METHOD TO VIRTUALIZE LARGE FILES IN A SANDBOX

Abstract

There is provided a method and system with an improved bitmap access control method of file virtualization for large files in sandbox. The process divides a large file to pieces clusters by fixed byte counts, building a mapping relationship between logical view of sandboxed file and physical shadow file on disk. Thus, there is no need to copy an entire file when a file is modified and waste the user's disk storage.

Description

BACKGROUND

[0001] File virtualization is a very important part of sandbox process. Common sandbox methods usually create a shadow file to redirect file access in the sandbox. Through the shadow file method, a sandbox could build a separated environment from existing file system data. All access and operations on file in a sandbox are redirected to shadow files, thus does not change status and content of outside files.

[0002] Though the shadow file method has a problem about big and large file virtualization. Existing methods create shadow file once upon write operation happens in sandbox. It copies entire file to redirected location as shadow file. After creating shadow file, all access and modifications are redirected to shadow file. Even a single byte change in a large file results in a copy operation of entire file.

[0003] In view of the forgoing, there is a need for a method and system that would provide more effective approach to file virtualization by saving time and disk storage resources.

SUMMARY OF THE INVENTION

[0004] The current invention is a method and system to provide improved bitmap access control method of file virtualization for large file in sandbox.

[0005] The invention method eliminates duplication of data on shadow file and makes virtualization more effective. There is no need to copy an entire file when the file is modified, which is time-consuming and downgrades overall performance of the sandbox. Also, it does not require duplicating file on a disk which wastes a user's disk storage.

BRIEF DESCRIPTION OF DRAWINGS

[0006] FIG. 1 is a depiction of general scheme of the invention.

[0007] FIG. 2a is a flowchart of one embodiment of the invention where a file is modified.

[0008] FIG. 2b is a schematic of the invention where the file is modified.

[0009] FIG. 3a is a flowchart of another embodiment of the invention where a call-back routine is written.

[0010] FIG. 3b is a schematic of another embodiment of the invention where a call-back routine is written.

[0011] FIG. 4 is a flowchart of other embodiment of the invention where consistent baseline view of file in sandbox is provided.

[0012] FIG. 5 is a schematic of the memory and hardware of a computer or handheld device, such as a tablet or smartphone.

[0013] FIG. 6 is a schematic of an individual user operating a computer or handheld device connected to the internet.

DETAILED DESCRIPTION

[0014] The present invention discloses the method of large file Virtualization in sandbox. The new method according to the present invention divides large file into pieces clusters by fixed byte counts, building a mapping relationship between logical view of sandboxed file and physical shadow file on disk.

[0015] The invention is not restricted to the details of the foregoing embodiments. The invention extends to any novel one, or any novel combination, of the features disclosed in this specification (including any accompanying claims, abstract and drawings), or to any novel one, or any novel combination, of the steps of any method or process so disclosed.

[0016] In FIG. 1 the sandbox process, running on a computer device 2, is accessing file system 4; the modification of file data 6 is recorded by a bitmap 8, and only modified part of the file 10 is redirected in sandbox 12. Bitmap 8 contains filesize or clustersize bits 14. Every bit 14 in bitmap 8 represents the redirect relationship of corresponding cluster 16. When the bitmap 8 is initially created, all bits 14 are cleared with 0, indicating the file 10 same as the original one. Bitmap 8 is flushed to disk 18 as a stream file(ADS) of shadow file 20 periodically and loaded when the file 10 is accessed in sandbox 12 for the first time after reboot.

[0017] FIGS. 2a and 2b show the flowchart and the scheme of the invention where file is modified. In step 201 the original file 10 is divided into clusters 16 (a typical cluster size is 4096 bytes). In step 202 a bitmap 8 containing filesize/clustersize bits 14 is allocated. If the bit 14 is 0, step 203, it means the cluster 16 is not modified in sandbox 12 and process running in sandbox 12 should read this cluster 16 from original file 10. Otherwise, in step 204, if the bit 14 is 1, it means the cluster 16 has been changed in sandbox 12 and process running in sandbox 12 should read its data 6 from shadow file 20.

