-
Publication No.: US20210400019A1
Publication date: 2021-12-23
Application No.: US17353690
Application date: 2021-06-21
Applicant: Apple Inc.
Inventor: Ivan KRSTIC, Damien P. SORRESSO, David P. REMAHL, Elliot C. LISKIN, Justin S. HOGG, Kevin J. LINDEMAN, Lucia E. BALLARD, Nicholas J. CIRCOSTA, Richard J. COOPER, Ryan A. WILLIAMS, Steven C. VITTITOE, Zachariah J. RIGGLE, Patrick R. METCALFE, Andrew T. WHITEHEAD
Abstract: The subject disclosure provides systems and methods for application-specific network data filtering. Application-specific network data filtering may be performed by a sandboxed process prior to providing the network data to an application to which the network data is directed. Any malicious or otherwise potentially harmful data that is included in the network data may be removed by the application-specific network data filter or may be allowed to corrupt the application-specific network data filtering operations within the sandbox, thereby preventing the malicious or harmful data from affecting the application or other portions of an electronic device. In one or more implementations, a first process such as an application-specific network data filtering process may request allocation of memory for the first process from a second process, such as an application, that is separate from a memory manager of the electronic device.
-
Publication No.: US20150347265A1
Publication date: 2015-12-03
Application No.: US14502853
Application date: 2014-09-30
Applicant: Apple Inc.
Inventor: Eric Russell Clements, Daniel Andreas STEFFEN, Jainam Ashokkumar SHAH, Vishal PATEL, Damien P. SORRESSO
IPC: G06F11/34
CPC classification number: G06F11/3476, G06F9/46, G06F11/0715, G06F11/0778, G06F11/34, G06F2201/865
Abstract: Systems and methods are disclosed for logging encoded diagnostic information from a sequence of processing operations, the processing operations generated by an activity in a computing environment. Diagnostic information is tracked by activity, across process boundaries where the processes can be computationally isolated, or “sandboxed”. Within each process, diagnostic information for an activity is stored in an activity-specific buffer registered with a kernel in the computing environment. For each activity in the computing system, the kernel keeps a list of all processes that have performed, or are performing, a processing task of the activity. The kernel also keeps a reference to the activity-specific log buffers for the activity for each process associated with the activity. If a processing operation for an activity fails, all activity-specific logs from all processes that are associated with the activity can be collected. A report can be generated from the collected logs for the activity.
-
Publication No.: US20240380735A1
Publication date: 2024-11-14
Application No.: US18783400
Application date: 2024-07-24
Applicant: Apple Inc.
Inventor: Ivan KRSTIC, Damien P. SORRESSO, David P. REMAHL, Elliot C. LISKIN, Justin S. HOGG, Kevin J. LINDEMAN, Lucia E. BALLARD, Nicholas J. CIRCOSTA, Richard J. COOPER, Ryan A. WILLIAMS, Steven C. VITTITOE, Zachariah J. RIGGLE, Patrick R. METCALFE, Andrew T. WHITEHEAD
IPC: H04L9/40, H04L51/212
Abstract: The subject disclosure provides systems and methods for application-specific network data filtering. Application-specific network data filtering may be performed by a sandboxed process prior to providing the network data to an application to which the network data is directed. Any malicious or otherwise potentially harmful data that is included in the network data may be removed by the application-specific network data filter or may be allowed to corrupt the application-specific network data filtering operations within the sandbox, thereby preventing the malicious or harmful data from affecting the application or other portions of an electronic device. In one or more implementations, a first process such as an application-specific network data filtering process may request allocation of memory for the first process from a second process, such as an application, that is separate from a memory manager of the electronic device.
-
Publication No.: US20230099057A1
Publication date: 2023-03-30
Application No.: US17664206
Application date: 2022-05-19
Applicant: Apple Inc.
Inventor: Geoffrey McCORMACK, Damien P. SORRESSO, Eric B. TAMURA, Robert J. KENDALL-KUPPE
Abstract: Enclosed herein are techniques for securely executing an application. A method can be implemented by an operating system of a computing device, where the computing device includes a file system volume that includes a first data structure, and the method includes the steps of (1) receiving a request to launch the application, where the request references an application archive file that includes a second data structure that: (i) defines an organization of a plurality of files associated with the application, and (ii) includes cryptographic information for verifying the plurality of files and the second data structure; (2) in response to receiving the request: determining whether the second data structure, the plurality of files, or both, are valid using the cryptographic information; and (3) in response to determining that the second data structure, the plurality of files, or both, are valid: associating the second data structure with the first data structure.
-
Publication No.: US20200379662A1
Publication date: 2020-12-03
Application No.: US16879432
Application date: 2020-05-20
Applicant: Apple Inc.
Inventor: Vivek VERMA, Damien P. SORRESSO, Pavel SOKOLOV, Pierre-Olivier J. MARTEL, Eric B. TAMURA, Yoni BARON
IPC: G06F3/06
Abstract: Representative embodiments set forth herein disclose techniques for implementing improved links between paths of one or more file systems. According to some embodiments, techniques are disclosed for establishing a system volume and a data volume within a container. According to other embodiments, techniques are disclosed for establishing a link from a source path of a system volume within a container to a target path of a data volume within the container. According to yet other embodiments, techniques are disclosed for determining whether to allow a file system operation on a data volume of a container based on at least determining whether a target path is associated with a reference to a source path.