Super-user privileges are virtualized by designating a virtual super-user for each of a plurality of virtual processes and intercepting system calls for which actual super-user privileges are required, which are nevertheless desirable for a virtual super-user to perform in the context of his or her own virtual process. In one embodiment, a computer operating system includes multiple virtual processes, such as virtual private servers. Each virtual process can be associated with one or more virtual super-users. When an actual process makes a system call that requires actual super-user privileges, the call is intercepted by a system call wrapper.

Patent: RE44210
Priority: Dec 22 2000
Filed: May 15 2009
Issued: May 07 2013
Expiry: Dec 22 2020
Entity: Large
14. A system for virtualizing user privileges in a computer operating system including multiple virtual private servers, the system comprising:
means for associating a first user with a first virtual private server, the first virtual private server comprising a first plurality of actual processes executing within a same operating system as a second plurality of actual processes comprising a second virtual private server;
means for associating an identifier with the first user wherein the first user owns a first set of resources;
means for associating a second user with the second virtual private server;
means for associating the identifier with the second user wherein the second user owns a second set of resources that is different from the first set of resources;
means for intercepting a call to the operating system that retrieves privileges for users, the call made by a process associated with the first virtual private server, and
means for determining, in response to the intercepted call to the operating system, that the process can access the first set of resources but not the second set of resources.
4. A method performed by a computing system having a processor and memory for virtualizing user privileges in a computer operating system including multiple virtual private servers, the method comprising:
associating a first user with a first virtual private server, the first virtual private server comprising a first plurality of actual processes executing within a same operating system as a second plurality of actual processes comprising a second virtual private server;
associating an identifier with the first user wherein the first user owns a first set of resources;
associating a second user with the second virtual private server;
associating the identifier with the second user wherein the second user owns a second set of resources that is different from the first set of resources;
intercepting a call to the operating system that retrieves privileges for users, the call made by a process associated with the first virtual private server, and
in response to the intercepted call to the operating system, determining that the process is permitted to access the first set of resources but is not permitted to access the second set of resources.
13. A computer-readable storage device storing computer-executable instructions that, when executed, perform a method for virtualizing user privileges in a computer operating system including multiple virtual private servers, the method comprising:
associating a first user with a first virtual private server, the first virtual private server comprising a first plurality of actual processes executing within a same operating system as a second plurality of actual processes comprising a second virtual private server;
associating an identifier with the first user wherein the first user owns a first set of resources;
associating a second user with the second virtual private server;
associating the identifier with the second user wherein the second user owns a second set of resources that is different from the first set of resources;
intercepting a call to the operating system that retrieves privileges for users, the call made by a process associated with the first virtual private server, and
in response to the intercepted call to the operating system, determining that the process can access the first set of resources but not the second set of resources.
1. A computer-implemented method for virtualizing super-user privileges in a computer operating system including multiple virtual private servers, the method comprising:
associating a user with a first virtual private server, the first virtual private server comprising a first plurality of actual processes executing within the same operating system as a second plurality of actual processes comprising a second virtual private server;
designating the user as a virtual super-user;
intercepting a call to the operating system for which actual super-user privileges are required, the call made by a process located in the operating system, the process owned by the user, wherein intercepting the call to the operating system comprises:
loading a system call wrapper;
saving a pointer to the call to the operating system, wherein the pointer to the call to the operating system comprises a system call vector; and
replacing the pointer to the call to the operating system with a pointer to the system call wrapper, such that the system call wrapper is executed when the call to the operating system is invoked; and
in response to the intercepted call to the operating system pertaining to the first virtual private server:
granting actual super-user privileges to the user; and
allowing execution of the call to the operating system.
2. A computer program product for virtualizing super-user privileges in a computer operating system including multiple virtual private servers, the computer program product comprising a computer-readable storage device and computer program code encoded on the storage device for:
associating a user with a first virtual private server, the first virtual private server comprising a first plurality of actual processes executing within the same operating system as a second plurality of actual processes comprising a second virtual private server;
designating the user as a virtual super-user;
intercepting a call to the operating system for which actual super-user privileges are required, the call made by a process located in the operating system, the process owned by the user, wherein intercepting the call to the operating system comprises:
loading a system call wrapper;
saving a pointer to the call to the operating system, wherein the pointer to the call to the operating system comprises a system call vector; and
replacing the pointer to the call to the operating system with a pointer to the system call wrapper, such that the system call wrapper is executed when the call to the operating system is invoked; and
granting actual super-user privileges to the user, and allowing execution of the call to the operating system, in response to the intercepted call to the operating system pertaining to the first virtual private server.
3. A system for virtualizing super-user privileges in a computer operating system including multiple virtual private servers, the system comprising:
means for associating a user with a first virtual private server, the first virtual private server comprising a first plurality of actual processes executing within a same operating system as a second plurality of actual processes comprising a second virtual private server;
means for designating the user as a virtual super-user;
means for intercepting a call to the operating system for which actual super-user privileges are required, the call made by a process executed by the operating system, the process owned by the user, wherein the means for intercepting the call to the operating system is configured to:
load a system call wrapper;
save a pointer to the call to the operating system, wherein the pointer to the call to the operating system comprises a system call vector; and
replace the pointer to the call to the operating system with a pointer to the system call wrapper, such that the system call wrapper is executed if the call to the operating system is invoked; and
means for granting virtual super-user privileges to the user and allowing execution of the call to the operating system in response to the intercepted call to the operating system pertaining to the first virtual private server, wherein a virtual super-user has a subset of the privileges of an actual super-user but a superset of the privileges of a user other than the actual super-user.
5. The method of claim 4, wherein intercepting the call to the operating system comprises:
loading a system call wrapper;
saving a pointer to the call to the operating system, wherein the pointer to the call to the operating system comprises a system call vector; and
replacing the pointer to the call to the operating system with a pointer to the system call wrapper, such that the system call wrapper is executed if the call to the operating system is invoked.
6. The method of claim 4 wherein the call to the operating system indicates to take an action on a resource owned by the first user but not the second user.
7. The method of claim 4 wherein the identifier is a user identifier.
8. The method of claim 4 further comprising encoding the user identifier with a virtual process identifier.
9. The method of claim 8 wherein the encoding includes shifting the virtual process identifier by a specified number of bits and then applying a logical OR operation to a result of the shifting with the user identifier.
10. The method of claim 4 wherein the identifier is a group identifier.
11. The method of claim 10 further comprising encoding the group identifier with a virtual process identifier.
12. The method of claim 11 wherein the encoding includes shifting the virtual process identifier by a specified number of bits and then applying a logical OR operation to a result of the shifting with the group identifier.

where UID is the UID 305, VPID is the VPID 203 (from the table 127), and “<<” and “|” are the left shift and logical “OR” operators, respectively. In other words, the VPID 203 is left shifted 16 bits and then logically ORed with the UID 305.

Those skilled in the art will recognize that the above-described technique limits both the number of unique UIDs 305 and the number of virtual processes 101 to 65536. In alternative embodiments, however, the relative location and/or number of bits allocated to the VPID 203 within the UID 305 may vary, resulting in different limitations.

After the UID 305 is modified, the system call wrapper 111 associates the resource with the modified UID 305. This may be accomplished, in one embodiment, by executing the system call 115 by the wrapper 111, specifying the modified UID 305. In an alternative embodiment, the system call wrapper 111 can include its own code for setting the UID 305.

Consequently, from a standpoint of the calling process 301, the resource is associated with the UID 305 specified in the system call 115. From a standpoint of the operating system 117, however, the resource is actually associated with the modified UID 305.

FIG. 4 provides an example of the above-described technique. Suppose that a process 301 having a PID 201 of 3942 attempts to execute the UNIX® setuid( ) system call 115 with a specified UID 305 of 1. As shown, the system call wrapper 111 uses the virtual process table 127 to determine the VPID 203 (e.g., 1) associated with the calling process 301. The VPID 203 is then encoded within UID 305 as described above, resulting in a modified UID 305 having a hexadecimal value of 0x00010001 (65537 in decimal). Accordingly, the calling process 301 is associated with a UID 305 of 65537 rather than the specified UID 305 of 1.

As shown in FIG. 5, a different UID 305 will result from a different VPID 203. For instance, suppose that the VPID 203 of the virtual process 101 of FIG. 5 has a value of 3. Applying the above-described equation, the resulting modified UID 305 has a hexadecimal value of 0x00030001 (196609 in decimal). Accordingly, the calling process 301 is associated with a UID 305 of 196609 rather than the original UID 305 of 1 or the modified UID 305 of 65537 from the previous example.

The above-described technique for virtualizing resource ownership is summarized in FIG. 6. A method 600 begins in one embodiment by loading 601 a system call wrapper 111 into the operating system 117. Thereafter, copies are made 603 of pointers 114 to selected system calls 115 to be intercepted (e.g., setuid( ), setgid( ), and chown( )). The pointers 114 are then replaced 605, in one implementation, by pointers 118 to the system call wrapper 111. Thus, when one of the selected system calls 115 is made, the system call wrapper 111 is executed instead.

A system call 115 for setting the UID 305 of a resource is then intercepted 607. Next, the system call wrapper 111 determines 609 the virtual process 101 corresponding to the calling process 301. In one embodiment, this determination is made by referencing the virtual process table 127, as described above.

After the virtual process 101 is determined, the system call wrapper 111 encodes 611 an indication of the virtual process 101 (e.g., the VPID 203) within the UID 305. The wrapper 111 then associates 613 the resource with the modified UID 305. In one implementation, this is accomplished by executing the system call 115 within the wrapper 111, specifying the modified UID 305.

Another aspect of virtualizing resource ownership involves intercepting system calls 115 for obtaining the UID 305 or GID 307 associated with a system resource. In the case of UNIX®, the getuid( ) function returns the UID 305 associated with the calling process 301. Similarly, the UNIX® getgid( ) function returns the GID 307. Additionally, the UNIX® stat( ) function returns the UID 305 and/or GID 307 associated with a file 303. Of course, the invention is not limited to any particular terminology or operating system 117.

Consequently, if a system call 115 for obtaining a UID 305 (e.g., getuid( )) were allowed to execute without modification, the calling process 301 would receive a “modified” UID 305, such as a UID 305 including an indication of a virtual process 101. From the standpoint of the calling process 301, the UID 305 would be unexpected, with unpredictable results.

Thus, FIG. 7 illustrates a system 700 for virtualizing resource ownership. After intercepting one of the above-identified system calls 115, the system call wrapper 111 obtains the UID 305 from the standpoint of the operating system 117. The wrapper 111 obtains the UID 305, in one embodiment, by executing the system call 115. In alternative embodiments, the wrapper 111 may include its own code for obtaining the UID 305.

In one embodiment, the UID 305 obtained by the wrapper 111 includes an indication of the virtual process 101 (e.g., VPID 203). Thus, the wrapper 111 removes the VPID 203 to restore the original, unmodified UID 305, as described in greater detail below.

As previously explained, a UID 305 in Solaris® is a 32-bit word. In one implementation, the upper 16 bits are used to encode the VPID 203, while the lower 16 bits are used to store the UID data. Thus, the VPID 203 may be removed from the UID 305 by applying the equation:
UID=0x0000FFFF & UID  Eq. 2
where UID is the UID 305 and “&” is the logical “AND” operator. In other words, the set of bits corresponding to the VPID 203 within the UID 305 are cleared. Of course, the encoding of the VPID 203 may vary in alternative embodiments, necessitating a different equation.

An example of the above-described process is shown in FIG. 7. Suppose that a process 301 executes the UNIX® getuid( ) system call 115, which is intercepted by the system call wrapper 111. The wrapper 111 obtains the UID 305 (e.g., 0x00010001) associated with the resource by executing, for example, the system call 115. As illustrated, the upper 16 bits of the UID 305 include an indication of a virtual process 101 (e.g., a VPID 203 of 1).

The wrapper 111 then removes the indication of the virtual process 101 by logically ANDing the UID 305 with a value configured to clear the bits associated with the VPID 203, (e.g., 65535). As a result, a UID 305 of 1 is returned to the calling process 301, rather than the UID 305 of 65537.

The above-described technique for virtualizing resource ownership is summarized in FIG. 8. A method 800 begins in one embodiment by loading 801 a system call wrapper 111 into the operating system 117. Thereafter, copies are made 803 of pointers 114 to selected system calls 115 to be intercepted (e.g., getuid( ), getgid( ), and stat( )). The pointers 114 are then replaced 805, in one implementation, by pointers 118 to the system call wrapper 111. Thus, when one of the selected system calls 115 is made, the system call wrapper 111 is executed instead.

A system call 115 for obtaining the UID 305 associated with a resource is then intercepted 807. Next, the system call wrapper 111 obtains 809 the UID 305 associated with the resource. In one embodiment, the wrapper 111 obtains the UID 305 by executing the system call 115. As noted, the UID 305 includes, as a consequence of the method 600 of FIG. 6, an indication of a virtual process 101 (e.g., VPID 203).

After the UID 305 is obtained, the system call wrapper 111 removes 811 the VPID 203 by logically ANDing the UID 305 with an appropriate value, e.g., 65535. The UID 305 is then returned 813 to the calling process 301.
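The setuid( ) and getuid( ) interception of FIGS. 4 through 8, worked through in C as an added example; it is not the patent's code nor that of any product practicing it. The operating system is stood in for by a constructed process table, the entry for PID 5100 in VPID 3 is assumed in order to illustrate FIG. 5, and the refusal of a requested UID above 65535 is a check added here rather than one the description states.

```c
#include <errno.h>
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example (not the patent's code): a user-space model of the setuid( )/
 * getuid( ) wrapper of FIGS. 4-8.  The operating system is stood in for by a
 * constructed process table holding each process's VPID and stored UID. */

#define VPID_SHIFT 16
#define UID_MASK   0x0000FFFFu   /* Eq. 2 */
#define FIELD_MAX  0xFFFFu       /* each 16-bit field holds at most 65535 */
#define NO_UID     UINT32_MAX    /* (uid_t)-1, the conventional "no such user" */

struct proc { uint32_t pid, vpid, uid; };

/* Constructed virtual process table 127: PID 3942 is in VPID 1 (FIG. 4),
 * PID 5100 in VPID 3 (FIG. 5).  uid is the value the operating system holds. */
static struct proc ptable[] = { { 3942, 1, 0 }, { 5100, 3, 0 } };
#define NPROC (sizeof ptable / sizeof ptable[0])

static struct proc *lookup(uint32_t pid) {
    for (size_t i = 0; i < NPROC; i++)
        if (ptable[i].pid == pid) return &ptable[i];
    return NULL;
}

/* Eq. 1: VPID in the upper 16 bits, UID in the lower 16. */
uint32_t encode_uid(uint32_t vpid, uint32_t uid) { return (vpid << VPID_SHIFT) | uid; }
/* Eq. 2: clear the VPID bits. */
uint32_t decode_uid(uint32_t stored) { return stored & UID_MASK; }
uint32_t vpid_of(uint32_t stored)    { return stored >> VPID_SHIFT; }

/* Wrapper for setuid( ).  The VPID comes from the table, never from the
 * caller.  Eq. 1 is a plain OR, so a requested UID with bits above 15 set
 * would spill into the VPID field (VPID 1 with 0x00020000 encodes to
 * 0x00030000, the VSUID form of VPID 3 under Section III); such requests
 * are refused, not masked.  Returns 0 or -errno. */
int wrap_setuid(uint32_t pid, uint32_t requested_uid) {
    struct proc *p = lookup(pid);
    if (!p) return -ESRCH;                         /* not in any virtual process */
    if (requested_uid > FIELD_MAX) return -EINVAL;
    if (p->vpid > FIELD_MAX) return -EOVERFLOW;    /* more VPIDs than the field holds */
    p->uid = encode_uid(p->vpid, requested_uid);   /* the "execute with modified UID" step */
    return 0;
}

/* Wrapper for getuid( ): the UID the virtual process expects to see. */
uint32_t wrap_getuid(uint32_t pid) {
    struct proc *p = lookup(pid);
    return p ? decode_uid(p->uid) : NO_UID;
}

/* The unwrapped view: what the operating system itself holds. */
uint32_t kernel_getuid(uint32_t pid) {
    struct proc *p = lookup(pid);
    return p ? p->uid : NO_UID;
}

int main(void) {
    wrap_setuid(3942, 1);
    printf("VPID 1: kernel holds 0x%08" PRIx32 " (%" PRIu32 "), process sees %" PRIu32 "\n",
           kernel_getuid(3942), kernel_getuid(3942), wrap_getuid(3942));
    wrap_setuid(5100, 1);
    printf("VPID 3: kernel holds 0x%08" PRIx32 " (%" PRIu32 "), process sees %" PRIu32 "\n",
           kernel_getuid(5100), kernel_getuid(5100), wrap_getuid(5100));
    printf("oversized request by VPID 1 -> %d\n", wrap_setuid(3942, 0x00020000u));
    return 0;
}
```

Because Eq. 1 is a bitwise OR rather than a field insertion, the range check on the requested UID is what keeps a caller from writing into the VPID field; with it, the wrapper confines the call to the caller's own virtual process regardless of what UID it names. In a real kernel the underlying setuid( ) still applies its own permission check, and this check sits in front of that one rather than replacing it.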

FIG. 9 illustrates an alternative system 900 for virtualizing resource ownership. In an alternative embodiment, an indication of the virtual process 101 is not encoded within the UID 305. Rather, after a system call 115 for setting a UID 305 is intercepted, the system call wrapper 111 selects an alternative UID 901 from a set 903 of available (unused) UIDs 305. The set 903 may be implemented using any suitable data structure, such as a table or linked list. The alternative UID 901 may be selected using any convenient method, such as selecting the next available UID 305 in the set 903.

Once the alternative UID 901 is selected, the wrapper 111 creates an association 905 in a translation data structure 907 between the UID 305 specified in the call 115, the alternative UID 901 selected by the wrapper 111, and an indication of the virtual process 101 (e.g., VPID 203), which may be obtained by the wrapper 111 from the virtual process table 127.

After the translation data structure 907 is updated, the wrapper 111 associates the resource with the alternative UID 901. This is accomplished, in one embodiment, by executing the system call 115, specifying the alternative UID 901.

FIG. 9 provides an example of the above-described technique. Suppose that a process 301 having a PID 201 of 1847 attempts to execute the UNIX® setuid( ) system call 115 with a specified UID 305 of 1. As illustrated, the system call wrapper 111 intercepts the call 115 and uses the virtual process table 127 to determine the virtual process 101 (e.g., VPID 203) associated with the calling process 301.

The system call wrapper 111 then selects an alternative UID 901 (e.g., 1003) from a set 903 of available UIDs 305. Thereafter, the wrapper 111 creates an association 905 in the translation data structure 907 between the UID 305 specified in the call 115 (e.g., 1), the alternative UID 901 (e.g., 1003), and the VPID 203 (e.g., 2). Once the translation data structure 907 is updated, the wrapper 111 associates the calling process 301 with the alternative UID 901 by executing, for example, the system call 115.

FIG. 10 illustrates a corresponding system 1000 for intercepting system calls 115 for obtaining the UID 305 or GID 307 associated with a resource. Initially, the system call wrapper 111 intercepts the call 115 (e.g., getuid( ), getgid( ), and stat( )). Thereafter, the wrapper 111 determines the virtual process 101 (e.g., VPID 203) associated with the calling process 301 using a virtual process table 127 or the like.

The system call wrapper 111 then obtains the alternative UID 901 associated with the resource by executing, for example, the system call 115. As described above, the alternative UID 901 is associated with the resource as a consequence of the system 900 illustrated in FIG. 9.

After the alternative UID 901 is obtained, the wrapper 111 accesses the translation data structure 907, looking up the alternative UID 901 and the VPID 203. When an association 905 is found, the corresponding UID 305 is retrieved from the translation data structure 907 and returned to the calling process 301.

An example of the above-described process is shown in FIG. 10. Suppose that a process 301 executes the getuid( ) function, which is intercepted by the system call wrapper 111. In one embodiment, the wrapper 111 executes the getuid( ) function, which returns an alternative UID 901 of 1003. The wrapper 111 also determines the VPID 203 (e.g., 2) associated with the calling process 301 by accessing the virtual process table 127.

The wrapper 111 then accesses the translation data structure 907, looking up an alternative UID 901 of 1003 and a VPID 203 of 2. As illustrated, an association 905 exists, revealing a UID 305 of 1, which is subsequently returned to the calling process 301.
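The translation-table variant of FIGS. 9 and 10 in C, as an added example that is not the patent's code. The free-UID pool bounds (1003 through 1999), the table capacity, the PIDs other than 1847, and the reuse of an existing association when the same (UID, VPID) pair is requested again are assumptions made for the illustration.

```c
#include <errno.h>
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example (not the patent's code): the translation-table variant of
 * FIGS. 9-10.  No VPID is packed into the UID; the wrapper hands out an
 * unused host UID and records (requested UID, VPID) <-> alternative UID.
 * Pool bounds, table capacity and PIDs other than 1847 are constructed. */

#define POOL_FIRST 1003u        /* FIG. 9 hands out 1003 first */
#define POOL_LAST  1999u        /* constructed upper bound of the free set 903 */
#define MAX_MAP    64           /* constructed capacity of the translation table */
#define NO_UID     UINT32_MAX   /* (uid_t)-1, the conventional "no such user" */

struct proc    { uint32_t pid, vpid, uid; };
struct mapping { uint32_t orig_uid, alt_uid, vpid; };   /* one association 905 */

/* Constructed virtual process table 127: PID 1847 (FIG. 9) is in VPID 2. */
static struct proc ptable[] = { { 1847, 2, 0 }, { 2203, 2, 0 }, { 3942, 1, 0 } };
#define NPROC (sizeof ptable / sizeof ptable[0])

static struct mapping tmap[MAX_MAP];     /* translation data structure 907 */
static size_t   nmap = 0;
static uint32_t next_free = POOL_FIRST;  /* "next available UID in the set" */

static struct proc *lookup(uint32_t pid) {
    for (size_t i = 0; i < NPROC; i++)
        if (ptable[i].pid == pid) return &ptable[i];
    return NULL;
}
static struct mapping *find_by_orig(uint32_t orig_uid, uint32_t vpid) {
    for (size_t i = 0; i < nmap; i++)
        if (tmap[i].orig_uid == orig_uid && tmap[i].vpid == vpid) return &tmap[i];
    return NULL;
}
static struct mapping *find_by_alt(uint32_t alt_uid, uint32_t vpid) {
    for (size_t i = 0; i < nmap; i++)
        if (tmap[i].alt_uid == alt_uid && tmap[i].vpid == vpid) return &tmap[i];
    return NULL;
}

/* Wrapper for setuid( ).  An existing association for (requested UID, VPID)
 * is reused so that "user 1" of one virtual process always maps to a single
 * host UID; the page only says "next available", so the reuse is an added
 * choice.  Returns 0 or -errno. */
int wrap_setuid(uint32_t pid, uint32_t requested_uid) {
    struct proc *p = lookup(pid);
    if (!p) return -ESRCH;
    struct mapping *m = find_by_orig(requested_uid, p->vpid);
    if (!m) {
        if (nmap == MAX_MAP || next_free > POOL_LAST) return -ENOSPC;  /* pool exhausted */
        tmap[nmap] = (struct mapping){ requested_uid, next_free++, p->vpid };
        m = &tmap[nmap++];
    }
    p->uid = m->alt_uid;   /* what the operating system stores for the process */
    return 0;
}

/* Wrapper for getuid( ): translate the host UID back.  The lookup is keyed by
 * the caller's VPID as well, so a host UID is never resolved through another
 * virtual process's association.  NO_UID means no association exists. */
uint32_t wrap_getuid(uint32_t pid) {
    struct proc *p = lookup(pid);
    if (!p) return NO_UID;
    struct mapping *m = find_by_alt(p->uid, p->vpid);
    return m ? m->orig_uid : NO_UID;
}

/* The unwrapped view: what the operating system itself holds. */
uint32_t kernel_getuid(uint32_t pid) {
    struct proc *p = lookup(pid);
    return p ? p->uid : NO_UID;
}

int main(void) {
    wrap_setuid(1847, 1);
    printf("PID 1847 (VPID 2): host UID %" PRIu32 ", virtual UID %" PRIu32 "\n",
           kernel_getuid(1847), wrap_getuid(1847));
    wrap_setuid(3942, 1);
    printf("PID 3942 (VPID 1): host UID %" PRIu32 ", virtual UID %" PRIu32 "\n",
           kernel_getuid(3942), wrap_getuid(3942));
    return 0;
}
```

Keying the reverse lookup on the pair (alternative UID, VPID) rather than on the alternative UID alone means a host UID that was never issued to the caller's virtual process resolves to NO_UID instead of to another server's user. The pool removes the 65536 limit of the bit-field encoding, but the free set 903 is shared by all virtual processes and one of them can exhaust it by calling setuid( ) with many distinct UIDs, so a per-virtual-process quota on allocations is worth adding.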

III. Virtualizing Super-User Privileges

As noted above, in UNIX® and related operating systems, the “super-user” is granted special privileges not available to other users. For example, the super-user can open, modify, or delete the files of other users, as well as terminate other users' processes. Indeed, the super-user can add and delete users, assign and change passwords, and insert modules into the operating system kernel 109.

Implementing super-user privileges in an operating system 117 including multiple virtual processes 101 presents numerous challenges. For example, each virtual process 101 should be allowed to have a user who is granted super-user-like powers, e.g., the ability to add and delete users of the virtual process 101, access files 303 of any user of the virtual process 101, terminate processes 301 associated with the virtual process 101, and the like.

However, if a user of each virtual process 101 were given full super-user privileges, a super-user of one virtual process 101 could access the files 303 of a user of another virtual process 101. Similarly, a super-user of one virtual process 101 could terminate the processes 301 associated with a user of another virtual process 101. Indeed, a super-user of one virtual process 101 could obtain exclusive access to all system resources, effectively disabling the other virtual processes 101. Clearly, granting a user of each virtual process 101 full super-user privileges would seriously compromise system security, entirely removing the illusion that each virtual process 101 is running on a dedicated host computer.

As illustrated in FIG. 11, the present invention solves the foregoing problems, in one embodiment, by designating a plurality of virtual super-users 1101, typically one per virtual process 101. A virtual super-user 1101 has many of the privileges of an actual super-user with respect to his or her own virtual process 101. For example, a virtual super-user 1101 can add and delete users of the virtual process 101, access files 303 of any user of the virtual process 101, terminate processes 301 associated with the virtual process 101, and the like. However, a virtual super-user 1101 cannot, for instance, add or delete users of other virtual processes 101, access the files 303 of users of other virtual processes 101, or terminate the processes 301 associated with other virtual processes 101.

In one embodiment, a virtual super-user 1101 is designated by assigning to a user a virtual super-user identifier (VSUID) 1103. The VSUID 1103 may be assigned by a virtual super-user designation module 1105, which generates a VSUID 1103 for each virtual super-user 1101, as described below.

A UID 305 of zero is interpreted by UNIX® and related operating systems as the super-user UID 305. However, assigning a UID 305 of zero to each virtual super-user 1101 would result in the problems discussed above, since an actual super-user has unfettered access to all system resources.

Accordingly, a VSUID 1103 comprises, in one embodiment, a super-user UID 305 (e.g., 0), which has been encoded with an indication of a virtual process 101 (e.g., VPID 203) using the techniques described with reference to FIGS. 5-6. As explained above, a UID 305 may be divided, in one implementation, into two 16-bit portions, with the upper 16 bits used to encode a VPID 203, and the lower 16 bits used to store the original UID 305.

For instance, as shown in FIG. 11, a VPID 203 of 1 is encoded within the upper 16 bits of the VSUID 1103, resulting in a VSUID 1103 of 0x00010000. Likewise, a VPID 203 of 2 results in a VSUID 1103 of 0x00020000. Finally, a VPID 203 of 3 results in a VSUID 1103 of 0x00030000. Of course, those skilled in the art will recognize that the VSUID 1103 may be encoded in various ways without departing from the spirit and scope of the invention.

From the standpoint of the operating system 117, however, the VSUID 1103 is not a super-user UID 305, and does not convey any super-user privileges. For example, a VSUID 1103 of 0x00010000 has a decimal value of 65536, clearly not a UID 305 of zero. Thus, without more, a virtual super-user 1101 would have all of the limitations of a regular user.

Consequently, as shown in FIG. 12, selected system calls 115 are intercepted for performing operations requiring actual super-user privileges, which are nevertheless desirable for a virtual super-user 1101 to perform in the context of his or her own virtual process 101. For example, system calls 115 are intercepted that operate on files 303, e.g., open( ), creat( ), link( ), unlink( ), chdir( ), fchdir( ), symlink( ), readlink( ), readdir( ), access( ), rename( ), mkdir( ), rmdir( ), truncate( ), and ftruncate( ). Of course, those skilled in the art will recognize that the invention is not limited to any particular operating system 117 or terminology.

As noted above, a normal user is typically restricted from opening, deleting, renaming, etc., a file 303 owned by another user. However, a virtual super-user 1101 should appear, in most respects, to be an actual super-user for operations pertaining to his or her own virtual process 101.

Thus, in one embodiment, if a system call 115 is “made” by a virtual super-user 1101 (i.e., by a process 301 owned by a virtual super-user 1101) and pertains to the virtual process 101 of the virtual super-user 1101, then actual super-user privileges are temporarily granted to the virtual super-user 1101 for purposes of the system call 115. This may be accomplished, in one embodiment, by executing an appropriate function, e.g., setuid( ), to assign a UID 305 of zero or other designation of super-user privileges to the calling process 301. After the system call 115 is executed, the super-user privileges may be withdrawn by executing the same function to restore the VSUID 1103.

Whether the system call 115 was made by a virtual super-user 1101 may be determined by checking whether the owner of the calling process 301 has a VSUID 1103. Of course, if the system call 115 was not made by a virtual super-user 1101, the wrapper 111 preferably disallows execution of the system call 115. For instance, the wrapper 111 may generate an error message, indicating a privilege violation. Alternatively, the wrapper 111 may simply allow the system call 115 to proceed without granting actual super-user privileges, resulting in the operating system 117 disallowing execution of the system call 115, since the VSUID 1103 does not convey actual super-user privileges.

Whether the system call 115 pertains to the virtual process 101 of the virtual super-user 1101 may be determined by checking whether the system resource(s) affected by the system call 115 relate to the virtual process 101 of the virtual super-user 1101. For example, with respect to system calls 115 that affect processes 301 (such as kill( )), the virtual process table 127 may be checked to determine whether the process 301 has an association 129 with the virtual process 101 of the virtual super-user 1101. Similarly, in one embodiment, each virtual process 101 has a distinct file system, allowing the wrapper 111 to easily determine whether a file 303 referenced by the call 115 is associated with the virtual process 101 of the virtual super-user 1101.

As shown in FIG. 12, suppose that a process 301 owned by a virtual super-user 1101 attempts to execute the open( ) system call 115 in order to open another user's file 303, which is nevertheless associated with the virtual process 101 of the virtual super-user 1101. The virtual process 101 (e.g., VPID 203) may be determined, in one embodiment, by referencing the virtual process table 127 using the PID 201 of “3942.”

Since the file 303 pertains to the virtual process 101 of the virtual super-user 1101, the system call wrapper 111 temporarily grants actual super-user privileges to the virtual super-user 1101. In the illustrated embodiment, this is accomplished by executing an appropriate system call 1201 (e.g., in UNIX®, the setuid( ) function with a UID 305 of zero). The system call 115 is then executed, after which the wrapper 111 withdraws the actual super-user privileges by executing, for example, an appropriate system call 1203 (e.g., in UNIX®, the setuid( ) function with the original VSUID 1103 of the virtual super-user 1101). This approach grants super-user privileges on a call-by-call basis.

Thus, a virtual super-user 1101 may perform an operation for which actual super-user privileges are required, without granting the virtual super-user 1101 unfettered access to all of the system's resources. This allows each virtual process 101 to have at least one system administrator with limited super-user-like powers, while maintaining the illusion that each virtual process 101 is running on a dedicated host computer.

Other system calls 115 that may be intercepted include system calls 115 for terminating a process 301. In UNIX®, the kill( ) system call 115 allows a user to terminate one or more processes 301. For example, executing the kill( ) system call 115 with a specified process 301 (e.g., PID 201) terminates that process 301. Executing the kill( ) system call 115 with an argument of −1 results in the termination of all of the user's processes 301. An argument of less than −1 results in the termination of all of the processes 301 associated with a group whose identifier equals the absolute value of the argument. (The description refers to this group as GID 307; in UNIX® the group addressed by a negative kill( ) argument is a process group, identified by its process group ID, which is distinct from the user group ID returned by getgid( ).)

As noted above, a super-user may terminate any system process 301. Thus, if the super-user specifies a PID 201, the corresponding process 301 will be terminated. Likewise, if the super-user specifies a negative group identifier (GID 307 in this description), the processes 301 belonging to the specified group are terminated. If, however, the super-user specifies an argument of −1, all processes 301 other than those with PID 201 of 0 or 1 are terminated.

In one embodiment, it is desirable for a virtual super-user 1101 to be able to terminate processes 301 associated with his or her virtual process 101. Accordingly, the system call wrapper 111 intercepts system calls 115 for terminating processes 301 (e.g., kill( )).

Where a virtual super-user 1101 attempts to terminate a specific process 301 associated with his or her virtual process 101, the wrapper 111 proceeds as discussed above with reference to FIG. 12. In other words, the wrapper 111 grants temporary actual super-user privileges to the calling process 301 and allows execution of the system call 115.

However, as shown in FIG. 13, where the system call 115 specifies a negative parameter, the wrapper 111 proceeds differently. Since the powers of the virtual super-user 1101 should be limited to his or her virtual process 101, a kill( ) system call 115 with an argument of −1 results only in the termination of processes 301 associated with that virtual process 101. Thus, in one embodiment, a kill(−1) system call 115 "pertains" to the virtual process 101 by definition.

In one embodiment, the system call wrapper 111 iterates through the virtual process table 127, terminating all processes 301 associated with the virtual process 101. Thus, a kill(−1) system call 115 operates in the manner expected, maintaining the illusion that the virtual process 101 of the virtual super-user 1101 is executing on a dedicated host machine.

Likewise, in the case of an argument of less than −1, denoting a process group (GID 307), the wrapper 111 cycles through all of the processes 301 associated with the virtual process 101 of the virtual super-user 1101 and determines whether each such process 301 belongs to the specified group. If so, those processes 301 are terminated in the manner discussed above. Processes 301 of other virtual processes 101 that happen to share the same process-group ID are never reached, because the iteration is over the virtual process table 127 rather than over the whole system.

As an example, as shown in FIG. 13, suppose that a process 301 is associated with a virtual process 1 (e.g., having a VPID 203 of 1). The process 301 is owned by a virtual super-user 1101 by virtue of the VSUID 1103 (e.g., 0x00010000), and pertains to the virtual process 101 by definition. Accordingly, the wrapper 111 grants temporary actual super-user privileges to the calling process 301 by executing the system call 1201.

Thereafter, the wrapper 111 iterates through the virtual process table 127, identifying each process 301 (e.g., PIDs 3942 and 4400) associated with a VPID 203 of 1. System calls 115 (e.g., kill(3942), kill(4400)) are then made to terminate each of the identified processes 301, after which the actual super-user privileges are withdrawn by executing the system call 1203.
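The kill( ) handling described above, written out as an added example in C; this is not the patent's code and not Ensim's implementation. It is a user-space model: the virtual process table, the VSUID encoding (an assumed flag bit 0x00010000 combined with the VPID), the sample processes and the `vkill`/`is_alive` function names are all constructed for illustration, and a real kernel would send a signal rather than clear an "alive" flag. What it shows is the part the prose describes only in words: every path through the wrapper is confined to the caller's own virtual process, including the negative-argument cases.

```c
/* Added example, not the patent's code: a user-space model of the kill()
 * wrapper 111 for a virtual super-user 1101. The table, the VSUID encoding
 * and the sample processes are assumptions made for illustration. */
#include <stdio.h>

#define VSUID_FLAG 0x00010000u   /* assumed: marks a UID as a virtual super-user */
#define MAX_PROCS  32

struct vproc_entry {             /* one row of the (assumed) virtual process table 127 */
    int pid;                     /* actual PID 201 */
    int vpid;                    /* virtual process 101 that owns it (0 = host) */
    unsigned uid;                /* owner; VSUID_FLAG | vpid for a virtual super-user */
    int pgid;                    /* process group, the target of kill(-pgid) */
    int alive;
};

static struct vproc_entry vptable[MAX_PROCS];
static int nprocs;

static struct vproc_entry *lookup(int pid)
{
    for (int i = 0; i < nprocs; i++)
        if (vptable[i].pid == pid)
            return &vptable[i];
    return NULL;
}

static int is_virtual_superuser(const struct vproc_entry *p)
{
    return (p->uid & VSUID_FLAG) != 0;
}

/* Model of the intercepted kill(): returns the number of processes
 * terminated, or -1 where the real wrapper would refuse the call (EPERM). */
int vkill(int caller_pid, int target)
{
    struct vproc_entry *caller = lookup(caller_pid);
    if (caller == NULL || !is_virtual_superuser(caller))
        return -1;                       /* step 1511: not a virtual super-user */

    if (target > 0) {                    /* a single PID: it must pertain to the VPS */
        struct vproc_entry *t = lookup(target);
        if (t == NULL || !t->alive || t->vpid != caller->vpid)
            return -1;                   /* another VPS, or the host: refused */
        t->alive = 0;
        return 1;
    }

    /* kill(0) means the caller's own process group (POSIX), kill(-1) means
     * "everything", kill(-n) means process group n. */
    int pgid = (target == 0) ? caller->pgid : -target;
    int killed = 0;
    for (int i = 0; i < nprocs; i++) {   /* iterate the virtual process table */
        struct vproc_entry *p = &vptable[i];
        if (!p->alive || p->vpid != caller->vpid)
            continue;                    /* never leaves the caller's own VPS */
        if (target == -1 && p->pid == caller_pid)
            continue;                    /* like Linux, kill(-1) spares the caller */
        if (target != -1 && p->pgid != pgid)
            continue;
        p->alive = 0;
        killed++;
    }
    return killed;
}

static void add_proc(int pid, int vpid, unsigned uid, int pgid)
{
    vptable[nprocs++] = (struct vproc_entry){ pid, vpid, uid, pgid, 1 };
}

/* Constructed sample table: two virtual private servers plus the host's init. */
void setup_sample_table(void)
{
    nprocs = 0;
    add_proc(1,    0, 0,              1);    /* init, owned by the real super-user */
    add_proc(3900, 1, VSUID_FLAG | 1, 3900); /* virtual super-user of VPS 1 */
    add_proc(3942, 1, 1001,           3942);
    add_proc(4400, 1, 1001,           3942); /* same process group as 3942 */
    add_proc(4500, 1, 1002,           4500);
    add_proc(5000, 2, VSUID_FLAG | 2, 5000); /* virtual super-user of VPS 2 */
    add_proc(5100, 2, 1001,           5100);
}

int is_alive(int pid)
{
    struct vproc_entry *p = lookup(pid);
    return p != NULL && p->alive;
}

int main(void)
{
    setup_sample_table();
    printf("kill(-1) from VPS 1 terminated %d processes\n", vkill(3900, -1));
    printf("VPS 2 process 5100 alive: %d, host init alive: %d\n", is_alive(5100), is_alive(1));
    printf("cross-VPS kill(5100) from VPS 1: %d (refused)\n", vkill(3900, 5100));
    return 0;
}
```

The check worth noticing is the one on the positive-PID path: the wrapper refuses a PID that is not in the caller's virtual process rather than falling through to the real kill( ), because the temporary super-user privileges granted in the next step would otherwise let the call succeed against any process on the host.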

A variety of other system calls 115 may be intercepted within the scope of the invention in order to grant limited super-user privileges to a virtual super-user 1101. Those skilled in the art will know how to apply the above-described techniques in the context of these other system calls 115.

In some instances, it is desirable to prevent a virtual super-user 1101 from executing certain system calls 115 altogether. For example, in UNIX®, the insmod and rmmod utilities (built on the init_module( ) and delete_module( ) system calls 115) allow a super-user to insert modules into, and remove modules from, the operating system kernel 109. Giving such powers to a virtual super-user 1101 could seriously compromise system security, since kernel code runs outside any virtual process 101 and could alter the basic functionality of the operating system 117, including the system call wrapper 111 itself.

In one embodiment, a virtual super-user 1101 is prevented from executing a system call 115 for which actual super-user privileges are required by simply not intercepting the call 115. Since the VSUID 1103 is not a super-user UID 305, the operating system 117 will automatically reject an attempt by a virtual super-user 1101 to execute, for example, the init_module( ) call 115 behind insmod: the kernel's ordinary privilege check sees a non-zero UID and refuses, with no involvement of the wrapper 111.

In an alternative embodiment of the invention, a virtual super-user 1101 is not designated by assigning a VSUID 1103, as discussed above. Rather, a virtual super-user 1101 is simply assigned a UID 305 as in the case of other users. Thereafter, the assigned UID 305 is stored in a virtual super-user list 1401 or other suitable data structure, as illustrated in FIG. 14, together with an indication of the virtual process 101 (e.g., VPID 203). Accordingly, when selected system calls 115 are intercepted for which actual super-user privileges are required, a user may be identified as a virtual super-user 1101 by consulting the virtual super-user list 1401.

Since virtual super-users 1101 in this embodiment are given regular UIDs 305, the possibility of conflicts between virtual processes 101 arises. However, such conflicts may be resolved using the techniques described in FIGS. 9-10, i.e. intercepting system calls 115 for setting a UID 305 of a resource and assigning an alternative UID 901. Thus, virtual super-users 1101 of different virtual processes 101 may appear to share the same UID 305 without conflict.

FIG. 15 summarizes the above-described techniques. A method 1500 for virtualizing super-user privileges has two phases, preparation and operation. The preparation phase begins by loading 1501 a system call wrapper 111 into the operating system 117. Thereafter, copies are made 1503 of pointers 114 to selected system calls 115 for performing operations for which actual super-user privileges are required, which are nevertheless desirable to be performed by a virtual super-user 1101 with respect to his or her own virtual process 101 (e.g., open( ), kill( ), etc.). The pointers 114 are then replaced 1505, in one implementation, by pointers 118 to the system call wrapper 111. Thus, when one of the selected system calls 115 is made, the system call wrapper 111 is executed instead, and the saved copy of the original pointer 114 is what the wrapper 111 later uses to invoke the real system call 115.

During the operation phase, a system call 115 is intercepted 1507 by the system call wrapper 111. The wrapper 111 then determines 1509 whether the call 115 was "made" by a virtual super-user 1101, i.e. by a process 301 owned by a virtual super-user 1101. If not, the system call 115 is disallowed 1511 and the method 1500 ends.

If, however, the call 115 was made by a virtual super-user 1101, a determination 1513 is made whether the call 115 pertains to the virtual process 101 of the virtual super-user 1101. If not, the call 115 is disallowed, and the method 1500 ends.

If, however, the call 115 pertains to the virtual process 101 of the virtual super-user 1101, actual super-user privileges are granted to the virtual super-user, after which the system call 115 is executed 1517. Finally, the actual super-user privileges are withdrawn 1519, and the method 1500 ends.
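Method 1500, with the FIG. 14 embodiment of the virtual super-user list 1401, as an added example in C. This is not the patent's code and not Ensim's implementation: the "system call table" is an array of function pointers standing in for the pointers 114, the task list, the per-file ownership table, the list of (UID, VPID) pairs and the function names `init_kernel`, `install_wrappers`, `do_syscall` and `effective_uid` are all constructed for illustration. It shows both phases: the saved-and-replaced pointer, the four decisions of the operation phase around a single open( ), the privilege grant that is withdrawn even on the success path, and an unhooked init_module( ) that the original entry point refuses on its own. One deliberate choice differs from the literal flowchart: a call from a caller who is not a virtual super-user is handed to the original entry point rather than refused outright (step 1511), which refuses the privileged operation just the same while leaving ordinary unprivileged use of open( ) intact.

```c
/* Added example, not the patent's code: a user-space model of method 1500
 * using the virtual super-user list 1401 of FIG. 14. All tables are constructed. */
#include <errno.h>
#include <stdio.h>

enum { SYS_OPEN, SYS_INIT_MODULE, NSYS };
typedef int (*syscall_fn)(int caller_pid, int arg);

static syscall_fn sys_table[NSYS];   /* stands in for the kernel's pointer table 114 */
static syscall_fn saved[NSYS];       /* copies of the original pointers (step 1503) */

struct task { int pid; unsigned uid; unsigned euid; int vpid; };
static struct task tasks[] = {       /* constructed: the same UID 1000 appears in three VPSes */
    { 100, 1000, 1000, 1 },
    { 200, 1001, 1001, 1 },
    { 300, 1000, 1000, 2 },
    { 400, 1000, 1000, 3 },          /* UID 1000 but not listed as a virtual super-user */
};
#define NTASKS (int)(sizeof tasks / sizeof tasks[0])

struct vsu_entry { unsigned uid; int vpid; };    /* virtual super-user list 1401 */
static const struct vsu_entry vsu_list[] = { { 1000, 1 }, { 1000, 2 } };
#define NVSU (int)(sizeof vsu_list / sizeof vsu_list[0])

struct file { int id; int vpid; };               /* which VPS owns each resource */
static const struct file files[] = { { 10, 1 }, { 20, 2 } };
#define NFILES (int)(sizeof files / sizeof files[0])

static struct task *current(int pid)
{
    for (int i = 0; i < NTASKS; i++) if (tasks[i].pid == pid) return &tasks[i];
    return NULL;
}

static int is_virtual_superuser(const struct task *t)   /* consult list 1401 */
{
    for (int i = 0; i < NVSU; i++)
        if (vsu_list[i].uid == t->uid && vsu_list[i].vpid == t->vpid) return 1;
    return 0;
}

static int file_vpid(int id)
{
    for (int i = 0; i < NFILES; i++) if (files[i].id == id) return files[i].vpid;
    return -1;
}

/* Original kernel entry points: they know nothing about virtual processes
 * and honour only the real super-user (euid 0). */
static int orig_open(int caller_pid, int file_id)
{
    struct task *t = current(caller_pid);
    if (t == NULL || file_vpid(file_id) < 0) return -ENOENT;
    if (t->euid != 0) return -EACCES;
    return file_id;                  /* the "descriptor" */
}
static int orig_init_module(int caller_pid, int arg)
{
    struct task *t = current(caller_pid);
    (void)arg;
    return (t != NULL && t->euid == 0) ? 0 : -EPERM;
}

/* The wrapper 111: steps 1507 to 1519 for open(). */
static int wrapper_open(int caller_pid, int file_id)
{
    struct task *t = current(caller_pid);
    if (t == NULL) return -ESRCH;
    if (!is_virtual_superuser(t))                 /* 1509: not a virtual super-user */
        return saved[SYS_OPEN](caller_pid, file_id);   /* kernel's own checks apply */
    if (file_vpid(file_id) != t->vpid)            /* 1513: pertains to this VPS? */
        return -EPERM;
    unsigned old = t->euid;
    t->euid = 0;                                  /* grant actual super-user privileges */
    int r = saved[SYS_OPEN](caller_pid, file_id); /* 1517: run the real call */
    t->euid = old;                                /* 1519: withdraw them, success or not */
    return r;
}

/* Preparation phase (1501 to 1505): save and replace only the selected pointers.
 * init_module stays unhooked on purpose, so the kernel's ordinary euid check refuses it. */
void init_kernel(void)
{
    sys_table[SYS_OPEN] = orig_open;
    sys_table[SYS_INIT_MODULE] = orig_init_module;
    for (int i = 0; i < NTASKS; i++) tasks[i].euid = tasks[i].uid;
}
void install_wrappers(void)
{
    saved[SYS_OPEN] = sys_table[SYS_OPEN];        /* 1503: copy the original pointer */
    sys_table[SYS_OPEN] = wrapper_open;           /* 1505: point the table at the wrapper */
}
int do_syscall(int nr, int caller_pid, int arg) { return sys_table[nr](caller_pid, arg); }
unsigned effective_uid(int pid) { struct task *t = current(pid); return t ? t->euid : 0; }

int main(void)
{
    init_kernel();
    install_wrappers();
    printf("VPS 1 super-user opens own file: %d\n", do_syscall(SYS_OPEN, 100, 10));
    printf("VPS 1 super-user opens VPS 2 file: %d\n", do_syscall(SYS_OPEN, 100, 20));
    printf("VPS 1 super-user loads a module: %d\n", do_syscall(SYS_INIT_MODULE, 100, 0));
    return 0;
}
```

Two properties are worth checking in any real implementation of this pattern: the effective UID is restored on every exit from the wrapper, including the error paths, and the "pertains" decision is made before privileges are granted, never after.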

In view of the foregoing, the present invention offers numerous advantages not available in conventional approaches. For example, super-user privileges are virtualized in an operating system 117 including multiple virtual processes 101, such that a virtual super-user has the power to perform traditional system administrator functions with respect to his or her own virtual process 101, but is unable to interfere with other virtual processes 101 or the underlying operating system 117. Thus, each virtual process 101 can have a virtual super-user 1101, while preserving the illusion that the virtual processes 101 are running on dedicated host machines.

As will be understood by those familiar with the art, the invention may be embodied in other specific forms without departing from the spirit or essential characteristics thereof. Likewise, the particular naming of the modules, features, attributes or any other aspect is not mandatory or significant, and the mechanisms that implement the invention or its features may have different names or formats. Accordingly, the disclosure of the present invention is intended to be illustrative, but not limiting, of the scope of the invention, which is set forth in the following claims.

Inventors: Keshav, Srinivasan; Huang, Xun Wilson; Estan, Jr., Cristian

Assignment history (executed on | assignor | assignee | conveyance | reel/frame)
Dec 18 2000 | ESTAN, CRISTIAN | Ensim Corporation | Assignment of assignors' interest (see document for details) | 025626/0455
Mar 20 2001 | HUANG, XUN WILSON | Ensim Corporation | Assignment of assignors' interest (see document for details) | 025626/0540
Mar 20 2001 | KESHAV, SRINIVASAN | Ensim Corporation | Assignment of assignors' interest (see document for details) | 025626/0540
Jun 07 2007 | Ensim Corporation | DIGITAL ASSET ENTERPRISES, L.L.C. | Assignment of assignors' interest (see document for details) | 025631/0768
May 15 2009 | Digital Asset Enterprises, L.L.C. | (assignment on the face of the patent)
Aug 12 2015 | DIGITAL ASSET ENTERPRISES, L.L.C. | CUFER ASSET LTD. L.L.C. | Merger (see document for details) | 037118/0001
Aug 09 2021 | CUFER ASSET LTD. L.L.C. | INTELLECTUAL VENTURES ASSETS 173 LLC | Assignment of assignors' interest (see document for details) | 057270/0921
Aug 25 2021 | INTELLECTUAL VENTURES ASSETS 173 LLC | ALTO DYNAMICS, LLC | Assignment of assignors' interest (see document for details) | 058521/0704
Date Maintenance Fee Events
Oct 28 2014M1552: Payment of Maintenance Fee, 8th Year, Large Entity.
Oct 16 2018M1553: Payment of Maintenance Fee, 12th Year, Large Entity.


Date Maintenance Schedule
May 07 2016 | 4 years fee payment window open
Nov 07 2016 | 6 months grace period start (with surcharge)
May 07 2017 | patent expiry (for year 4)
May 07 2019 | 2 years to revive unintentionally abandoned end (for year 4)
May 07 2020 | 8 years fee payment window open
Nov 07 2020 | 6 months grace period start (with surcharge)
May 07 2021 | patent expiry (for year 8)
May 07 2023 | 2 years to revive unintentionally abandoned end (for year 8)
May 07 2024 | 12 years fee payment window open
Nov 07 2024 | 6 months grace period start (with surcharge)
May 07 2025 | patent expiry (for year 12)
May 07 2027 | 2 years to revive unintentionally abandoned end (for year 12)