Many application programs are multi-user applications in that they allow multiple users to interact with the application concurrently. One example of a multi-user application is a collaboration application that allows multiple users to collaborate by sharing information. The collaboration application may allow each user to access his or her own resources, such as files, emails, and calendars, and may even allow one user to access the resources of another user. For example, one user may share a directory of files that another user can view and modify. Another example of a multi-user application is a gaming application that allows multiple users to play against each other. The gaming application may allow each user to access his or her own resources, such as music files, files describing his or her character's personality, handheld controller settings (e.g., to change the functions of buttons), and so on. The gaming application may even allow some users to access the resources of other users. For example, the gaming application may display to each member of a team the combined list of the music files of all team members and allow any member to play any of those music files.
Operating systems typically allow applications to execute in various privilege modes. Applications generally execute in a relatively low privilege mode, such as user privilege mode. In user privilege mode, an application has access only to those resources to which the user running the application has access: it can access that user's music files, for example, but not the music files of other users, and it cannot access operating system resources directly. The use of user privilege mode helps ensure that one user cannot access the resources of another user, or of the operating system, without permission to do so. User privilege mode is especially important in large data centers, such as cloud data centers, in which virtually any person can subscribe to the services of the data center and the data center must ensure the confidentiality of each customer's data.
To allow a multi-user application to access the resources of multiple users, the multi-user application may execute in a relatively high privilege mode, such as a system privilege mode (e.g., kernel privilege mode). In a system privilege mode, the application has virtually unlimited access not only to the resources of its own users but also to the resources of all other users and of the operating system itself. Because such multi-user applications require so high a privilege mode, a data center that hosts them may implement rigorous quality control procedures to ensure that each multi-user application is developed to access only the resources of its own users.
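The following is an added example, not code from the patent text above, of the access decision a multi-user application has to make when it is not simply handed system privilege: a small user-space reference monitor that records which user owns each resource and which resources have been explicitly shared, and answers every access request by default-deny against that table. It generalizes the directory-sharing case in the first paragraph (a share on a directory covers everything beneath it) and normalizes paths so a request cannot escape a shared directory with `..`. The user names, paths and grants are constructed for the example; the class and method names are this example's own.

```python
"""Added example: a default-deny reference monitor for a multi-user application.

Rather than running the application in kernel privilege mode so that it can reach
every user's files, the application tracks ownership and explicit shares and checks
each request against them. All users, paths and grants below are constructed.
"""
import posixpath
from dataclasses import dataclass


@dataclass(frozen=True)
class Share:
    grantee: str          # user who receives access
    ops: frozenset        # subset of ReferenceMonitor.OPS


class ReferenceMonitor:
    """Resources are POSIX-style paths. Registering a path records its owner;
    a share granted on a directory applies to every path beneath it."""

    OPS = frozenset({"view", "modify"})

    def __init__(self):
        self._owners = {}   # normalized path -> owner
        self._shares = {}   # normalized path -> list[Share]

    @staticmethod
    def _lineage(path):
        """Yield the normalized path, then each ancestor directory up to '/'.
        Normalizing first collapses '..' so a request cannot be dressed up as
        living under a shared directory when it actually resolves elsewhere."""
        path = posixpath.normpath(path)
        while True:
            yield path
            parent = posixpath.dirname(path)
            if parent == path:
                return
            path = parent

    def register(self, owner, path):
        self._owners[posixpath.normpath(path)] = owner

    def owner_of(self, path):
        """Owner of the most specific registered prefix, or None if unregistered."""
        for p in self._lineage(path):
            if p in self._owners:
                return self._owners[p]
        return None

    def share(self, owner, path, grantee, ops):
        """Only the owner may delegate, and only operations the monitor knows."""
        ops = frozenset(ops)
        if not ops <= self.OPS:
            raise ValueError(f"unknown operations: {sorted(ops - self.OPS)}")
        if self.owner_of(path) != owner:
            raise PermissionError(f"{owner} does not own {path}")
        self._shares.setdefault(posixpath.normpath(path), []).append(Share(grantee, ops))

    def check(self, user, path, op):
        """True only if `user` owns `path` or holds a share covering `op` on it
        or on one of its ancestors. Unregistered paths, unrelated users and
        operations outside a grant all fail; the caller's privilege level is
        never consulted, only ownership and explicit grants."""
        owner = self.owner_of(path)
        if owner is None:
            return False
        if owner == user:
            return True
        for p in self._lineage(path):
            for s in self._shares.get(p, ()):
                if s.grantee == user and op in s.ops:
                    return True
        return False


def demo():
    """Constructed scenario: alice shares a docs directory read/write with bob,
    bob shares his music read-only with alice, carol shares nothing."""
    rm = ReferenceMonitor()
    for user in ("alice", "bob", "carol"):
        rm.register(user, f"/home/{user}")
    rm.share("alice", "/home/alice/docs", "bob", {"view", "modify"})
    rm.share("bob", "/home/bob/music", "alice", {"view"})
    return rm


if __name__ == "__main__":
    rm = demo()
    print(rm.check("bob", "/home/alice/docs/report.txt", "modify"))           # True
    print(rm.check("bob", "/home/alice/docs/../../carol/private", "view"))    # False
```

The `_lineage` walk is what makes directory sharing work and what defeats traversal: the path is normalized once, so `/home/alice/docs/../../carol/private` is evaluated as `/home/carol/private`, whose ancestors never include the shared `docs` directory. A real deployment would of course persist the tables and authenticate the calling user; the point here is that the application can enforce its own sharing model in user privilege mode without being given access to everyone's files.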
Although the quality control procedures may be rigorous, there remains a possibility that a bug in a multi-user application will result in access to the resources of non-users of the application or of the operating system. Moreover, a multi-user application may be infected with malware that intentionally accesses such resources.