[0018] FIGS. 3a and 3b show the flowchart and the scheme of the invention where a call back routine is written. In step 301 sandbox process writes a virtual file 10. In step 302 all modified clusters 16 are calculated and corresponding bits 14 are marked to 1 in bitmap 8, so that the following read operations will read the modified data 6 from shadow file 20. All clusters 16 beyond bitmap's size are treated as 1, which means redirected to shadow file 20, step 303. In this way, when file 10 is appended in sandbox 12, the new data 6 is appended without changing bitmap 8.

[0019] In FIG. 4, a consistent baseline view of file 10 in sandbox 12 is provided. The file view should not change after virtualization even if original file 10 has been changed. In step 401 modifications to original from outside processes are monitored as well. In step 402 the modified cluster bit 14 is 1 in bitmap. Thus in step 403 the original file 10 is modified directly without extra process. In step 404 the modified cluster bit 14 is 0 in bitmap. So in step 405 original data 6 are copied to the shadow file 20 and corresponding bit 14 is set to 1. Therefore sandbox process gets the baseline view data from virtual file 10, step 406.

[0020] The method of the present invention may be used with computer systems and devices as shown in FIGS. 5 and 6. FIG. 5 illustrates a system 500 of a computer or device which includes a microprocessor 520 and a memory 540 which are coupled to a processor bus 560 which is coupled to a peripheral bus 600 by circuitry 580. The bus 600 is communicatively coupled to a disk 620. It should be understood that any number of additional peripheral devices are communicatively coupled to the peripheral bus 600 in embodiments of the invention. Further, the processor bus 560, the circuitry 580 and the peripheral bus 600 compose a bus system for computing system 500 in various embodiments of the invention. The microprocessor 520 starts disk access commands to access the disk 620. Commands are passed through the processor bus 560 via the circuitry 580 to the peripheral bus 600 which initiates the disk access commands to the disk 620. In various embodiments of the invention, the present system intercepts the disk access commands which are to be passed to the hard disk.

[0021] As shown generally by FIG. 6, there is a user 1000 of a computer 1010 or handheld device 1012 who accesses an Internet website 1020 with network connections to a server 1050 and database 1040. The computer 1010 or handheld device is compatible operating systems known in the art, such as Windows, iOS or android devices or android type operating systems. The user 1000 is potentially exposed to many malicious or unsafe applications located on the web or a particular website 1020 due to lack of security and validation with the source, even though the website 1020 itself may be known as reliable and trusted. The website may be an application store or directory which includes other software applications for downloading. Those of skill in the art would recognize that the computer 1010 or hand held devices 1012a or 1012b each has a processor and a memory coupled with the processor where the memory is configured to provide the processor with executable instructions. A boot disk 1030 is present for initiating an operating system as well for each of the computer 1010 or hand held devices 1012. It should also be noted that as used herein, the term handheld device includes phones, smart phones, tablets, personal digital assistants, media and game players and the like. As used throughout the specifications, the term "query" or "queries" is used in the broadest manner to include requests, polls, calls, summons, queries, and like terms known to those of skill in the art.

Claims

1. A method to provide an improved bitmap access control method of file virtualization for a large file in sandbox comprising: dividing a large file to pieces clusters by fixed byte counts; and building a mapping relationship between logical view of a sandboxed file and a physical shadow file on disk.

2. The method according to claim 1, where the large file is modified comprising: Dividing the large file into clusters; Allocating a bitmap containing filesize/clustersize bits; Running a process in a sandbox which reads a cluster from original large file if the bit is zero; and Running a process in a sandbox which reads a cluster from shadow file if the bit is one.

3. The method according to claim 1, where callback routine is written comprising: Writing a virtual file by the sandbox process; Calculating modified clusters and marking corresponding bits to 1 in bitmap; and Treating all clusters beyond bitmap's size as 1.

4. A method according to claim 1, where consistent baseline view of file in sandbox is provided comprising: Monitoring modifications to original from outside processes; Defining the modified cluster bit as 1 in bitmap; Modifying the original file directly without extra process; Defining the modified cluster bit as 0 in bitmap; and Copying original data to the shadow file and setting corresponding bit as 1.