System and Methodology Providing Secure Workspace Environment

US 20070101435A1
Filed: 10/14/2005
Published: 05/03/2007
Est. Priority Date: 10/14/2005
Status: Active Grant

First Claim

Patent Images

1. In a computer system, a method for creating a secured workspace within an existing operating system for allowing users to run applications in a secured manner, the method comprising:

creating a policy for configuring the secured workspace, the policy specifying how information created during operation of the applications may be accessed;

hooking particular functions of the operating system in order to obtain control over the information created during operation of the applications;

during operation of the applications, encrypting the information to prevent unauthorized access;

in response to a request for access to the information, determining whether the request complies with the policy; and

if the request complies with the policy, satisfying the request by providing access to a decrypted copy of the information.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

System and methodology providing a secure workspace environment is described. In one embodiment, for example, in a computer system, a method is described for creating a secured workspace within an existing operating system for allowing users to run applications in a secured manner, the method comprises steps of: creating a policy for configuring the secured workspace, the policy specifying how information created during operation of the applications may be accessed; hooking particular functions of the operating system in order to obtain control over the information created during operation of the applications; during operation of the applications, encrypting the information to prevent unauthorized access; in response to a request for access to the information, determining whether the request complies with the policy; and if the request complies with the policy, satisfying the request by providing access to a decrypted copy of the information.

Citations

66 Claims

1. In a computer system, a method for creating a secured workspace within an existing operating system for allowing users to run applications in a secured manner, the method comprising:
- creating a policy for configuring the secured workspace, the policy specifying how information created during operation of the applications may be accessed;
  
  hooking particular functions of the operating system in order to obtain control over the information created during operation of the applications;
  
  during operation of the applications, encrypting the information to prevent unauthorized access;
  
  in response to a request for access to the information, determining whether the request complies with the policy; and
  
  if the request complies with the policy, satisfying the request by providing access to a decrypted copy of the information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, wherein the particular functions of the operating system include input/output (I/O) functions.
  - 3. The method of claim 2, wherein the I/O functions include file services of the operating system.
  - 4. The method of claim 1, wherein said hooking step occurs in a manner that is transparent to the applications.
  - 5. The method of claim 1, further comprising:
    - displaying user feedback for indicating that the applications are running in a secured manner.
  - 6. The method of claim 5, wherein the user feedback includes distinctive computer desktop wallpaper.
  - 7. The method of claim 1, wherein said hooking step occurs in a manner that is transparent to users.
  - 8. The method of claim 1, wherein said information includes session information generated during operation of the applications.
  - 9. The method of claim 1, wherein the secured workspace operates within the existing operating system in a manner that allows users to easily switch back to an existing unsecured workspace of the operating system.
  - 10. The method of claim 1, wherein the secured workspace operates within user-space mode of the operating system, without requiring device drivers.
  - 11. The method of claim 1, wherein the policy specifies actions of the applications that are permitted and are not permitted.
  - 12. The method of claim 11, wherein the policy specifies certain banned programs that are not permitted to run in the secured workspace.
  - 13. The method of claim 12, wherein said banned programs include malicious software.
  - 14. A computer-readable medium having processor-executable instructions for performing the method of claim 1.
  - 15. A downloadable set of processor-executable instructions for performing the method of claim 1.

16. A computer system providing a secured workspace for allowing users to run applications in a secured manner, the system comprising:
- a computer running under control of an existing operating system;
  
  a policy for configuring the secured workspace, the policy specifying how information created during operation of the applications may be accessed;
  
  a module for intercepting particular functions of the existing operating system in order to allow the secured workspace to run under the existing operating system, said module permitting the secured workspace to obtain control over the information created during operation of the applications;
  
