US 12,437,057 B1
Portable policy execution using embedded machines
Torin Sandall, San Francisco, CA (US); Timothy L Hinrichs, Los Altos, CA (US); and Teemu Koponen, San Francisco, CA (US)
Assigned to Apple Inc., Cupertino, CA (US)
Filed by Apple Inc., Cupertino, CA (US)
Filed on Feb. 24, 2023, as Appl. No. 18/114,186.
Application 18/114,186 is a continuation of application No. 16/773,923, filed on Jan. 27, 2020, granted, now 11,593,525.
Claims priority of provisional application 62/892,735, filed on Aug. 28, 2019.
Claims priority of provisional application 62/855,726, filed on May 31, 2019.
Claims priority of provisional application 62/846,461, filed on May 10, 2019.
This patent is subject to a terminal disclaimer.
Int. Cl. G06F 21/54 (2013.01); G06F 9/455 (2018.01); G06F 9/54 (2006.01); G06F 21/62 (2013.01); H04L 9/40 (2022.01)
CPC G06F 21/54 (2013.01) [G06F 9/45558 (2013.01); G06F 9/547 (2013.01); G06F 21/629 (2013.01); H04L 63/102 (2013.01); H04L 63/20 (2013.01); G06F 2009/45595 (2013.01); G06F 2221/033 (2013.01)]
20 Claims

1. A method for evaluating authorization policies that define access to APIs (Application Programming Interfaces) of an application that executes on a machine that is one of a plurality of machines operating on a host computer, the method comprising:
at a process virtual machine (VM) executing within the application that executes on the machine operating on the host computer:
receiving a request from a module of the application, within which the process VM executes, to authorize an API call that the application receives and that is to be executed by the application;
generating an authorization decision for the API call by using a binary process executing within the process VM; and
sending, to the module of the application from which the request is received, an authorization decision to allow the API call, wherein the application executes the requested API call after receiving the authorization decision to allow the API call.