Process Isolation

Process isolation is a set of different hardware and software technologies designed to protect each process from other processes on the operating system. It does so by preventing process A from writing to process B. Process isolation can be implemented with virtual address space, where process A's address space is different from process B's address space, preventing A from writing onto B. Security is easier to enforce by disallowing inter-process memory access, in contrast with less secure architectures such as DOS in which any process can write to any memory in any other process.


Limited inter-process communication

In a system with process isolation, limited (controlled) interaction between processes may still be allowed over inter-process communication (IPC) channels such as shared memory, local sockets or Internet sockets. In this scheme, all of the process's memory is isolated from other processes except where the process explicitly accepts input from collaborating processes. System policies may disallow IPC in some circumstances. For example, in mandatory access control systems, subjects with different sensitivity levels may not be allowed to communicate with each other. The security implications in these circumstances are broad and span applications in network key encryption systematics as well as distributed caching algorithms. Interface-defined protocols such as basic cloud access architecture and network sharing are similarly affected.


Operating systems

Operating systems that support process isolation by providing separate address spaces for each process include:

* Unix-like systems such as Linux, macOS, Solaris, and AIX
* VMS
* Windows NT


Web browsers

Internet Explorer 4 used process isolation to give separate windowed instances of the browser their own processes; however, at the height of the browser wars, this was dropped in subsequent versions to compete with Netscape Navigator (which sought to concentrate upon one process for the entire Internet suite). This idea of process-per-instance would not be revisited until a decade afterwards, when tabbed browsing became more commonplace. In Google Chrome's "Multi-Process Architecture" and Internet Explorer 8's "Loosely Coupled IE (LCIE)", tabs containing webpages are contained within their own semi-separate OS-level processes which are isolated from the core process of the browser so as to prevent the crash of one tab/page from crashing the entire browser. This method (known popularly as multiprocess or process-per-tab) is meant both to manage memory and processing, by allowing offending tabs to crash separately from the browser and other tabs, and to manage security.
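The crash-containment property of the process-per-tab design can be reduced to a supervisor that forks one worker per "tab", waits for each one, and keeps running when one of them dies. The following is an added example written for this page, not code from Chrome, Internet Explorer or any other browser named above; it assumes a POSIX system with fork() and waitpid(). The worker at `crash_index` (a constructed fault) raises SIGSEGV in its own process; the supervisor records the signal for that tab and still collects clean results from the others.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <signal.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>

#define MAX_TABS 16

/* Outcome of one "tab" (worker) process, as observed by the supervisor. */
typedef struct {
    int exited_ok;    /* 1 if the worker exited normally with status 0 */
    int term_signal;  /* signal that killed it, or 0 */
} tab_result;

/* The work one tab does. The tab whose index equals `crash_index` simulates
 * a renderer fault by raising SIGSEGV in its own process; the others finish
 * normally. Runs only in the child, so it never returns to the caller. */
static void run_tab(int index, int crash_index)
{
    if (index == crash_index)
        raise(SIGSEGV);       /* the fault stays inside this process */
    _exit(0);
}

/* Supervisor ("browser process"): forks one worker per tab, waits for all
 * of them, records each outcome in `results`, and survives the crash of any
 * single tab. Returns the number of tabs that completed cleanly, or -1 on
 * error (bad argument or fork/wait failure). */
int run_tabs(int n, int crash_index, tab_result *results)
{
    if (n < 1 || n > MAX_TABS || results == NULL)
        return -1;
    pid_t pids[MAX_TABS];
    for (int i = 0; i < n; i++) {
        results[i].exited_ok = 0;
        results[i].term_signal = 0;
        pids[i] = fork();
        if (pids[i] < 0)
            return -1;
        if (pids[i] == 0)
            run_tab(i, crash_index);  /* child: never returns */
    }
    int ok = 0;
    for (int i = 0; i < n; i++) {
        int status = 0;
        if (waitpid(pids[i], &status, 0) < 0)
            return -1;
        if (WIFEXITED(status) && WEXITSTATUS(status) == 0) {
            results[i].exited_ok = 1;
            ok++;
        } else if (WIFSIGNALED(status)) {
            results[i].term_signal = WTERMSIG(status);
        }
    }
    return ok;
}
```

The supervisor learns about the fault only through the wait status, never by sharing the faulting memory, which is exactly the separation the multi-process architecture relies on. In a real browser the same wait status is what drives the "tab crashed" page and any telemetry, so it is also the natural place to count and alert on abnormal worker deaths.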


Browsers with process isolation

* Google Chrome
* Internet Explorer 8 and later
* Safari
* Mozilla Firefox (default since 57)
* Maxthon


Programming languages

Erlang provides a similar concept in user space by implementing strictly separated lightweight processes.


Related technologies

* Virtual memory and virtual address space allow for memory space isolation.
* Polyinstantiation allows mirrored copies of shared resources, where changes by process A are not visible to process B.


See also

* Sandbox (computer security)
* NX bit

