This invention is related to emulation and dynamic compiling technology used to create a user-space virtualization program.
The latest platforms used for embedded systems require a resource management system to arbitrate and protect system resources. Such resource management systems often provide application programming interfaces (API) for arbitrating or protecting system resources. However, to maximize the functionality of embedded systems, it is sometimes desirable to execute untrusted applications, or legacy applications, that do not use the resource management systems of the platform. Therefore, a method to control the system resources of the platform and extend its security policy for the aforementioned applications is also required in embedded systems.
Traditionally, access control mechanisms have been incorporated in many existing operating systems, with the exception of embedded products. A well-known example is the user permission check in Linux™. In this case, each file is associated with an owner's user ID and a permission mode, which indicates whether given users may access the file. Additionally, it is possible to restrict certain system calls so that they can be called only from a super user ID. Furthermore, the Linux “chroot” system call can prevent a portion of the file system from being viewable by certain processes.
A problem with a method that relies on user IDs and permissions in existing Linux is that it cannot control restriction granularity adequately. For example, regardless of the security policy, whoever owns a file can access that file and arbitrarily change its access restrictions. The SELinux subsystem copes with this problem by implementing Mandatory Access Control. With Mandatory Access Control, users cannot freely change access restrictions even on their own files. Moreover, access can be restricted even for privileged users such as root. However, with SELinux, the Linux kernel has to be arranged and recompiled, which requires a complicated setup and process.
In contrast, there are many embedded operating systems that do not incorporate access control mechanisms. For example, Symbian (versions 9.1 and lower) and WinCE do not include the idea of a user ID. Most of their file systems (except the system files accessible only from the kernel) are accessible from user-mode processes. In SymbianOS version 9.1, the kernel is modified to reinforce OS security.
However, implementing such OS security requires significant modification of the OS kernel, so it is difficult to avoid the risk of bugs arising from the modifications. Furthermore, that risk recurs with each modification of the access control features in the kernel, which entails high cost and may result in a loss of flexibility in the design of access control features. Moreover, in both SELinux and the latest SymbianOS, the access control system and the resource management system are implemented in an OS-dependent manner, and such access control systems are not commonly applicable irrespective of OS type.
Recently, virtualization technologies such as VMWare and Xen have been proposed for partitioning resources on desktop and server systems. These technologies can realize access control features. However, because these approaches require duplication of almost an entire operating system image, they are not ideal for embedded platforms with limited computing resources (e.g., memory).
Therefore, methods and apparatus are desired to allow legacy applications to share resources without modification in embedded systems.
All patents, applications, published applications and other publications referred to herein are incorporated by reference herein in their entirety, including the following references:
SELinux, Kerry Thompson, System Admin Magazine, March 2003, http://www.samag.com/documents/s=7835/sam0303a/0303a.htm
Platform Security—a Technical Overview, Version 1.2, Mark Shackman, Symbian Ltd, http://www.symbian.com/developer/techlib/papers/plat_sec_tech_overview/platform/security_a_technical_overview.pdf
QEMU Internals, Fabrice Bellard, http://fabrice.bellard.free.fr/qemu/qemu-tech.html
The Xen Virtual Machine Monitor, http://www.cl.cam.ac.uk/Research/SRG/netos/xen/
VMWare, http://vmware.com/
User-Mode Linux, http://user-mode-linux.sourceforge.net/