Protected execution environments within a computer system
Abstract
A protected execution agent installs itself within a file system manager on the computer to control modifications to a protected execution environment by intercepting I/O requests from applications. If an unauthorized application attempts to modify the protected execution environment, the protected execution agent terminates the original I/O request and creates a redirected I/O request that specifies a corresponding directory path within an alternate environment. The requested I/O operation is carried out by the file system against the alternate environment. A configuration utility is responsible for determining which installed applications are authorized to change the protected execution environment. The configuration utility also establishes a parent-child relationship between an unauthorized application that invokes or “spawns” an authorized application, with the authorized child application being considered unauthorized when performing processes on behalf of the unauthorized parent application.
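The redirection decision described in the abstract, modelled in user space as an added example (not code from the patent). The `/protected` and `/alternate` roots, the `Process` class and the function names are assumptions for illustration; the example also goes beyond the text by walking the whole ancestor chain rather than only the direct parent, and by normalizing the requested path before the check.

```python
import posixpath
from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import Optional

# Constructed roots for illustration; the page names no paths.
PROTECTED_ROOT = PurePosixPath("/protected")
ALTERNATE_ROOT = PurePosixPath("/alternate")

@dataclass
class Process:
    name: str
    authorized: bool                      # category set by the configuration utility
    parent: Optional["Process"] = None    # application that spawned this one

def effectively_authorized(proc: Optional[Process]) -> bool:
    """Authorized only if the process and every ancestor are authorized."""
    while proc is not None:
        if not proc.authorized:
            return False
        proc = proc.parent
    return True

def in_protected(path: PurePosixPath) -> bool:
    # Component-wise comparison, so /protected-data does not match /protected.
    return path == PROTECTED_ROOT or PROTECTED_ROOT in path.parents

def intercept(proc: Process, requested: str) -> str:
    """Return the path that is submitted to the file system manager."""
    # Assumes absolute paths; collapse duplicate leading slashes and ".."
    # before the check so /scratch/../protected/x is still recognized.
    path = PurePosixPath(posixpath.normpath("/" + requested.lstrip("/")))
    if in_protected(path) and not effectively_authorized(proc):
        return str(ALTERNATE_ROOT / path.relative_to(PROTECTED_ROOT))
    return str(path)

if __name__ == "__main__":
    browser = Process("browser", authorized=False)
    installer = Process("installer", authorized=True)
    spawned = Process("installer", authorized=True, parent=browser)
    for p in (installer, browser, spawned):
        print(p.name, "->", intercept(p, "/protected/app/config.ini"))
```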
24 Claims
1. A method of providing a protected execution environment on a computer, the method comprising:
- intercepting an input/output request for a file from an application;
- determining if the application is authorized to modify the protected execution environment, wherein determining if the application is authorized to modify the protected execution environment comprises designating the application as not authorized to modify the protected execution environment if the application was invoked by another application that is not authorized to modify the protected execution environment;
- creating a redirected input/output request to an alternate environment when the application is not authorized to modify the protected execution environment and the file is within the protected execution environment; and
- submitting the redirected input/output request to a file system manager.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 23

11. A method for operating a computer system with a protected execution environment, the method comprising:
- executing a configuration utility to categorize a plurality of applications installed on the computer system as authorized or not authorized to modify the protected execution environment;
- defining the protected execution environment based on the authorized applications; and
- installing a protected execution agent in a file system to intercept input/output requests submitted by the applications, wherein the protected execution agent directs an input/output request to an alternate environment if the application that submitted the request is not authorized and the request is directed to the protected execution environment, and wherein the protected execution agent is installed in a hook chain in a file system manager to intercept the input/output requests before the requests are processed by any other agent installed in the hook chain.

Dependent claims: 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22

24. A system to provide a protected execution environment on a computer, the system comprising:
- an execution agent to:
  - intercept an input/output request for a file from an application;
  - determine if the application is authorized to modify the protected execution environment, wherein determining if the application is authorized to modify the protected execution environment comprises designating the application as not authorized to modify the protected execution environment if the application was invoked by another application that is not authorized to modify the protected execution environment;
  - create a redirected input/output request to an alternate environment when the application is not authorized to modify the protected execution environment and the file is within the protected execution environment; and
  - submit the redirected input/output request to a file system manager.

Specification