公开(公告)号：US20150161383A1

公开(公告)日：2015-06-11

申请号：US14621550

申请日：2015-02-13

Applicant: Google Inc.

Inventor： J. Bradley Chen ,  Matthew T. Harren ,  Matthew Papakipos ,  David C. Sehr ,  Bennet S. Yee ,  Gregory Dardyk

IPC: G06F21/53

CPC classification number: G06F21/51 ,  G06F9/30174 ,  G06F9/44589 ,  G06F21/53 ,  G06F21/57 ,  G06F2221/033 ,  G06F2221/2113 ,  G06F2221/2119 ,  H04L29/06884

Abstract: A system that safely executes a native code module on a computing device. During operation, the system receives the native code module, which is comprised of untrusted native program code expressed using native instructions in the instruction set architecture associated with the computing device. The system then loads the native code module into a secure runtime environment, and proceeds to execute a set of instructions from the native code module in the secure runtime environment. The secure runtime environment enforces code integrity, control flow integrity, and data integrity for the native code module. Furthermore, the secure runtime environment moderates which resources can be accessed by the native code module on the computing device and/or how these resources can be accessed. By executing the native code module in the secure runtime environment, the system facilitates achieving native code performance for untrusted program code without a significant risk of unwanted side effects.

Abstract translation: 一种在计算设备上安全执行本机代码模块的系统。 在操作期间，系统接收本地代码模块，其由使用与计算设备相关联的指令集架构中的本地指令表示的不可信的本机程序代码组成。 然后，系统将本机代码模块加载到安全运行时环境中，并继续在安全运行时环境中从本机代码模块执行一组指令。 安全运行时环境强制本机代码模块的代码完整性，控制流完整性和数据完整性。 此外，安全运行时环境调节哪些资源可以由计算设备上的本地代码模块访问和/或如何访问这些资源。 通过在安全运行时环境中执行本地代码模块，系统便于实现不可信程序代码的本地代码性能，而不会产生不必要的副作用的重大风险。

公开(公告)号：US08949433B1

公开(公告)日：2015-02-03

申请号：US14319690

申请日：2014-06-30

Applicant: Google Inc.

Inventor： Matthew Papakipos ,  Antoine Labour ,  Eric Uhrhane

IPC: G06F15/173 ,  H04L29/08

CPC classification number: G06F9/44521 ,  H04L67/10

Abstract: Some embodiments provide a system that executes an application. During operation, the system obtains a resource list associated with the application and stores a set of resources including a native code module from the resource list through communications over a network connection, wherein the resources are stored in persistent local storage. The application then loads the application in the web browser and loads the native code module into a secure runtime environment. Next, the application executes the application independently of the network connection using the native code module and the stored resources.

公开(公告)号：US09824418B1

公开(公告)日：2017-11-21

申请号：US15460168

申请日：2017-03-15

Applicant: Google Inc.

Inventor： Antoine Labour ,  Matthew Papakipos

IPC: G06T1/20 ,  G06T1/60

CPC classification number: G06T1/20 ,  G06F9/44526 ,  G06F9/44589 ,  G06F21/53 ,  G06F2221/2119 ,  G06T1/60

Abstract: A first code module is loaded into a secure runtime environment that prevents the first code module from accessing a graphics-processor unit (GPU). Rendering commands are generated using the code module based on a scene representation, and transmitted from the first code module within the secure runtime environment to a second code module outside the secure runtime environment. The second code module is configured to communicate with the GPU to provide graphics hardware acceleration, and a rendered image is rendered using the second code module and the GPU based on execution of the rendering commands outside the secure runtime environment.

公开(公告)号：US20170039382A1

公开(公告)日：2017-02-09

申请号：US15234597

申请日：2016-08-11

Applicant: Google Inc.

Inventor： Eric Uhrhane ,  Matthew Papakipos

IPC: G06F21/62

CPC classification number: G06F21/6218 ,  G06F21/53

Abstract: One embodiment provides a system that facilitates the execution of a web application. During operation, the system allocates a storage space on one or more storage devices for use by the web application. Next, the system creates, for the web application, a private filesystem comprising a private root directory within the storage space. Finally, the system enables access to the private filesystem for the web application through the private root directory in a manner that does not allow access to a host filesystem associated with the one or more storage devices from the web application.

Abstract translation: 一个实施例提供了有助于web应用的执行的系统。 在操作期间，系统在一个或多个存储设备上分配存储空间以供Web应用程序使用。 接下来，系统为web应用创建包括存储空间内的私有根目录的私有文件系统。 最后，该系统允许以不允许从web应用程序访问与一个或多个存储设备相关联的主机文件系统的方式通过专用根目录访问web应用的专用文件系统。

公开(公告)号：US09424435B2

公开(公告)日：2016-08-23

申请号：US14324543

申请日：2014-07-07

Applicant: Google Inc.

