
Another aspect of virtualizing resource ownership involves intercepting system calls 115 for obtaining the UID 305 or GID 307 associated with a system resource. In the case of UNIX®, the getuid( ) function returns the UID 305 associated with the calling process 301. Similarly, the UNIX® getgid( ) function returns the GID 307. Additionally, the UNIX® stat( ) function returns the UID 305 and/or GID 307 associated with a file 303. Of course, the invention is not limited to any particular terminology or operating system 117.
Consequently, if a system call 115 for obtaining a UID 305 (e.g., getuid( )) were allowed to execute without modification, the calling process 301 would receive a “modified” UID 305, such as a UID 305 including an indication of a virtual process 101. From the standpoint of the calling process 301, the UID 305 would be unexpected, with unpredictable results.
Thus, FIG. 7 illustrates a system 700 for virtualizing resource ownership. After intercepting one of the above-identified system calls 115, the system call wrapper 111 obtains the UID 305 from the standpoint of the operating system 117. The wrapper 111 obtains the UID 305, in one embodiment, by executing the system call 115. In alternative embodiments, the wrapper 111 may include its own code for obtaining the UID 305.
In one embodiment, the UID 305 obtained by the wrapper 111 includes an indication of the virtual process 101 (e.g., VPID 203). Thus, the wrapper 111 removes the VPID 203 to restore the original, unmodified UID 305, as described in greater detail below.
As previously explained, a UID 305 in Solaris® is a 32 bit word. In one implementation, the upper 16 bits are used to encode the VPID 203, while the lower 16 bits are used to store the UID data. Thus, the VPID 203 may be removed from the UID 305 by applying the equation:
UID=0x0000FFFF & UID  Eq. 2
where UID is the UID 305 and “&” is the logical “AND” operator. In other words, the set of bits corresponding to the VPID 203 within the UID 305 are cleared. Of course, the encoding of the VPID 203 may vary in alternative embodiments, necessitating a different equation.
An example of the above-described process is shown in FIG. 7. Suppose that a process 301 executes the UNIX® getuid( ) system call 115, which is intercepted by the system call wrapper 111. The wrapper 111 obtains the UID 305 (e.g., 0x00010001) associated with the resource by executing, for example, the system call 115. As illustrated, the upper 16 bits of the UID 305 include an indication of a virtual process 101 (e.g., a VPID 203 of 1).
The wrapper 111 then removes the indication of the virtual process 101 by logically ANDing the UID 305 with a value configured to clear the bits associated with the VPID 203, (e.g., 65535). As a result, a UID 305 of 1 is returned to the calling process 301, rather than the UID 305 of 65537.
The above-described technique for virtualizing resource ownership is summarized in FIG. 8. A method 800 begins in one embodiment by loading 801 a system call wrapper 111 into the operating system 117. Thereafter, copies are made 803 of pointers 114 to selected system calls 115 to be intercepted (e.g., getuid( ), getgid( ), and stat( )). The pointers 114 are then replaced 805, in one implementation, by pointers 118 to the system call wrapper 111. Thus, when one of the selected system calls 115 is made, the system call wrapper 111 is executed instead.
A system call 115 for obtaining the UID 305 associated with a resource is then intercepted 807. Next, the system call wrapper 111 obtains 809 the UID 305 associated with the resource. In one embodiment, the wrapper 111 obtains the UID 305 by executing the system call 115. As noted, the UID 305 includes, as a consequence of the method 600 of FIG. 6, an indication of a virtual process 101 (e.g., VPID 203).
After the UID 305 is obtained, the system call wrapper 111 removes 811 the VPID 203 by logically ANDing the UID 305 with an appropriate value, e.g., 65535. The UID 305 is then returned 813 to the calling process 301.
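Eq. 1 and Eq. 2 carried through in C, as an added example that is not the patent's code: the setuid( ) path encodes the VPID into the upper 16 bits, the getuid( ) path clears them again, and the worked values of FIGS. 4, 5 and 7 are reproduced. The function names, the range check (rejecting a UID or VPID that does not fit in 16 bits, since Eq. 1 uses OR and an oversized UID would spill into the VPID field) and the `struct vproc` stand-in for a process are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

#define VPID_SHIFT 16
#define UID_MASK   0x0000FFFFu
#define UID_LIMIT  65536u      /* 2^16 distinct UIDs and 2^16 virtual processes */

/* A value fits the 16-bit field reserved for it. */
static int fits16(uint32_t v) { return v < UID_LIMIT; }

/* Eq. 1: UID = VPID << 16 | UID. Callers must validate both operands first;
 * an out-of-range UID would set bits in the VPID field and an out-of-range
 * VPID would be silently truncated, mixing two virtual processes' ownership. */
uint32_t encode_vpid(uint32_t vpid, uint32_t uid) {
    return (vpid << VPID_SHIFT) | uid;
}

/* Eq. 2: UID = 0x0000FFFF & UID, clearing the VPID field. */
uint32_t strip_vpid(uint32_t modified_uid) {
    return modified_uid & UID_MASK;
}

/* The VPID field, which the getuid() wrapper discards. */
uint32_t vpid_of(uint32_t modified_uid) {
    return modified_uid >> VPID_SHIFT;
}

/* Stand-in for a process; kernel_uid is the UID as the operating system sees it. */
struct vproc { uint32_t kernel_uid; };
static struct vproc demo_proc;   /* constructed instance for the example below */

/* setuid() wrapper: encode the caller's VPID into the requested UID, then
 * associate the process with the modified value. Returns -1 (and leaves the
 * process unchanged) when either operand does not fit its 16-bit field. */
int setuid_wrapper(struct vproc *p, uint32_t vpid, uint32_t requested_uid) {
    if (!fits16(vpid) || !fits16(requested_uid)) return -1;
    p->kernel_uid = encode_vpid(vpid, requested_uid);
    return 0;
}

/* getuid() wrapper: return the UID the calling process expects to see. */
uint32_t getuid_wrapper(const struct vproc *p) {
    return strip_vpid(p->kernel_uid);
}

int main(void) {
    setuid_wrapper(&demo_proc, 1, 1);      /* FIG. 4: VPID 1, UID 1 */
    printf("kernel sees 0x%08X (%u), process sees %u\n",
           demo_proc.kernel_uid, demo_proc.kernel_uid, getuid_wrapper(&demo_proc));
    setuid_wrapper(&demo_proc, 3, 1);      /* FIG. 5: VPID 3, UID 1 */
    printf("kernel sees 0x%08X (%u), process sees %u\n",
           demo_proc.kernel_uid, demo_proc.kernel_uid, getuid_wrapper(&demo_proc));
    return 0;
}
```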
FIG. 9 illustrates an alternative system 900 for virtualizing resource ownership. In an alternative embodiment, an indication of the virtual process 101 is not encoded within the UID 305. Rather, after a system call 115 for setting a UID 305 is intercepted, the system call wrapper 111 selects an alternative UID 901 from a set 903 of available (unused) UIDs 305. The set 903 may be implemented using any suitable data structure, such as a table or linked list. The alternative UID 901 may be selected using any convenient method, such as selecting the next available UID 305 in the set 903.
Once the alternative UID 901 is selected, the wrapper 111 creates an association 905 in a translation data structure 907 between the UID 305 specified in the call 115, the alternative UID 901 selected by the wrapper 111, and an indication of the virtual process 101 (e.g., VPID 203), which may be obtained by the wrapper 111 from the virtual process table 127.
After the translation data structure 907 is updated, the wrapper 111 associates the resource with the alternative UID 901. This is accomplished, in one embodiment, by executing the system call 115, specifying the alternative UID 901.
FIG. 9 provides an example of the above-described technique. Suppose that a process 301 having a PID 201 of 1847 attempts to execute the UNIX® setuid( ) system call 115 with a specified UID 305 of 1. As illustrated, the system call wrapper 111 intercepts the call 115 and uses the virtual process table 127 to determine the virtual process 101 (e.g., VPID 203) associated with the calling process 301.
The system call wrapper 111 then selects an alternative UID 901 (e.g., 1003) from a set 903 of available UIDs 305. Thereafter, the wrapper 111 creates an association 905 in the translation data structure 907 between the UID 305 specified in the call 115 (e.g., 1), the alternative UID 901 (e.g., 1003), and the VPID 203 (e.g., 2). Once the translation data structure 907 is updated, the wrapper 111 associates the calling process 301 with the alternative UID 901 by executing, for example, the system call 115.
FIG. 10 illustrates a corresponding system 1000 for intercepting system calls 115 for obtaining the UID 305 or GID 307 associated with a resource. Initially, the system call wrapper 111 intercepts the call 115 (e.g., getuid( ), getgid( ), and stat( )). Thereafter, the wrapper 111 determines the virtual process 101 (e.g., VPID 203) associated with the calling process 301 using a virtual process table 127 or the like.
The system call wrapper 111 then obtains the alternative UID 901 associated with the resource by executing, for example, the system call 115. As described above, the alternative UID 901 is associated with the resource as a consequence of the system 900 illustrated in FIG. 9.
After the alternative UID 901 is obtained, the wrapper 111 accesses the translation data structure 907, looking up the alternative UID 901 and the VPID 203. When an association 905 is found, the corresponding UID 305 is retrieved from the translation data structure 907 and returned to the calling process 301.
An example of the above-described process is shown in FIG. 10. Suppose that a process 301 executes the getuid( ) function, which is intercepted by the system call wrapper 111. In one embodiment, the wrapper 111 executes the getuid( ) function, which returns an alternative UID 901 of 1003. The wrapper 111 also determines the VPID 203 (e.g., 2) associated with the calling process 301 by accessing the virtual process table 127.
The wrapper 111 then accesses the translation data structure 907, looking up an alternative UID 901 of 1003 and a VPID 203 of 2. As illustrated, an association 905 exists, revealing a UID 305 of 1, which is subsequently returned to the calling process 301.
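The translation-table alternative of FIGS. 9 and 10 in C, as an added example that is not the patent's code: the wrapper hands out an unused alternative UID from a pool, records (specified UID, alternative UID, VPID) in a translation structure, and the getuid( ) path reverses the lookup. The pool contents (chosen so the first allocation reproduces FIG. 9's 1003), the reuse of an existing association for a repeated request, and the function names are assumptions.

```c
#include <stdio.h>

#define POOL_SIZE 4
#define MAX_ASSOC 16
#define NO_UID (-1)           /* no alternative UID available, or no association found */

/* Set 903 of available UIDs, constructed for the example. */
static int free_uids[POOL_SIZE] = {1003, 1004, 1005, 1006};
static int next_free;         /* index of the next unused pool entry */

/* Translation data structure 907: one association 905 per entry. */
struct translation { int spec_uid; int alt_uid; int vpid; };
static struct translation table[MAX_ASSOC];
static int table_len;

/* setuid() path: map (VPID, specified UID) to an alternative UID. A repeated
 * request from the same virtual process reuses its association, so one
 * logical user always maps to one kernel UID; otherwise the next free UID is
 * taken. Returns the UID the wrapper should pass to the real call. */
int virtual_setuid(int vpid, int spec_uid) {
    for (int i = 0; i < table_len; i++)
        if (table[i].vpid == vpid && table[i].spec_uid == spec_uid)
            return table[i].alt_uid;
    if (next_free >= POOL_SIZE || table_len >= MAX_ASSOC)
        return NO_UID;        /* pool exhausted: the call must fail, not share a UID */
    int alt = free_uids[next_free++];
    table[table_len++] = (struct translation){spec_uid, alt, vpid};
    return alt;
}

/* getuid() path: the operating system reports alt_uid; look it up together
 * with the caller's VPID and return the UID the virtual process expects. A
 * lookup under a different VPID finds nothing, so one virtual process never
 * learns another's mapping. */
int virtual_getuid(int vpid, int alt_uid) {
    for (int i = 0; i < table_len; i++)
        if (table[i].vpid == vpid && table[i].alt_uid == alt_uid)
            return table[i].spec_uid;
    return NO_UID;
}

int main(void) {
    int a = virtual_setuid(2, 1);   /* FIG. 9: VPID 2 asks for UID 1 */
    int b = virtual_setuid(3, 1);   /* another virtual process asks for UID 1 */
    printf("VPID 2 / UID 1 -> %d, VPID 3 / UID 1 -> %d\n", a, b);
    printf("VPID 2 sees %d for alternative UID %d\n", virtual_getuid(2, a), a);
    return 0;
}
```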
III. Virtualizing Super-User Privileges
As noted above, in UNIX® and related operating systems, the “super-user” is granted special privileges not available to other users. For example, the super-user can open, modify, or delete the files of other users, as well as terminate other users' processes. Indeed, the super-user can add and delete users, assign and change passwords, and insert modules into the operating system kernel 109.
Implementing super-user privileges in an operating system 117 including multiple virtual processes 101 presents numerous challenges. For example, each virtual process 101 should be allowed to have a user who is granted super-user-like powers, e.g., the ability to add and delete users of the virtual process 101, access files 303 of any user of the virtual process 101, terminate processes 301 associated with the virtual process 101, and the like.
However, if a user of each virtual process 101 were given full super-user privileges, a super-user of one virtual process 101 could access the files 303 of a user of another virtual process 101. Similarly, a super-user of one virtual process 101 could terminate the processes 301 associated with a user of another virtual process 101. Indeed, a super-user of one virtual process 101 could obtain exclusive access to all system resources, effectively disabling the other virtual processes 101. Clearly, granting a user of each virtual process 101 full super-user privileges would seriously compromise system security, entirely removing the illusion that each virtual process 101 is running on a dedicated host computer.
As illustrated in FIG. 11, the present invention solves the foregoing problems, in one embodiment, by designating a plurality of virtual super-users 1101, typically one per virtual process 101. A virtual super-user 1101 has many of the privileges of an actual super-user with respect to his or her own virtual process 101. For example, a virtual super-user 1101 can add and delete users of the virtual process 101, access files 303 of any user of the virtual process 101, terminate processes 301 associated with the virtual process 101, and the like. However, a virtual super-user 1101 cannot, for instance, add or delete users of other virtual processes 101, access the files 303 of users of other virtual processes 101, or terminate the processes 301 associated with other virtual processes 101.
In one embodiment, a virtual super-user 1101 is designated by assigning to a user a virtual super-user identifier (VSUID) 1103. The VSUID 1103 may be assigned by a virtual super-user designation module 1105, which generates a VSUID 1103 for each virtual super-user 1101, as described below.
A UID 305 of zero is interpreted by UNIX® and related operating systems as the super-user UID 305. However, assigning a UID 305 of zero to each virtual super-user 1101 would result in the problems discussed above, since an actual super-user has unfettered access to all system resources.
Accordingly, a VSUID 1103 comprises, in one embodiment, a super-user UID 305 (e.g., 0), which has been encoded with an indication of a virtual process 101 (e.g., VPID 203) using the techniques described with reference to FIGS. 5-6. As explained above, a UID 305 may be divided, in one implementation, into two 16 bit portions, with the upper 16 bits used to encode a VPID 203, and the lower 16 bits used to store the original UID 305.
For instance, as shown in FIG. 11, a VPID 203 of 1 is encoded within the upper 16 bits of the VSUID 1103, resulting in a VSUID 1103 of 0x00010000. Likewise, a VPID 203 of 2 results in a VSUID 1103 of 0x00020000. Finally, a VPID 203 of 3 results in a VSUID 1103 of 0x00030000. Of course, those skilled in the art will recognize that the VSUID 1103 may be encoded in various ways without departing from the spirit and scope of the invention.
From the standpoint of the operating system 117, however, the VSUID 1103 is not a super-user UID 305, and does not convey any super-user privileges. For example, a VSUID 1103 of 0x00010000 has a decimal value of 65536, clearly not a UID 305 of zero. Thus, without more, a virtual super-user 1101 would have all of the limitations of a regular user.
Consequently, as shown in FIG. 12, selected system calls 115 are intercepted for performing operations requiring actual super-user privileges, which are nevertheless desirable for a virtual super-user 1101 to perform in the context of his or her own virtual process 101. For example, system calls 115 are intercepted that operate on files 303, e.g., open( ), creat( ), link( ), unlink( ), chdir( ), fchdir( ), symlink( ), readlink( ), readdir( ), access( ), rename( ), mkdir( ), rmdir( ), truncate( ), and ftruncate( ). Of course, those skilled in the art will recognize that the invention is not limited to any particular operating system 117 or terminology.
As noted above, a normal user is typically restricted from opening, deleting, renaming, etc., a file 303 owned by another user. However, a virtual super-user 1101 should appear, in most respects, to be an actual super-user for operations pertaining to his or her own virtual process 101.
Thus, in one embodiment, if a system call 115 is “made” by a virtual super-user 1101 (i.e., by a process 301 owned by a virtual super-user 1101) and pertains to the virtual process 101 of the virtual super-user 1101, then actual super-user privileges are temporarily granted to the virtual super-user 1101 for purposes of the system call 115. This may be accomplished, in one embodiment, by executing an appropriate function, e.g., setuid( ), to assign a UID 305 of zero or other designation of super-user privileges to the calling process 301. After the system call 115 is executed, the super-user privileges may be withdrawn by executing the same function to restore the VSUID 1103.
Whether the system call 115 was made by a virtual super-user 1101 may be determined by checking whether the owner of the calling process 301 has a VSUID 1103. Of course, if the system call 115 was not made by a virtual super-user 1101, the wrapper 111 preferably disallows execution of the system call 115. For instance, the wrapper 111 may generate an error message, indicating a privilege violation. Alternatively, the wrapper 111 may simply allow the system call 115 to proceed without granting actual super-user privileges, resulting in the operating system 117 disallowing execution of the system call 115, since the VSUID 1103 does not convey actual super-user privileges.
Whether the system call 115 pertains to the virtual process 101 of the virtual super-user 1101 may be determined by checking whether the system resource(s) affected by the system call 115 relate to the virtual process 101 of the virtual super-user 1101. For example, with respect to system calls 115 that affect processes 301 (such as kill( )), the virtual process table 127 may be checked to determine whether the process 301 has an association 129 with the virtual process 101 of the virtual super-user 1101. Similarly, in one embodiment, each virtual process 101 has a distinct file system, allowing the wrapper 111 to easily determine whether a file 303 referenced by the call 115 is associated with the virtual process 101 of the virtual super-user 1101.
As shown in FIG. 12, suppose that a process 301 owned by a virtual super-user 1101 attempts to execute the open( ) system call 115 in order to open another user's file 303, which is nevertheless associated with the virtual process 101 of the virtual super-user 1101. The virtual process 101 (e.g., VPID 203) may be determined, in one embodiment, by referencing the virtual process table 127 using the PID 201 of “3942.”
Since the file 303 pertains to the virtual process 101 of the virtual super-user 1101, the system call wrapper 111 temporarily grants actual super-user privileges to the virtual super-user 1101. In the illustrated embodiment, this is accomplished by executing an appropriate system call 1201 (e.g., in UNIX®, the setuid( ) function with a UID 305 of zero). The system call 115 is then executed, after which the wrapper 111 withdraws the actual super-user privileges by executing, for example, an appropriate system call 1203 (e.g., in UNIX®, the setuid( ) function with the original VSUID 1103 of the virtual super-user 1101). This approach grants super-user privileges on a call-by-call basis.
Thus, a virtual super-user 1101 may perform an operation for which actual super-user privileges are required, without granting the virtual super-user 1101 unfettered access to all of the system's resources. This allows each virtual process 101 to have at least one system administrator with limited super-user-like powers, while maintaining the illusion that each virtual process 101 is running on a dedicated host computer.
Other system calls 115 that may be intercepted include system calls 115 for terminating a process 301. In UNIX®, the kill( ) system call 115 allows a user to terminate one or more processes 301. For example, executing the kill( ) system call 115 with a specified process 301 (e.g., PID 201) terminates that process 301. Executing the kill( ) system call 115 with an argument of −1 results in the termination of all of the user's processes 301. An argument of less than −1 results in the termination of all of the processes 301 associated with a group (e.g., GID 307, where the GID value is equal to the absolute value of the argument).
As noted above, a super-user may terminate any system process 301. Thus, if the super-user specifies a PID 201, the corresponding process 301 will be terminated. Likewise, if the super-user specifies a negative GID 307, the processes 301 belonging to the specified group are terminated. If, however, the super-user specifies an argument of −1, all processes 301 other than those with PID 201 of 0 or 1 are terminated.
In one embodiment, it is desirable for a virtual super-user 1101 to be able to terminate processes 301 associated with his or her virtual process 101. Accordingly, the system call wrapper 111 intercepts system calls 115 for terminating processes 301 (e.g., kill( )).
Where a virtual super-user 1101 attempts to terminate a specific process 301 associated with his or her virtual process 101, the wrapper 111 proceeds as discussed above with reference to FIG. 12. In other words, the wrapper 111 grants temporary actual super-user privileges to the calling process 301 and allows execution of the system call 115.
However, as shown in FIG. 13, where the system call 115 specifies a negative parameter, the wrapper 111 proceeds differently. Since the powers of virtual super-user 1101 should be limited to his or her virtual process 101, a kill( ) system call 115 with an argument of −1 results only in the termination of processes 301 associated with the virtual process 101. Thus, in one embodiment, a kill(−1) system call 115 “pertains” to the virtual process 101 by definition.
In one embodiment, the system call wrapper 111 iterates through the virtual process table 127, terminating all processes 301 associated with the virtual process 101. Thus, a kill(−1) system call 115 operates in the manner expected, maintaining the illusion that the virtual process 101 of the virtual super-user 1101 is executing on a dedicated host machine.
Likewise, in the case of an argument of less than −1, denoting a GID 307, the wrapper 111 cycles through all of the processes 301 associated with the virtual process 101 of the virtual super-user 1101 and determines whether each such process 301 corresponds to the specified group (e.g., GID 307). If so, those processes 301 are terminated in the manner discussed above.
As an example, as shown in FIG. 13, suppose that a process 301 is associated with a virtual process 1 (e.g., having a VPID 203 of 1). The process 301 is owned by a virtual super-user 1101 by virtue of the VSUID 1103 (e.g., 0x00010000), and pertains to the virtual process 101 by definition. Accordingly, the wrapper 111 grants temporary actual super-user privileges to the calling process 301 by executing the system call 1201.
Thereafter, the wrapper 111 iterates through the virtual process table 127, identifying each process 301 (e.g., PIDs 3942 and 4400) associated with a VPID 203 of 1. System calls 115 (e.g., kill(3942), kill(4400)) are then made to terminate each of the identified processes 301, after which the actual super-user privileges are withdrawn by executing the system call 1203.
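As an added example (not code from the patent or from its assignee), the following C program simulates the wrapper's decisions for the open( ) case of FIG. 12 and the kill( ) cases of FIG. 13, using the 16-bit VSUID layout of FIG. 11. The virtual process table, the per-virtual-process file tags, the kernel's ownership check and the setuid( ) grant/withdraw are all simulated in-process with constructed data (the PIDs, UIDs, GIDs and paths are made up), so it runs unprivileged.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define VPID_SHIFT 16
#define SUPER_UID  0u

/* VSUID layout from FIG. 11: VPID in the upper 16 bits, super-user UID 0 in
 * the lower 16 bits, so a virtual super-user is never UID 0 to the kernel. */
static uint32_t make_vsuid(uint16_t vpid) { return ((uint32_t)vpid << VPID_SHIFT) | SUPER_UID; }
static int is_vsuid(uint32_t uid) { return uid != SUPER_UID && (uid & 0xFFFFu) == SUPER_UID; }
static uint16_t vpid_of(uint32_t id) { return (uint16_t)(id >> VPID_SHIFT); }

/* Constructed virtual process table (the patent's table 127): one row per
 * actual process with its VPID association. */
struct vproc { int pid; uint16_t vpid; uint32_t uid; uint32_t gid; int alive; };
static struct vproc vtable[] = {
    {3942, 1, 0x00010000u, 100, 1},   /* virtual super-user of VPID 1 */
    {4400, 1, 1001u,       100, 1},
    {5120, 1, 1002u,       200, 1},
    {6001, 2, 0x00020000u, 100, 1},   /* virtual super-user of VPID 2 */
    {6002, 2, 2001u,       100, 1},
};
#define NPROCS (sizeof vtable / sizeof vtable[0])

static struct vproc *lookup(int pid) {
    for (size_t i = 0; i < NPROCS; i++)
        if (vtable[i].pid == pid) return &vtable[i];
    return NULL;
}

/* Constructed per-virtual-process file system: each file is tagged with the
 * VPID it belongs to, which is how the wrapper decides whether a call "pertains". */
struct vfile { const char *path; uint16_t vpid; uint32_t owner; };
static const struct vfile files[] = {
    {"/vps1/home/alice/notes", 1, 1001u},
    {"/vps2/home/bob/notes",   2, 2001u},
};

/* Simulated effective UID of the calling process. The wrapper changes it the
 * way it would use setuid(): 0 to grant, the saved VSUID to withdraw. */
static uint32_t euid;

/* Simulated kernel checks: only UID 0 or the owner may act on a resource. */
static int kernel_open(const struct vfile *f) { return (euid == SUPER_UID || euid == f->owner) ? 0 : -1; }
static int kernel_kill(struct vproc *p) {
    if (!p->alive || (euid != SUPER_UID && euid != p->uid)) return -1;
    p->alive = 0;
    return 0;
}

/* Wrapped open(): 0 on success, -1 if disallowed (FIG. 12). */
static int wrapped_open(int caller_pid, const char *path) {
    struct vproc *c = lookup(caller_pid);
    const struct vfile *f = NULL;
    for (size_t i = 0; i < sizeof files / sizeof files[0]; i++)
        if (strcmp(files[i].path, path) == 0) f = &files[i];
    if (!c || !f) return -1;
    euid = c->uid;
    if (!is_vsuid(c->uid)) return kernel_open(f);     /* regular user: kernel decides */
    if (vpid_of(c->uid) != f->vpid) return -1;         /* other virtual process: disallow */
    euid = SUPER_UID;                                  /* grant (system call 1201) */
    int rc = kernel_open(f);
    euid = c->uid;                                     /* withdraw (system call 1203) */
    return rc;
}

/* Wrapped kill(): number of processes terminated, -1 if disallowed (FIG. 13). arg > 0 names
 * a PID; -1 means every process of the caller's VPID; arg < -1 means those of it in group -arg. */
static int wrapped_kill(int caller_pid, int arg) {
    struct vproc *c = lookup(caller_pid);
    if (!c || !is_vsuid(c->uid) || arg == 0) return -1; /* kill(0) is not covered by the text */
    uint16_t vp = vpid_of(c->uid);
    int killed = 0;
    if (arg > 0) {
        struct vproc *t = lookup(arg);
        if (!t || t->vpid != vp) return -1;            /* does not pertain: disallow */
        euid = SUPER_UID;
        if (kernel_kill(t) == 0) killed = 1;
        euid = c->uid;
        return killed;
    }
    euid = SUPER_UID;                                  /* grant for the duration of the call */
    for (size_t i = 0; i < NPROCS; i++) {              /* iterate table 127 for this VPID only */
        if (vtable[i].vpid != vp) continue;
        if (arg < -1 && vtable[i].gid != (uint32_t)(-arg)) continue;
        if (kernel_kill(&vtable[i]) == 0) killed++;
    }
    euid = c->uid;                                     /* withdraw */
    return killed;
}

int main(void) {
    printf("VSUID for VPID 1: 0x%08x (%u)\n", make_vsuid(1), make_vsuid(1));
    printf("VPID 1 admin opens VPID 1 file: %d\n", wrapped_open(3942, "/vps1/home/alice/notes"));
    printf("VPID 1 admin opens VPID 2 file: %d\n", wrapped_open(3942, "/vps2/home/bob/notes"));
    printf("VPID 2 admin kill(-1) terminates %d processes\n", wrapped_kill(6001, -1));
    return 0;
}
```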
A variety of other system calls 115 may be intercepted within the scope of the invention in order to grant limited super-user privileges to a virtual super-user 1101. Those skilled in the art will know how to apply the above-described techniques in the context of these other system calls 115.
In some instances, it is desirable to prevent a virtual super-user 1101 from executing certain system calls 115 altogether. For example, in UNIX®, the insmod( ) and rmmod( ) functions allow a super-user to insert modules into, and remove modules from, the operating system kernel 109. Giving such powers to a virtual super-user 1101 could seriously compromise system security, allowing the virtual super-user 1101 to alter the basic functionality of the operating system 117.
In one embodiment, a virtual super-user 1101 is prevented from executing a system call 115 for which actual super-user privileges are required by simply not intercepting the call 115. Since the VSUID 1103 is not a super-user UID 305, the operating system 117 will automatically reject an attempt by a virtual super-user 1101 to execute, for example, the insmod( ) call 115.
In an alternative embodiment of the invention, a virtual super-user 1101 is not designated by assigning a VSUID 1103, as discussed above. Rather, a virtual super-user 1101 is simply assigned a UID 305 as in the case of other users. Thereafter, the assigned UID 305 is stored in a virtual super-user list 1401 or other suitable data structure, as illustrated in FIG. 14, together with an indication of the virtual process 101 (e.g., VPID 203). Accordingly, when selected system calls 115 are intercepted for which actual super-user privileges are required, a user may be identified as a virtual super-user 1101 by consulting the virtual super-user list 1401.
Since virtual super-users 1101 in this embodiment are given regular UIDs 305, the possibility of conflicts between virtual processes 101 arises. However, such conflicts may be resolved using the techniques described in FIGS. 9-10, i.e., intercepting system calls 115 for setting a UID 305 of a resource and assigning an alternative UID 901. Thus, virtual super-users 1101 of different virtual processes 101 may appear to share the same UID 305 without conflict.
FIG. 15 summarizes the above-described techniques. A method 1500 for virtualizing super-user privileges has two phases, preparation and operation. The preparation phase begins by loading 1501 a system call wrapper 111 into the operating system 117. Thereafter, copies are made 1503 of pointers 114 to selected system calls 115 for performing operations for which actual super-user privileges are required, which are nevertheless desirable to be performed by a virtual super-user 1101 with respect to his or her own virtual process 101 (e.g., open( ), kill( ), etc.). The pointers 114 are then replaced 1505, in one implementation, by pointers 118 to the system call wrapper 111. Thus, when one of the selected system calls 115 is made, the system call wrapper 111 is executed instead.
During the operation phase, a system call 115 is intercepted 1507 by the system call wrapper 111. Thereafter, the wrapper 111 determines 1509 whether the call 115 was “made” by a virtual super-user 1101 (i.e., by a process 301 owned by a virtual super-user 1101). If not, the system call 115 is disallowed 1511, and the method 1500 ends.
If, however, the call 115 was made by a virtual super-user 1101, a determination 1513 is made whether the call 115 pertains to the virtual process 101 of the virtual super-user 1101. If not, the call 115 is disallowed, and the method 1500 ends.
If, however, the call 115 pertains to the virtual process 101 of the virtual super-user 1101, actual super-user privileges are granted to the virtual super-user, after which the system call 115 is executed 1517. Finally, the actual super-user privileges are withdrawn 1519, and the method 1500 ends.
In view of the foregoing, the present invention offers numerous advantages not available in conventional approaches. For example, super-user privileges are virtualized in an operating system 117 including multiple virtual processes 101, such that a virtual super-user has the power to perform traditional system administrator functions with respect to his or her own virtual process 101, but is unable to interfere with other virtual processes 101 or the underlying operating system 117. Thus, each virtual process 101 can have a virtual super-user 1101, while preserving the illusion that the virtual processes 101 are running on dedicated host machines.
As will be understood by those familiar with the art, the invention may be embodied in other specific forms without departing from the spirit or essential characteristics thereof. Likewise, the particular naming of the modules, features, attributes or any other aspect is not mandatory or significant, and the mechanisms that implement the invention or its features may have different names or formats. Accordingly, the disclosure of the present invention is intended to be illustrative, but not limiting, of the scope of the invention, which is set forth in the following claims.

Claims (14)

We claim:
1. A computer-implemented method for virtualizing super-user privileges in a computer operating system including multiple virtual private servers, the method comprising:
associating a user with a first virtual private server, the first virtual private server comprising a first plurality of actual processes executing within the same operating system as a second plurality of actual processes comprising a second virtual private server;
designating the user as a virtual super-user;
intercepting a call to the operating system for which actual super-user privileges are required, the call made by a process located in the operating system, the process owned by the user, wherein intercepting the call to the operating system comprises:
loading a system call wrapper;
saving a pointer to the call to the operating system, wherein the pointer to the call to the operating system comprises a system call vector; and
replacing the pointer to the call to the operating system with a pointer to the system call wrapper, such that the system call wrapper is executed when the call to the operating system is invoked; and
in response to the intercepted call to the operating system pertaining to the first virtual private server:
granting actual super-user privileges to the user; and
allowing execution of the call to the operating system.
2. A computer program product for virtualizing super-user privileges in a computer operating system including multiple virtual private servers, the computer program product comprising a computer-readable medium storage device and computer program code encoded on the medium storage device for:
associating a user with a first virtual private server, the first virtual private server comprising a first plurality of actual processes executing within the same operating system as a second plurality of actual processes comprising a second virtual private server;
designating the user as a virtual super-user;
intercepting a call to the operating system for which actual super-user privileges are required, the call made by a process located in the operating system, the process owned by the user, wherein intercepting the call to the operating system comprises:
loading a system call wrapper;
saving a pointer to the call to the operating system, wherein the pointer to the call to the operating system comprises a system call vector; and
replacing the pointer to the call to the operating system with a pointer to the system call wrapper, such that the system call wrapper is executed when the call to the operating system is invoked; and
granting actual super-user privileges to the user, and allowing execution of the call to the operating system, in response to the intercepted call to the operating system pertaining to the first virtual private server.
3. A system for virtualizing super-user privileges in a computer operating system including multiple virtual private servers, the system comprising:
means for associating a user with a first virtual private server, the first virtual private server comprising a first plurality of actual processes executing within a same operating system as a second plurality of actual processes comprising a second virtual private server;
means for designating the user as a virtual super-user;
means for intercepting a call to the operating system for which actual super-user privileges are required, the call made by a process executed by the operating system, the process owned by the user, wherein the means for intercepting the call to the operating system is configured to:
load a system call wrapper;
save a pointer to the call to the operating system, wherein the pointer to the call to the operating system comprises a system call vector; and
replace the pointer to the call to the operating system with a pointer to the system call wrapper, such that the system call wrapper is executed if the call to the operating system is invoked; and
means for granting virtual super-user privileges to the user and allowing execution of the call to the operating system in response to the intercepted call to the operating system pertaining to the first virtual private server, wherein a virtual super-user has a subset of the privileges of an actual super-user but a superset of the privileges of a user other than the actual super-user.
4. A method performed by a computing system having a processor and memory for virtualizing user privileges in a computer operating system including multiple virtual private servers, the method comprising:
associating a first user with a first virtual private server, the first virtual private server comprising a first plurality of actual processes executing within a same operating system as a second plurality of actual processes comprising a second virtual private server;
associating an identifier with the first user wherein the first user owns a first set of resources;
associating a second user with the second virtual private server;
associating the identifier with the second user wherein the second user owns a second set of resources that is different from the first set of resources;
intercepting a call to the operating system that retrieves privileges for users, the call made by a process associated with the first virtual private server, and
in response to the intercepted call to the operating system, determining that the process is permitted to access the first set of resources but is not permitted to access the second set of resources.
5. The method of claim 4, wherein intercepting the call to the operating system comprises:
loading a system call wrapper;
saving a pointer to the call to the operating system, wherein the pointer to the call to the operating system comprises a system call vector; and
replacing the pointer to the call to the operating system with a pointer to the system call wrapper, such that the system call wrapper is executed if the call to the operating system is invoked.
6. The method of claim 4 wherein the call to the operating system indicates to take an action on a resource owned by the first user but not the second user.
7. The method of claim 4 wherein the identifier is a user identifier.
8. The method of claim 4 further comprising encoding the user identifier with a virtual process identifier.
9. The method of claim 8 wherein the encoding includes shifting the virtual process identifier by a specified number of bits and then applying a logical OR operation to a result of the shifting with the user identifier.
10. The method of claim 4 wherein the identifier is a group identifier.
11. The method of claim 10 further comprising encoding the group identifier with a virtual process identifier.
12. The method of claim 11 wherein the encoding includes shifting the virtual process identifier by a specified number of bits and then applying a logical OR operation to a result of the shifting with the group identifier.
13. A computer-readable storage device storing computer-executable instructions that, when executed, perform a method for virtualizing user privileges in a computer operating system including multiple virtual private servers, the method comprising:
associating a first user with a first virtual private server, the first virtual private server comprising a first plurality of actual processes executing within a same operating system as a second plurality of actual processes comprising a second virtual private server;
associating an identifier with the first user wherein the first user owns a first set of resources;
associating a second user with the second virtual private server;
associating the identifier with the second user wherein the second user owns a second set of resources that is different from the first set of resources;
intercepting a call to the operating system that retrieves privileges for users, the call made by a process associated with the first virtual private server, and
in response to the intercepted call to the operating system, determining that the process can access the first set of resources but not the second set of resources.
14. A system for virtualizing user privileges in a computer operating system including multiple virtual private servers, the system comprising:
means for associating a first user with a first virtual private server, the first virtual private server comprising a first plurality of actual processes executing within a same operating system as a second plurality of actual processes comprising a second virtual private server;
means for associating an identifier with the first user wherein the first user owns a first set of resources;
means for associating a second user with the second virtual private server;
means for associating the identifier with the second user wherein the second user owns a second set of resources that is different from the first set of resources;
means for intercepting a call to the operating system that retrieves privileges for users, the call made by a process associated with the first virtual private server, and
means for determining, in response to the intercepted call to the operating system, that the process can access the first set of resources but not the second set of resources.
US12/467,137 2000-12-22 2009-05-15 Virtualizing super-user privileges for multiple virtual processes Expired - Lifetime USRE44210E1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US12/467,137 USRE44210E1 (en) 2000-12-22 2009-05-15 Virtualizing super-user privileges for multiple virtual processes

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US09/747,687 US7219354B1 (en) 2000-12-22 2000-12-22 Virtualizing super-user privileges for multiple virtual processes
US12/467,137 USRE44210E1 (en) 2000-12-22 2009-05-15 Virtualizing super-user privileges for multiple virtual processes

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US09/747,687 Reissue US7219354B1 (en) 2000-12-22 2000-12-22 Virtualizing super-user privileges for multiple virtual processes

Publications (1)

Publication Number Publication Date
USRE44210E1 true USRE44210E1 (en) 2013-05-07

US5781550A (en) 1996-02-02 1998-07-14 Digital Equipment Corporation Transparent and secure network gateway
US5799173A (en) 1994-07-25 1998-08-25 International Business Machines Corporation Dynamic workload balancing
US5809527A (en) 1993-12-23 1998-09-15 Unisys Corporation Outboard file cache system
US5828893A (en) 1992-12-24 1998-10-27 Motorola, Inc. System and method of communicating between trusted and untrusted computer systems
US5838916A (en) 1996-03-14 1998-11-17 Domenikos; Steven D. Systems and methods for executing application programs from a memory device linked to a server
US5838686A (en) 1994-04-22 1998-11-17 Thomson Consumer Electronics, Inc. System for dynamically allocating a scarce resource
US5842002A (en) 1994-06-01 1998-11-24 Quantum Leap Innovations, Inc. Computer virus trap
US5845129A (en) 1996-03-22 1998-12-01 Philips Electronics North America Corporation Protection domains in a single address space
US5850399A (en) 1997-04-04 1998-12-15 Ascend Communications, Inc. Hierarchical packet scheduling method and apparatus
US5860004A (en) 1996-07-03 1999-01-12 Sun Microsystems, Inc. Code generator for applications in distributed object systems
US5864683A (en) 1994-10-12 1999-01-26 Secure Computing Corporation System for providing secure internetwork by connecting type enforcing secure computers to external network for limiting access to data based on user and process access rights
US5889956A (en) 1995-07-19 1999-03-30 Fujitsu Network Communications, Inc. Hierarchical resource management with maximum allowable allocation boundaries
US5889996A (en) 1996-12-16 1999-03-30 Novell Inc. Accelerator for interpretive environments
US5892968A (en) 1995-10-16 1999-04-06 Hitachi, Ltd. Multimedia data transferring method
US5905859A (en) 1997-01-09 1999-05-18 International Business Machines Corporation Managed network device security method and apparatus
US5913024A (en) 1996-02-09 1999-06-15 Secure Computing Corporation Secure server utilizing separate protocol stacks
US5915085A (en) 1997-02-28 1999-06-22 International Business Machines Corporation Multiple resource or security contexts in a multithreaded application
US5915095A (en) 1995-08-08 1999-06-22 Ncr Corporation Method and apparatus for balancing processing requests among a plurality of servers based on measurable characteristics of network node and common application
US5918018A (en) 1996-02-09 1999-06-29 Secure Computing Corporation System and method for achieving network separation
US5920699A (en) 1996-11-07 1999-07-06 Hewlett-Packard Company Broadcast isolation and level 3 network switch
US5933603A (en) 1995-10-27 1999-08-03 Emc Corporation Video file server maintaining sliding windows of a video data set in random access memories of stream server computers for immediate video-on-demand service beginning at any specified location
WO1999039261A1 (en) 1997-10-09 1999-08-05 The Learning Company Windows api trapping system
US5937159A (en) 1997-03-28 1999-08-10 Data General Corporation Secure computer system
US5956481A (en) 1997-02-06 1999-09-21 Microsoft Corporation Method and apparatus for protecting data files on a computer from virus infection
US5961582A (en) 1994-10-25 1999-10-05 Acorn Technologies, Inc. Distributed and portable execution environment
US5978373A (en) 1997-07-11 1999-11-02 Ag Communication Systems Corporation Wide area network system providing secure transmission
US5982748A (en) 1996-10-03 1999-11-09 Nortel Networks Corporation Method and apparatus for controlling admission of connection requests
US5987524A (en) 1997-04-17 1999-11-16 Fujitsu Limited Local area network system and router unit
US5987608A (en) 1997-05-13 1999-11-16 Netscape Communications Corporation Java security mechanism
US5987242A (en) 1996-01-19 1999-11-16 Bentley Systems, Incorporated Object-oriented computerized modeling system
US5991812A (en) 1997-01-24 1999-11-23 Controlnet, Inc. Methods and apparatus for fair queuing over a network
US5999963A (en) 1997-11-07 1999-12-07 Lucent Technologies, Inc. Move-to-rear list scheduling
US6016318A (en) 1996-07-12 2000-01-18 Nec Corporation Virtual private network system over public mobile data network and virtual LAN
US6018527A (en) 1996-08-13 2000-01-25 Nortel Networks Corporation Queue service interval based cell scheduler with hierarchical queuing configurations
US6023721A (en) 1997-05-14 2000-02-08 Citrix Systems, Inc. Method and system for allowing a single-user application executing in a multi-user environment to create objects having both user-global and system global visibility
US6038609A (en) 1997-04-04 2000-03-14 Telefonaktiebolaget Lm Ericsson Method, communication network and service access interface for communications in an open system interconnection environment
US6038608A (en) 1996-11-25 2000-03-14 Nec Corporation Virtual LAN system
US6047325A (en) 1997-10-24 2000-04-04 Jain; Lalit Network device for supporting construction of virtual local area networks on arbitrary local and wide area computer networks
US6055617A (en) 1997-08-29 2000-04-25 Sequent Computer Systems, Inc. Virtual address window for accessing physical memory in a computer system
US6055637A (en) 1996-09-27 2000-04-25 Electronic Data Systems Corporation System and method for accessing enterprise-wide resources by presenting to the resource a temporary credential
US6061349A (en) 1995-11-03 2000-05-09 Cisco Technology, Inc. System and method for implementing multiple IP addresses on multiple ports
US6065118A (en) 1996-08-09 2000-05-16 Citrix Systems, Inc. Mobile code isolation cage
US6075791A (en) 1997-10-28 2000-06-13 Lucent Technologies Inc. System for guaranteeing data transfer rates and delays in packet networks
US6078957A (en) 1998-11-20 2000-06-20 Network Alchemy, Inc. Method and apparatus for a TCP/IP load balancing and failover process in an internet protocol (IP) network clustering system
US6078929A (en) 1996-06-07 2000-06-20 At&T Internet file system
US6086623A (en) 1997-06-30 2000-07-11 Sun Microsystems, Inc. Method and implementation for intercepting and processing system calls in programmed digital computer to emulate retrograde operating system
US6092178A (en) 1998-09-03 2000-07-18 Sun Microsystems, Inc. System for responding to a resource request
US6094674A (en) 1994-05-06 2000-07-25 Hitachi, Ltd. Information processing system and information processing method and quality of service supplying method for use with the system
US6101543A (en) 1996-10-25 2000-08-08 Digital Equipment Corporation Pseudo network adapter for frame capture, encapsulation and encryption
US6108759A (en) 1995-02-23 2000-08-22 Powerquest Corporation Manipulation of partitions holding advanced file systems
US6108701A (en) 1998-07-20 2000-08-22 Lucent Technologies, Inc. Soft switch extension for internet protocol applications
US6122673A (en) 1998-07-22 2000-09-19 Fore Systems, Inc. Port scheduler and method for scheduling service providing guarantees, hierarchical rate limiting with/without overbooking capability
US6154776A (en) 1998-03-20 2000-11-28 Sun Microsystems, Inc. Quality of service allocation on a network
US6154778A (en) 1998-05-19 2000-11-28 Hewlett-Packard Company Utility-based multi-category quality-of-service negotiation in distributed systems
US6161139A (en) 1998-07-10 2000-12-12 Encommerce, Inc. Administrative roles that govern access to administrative functions
US6167520A (en) 1996-11-08 2000-12-26 Finjan Software, Inc. System and method for protecting a client during runtime from hostile downloadables
US6172981B1 (en) 1997-10-30 2001-01-09 International Business Machines Corporation Method and system for distributing network routing functions to local area network stations
US6189046B1 (en) 1997-03-27 2001-02-13 Hewlett-Packard Company Mechanism and method for merging cached location information in a distributed object environment
US6192389B1 (en) 1997-03-28 2001-02-20 International Business Machines Corporation Method and apparatus for transferring file descriptors in a multiprocess, multithreaded client/server system
US6192512B1 (en) 1998-09-24 2001-02-20 International Business Machines Corporation Interpreter with virtualized interface
US6230203B1 (en) 1995-10-20 2001-05-08 Scientific-Atlanta, Inc. System and method for providing statistics for flexible billing in a cable environment
US6240463B1 (en) 1998-11-24 2001-05-29 Lucent Technologies Inc. Router placement methods and apparatus for designing IP networks with performance guarantees
US6243825B1 (en) * 1998-04-17 2001-06-05 Microsoft Corporation Method and system for transparently failing over a computer name in a server cluster
US6247057B1 (en) 1998-10-22 2001-06-12 Microsoft Corporation Network server supporting multiple instance of services to operate concurrently by having endpoint mapping subsystem for mapping virtual network names to virtual endpoint IDs
US6247068B1 (en) 1997-03-07 2001-06-12 Advanced Micro Devices Inc. Winsock-data link library transcoder
US6259699B1 (en) 1997-12-30 2001-07-10 Nexabit Networks, Llc System architecture for and method of processing packets and/or cells in a common switch
US6266678B1 (en) 1998-12-31 2001-07-24 Computer Associates Think, Inc. System and method for dynamically viewing contents of a data file
US6269404B1 (en) 1995-07-14 2001-07-31 3Com Corporation Virtual network architecture for connectionless LAN backbone
US6279039B1 (en) 1996-04-03 2001-08-21 Ncr Corporation Resource management method and apparatus for maximizing multimedia performance of open systems
US6279040B1 (en) 1995-12-06 2001-08-21 Industrial Technology Research Institute Scalable architecture for media-on demand servers
US6282581B1 (en) 1997-03-27 2001-08-28 Hewlett-Packard Company Mechanism for resource allocation and for dispatching incoming calls in a distributed object environment
US6282703B1 (en) 1998-10-29 2001-08-28 International Business Machines Corporation Statically linking an application process with a wrapper library
US6286047B1 (en) 1998-09-10 2001-09-04 Hewlett-Packard Company Method and system for automatic discovery of network services
US6298479B1 (en) 1998-05-29 2001-10-02 Sun Microsystems, Inc. Method and system for compiling and linking source files
US6314558B1 (en) 1996-08-27 2001-11-06 Compuware Corporation Byte code instrumentation
US6327622B1 (en) 1998-09-03 2001-12-04 Sun Microsystems, Inc. Load balancing in a network environment
US6336138B1 (en) 1998-08-25 2002-01-01 Hewlett-Packard Company Template-driven approach for generating models on network services
US6351775B1 (en) 1997-05-30 2002-02-26 International Business Machines Corporation Loading balancing across servers in a computer network
US6353616B1 (en) 1998-05-21 2002-03-05 Lucent Technologies Inc. Adaptive processor scheduler and method for reservation protocol message processing
US6363053B1 (en) 1999-02-08 2002-03-26 3Com Corporation Method and apparatus for measurement-based conformance testing of service level agreements in networks
US6366958B1 (en) 1996-10-21 2002-04-02 International Business Machines Corporation NETBIOS protocol support for a DCE RPC mechanism
US6370583B1 (en) 1998-08-17 2002-04-09 Compaq Information Technologies Group, L.P. Method and apparatus for portraying a cluster of computer systems as having a single internet protocol image
US6374292B1 (en) 1999-07-20 2002-04-16 Sun Microsystems, Inc. Access control system for an ISP hosted shared email server
US6381228B1 (en) 1999-01-15 2002-04-30 Trw Inc. Onboard control of demand assigned multiple access protocol for satellite ATM networks
US6385722B1 (en) 2000-01-27 2002-05-07 Sun Microsystems, Inc. Method, system, and article of manufacture for limiting access to program files in a shared library file
US6385638B1 (en) 1997-09-04 2002-05-07 Equator Technologies, Inc. Processor resource distributor and method
US6389448B1 (en) 1999-12-06 2002-05-14 Warp Solutions, Inc. System and method for load balancing
US6393484B1 (en) 1999-04-12 2002-05-21 International Business Machines Corp. System and method for controlled access to shared-medium public and semi-public internet protocol (IP) networks
US6425003B1 (en) 1999-01-22 2002-07-23 Cisco Technology, Inc. Method and apparatus for DNS resolution
US6430622B1 (en) 1999-09-22 2002-08-06 International Business Machines Corporation Methods, systems and computer program products for automated movement of IP addresses within a cluster
US6434742B1 (en) 1999-05-10 2002-08-13 Lucent Technologies Inc. Symbol for automatically renaming symbols in files during the compiling of the files
US6434631B1 (en) 1999-10-15 2002-08-13 Lucent Technologies Inc. Method and system for providing computer storage access with quality of service guarantees
US6438134B1 (en) 1998-08-19 2002-08-20 Alcatel Canada Inc. Two-component bandwidth scheduler having application in multi-class digital communications systems
US6442164B1 (en) 1999-06-03 2002-08-27 Fujitsu Network Communications, Inc. Method and system for allocating bandwidth and buffer resources to constant bit rate (CBR) traffic
US6449652B1 (en) 1999-01-04 2002-09-10 Emc Corporation Method and apparatus for providing secure access to a computer system resource
US6457008B1 (en) 1998-08-28 2002-09-24 Oracle Corporation Pluggable resource scheduling policies
US6463459B1 (en) 1999-01-22 2002-10-08 Wall Data Incorporated System and method for executing commands associated with specific virtual desktop
US6470398B1 (en) 1996-08-21 2002-10-22 Compaq Computer Corporation Method and apparatus for supporting a select () system call and interprocess communication in a fault-tolerant, scalable distributed computer environment
US6484173B1 (en) 2000-02-07 2002-11-19 Emc Corporation Controlling access to a storage device
US6487578B2 (en) 1997-09-29 2002-11-26 Intel Corporation Dynamic feedback costing to enable adaptive control of resource utilization
US6487663B1 (en) 1998-10-19 2002-11-26 Realnetworks, Inc. System and method for regulating the transmission of media data
US6490670B1 (en) 1998-04-24 2002-12-03 International Business Machines Corporation Method and apparatus for efficiently allocating objects in object oriented systems
US6496847B1 (en) 1998-05-15 2002-12-17 Vmware, Inc. System and method for virtualizing computer systems
US6499137B1 (en) 1998-10-02 2002-12-24 Microsoft Corporation Reversible load-time dynamic linking
US6529985B1 (en) 2000-02-04 2003-03-04 Ensim Corporation Selective interception of system calls
US6529950B1 (en) 1999-06-17 2003-03-04 International Business Machines Corporation Policy-based multivariate application-level QoS negotiation for multimedia services
US20030061338A1 (en) 1998-06-27 2003-03-27 Tony Stelliga System for multi-layer broadband provisioning in computer networks
US6542167B1 (en) 2000-01-28 2003-04-01 Wind River Systems, Inc. System and method for flexible software linking
US6553413B1 (en) 1998-07-14 2003-04-22 Massachusetts Institute Of Technology Content delivery network using edge-of-network servers for providing content delivery to a set of participating content providers
US6560613B1 (en) 2000-02-08 2003-05-06 Ensim Corporation Disambiguating file descriptors
US6578055B1 (en) 2000-06-05 2003-06-10 International Business Machines Corporation Methods, system and computer program products for mirrored file access through assuming a privileged user level
US6578068B1 (en) 1999-08-31 2003-06-10 Accenture Llp Load balancer in environment services patterns
US6580721B1 (en) 1998-08-11 2003-06-17 Nortel Networks Limited Routing and rate control in a universal transfer mode network
US6590588B2 (en) 1998-05-29 2003-07-08 Palm, Inc. Wireless, radio-frequency communications using a handheld computer
US6622159B1 (en) 1999-06-30 2003-09-16 International Business Machines Corporation Method, apparatus and computer program product for automatically restarting an RPC server without losing client RPC calls
US6647422B2 (en) 1996-02-26 2003-11-11 Network Engineering Technologies, Inc. Web server employing multi-homed, modular framework
US6658571B1 (en) 1999-02-09 2003-12-02 Secure Computing Corporation Security framework for dynamically wrapping software applications executing in a computing system
US6691312B1 (en) 1999-03-19 2004-02-10 University Of Massachusetts Multicasting video
US6711607B1 (en) 2000-02-04 2004-03-23 Ensim Corporation Dynamic scheduling of task streams in a multiple-resource system to ensure task stream quality of service
US6725456B1 (en) 1999-11-29 2004-04-20 Lucent Technologies Inc. Methods and apparatus for ensuring quality of service in an operating system
US6732211B1 (en) 2000-09-18 2004-05-04 Ensim Corporation Intercepting I/O multiplexing operations involving cross-domain file descriptor sets
US6754716B1 (en) 2000-02-11 2004-06-22 Ensim Corporation Restricting communication between network devices on a common network
US6760775B1 (en) 1999-03-05 2004-07-06 At&T Corp. System, method and apparatus for network service load and reliability management
US6779016B1 (en) * 1999-08-23 2004-08-17 Terraspring, Inc. Extensible computing system
US6785728B1 (en) 1997-03-10 2004-08-31 David S. Schneider Distributed administration of access to information
US6820117B1 (en) 1999-10-18 2004-11-16 Sun Microsystems, Inc. Bandwidth management
US6859835B1 (en) 1999-10-05 2005-02-22 Veritas Operating Corporation Virtual port multiplexing
US6907421B1 (en) 2000-05-16 2005-06-14 Ensim Corporation Regulating file access rates according to file type
US6909691B1 (en) 2000-08-07 2005-06-21 Ensim Corporation Fairly partitioning resources while limiting the maximum fair share
US6912590B1 (en) 1998-12-18 2005-06-28 Telefonaktiebolaget Lm Ericsson (Publ) Single IP-addressing for a telecommunications platform with a multi-processor cluster using a distributed socket based internet protocol (IP) handler
US6948003B1 (en) 2000-03-15 2005-09-20 Ensim Corporation Enabling a service provider to provide intranet services
US6976258B1 (en) 1999-11-30 2005-12-13 Ensim Corporation Providing quality of service guarantees to virtual hosts
US6985937B1 (en) 2000-05-11 2006-01-10 Ensim Corporation Dynamically modifying the resources of a virtual server
US7117354B1 (en) * 2000-07-20 2006-10-03 International Business Machines Corporation Method and apparatus for allowing restarted programs to use old process identification
US7143024B1 (en) 2000-07-07 2006-11-28 Ensim Corporation Associating identifiers with virtual processes
US7343421B1 (en) 2000-02-14 2008-03-11 Digital Asset Enterprises Llc Restricting communication of selected processes to a set of specific network addresses

Patent Citations (166)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US3377624A (en) 1966-01-07 1968-04-09 Ibm Memory protection system
US4177510A (en) 1973-11-30 1979-12-04 Compagnie Internationale pour l'Informatique, CII Honeywell Bull Protection of data in an information multiprocessing system by implementing a concept of rings to represent the different levels of privileges among processes
JPS642145B2 (en) 1981-05-30 1989-01-13 Denki Kagaku Kogyo Kk
US5226160A (en) 1989-07-18 1993-07-06 Visage Method of and system for interactive video-audio-computer open architecture operation
US5189667A (en) 1990-03-01 1993-02-23 Kabushiki Kaisha Toshiba Method and apparatus for controlling call processing based upon load conditions
US5249290A (en) 1991-02-22 1993-09-28 At&T Bell Laboratories Method of and apparatus for operating a client/server computer network
US5263147A (en) 1991-03-01 1993-11-16 Hughes Training, Inc. System for providing high security for personal computers and workstations
US5212793A (en) 1991-09-04 1993-05-18 International Business Machines Corp. Generic initiators
US5572680A (en) 1992-12-18 1996-11-05 Fujitsu Limited Method and apparatus for processing and transferring data to processor and/or respective virtual processor corresponding to destination logical processor number
US5828893A (en) 1992-12-24 1998-10-27 Motorola, Inc. System and method of communicating between trusted and untrusted computer systems
US5325530A (en) 1993-01-29 1994-06-28 International Business Machines Corporation Controller for sequential programming tools executed in a parallel computing environment
US5640595A (en) 1993-06-29 1997-06-17 International Business Machines Corporation Multimedia resource reservation system with graphical interface for manual input of resource reservation value
US5615400A (en) 1993-06-30 1997-03-25 Apple Computer, Inc. System for object oriented dynamic linking based upon a catalog of registered function set or class identifiers
US5603020A (en) 1993-10-08 1997-02-11 Fujitsu Limited Method for detecting file names by informing the task of the identification of the directory antecedent to the file
US5437032A (en) 1993-11-04 1995-07-25 International Business Machines Corporation Task scheduler for a multiprocessor system
US5809527A (en) 1993-12-23 1998-09-15 Unisys Corporation Outboard file cache system
US5584023A (en) 1993-12-27 1996-12-10 Hsu; Mike S. C. Computer system including a transparent and secure file transform mechanism
US5838686A (en) 1994-04-22 1998-11-17 Thomson Consumer Electronics, Inc. System for dynamically allocating a scarce resource
US6094674A (en) 1994-05-06 2000-07-25 Hitachi, Ltd. Information processing system and information processing method and quality of service supplying method for use with the system
US5842002A (en) 1994-06-01 1998-11-24 Quantum Leap Innovations, Inc. Computer virus trap
US5528753A (en) 1994-06-30 1996-06-18 International Business Machines Corporation System and method for enabling stripped object software monitoring in a computer system
US5799173A (en) 1994-07-25 1998-08-25 International Business Machines Corporation Dynamic workload balancing
US5864683A (en) 1994-10-12 1999-01-26 Secure Computing Corporation System for providing secure internetwork by connecting type enforcing secure computers to external network for limiting access to data based on user and process access rights
US5961582A (en) 1994-10-25 1999-10-05 Acorn Technologies, Inc. Distributed and portable execution environment
US5719854A (en) 1994-11-23 1998-02-17 Lucent Technologies Inc. Efficiently providing multiple grades of service with protection against overloads in shared resources
US5706453A (en) 1995-02-06 1998-01-06 Cheng; Yang-Leh Intelligent real-time graphic-object to database linking-actuator for enabling intuitive on-screen changes and control of system configuration
US6108759A (en) 1995-02-23 2000-08-22 Powerquest Corporation Manipulation of partitions holding advanced file systems
US5623492A (en) 1995-03-24 1997-04-22 U S West Technologies, Inc. Methods and systems for managing bandwidth resources in a fast packet switching network
US5727203A (en) 1995-03-31 1998-03-10 Sun Microsystems, Inc. Methods and apparatus for managing a database in a distributed object operating environment using persistent and transient cache
US5636371A (en) 1995-06-07 1997-06-03 Bull Hn Information Systems Inc. Virtual network mechanism to access well known port application programs running on a single host system
US5748614A (en) 1995-06-09 1998-05-05 Siemens Aktiengesellschaft Method for scheduling message cells leaving an ATM node
US5752003A (en) 1995-07-14 1998-05-12 3 Com Corporation Architecture for managing traffic in a virtual LAN environment
US6269404B1 (en) 1995-07-14 2001-07-31 3Com Corporation Virtual network architecture for connectionless LAN backbone
US5889956A (en) 1995-07-19 1999-03-30 Fujitsu Network Communications, Inc. Hierarchical resource management with maximum allowable allocation boundaries
US5915095A (en) 1995-08-08 1999-06-22 Ncr Corporation Method and apparatus for balancing processing requests among a plurality of servers based on measurable characteristics of network node and common application
US5892968A (en) 1995-10-16 1999-04-06 Hitachi, Ltd. Multimedia data transferring method
US6230203B1 (en) 1995-10-20 2001-05-08 Scientific-Atlanta, Inc. System and method for providing statistics for flexible billing in a cable environment
US5933603A (en) 1995-10-27 1999-08-03 Emc Corporation Video file server maintaining sliding windows of a video data set in random access memories of stream server computers for immediate video-on-demand service beginning at any specified location
US6061349A (en) 1995-11-03 2000-05-09 Cisco Technology, Inc. System and method for implementing multiple IP addresses on multiple ports
US5706097A (en) 1995-11-13 1998-01-06 Eastman Kodak Company Index print with a digital recording medium containing still images, motion sequences, and sound sequences
US5761477A (en) 1995-12-04 1998-06-02 Microsoft Corporation Methods for safe and efficient implementations of virtual machines
US6279040B1 (en) 1995-12-06 2001-08-21 Industrial Technology Research Institute Scalable architecture for media-on demand servers
US5727147A (en) 1995-12-08 1998-03-10 Sun Microsystems, Inc. System and method for resolving symbolic references to externally located program files
US5692047A (en) 1995-12-08 1997-11-25 Sun Microsystems, Inc. System and method for executing verifiable programs with facility for using non-verifiable programs from trusted sources
US5987242A (en) 1996-01-19 1999-11-16 Bentley Systems, Incorporated Object-oriented computerized modeling system
US5781550A (en) 1996-02-02 1998-07-14 Digital Equipment Corporation Transparent and secure network gateway
US5913024A (en) 1996-02-09 1999-06-15 Secure Computing Corporation Secure server utilizing separate protocol stacks
US5918018A (en) 1996-02-09 1999-06-29 Secure Computing Corporation System and method for achieving network separation
US6647422B2 (en) 1996-02-26 2003-11-11 Network Engineering Technologies, Inc. Web server employing multi-homed, modular framework
US5838916A (en) 1996-03-14 1998-11-17 Domenikos; Steven D. Systems and methods for executing application programs from a memory device linked to a server
US5845129A (en) 1996-03-22 1998-12-01 Philips Electronics North America Corporation Protection domains in a single address space
US6279039B1 (en) 1996-04-03 2001-08-21 Ncr Corporation Resource management method and apparatus for maximizing multimedia performance of open systems
US6078929A (en) 1996-06-07 2000-06-20 At&T Internet file system
US5860004A (en) 1996-07-03 1999-01-12 Sun Microsystems, Inc. Code generator for applications in distributed object systems
US6016318A (en) 1996-07-12 2000-01-18 Nec Corporation Virtual private network system over public mobile data network and virtual LAN
US5708774A (en) 1996-07-23 1998-01-13 International Business Machines Corporation Automated testing of software application interfaces, object methods and commands
US6065118A (en) 1996-08-09 2000-05-16 Citrix Systems, Inc. Mobile code isolation cage
US6018527A (en) 1996-08-13 2000-01-25 Nortel Networks Corporation Queue service interval based cell scheduler with hierarchical queuing configurations
US6470398B1 (en) 1996-08-21 2002-10-22 Compaq Computer Corporation Method and apparatus for supporting a select () system call and interprocess communication in a fault-tolerant, scalable distributed computer environment
US6314558B1 (en) 1996-08-27 2001-11-06 Compuware Corporation Byte code instrumentation
US5764889A (en) 1996-09-26 1998-06-09 International Business Machines Corporation Method and apparatus for creating a security environment for a user task in a client/server system
US6055637A (en) 1996-09-27 2000-04-25 Electronic Data Systems Corporation System and method for accessing enterprise-wide resources by presenting to the resource a temporary credential
US5982748A (en) 1996-10-03 1999-11-09 Nortel Networks Corporation Method and apparatus for controlling admission of connection requests
US6366958B1 (en) 1996-10-21 2002-04-02 International Business Machines Corporation NETBIOS protocol support for a DCE RPC mechanism
US6101543A (en) 1996-10-25 2000-08-08 Digital Equipment Corporation Pseudo network adapter for frame capture, encapsulation and encryption
US5920699A (en) 1996-11-07 1999-07-06 Hewlett-Packard Company Broadcast isolation and level 3 network switch
US6167520A (en) 1996-11-08 2000-12-26 Finjan Software, Inc. System and method for protecting a client during runtime from hostile downloadables
US6038608A (en) 1996-11-25 2000-03-14 Nec Corporation Virtual LAN system
US5889996A (en) 1996-12-16 1999-03-30 Novell Inc. Accelerator for interpretive environments
US5905859A (en) 1997-01-09 1999-05-18 International Business Machines Corporation Managed network device security method and apparatus
US5991812A (en) 1997-01-24 1999-11-23 Controlnet, Inc. Methods and apparatus for fair queuing over a network
US5956481A (en) 1997-02-06 1999-09-21 Microsoft Corporation Method and apparatus for protecting data files on a computer from virus infection
US5915085A (en) 1997-02-28 1999-06-22 International Business Machines Corporation Multiple resource or security contexts in a multithreaded application
US6247068B1 (en) 1997-03-07 2001-06-12 Advanced Micro Devices Inc. Winsock-data link library transcoder
US6785728B1 (en) 1997-03-10 2004-08-31 David S. Schneider Distributed administration of access to information
US6189046B1 (en) 1997-03-27 2001-02-13 Hewlett-Packard Company Mechanism and method for merging cached location information in a distributed object environment
US6282581B1 (en) 1997-03-27 2001-08-28 Hewlett-Packard Company Mechanism for resource allocation and for dispatching incoming calls in a distributed object environment
US6192389B1 (en) 1997-03-28 2001-02-20 International Business Machines Corporation Method and apparatus for transferring file descriptors in a multiprocess, multithreaded client/server system
US5937159A (en) 1997-03-28 1999-08-10 Data General Corporation Secure computer system
US6038609A (en) 1997-04-04 2000-03-14 Telefonaktiebolaget Lm Ericsson Method, communication network and service access interface for communications in an open system interconnection environment
US5905730A (en) 1997-04-04 1999-05-18 Ascend Communications, Inc. High speed packet scheduling method and apparatus
US5850399A (en) 1997-04-04 1998-12-15 Ascend Communications, Inc. Hierarchical packet scheduling method and apparatus
US5987524A (en) 1997-04-17 1999-11-16 Fujitsu Limited Local area network system and router unit
US5987608A (en) 1997-05-13 1999-11-16 Netscape Communications Corporation Java security mechanism
US6023721A (en) 1997-05-14 2000-02-08 Citrix Systems, Inc. Method and system for allowing a single-user application executing in a multi-user environment to create objects having both user-global and system global visibility
US6351775B1 (en) 1997-05-30 2002-02-26 International Business Machines Corporation Loading balancing across servers in a computer network
US6086623A (en) 1997-06-30 2000-07-11 Sun Microsystems, Inc. Method and implementation for intercepting and processing system calls in programmed digital computer to emulate retrograde operating system
US5978373A (en) 1997-07-11 1999-11-02 Ag Communication Systems Corporation Wide area network system providing secure transmission
US6055617A (en) 1997-08-29 2000-04-25 Sequent Computer Systems, Inc. Virtual address window for accessing physical memory in a computer system
US6385638B1 (en) 1997-09-04 2002-05-07 Equator Technologies, Inc. Processor resource distributor and method
US6487578B2 (en) 1997-09-29 2002-11-26 Intel Corporation Dynamic feedback costing to enable adaptive control of resource utilization
WO1999039261A1 (en) 1997-10-09 1999-08-05 The Learning Company Windows api trapping system
US6047325A (en) 1997-10-24 2000-04-04 Jain; Lalit Network device for supporting construction of virtual local area networks on arbitrary local and wide area computer networks
US6075791A (en) 1997-10-28 2000-06-13 Lucent Technologies Inc. System for guaranteeing data transfer rates and delays in packet networks
US6172981B1 (en) 1997-10-30 2001-01-09 International Business Machines Corporation Method and system for distributing network routing functions to local area network stations
US5999963A (en) 1997-11-07 1999-12-07 Lucent Technologies, Inc. Move-to-rear list scheduling
US6259699B1 (en) 1997-12-30 2001-07-10 Nexabit Networks, Llc System architecture for and method of processing packets and/or cells in a common switch
US6154776A (en) 1998-03-20 2000-11-28 Sun Microsystems, Inc. Quality of service allocation on a network
US6243825B1 (en) * 1998-04-17 2001-06-05 Microsoft Corporation Method and system for transparently failing over a computer name in a server cluster
US6490670B1 (en) 1998-04-24 2002-12-03 International Business Machines Corporation Method and apparatus for efficiently allocating objects in object oriented systems
US6496847B1 (en) 1998-05-15 2002-12-17 Vmware, Inc. System and method for virtualizing computer systems
US6154778A (en) 1998-05-19 2000-11-28 Hewlett-Packard Company Utility-based multi-category quality-of-service negotiation in distributed systems
US6353616B1 (en) 1998-05-21 2002-03-05 Lucent Technologies Inc. Adaptive processor schedulor and method for reservation protocol message processing
US6298479B1 (en) 1998-05-29 2001-10-02 Sun Microsystems, Inc. Method and system for compiling and linking source files
US6590588B2 (en) 1998-05-29 2003-07-08 Palm, Inc. Wireless, radio-frequency communications using a handheld computer
US20030061338A1 (en) 1998-06-27 2003-03-27 Tony Stelliga System for multi-layer broadband provisioning in computer networks
US6161139A (en) 1998-07-10 2000-12-12 Encommerce, Inc. Administrative roles that govern access to administrative functions
US6553413B1 (en) 1998-07-14 2003-04-22 Massachusetts Institute Of Technology Content delivery network using edge-of-network servers for providing content delivery to a set of participating content providers
US6108701A (en) 1998-07-20 2000-08-22 Lucent Technologies, Inc. Soft switch extension for internet protocol applications
US6122673A (en) 1998-07-22 2000-09-19 Fore Systems, Inc. Port scheduler and method for scheduling service providing guarantees, hierarchical rate limiting with/without overbooking capability
US6580721B1 (en) 1998-08-11 2003-06-17 Nortel Networks Limited Routing and rate control in a universal transfer mode network
US6370583B1 (en) 1998-08-17 2002-04-09 Compaq Information Technologies Group, L.P. Method and apparatus for portraying a cluster of computer systems as having a single internet protocol image
US6438134B1 (en) 1998-08-19 2002-08-20 Alcatel Canada Inc. Two-component bandwidth scheduler having application in multi-class digital communications systems
US6336138B1 (en) 1998-08-25 2002-01-01 Hewlett-Packard Company Template-driven approach for generating models on network services
US6457008B1 (en) 1998-08-28 2002-09-24 Oracle Corporation Pluggable resource scheduling policies
US6092178A (en) 1998-09-03 2000-07-18 Sun Microsystems, Inc. System for responding to a resource request
US6327622B1 (en) 1998-09-03 2001-12-04 Sun Microsystems, Inc. Load balancing in a network environment
US6286047B1 (en) 1998-09-10 2001-09-04 Hewlett-Packard Company Method and system for automatic discovery of network services
US6192512B1 (en) 1998-09-24 2001-02-20 International Business Machines Corporation Interpreter with virtualized interface
US6499137B1 (en) 1998-10-02 2002-12-24 Microsoft Corporation Reversible load-time dynamic linking
US6487663B1 (en) 1998-10-19 2002-11-26 Realnetworks, Inc. System and method for regulating the transmission of media data
US6247057B1 (en) 1998-10-22 2001-06-12 Microsoft Corporation Network server supporting multiple instance of services to operate concurrently by having endpoint mapping subsystem for mapping virtual network names to virtual endpoint IDs
US6282703B1 (en) 1998-10-29 2001-08-28 International Business Machines Corporation Statically linking an application process with a wrapper library
US6078957A (en) 1998-11-20 2000-06-20 Network Alchemy, Inc. Method and apparatus for a TCP/IP load balancing and failover process in an internet protocol (IP) network clustering system
US6240463B1 (en) 1998-11-24 2001-05-29 Lucent Technologies Inc. Router placement methods and apparatus for designing IP networks with performance guarantees
US6912590B1 (en) 1998-12-18 2005-06-28 Telefonaktiebolaget Lm Ericsson (Publ) Single IP-addressing for a telecommunications platform with a multi-processor cluster using a distributed socket based internet protocol (IP) handler
US6266678B1 (en) 1998-12-31 2001-07-24 Computer Associates Think, Inc. System and method for dynamically viewing contents of a data file
US6449652B1 (en) 1999-01-04 2002-09-10 Emc Corporation Method and apparatus for providing secure access to a computer system resource
US6381228B1 (en) 1999-01-15 2002-04-30 Trw Inc. Onboard control of demand assigned multiple access protocol for satellite ATM networks
US6463459B1 (en) 1999-01-22 2002-10-08 Wall Data Incorporated System and method for executing commands associated with specific virtual desktop
US6425003B1 (en) 1999-01-22 2002-07-23 Cisco Technology, Inc. Method and apparatus for DNS resolution
US6363053B1 (en) 1999-02-08 2002-03-26 3Com Corporation Method and apparatus for measurement-based conformance testing of service level agreements in networks
US6658571B1 (en) 1999-02-09 2003-12-02 Secure Computing Corporation Security framework for dynamically wrapping software applications executing in a computing system
US6760775B1 (en) 1999-03-05 2004-07-06 At&T Corp. System, method and apparatus for network service load and reliability management
US6691312B1 (en) 1999-03-19 2004-02-10 University Of Massachusetts Multicasting video
US6393484B1 (en) 1999-04-12 2002-05-21 International Business Machines Corp. System and method for controlled access to shared-medium public and semi-public internet protocol (IP) networks
US6434742B1 (en) 1999-05-10 2002-08-13 Lucent Technologies Inc. Symbol for automatically renaming symbols in files during the compiling of the files
US6442164B1 (en) 1999-06-03 2002-08-27 Fujitsu Network Communications, Inc. Method and system for allocating bandwidth and buffer resources to constant bit rate (CBR) traffic
US6529950B1 (en) 1999-06-17 2003-03-04 International Business Machines Corporation Policy-based multivariate application-level QoS negotiation for multimedia services
US6622159B1 (en) 1999-06-30 2003-09-16 International Business Machines Corporation Method, apparatus and computer program product for automatically restarting an RPC server without losing client RPC calls
US6374292B1 (en) 1999-07-20 2002-04-16 Sun Microsystems, Inc. Access control system for an ISP hosted shared email server
US6779016B1 (en) * 1999-08-23 2004-08-17 Terraspring, Inc. Extensible computing system
US6578068B1 (en) 1999-08-31 2003-06-10 Accenture Llp Load balancer in environment services patterns
US6430622B1 (en) 1999-09-22 2002-08-06 International Business Machines Corporation Methods, systems and computer program products for automated movement of IP addresses within a cluster
US6859835B1 (en) 1999-10-05 2005-02-22 Veritas Operating Corporation Virtual port multiplexing
US6434631B1 (en) 1999-10-15 2002-08-13 Lucent Technologies Inc. Method and system for providing computer storage access with quality of service guarantees
US6820117B1 (en) 1999-10-18 2004-11-16 Sun Microsystems, Inc. Bandwidth management
US6725456B1 (en) 1999-11-29 2004-04-20 Lucent Technologies Inc. Methods and apparatus for ensuring quality of service in an operating system
US6976258B1 (en) 1999-11-30 2005-12-13 Ensim Corporation Providing quality of service guarantees to virtual hosts
US6389448B1 (en) 1999-12-06 2002-05-14 Warp Solutions, Inc. System and method for load balancing
US6385722B1 (en) 2000-01-27 2002-05-07 Sun Microsystems, Inc. Method, system, and article of manufacture for limiting access to program files in a shared library file
US6542167B1 (en) 2000-01-28 2003-04-01 Wind River Systems, Inc. System and method for flexible software linking
US6529985B1 (en) 2000-02-04 2003-03-04 Ensim Corporation Selective interception of system calls
US6711607B1 (en) 2000-02-04 2004-03-23 Ensim Corporation Dynamic scheduling of task streams in a multiple-resource system to ensure task stream quality of service
US6484173B1 (en) 2000-02-07 2002-11-19 Emc Corporation Controlling access to a storage device
US6560613B1 (en) 2000-02-08 2003-05-06 Ensim Corporation Disambiguating file descriptors
US6754716B1 (en) 2000-02-11 2004-06-22 Ensim Corporation Restricting communication between network devices on a common network
US7343421B1 (en) 2000-02-14 2008-03-11 Digital Asset Enterprises Llc Restricting communication of selected processes to a set of specific network addresses
US6948003B1 (en) 2000-03-15 2005-09-20 Ensim Corporation Enabling a service provider to provide intranet services
US6985937B1 (en) 2000-05-11 2006-01-10 Ensim Corporation Dynamically modifying the resources of a virtual server
US6907421B1 (en) 2000-05-16 2005-06-14 Ensim Corporation Regulating file access rates according to file type
US6578055B1 (en) 2000-06-05 2003-06-10 International Business Machines Corporation Methods, system and computer program products for mirrored file access through assuming a privileged user level
US7143024B1 (en) 2000-07-07 2006-11-28 Ensim Corporation Associating identifiers with virtual processes
US7117354B1 (en) * 2000-07-20 2006-10-03 International Business Machines Corporation Method and apparatus for allowing restarted programs to use old process identification
US6909691B1 (en) 2000-08-07 2005-06-21 Ensim Corporation Fairly partitioning resources while limiting the maximum fair share
US6732211B1 (en) 2000-09-18 2004-05-04 Ensim Corporation Intercepting I/O multiplexing operations involving cross-domain file descriptor sets

Non-Patent Citations (85)

* Cited by examiner, † Cited by third party
Title
Aho, A. V. and Ullman J. D., Principles of Compiler Design, Reading, MA, 1977, pp. vii-x, 359-362, 519-522.
Bach, M. J., The Design of the Unix® Operating System, New Delhi, Prentice-Hall of India, 1989, pp. v-x, 19-37.
Berkeley Software Distribution, "man page: setpgid", Feb. 1, 1994, [Retrieved on Oct. 13, 2005], Retrieved from the Internet <URL:http://www.neosoft.com/neosoft/man/setpgid.2.html>.
Berkeley Software Distribution, "man page: setsid", Feb. 1, 1994, [Retrieved on Oct. 13, 2005], Retrieved from the Internet <URL:http://www.neosoft.com/neosoft/man/setsid.2.html>.
Boehm, B., "Managing Software Productivity and Reuse," IEEE Computer, vol. 32, No. 9, Sep. 1999, 3 pages.
Campbell, A. T. and Keshav, S., "Quality of Service in Distributed Systems," Computer Communications 21, 1998, pp. 291-293.
Corbato, F. J. et al., "An Experimental Timesharing System," Proceedings of the American Federation of Information Processing Societies Spring Joint Computer Conference, San Francisco, CA, May 1-3, 1962, pp. 335-344.
Deutsch, P. and Grant, C.A., "A Flexible Measurement Tool for Software Systems," Information Processing 71 (Proc. of the IFIP Congress), 1971, pp. 320-326.
Duffield, N. G., et al., "A Flexible Model for Resource Management in Virtual Private Networks," Computer Communication Review Conference, Computer Communication, ACM SIGCOMM '99 Conference, Cambridge, MA, Aug. 30, 1999-Sep. 3, 1999, pp. 95-108.
Edjlali, G., et al., "History-based Access Control for Mobile Code," Fifth ACM Conference on Computer and Communication Security, Nov. 3-5, 1998, 19 pages.
Egevang, K. and Francis, P., RFC 1631, May 1994 [online], [retrieved Feb. 2, 2000]. Retrieved from the Internet: <org/rfcs/rfc1631.html>.
Erlingsson, U. and Schneider, F. B., "SASI Enforcement of Security Policies: A Retrospective," Proc. New Security Paradigms Workshop, Apr. 2, 1999, pp. 1-17.
Erlingsson, U. and Schneider, F. B., IRM Enforcement of Java Stack Inspection, [online], Feb. 19, 2000, [retrieved on Apr. 2, 2002]. Retrieved from the Internet: <URL: http://cs-tr.cs.cornell.edu/Dienst/UI2.0/Show Page/ncstrl.cornell/TR2000-1786>.
Evans, D. and Twyman, A., "Flexible Policy-Directed Code Safety," Proc. of 1999 IEEE Symposium on Security and Privacy, Oakland, CA, May 9-12, 1999, pp. 1-14.
Fraser, T. et al., "Hardening COTS Software with Generic Software Wrappers," Proc. of 1999 IEEE Symposium on Security and Privacy, 1999, 15 pages.
Frost, J., "UNIX Signals and Process Groups," Aug. 17, 1994, [Retrieved on Oct. 13, 2005], Retrieved from the Internet <URL:http://www.cs.ucsb.edu/˜almeroth/classes/W99.276/assignment1/signals.html>.
Goldberg, I. et al., "A Secure Environment For Untrusted Helper Applications (Confining the Wily Hacker)," Proc. of the Sixth USENIX UNIX Security Symposium, San Jose, CA, Jul. 1996, 14 pages.
Goldberg, R. P. "Survey of Virtual Machine Research," IEEE Computer, Jun. 1974, pp. 34-45.
Goyal, P. et al., "Generalized Guaranteed Rate Scheduling Algorithms: A Framework," IEEE/ACM Transactions, vol. 5, Issue 4, Aug. 1997, pp. 561-571.
Goyal, P. et al., "Start-time Fair Queuing: A Scheduling Algorithm for Integrated Services Packet Switching Networks," Proceedings of ACM SIGCOMM '96, San Francisco, CA, Aug. 1996, 14 pages.
Goyal, P., "Packet Scheduling Algorithms for Integrated Services Networks," PhD Dissertation, University of Texas, Austin, TX, Aug. 1997.
Goyal, P., et al., "A Hierarchical CPU Scheduler for Multimedia Operating Systems," Proceedings of the Second Symposium on Operating Systems and Design Implementations (OSDI'96), Seattle, WA, Oct. 1996, 15 pages.
Huang, X. W. et al., "The Entrapid Protocol Development Environment," Proceedings of IEEE Infocom '99, Mar. 1999, 9 pages.
Jánosi, T., "Notes on ‘A Hierarchical CPU Scheduler for Multimedia Operating Systems’ by Pawan Goyal, Xingang Guo and Harrick Vin," [online], [retrieved on May 8, 2000]. Retrieved from the Internet: <URL:cs.cornell.edu/Info/Courses/Spring-97/CS614/goy.html>.
Jonsson, J. "Exploring the Importance of Preprocessing Operations in Real-Time Multiprocessor Scheduling," Proc. of the IEEE Real-Time Systems Symposium-Work-In-Progress session, San Francisco, CA, Dec. 4, 1997, pp. 31-34.
Keshav, S., "An Engineering Approach to Computer Networking: ATM Networks, the Internet, and the Telephone Network," Reading, MA, Addison-Wesley, 1997, pp. vii-xi, 85-115, 209-355, 395-444.
Laurie, B. and Laurie, P., Apache: The Definitive Guide, Sebastopol, CA, O'Reilly & Associates, Inc., Feb. 1999, pp. v-viii, 43-74.
Mallory, T. and Kullberg, A., RFC 1141, Jan. 1990 [online], [retrieved Feb. 2, 2000]. Retrieved from the Internet: <org/rfcs/rfc1141.html>.
McDougall, R., et al., Resource Management, Upper Saddle River, NJ, Prentice Hall, 1999, pp. iii-xix, 135-191.
Mitra, Debasis et al., "Hierarchical Virtual Partitioning: Algorithms for Virtual Private Networking," Bell Labs Technical Journal, Spring 1997, http://cm.bell-labs.com/cm/ms/who/mitra/papers/globe.ps.
Pandey, R. and Hashii, B., "Providing Fine-Grained Access Control for Mobile Programs Through Binary Editing," Technical Report TR98 08, University of California, Davis, CA, 1998, pp. 1-22.
Pending United States patent application entitled "Associating Identifiers With Virtual Processes," U.S. Appl. No. 09/611,877, filed Jul. 7, 2000.
Pending United States patent application entitled "Disambiguating File Descriptors," U.S. Appl. No. 09/500,212, filed Feb. 8, 2000.
Pending United States patent application entitled "Dynamic Scheduling of Task Streams in a Multiple-Resource System to Ensure Task Stream Quality of Service," U.S. Appl. No. 09/498,450, filed Feb. 4, 2000.
Pending United States patent application entitled "Dynamically Modifying the Resources of a Virtual Server," U.S. Appl. No. 09/569,371, filed May 11, 2000.
Pending United States patent application entitled "Enabling a Service Provider to Provide Intranet Services," U.S. Appl. No. 09/526,980, filed Mar. 15, 2000.
Pending United States patent application entitled "Fairly Partitioning Resources While Limiting the Maximum Fair Share," U.S. Appl. No. 09/633,575, filed Aug. 7, 2000.
Pending United States patent application entitled "Intercepting Calls to Non-Local Procedures," U.S. Appl. No. 09/687,031, filed Oct. 12, 2000.
Pending United States patent application entitled "Intercepting I/O Multiplexing Operations Involving Cross-Domain File Descriptor Sets," U.S. Appl. No. 09/664,914, filed Sep. 18, 2000.
Pending United States patent application entitled "Modifying Internal Components of a Running Operating Systems," U.S. Appl. No. 09/576,393, filed May 22, 2000.
Pending United States patent application entitled "Providing Quality of Service Guarantees to Virtual Hosts," U.S. Appl. No. 09/452,286, filed Nov. 30, 1999.
Pending United States patent application entitled "Regulating File Access Rates According to File Type," U.S. Appl. No. 09/572,672, filed May 16, 2000.
Pending United States patent application entitled "Restricting Communication Between Network Devices on a Common Network," U.S. Appl. No. 09/502,155, filed Feb. 11, 2000.
Pending United States patent application entitled "Restricting Communication of Selected Processes to a Set of Specific Network Addresses," U.S. Appl. No. 09/503,975, filed Feb. 14, 2000.
Pending United States patent application entitled "Selective Interception of System Calls," U.S. Appl. No. 09/499,098, filed Feb. 4, 2000.
Pending United States patent application entitled "Virtualizing Port Addresses for Non-Conflicting Use by Multiple Virtual Processes," U.S. Appl. No. 09/679,396, filed Oct. 3, 2000.
Pending United States patent application entitled "Virtualizing Resource Ownership for Multiple Virtual Processes," U.S. Appl. No. 09/747,664, filed Dec. 22, 2000.
Plummer, D. C., "An Ethernet Address Resolution Protocol—or—Converting Network Protocol Addresses to 48.bit Ethernet Address for Transmission on Ethernet Hardware," Nov. 1982, [online], [retrieved on Jan. 17, 2000]. Retrieved from the Internet: <msg.net/kadow/answers/extras/rfc/rfc826.txt>.
Rijsinghani, A., RFC 1624, May 1994, [online], [retrieved Feb. 2, 2000]. Retrieved from the Internet: <org/rfcs/rfc 1624.html>.
Ritchie, D.M., The Evolution of the Unix Time-Sharing System, AT&T Bell Laboratories Technical Journal 63, No. 6, Part 2, Oct. 1984, (originally presented 1979), 11 pages.
Rubini, A., Linux Device Drivers, Sebastopol, CA, O'Reilly & Associates, Inc., 1998, pp. v-x, 13-40.
Rusling, D. A., Files, [online], [retrieved on Dec. 7, 1999]. Retrieved from the Internet: <cebaf.gov/-saw/linux/tlk-html/node49.html>.
Rusling, D. A., Identifiers, [online], [retrieved on Dec. 7, 1999]. Retrieved from the Internet: <cebaf.gov/-saw/linux/tlk-html/node46.html>.
Rusling, D. A., Linux Processes, [online], [retrieved on Dec. 7, 1999]. Retrieved from the Internet: <cebaf.gov/-saw/linux/tlk-html/node45.html>.
Rusling, D. A., Processes, [online], [retrieved on Dec. 7, 1999]. Retrieved from the Internet: <cebaf.gov/-saw/linux/tlk-html/node44.html>.
Rusling, D. A., Scheduling in Multiprocessor Systems, [online], [retrieved on Dec. 7, 1999]. Retrieved from the Internet: <cebaf.gov/-saw/linux/tlk-html/node48.html>.
Rusling, D. A., Scheduling, [online], [retrieved on Dec. 7, 1999]. Retrieved from the Internet: <cebaf.gov/-saw/linux/tlk-html/node47.html>.
Saltzer, J. H. and Schroeder, M. D., "The Protection of Information in Computer Systems," [online], 1973, [retrieved on Apr. 2, 2002]. Retrieved from the Internet: <cs.virginia.edu-evans/cs551/saltzer/>.
Stevens, R. W., Unix Network Programming vol. 1, Networking APIs: Sockets and XTI, Upper Saddle River, NJ, Prentice Hall, 1998, pp. v-xiv, 29-53, 85-110, 727-760.
Stevens, R. W., Advanced Programming in the UNIX® Environment, Addison Wesley Longman, Inc., USA, 1993, pp. 237-246, 282-285.
Symbol Table, [online] copyright 1997, 1998, [Retrieved on Apr. 4, 2003] Retrieved from the Internet <URL: 16.239.33.100/search?q=cache:eASXk8qC--caldera.com/developers/gabi/1998-04-29/ch4.s . . . , pp. 1-5.
Tanenbaum, A. S. and Woodhull, A. S., "Operating Systems: Design and Implementation," Upper Saddle River, NJ, Prentice Hall, 1997, pp. vii-xiv, 1-46, 410-454.
Wahbe, R., et al., "Efficient Software-Based Fault Isolation," Proc. of the Symposium on Operating System Principles, 1993, 14 pages.

Also Published As

Publication number Publication date
US7219354B1 (en) 2007-05-15

Similar Documents

Publication Publication Date Title
USRE44210E1 (en) Virtualizing super-user privileges for multiple virtual processes
US9165160B1 (en) System for and methods of controlling user access and/or visibility to directories and files of a computer
US10042661B1 (en) Method for creation of application containers inside OS containers
US5708832A (en) Network redirection for the enhancement of server capacities
JP3696639B2 (en) Unification of directory service with file system service
US7783665B1 (en) Effective file-sharing among virtual environments
US9021494B2 (en) Method and system for communicating between isolation environments
US8539136B2 (en) Techniques for dynamic disk personalization
US8312459B2 (en) Use of rules engine to build namespaces
EP1794678B1 (en) Methods and systems for accessing, by application programs, resources provided by an operating system
US10025924B1 (en) Taskless containers for enhanced isolation of users and multi-tenant applications
US20030233544A1 (en) Methods and systems for providing a secure application environment using derived user accounts
CA2233537C (en) Accessing database information
US20130091183A1 (en) Volume Management
US6732211B1 (en) Intercepting I/O multiplexing operations involving cross-domain file descriptor sets
US20080109466A1 (en) Virtual Deletion In Merged Registry keys
US20200250092A1 (en) Shared filesystem metadata caching
US7188120B1 (en) System statistics virtualization for operating systems partitions
US9516032B2 (en) Methods and systems for using derived user accounts
Wood Coordination with attributes
US10616228B2 (en) Enhanced permissions for enabling re-purposing of resources while maintaining integrity
CN117193940A (en) Data access method, device, electronic equipment and computer readable medium
Nyman Dynamic Isolated Domains
Ooi Access control for an object-oriented distributed platform

Legal Events

Date Code Title Description
AS Assignment

Owner name: ENSIM CORPORATION, CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:HUANG, XUN WILSON;KESHAV, SRINIVASAN;REEL/FRAME:025626/0540

Effective date: 20010320

Owner name: ENSIM CORPORATION, CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:ESTAN, CRISTIAN;REEL/FRAME:025626/0455

Effective date: 20001218

AS Assignment

Owner name: DIGITAL ASSET ENTERPRISES, L.L.C., DELAWARE

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:ENSIM CORPORATION;REEL/FRAME:025631/0768

Effective date: 20070607

FPAY Fee payment

Year of fee payment: 8

AS Assignment

Owner name: CUFER ASSET LTD. L.L.C., DELAWARE

Free format text: MERGER;ASSIGNOR:DIGITAL ASSET ENTERPRISES, L.L.C.;REEL/FRAME:037118/0001

Effective date: 20150812

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 12TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1553); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 12

AS Assignment

Owner name: INTELLECTUAL VENTURES ASSETS 173 LLC, DELAWARE

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:CUFER ASSET LTD. L.L.C.;REEL/FRAME:057270/0921

Effective date: 20210809

AS Assignment

Owner name: ALTO DYNAMICS, LLC, GEORGIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:INTELLECTUAL VENTURES ASSETS 173 LLC;REEL/FRAME:058521/0704

Effective date: 20210825