Process isolation is a set of different hardware and software technologies designed to protect each process from other processes on the operating system. It does so by preventing process A from writing to process B's memory. Process isolation can be implemented with virtual address spaces, where process A's address space is different from process B's address space, preventing A from writing onto B. Security is easier to enforce by disallowing inter-process memory access, in contrast with less secure architectures such as DOS, in which any process can write to any memory in any other process.


Limited inter-process communication

In a system with process isolation, limited (controlled) interaction between processes may still be allowed over inter-process communication (IPC) channels such as shared memory, local sockets or Internet sockets. In this scheme, all of the process' memory is isolated from other processes except where the process explicitly accepts input from collaborating processes. System policies may disallow IPC in some circumstances. For example, in mandatory access control (MAC) systems, subjects with different sensitivity levels may not be allowed to communicate with each other. The security implications in these circumstances are broad and span applications in network key encryption systematics as well as distributed caching algorithms. Interface-defined protocols such as basic cloud access architecture and network sharing are similarly affected.
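To make the two mechanisms above concrete (a private virtual address space first, then a deliberately opened shared-memory IPC channel), here is an added C example that is not part of the original article: a forked child's write to an ordinary global never reaches the parent, while its write to an anonymous MAP_SHARED mapping does. The function name `isolation_demo` and the value 42 are my own constructed choices.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed demonstration, added here; not code from the article or any project.
 * An ordinary global: after fork() each process has its own copy-on-write page for it. */
static int private_counter = 0;

/* Forks a child that writes 42 to both the private global and an anonymous MAP_SHARED
 * region, then reports what the parent sees on each side. Returns 0, or -1 on failure. */
int isolation_demo(int *private_seen, int *shared_seen) {
    /* The shared mapping is the one IPC channel the parent deliberately opens. */
    int *shared = mmap(NULL, sizeof *shared, PROT_READ | PROT_WRITE,
                       MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    if (shared == MAP_FAILED)
        return -1;
    *shared = 0;
    private_counter = 0;

    pid_t pid = fork();
    if (pid < 0) { munmap(shared, sizeof *shared); return -1; }
    if (pid == 0) {
        /* Child: both stores succeed locally, but only the second crosses the
         * process boundary, because only that page is mapped by both processes. */
        private_counter = 42;
        *shared = 42;
        _exit(0);
    }

    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) {
        munmap(shared, sizeof *shared);
        return -1;
    }
    *private_seen = private_counter; /* 0: the child's write stayed in its own address space */
    *shared_seen = *shared;          /* 42: delivered over the explicit shared-memory channel */
    munmap(shared, sizeof *shared);
    return 0;
}

int main(void) {
    int p = -1, s = -1;
    if (isolation_demo(&p, &s) != 0) { perror("isolation_demo"); return 1; }
    printf("private global seen by parent: %d, shared mapping: %d\n", p, s);
    return 0;
}
```

Change `MAP_SHARED` to `MAP_PRIVATE` and the parent sees 0 on both sides: the channel exists only where the parent chose to map a page into both processes.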


Operating systems

Notable operating systems that support process isolation:

* Unix, Linux, OS X
* VMS
* Microsoft Windows from Windows NT 3.1


Web browsers

Internet Explorer 4 used process isolation to give separate windowed instances of the browser their own processes; however, at the height of the browser wars, this was dropped in subsequent versions to compete with Netscape Navigator (which sought to concentrate upon one process for the entire Internet suite). This idea of process-per-instance would not be revisited until a decade afterwards, when tabbed browsing became more commonplace. In Google Chrome's "Multi-Process Architecture" and Internet Explorer 8's "Loosely Coupled IE (LCIE)" (''IE8 and Loosely-Coupled IE (LCIE)'' by Andy Zeigler, Tuesday, March 11, 2008), tabs containing webpages are contained within their own semi-separate OS-level processes, which are isolated from the core process of the browser so as to prevent the crash of one tab/page from crashing the entire browser. This method (known popularly as multiprocess or process-per-tab) is meant both to manage memory and processing, by allowing offending tabs to crash separately from the browser and other tabs, and to manage security.


Browsers with process isolation

* Google Chrome
* Internet Explorer 8 and later
* Safari
* Mozilla Firefox (default since 57)
* Maxthon


Programming languages

Erlang provides a similar concept in user space by realizing strictly separated lightweight processes.


Related technologies

* Virtual memory and virtual address spaces allow for memory space isolation.
* Polyinstantiation allows mirrors of shared resources, where changes by process A will not be visible to process B.


See also

* Sandbox (computer security)
* NX bit

