Patent attributes
Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for enveloping a thread of execution within an IDT-based secure sandbox. In one aspect, embodiments of the invention provide a method performed in a computer system. The method receives an instruction from an execution thread, where the computer system can be configured to redirect instructions from the execution thread. The method can determine whether the instruction includes at least one of an interrupt instruction, a system call instruction, and a system enter instruction. In response to determining that the instruction includes at least one of the interrupt instruction, the system call instruction, and the system enter instruction, the method can further: (i) eliminate the redirection, (ii) modify a stack to specify return of control, and (iii) thereafter pass the control to an operating system kernel.
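As an added illustration, not text or code from the patent, the classification step the abstract describes (deciding whether the instruction at a thread's instruction pointer is an interrupt, system call or system enter instruction) written as an x86 opcode check in C; the type and function names are my own, and the instruction bytes in the checks are constructed inputs.

```c
#include <stddef.h>
#include <stdint.h>
/* Result of inspecting the instruction at a thread's instruction pointer. */
enum xfer_kind { XFER_OTHER = 0, XFER_INT, XFER_SYSCALL, XFER_SYSENTER, XFER_TRUNCATED };
struct xfer_info {
    enum xfer_kind kind;
    int vector;    /* interrupt vector for XFER_INT (3 = int3, 4 = into), else -1 */
    size_t length; /* encoded length including prefixes; 0 unless classified */
};

/* Legacy prefixes may legally precede these opcodes without changing them. */
static int is_legacy_prefix(uint8_t b)
{
    switch (b) {
    case 0x26: case 0x2E: case 0x36: case 0x3E: case 0x64: case 0x65: /* segment overrides */
    case 0x66: case 0x67: case 0xF0: case 0xF2: case 0xF3:           /* size, lock, rep */
        return 1;
    default:
        return 0;
    }
}

/* Classify code[0..len) as int n / int3 / into, syscall (0F 05) or sysenter
 * (0F 34). long_mode selects x86-64 rules: REX prefixes allowed, `into` invalid.
 * A buffer that ends before the opcode is complete reports XFER_TRUNCATED. */
struct xfer_info classify_transfer(const uint8_t *code, size_t len, int long_mode)
{
    struct xfer_info r = { XFER_OTHER, -1, 0 };
    size_t i = 0;
    while (i < len && is_legacy_prefix(code[i]))          /* skip legacy prefixes */
        i++;
    if (long_mode && i < len && (code[i] & 0xF0) == 0x40) /* single REX byte */
        i++;
    if (i >= len || ((code[i] == 0xCD || code[i] == 0x0F) && i + 1 >= len)) {
        r.kind = XFER_TRUNCATED;
        return r;
    }
    switch (code[i]) {
    case 0xCC: r.kind = XFER_INT; r.vector = 3; r.length = i + 1; break;                    /* int3 */
    case 0xCE: if (!long_mode) { r.kind = XFER_INT; r.vector = 4; r.length = i + 1; } break; /* into */
    case 0xCD: r.kind = XFER_INT; r.vector = code[i + 1]; r.length = i + 2; break;          /* int imm8 */
    case 0x0F:
        if (code[i + 1] == 0x05)      { r.kind = XFER_SYSCALL;  r.length = i + 2; }
        else if (code[i + 1] == 0x34) { r.kind = XFER_SYSENTER; r.length = i + 2; }
        break;
    default:
        break;
    }
    return r;
}
```

A sandbox monitor would call this on the bytes at the redirected thread's instruction pointer and take the abstract's steps (i) to (iii) only when the result is XFER_INT, XFER_SYSCALL or XFER_SYSENTER; a truncated read is reported separately so it is never mistaken for a harmless instruction.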