Inventor： Eric Uhrhane ,  Matthew Papakipos

IPC: G06F17/00 ,  G06F21/62 ,  G06F21/53

CPC classification number: G06F21/6218 ,  G06F21/53

Abstract: One embodiment provides a system that facilitates the execution of a web application. During operation, the system allocates a storage space on one or more storage devices for use by the web application. Next, the system creates, for the web application, a private filesystem comprising a private root directory within the storage space. Finally, the system enables access to the private filesystem for the web application through the private root directory in a manner that does not allow access to a host filesystem associated with the one or more storage devices from the web application.

公开(公告)号：US20140310315A1

公开(公告)日：2014-10-16

申请号：US14324543

申请日：2014-07-07

Applicant: Google Inc.

Inventor： Eric Uhrhane ,  Matthew Papakipos

IPC: G06F21/62

CPC classification number: G06F21/6218 ,  G06F21/53

Abstract: One embodiment provides a system that facilitates the execution of a web application. During operation, the system allocates a storage space on one or more storage devices for use by the web application. Next, the system creates, for the web application, a private filesystem comprising a private root directory within the storage space. Finally, the system enables access to the private filesystem for the web application through the private root directory in a manner that does not allow access to a host filesystem associated with the one or more storage devices from the web application.

Abstract translation: 一个实施例提供了有助于web应用的执行的系统。 在操作期间，系统在一个或多个存储设备上分配存储空间以供Web应用程序使用。 接下来，系统为web应用创建包括存储空间内的私有根目录的私有文件系统。 最后，该系统允许以不允许从web应用程序访问与一个或多个存储设备相关联的主机文件系统的方式通过专用根目录访问web应用的专用文件系统。

公开(公告)号：US08806019B1

公开(公告)日：2014-08-12

申请号：US14147699

申请日：2014-01-06

Applicant: Google Inc.

Inventor： Matthew Papakipos ,  Antoine Labour ,  Eric Uhrhane

IPC: G06F15/173

CPC classification number: G06F9/44521 ,  H04L67/10

Abstract: Some embodiments provide a system that executes an application. During operation, the system obtains a resource list associated with the application and stores a set of resources including a native code module from the resource list through communications over a network connection, wherein the resources are stored in persistent local storage. The application then loads the application in the web browser and loads the native code module into a secure runtime environment. Next, the application executes the application independently of the network connection using the native code module and the stored resources.

公开(公告)号：US08775487B2

公开(公告)日：2014-07-08

申请号：US13916427

申请日：2013-06-12

Applicant: Google Inc.

Inventor： Eric Uhrhane ,  Matthew Papakipos

IPC: G06F17/30

CPC classification number: G06F21/6218 ,  G06F21/53

Abstract: One embodiment provides a system that facilitates the execution of a web application. During operation, the system allocates a storage space on one or more storage devices for use by the web application. Next, the system creates, for the web application, a private filesystem comprising a private root directory within the storage space. Finally, the system enables access to the private filesystem for the web application through the private root directory in a manner that does not allow access to a host filesystem associated with the one or more storage devices from the web application.

Abstract translation: 一个实施例提供了有助于web应用的执行的系统。 在操作期间，系统在一个或多个存储设备上分配存储空间以供Web应用程序使用。 接下来，系统为web应用创建包括存储空间内的私有根目录的私有文件系统。 最后，该系统允许以不允许从web应用程序访问与一个或多个存储设备相关联的主机文件系统的方式通过专用根目录访问web应用的专用文件系统。

公开(公告)号：US09767597B1

公开(公告)日：2017-09-19

申请号：US14449676

申请日：2014-08-01

Applicant: Google Inc.

Inventor： Antoine Labour ,  Matthew Papakipos

IPC: G06T15/00 ,  G06T1/60

CPC classification number: G06T15/005 ,  G06F9/451 ,  G06F21/53 ,  G06T1/60

Abstract: Some embodiments provide a system that executes a web application. During operation, the system loads the web application in a web browser and loads a native code module associated with the web application into a secure runtime environment. Next, the system writes a set of rendering commands to a command buffer using the native code module and concurrently reads the rendering commands from the command buffer. Finally, the system renders an image for use by the web application by executing the rendering commands using a graphics-processing unit (GPU).

公开(公告)号：US09009739B2

公开(公告)日：2015-04-14

申请号：US13688776

申请日：2012-11-29

Applicant: Google Inc.

Inventor： Antoine Labour ,  Matthew Papakipos ,  Shiki Okasaka ,  Jeffrey R. Timanus

IPC: G06F9/46 ,  H04L29/06 ,  G06F9/445 ,  G06F17/30 ,  G06F21/53

CPC classification number: H04L67/42 ,  G06F9/44526 ,  G06F17/30861 ,  G06F21/53

Abstract: Some embodiments provide a system that executes plugin for a web browser. During operation, the system obtains the plugin as a native code module and executes the native code module in a secure runtime environment. Next, the system enables communication between the native code module and the web browser by providing an interface bridge between the native code module and the web browser.

Abstract translation: 一些实施例提供一种执行web浏览器的插件的系统。 在操作期间，系统将该插件作为本地代码模块获取，并在安全运行时环境中执行本机代码模块。 接下来，该系统通过在本地代码模块和网络浏览器之间提供接口桥接器来实现本地代码模块和Web浏览器之间的通信。