  an encryption module for preventing unauthorized access to the information; and
  
  a decryption module for providing authorized access to the information, in response to receiving a request that complies with the policy.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 17. The system of claim 16, wherein the particular functions of the operating system include input/output (I/O) functions.
  - 18. The system of claim 17, wherein the I/O functions include file services of the operating system.
  - 19. The system of claim 16, wherein the module for intercepting operates in a manner that is transparent to the applications.
  - 20. The system of claim 16, further comprising:
    - displayable user feedback for indicating that the applications are running in a secured manner.
  - 21. The system of claim 20, wherein the user feedback includes distinctive computer desktop wallpaper.
  - 22. The system of claim 16, wherein the module for intercepting operates in a manner that is transparent to users.
  - 23. The system of claim 16, wherein said information includes session information generated during operation of the applications.
  - 24. The system of claim 16, wherein the secured workspace operates within the existing operating system in a manner that allows users to easily switch back to an existing unsecured workspace of the operating system.
  - 25. The system of claim 16, wherein the secured workspace operates within user-space mode of the operating system, without requiring device drivers.
  - 26. The system of claim 16, wherein the policy specifies actions of the applications that are permitted and are not permitted.
  - 27. The system of claim 26, wherein the policy specifies certain banned programs that are not permitted to run in the secured workspace.
  - 28. The system of claim 27, wherein said banned programs include selected ones of spyware and computer virus software.
  - 29. The system of claim 16, wherein the particular functions of the operating system include clipboard functions.
  - 30. The system of claim 16, wherein the information includes registry information created during operation of the applications.

31. A system providing a secured desktop environment that allows users to run application software securely, the system comprising:
- a computer running under an operating system, said computer including application software for use by users; and
  
  a secured desktop environment comprising;
  
  a configurable policy specifying permitted operations of the application software and specifying permitted access to information created during operation of the application software;
  
  a hooks engine for intercepting particular calls to the operating system, thereby allowing the secured desktop environment to control operations of the application software and control access to information created during operation of the application software; and
  
  a module, operating in conjunction with said policy and said hooks engine, for preventing any operation of the application software that is not permitted and any access to the information that is not permitted.
- View Dependent Claims (32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45)
- - 32. The system of claim 31, wherein the particular calls to the operating system include input/output (I/O) API (application programming interface) functions.
  - 33. The system of claim 32, wherein the I/O API functions include file services of the operating system.
  - 34. The system of claim 31, wherein the hooks engine operates in a manner that is transparent to the application software.
  - 35. The system of claim 31, further comprising:
    - displayable user feedback for indicating that the application software is running in a secured manner.
  - 36. The system of claim 35, wherein the user feedback includes distinctive computer desktop wallpaper.
  - 37. The system of claim 31, wherein the hooks engine operates in a manner that is transparent to users.
  - 38. The system of claim 31, wherein said information includes session information generated during operation of the application software.
  - 39. The system of claim 31, wherein the secured desktop environment operates within the operating system in a manner that allows users to easily switch back to an existing unsecured desktop environment of the operating system.
  - 40. The system of claim 31, wherein the secured desktop environment operates within user-space mode of the operating system, without requiring device drivers.
  - 41. The system of claim 31, wherein the policy specifies actions of the application software that are permitted and are not permitted.
  - 42. The system of claim 31, wherein the particular calls to the operating system include clipboard functions.
  - 43. The system of claim 31, wherein the information includes registry information created during operation of the application software.
  - 44. The system of claim 31, wherein said module for preventing includes:
    - an encryption module for preventing unauthorized access to the information.
  - 45. The system of claim 31, wherein said module for preventing includes:
    - a decryption module for providing access to the information that is permitted pursuant to the policy.

46. A method for securing software programs that run under control of a computer operating system, the method comprising:
- defining a configurable security policy that specifies operations of the software programs that are permitted;
  
  patching certain files of the computer operating system, so that interactions between the software programs and the computer operating system may be monitored for compliance with the security policy; and
  
  controlling operations of the software programs to prevent violation of the security policy.
- View Dependent Claims (47, 48, 49, 50, 51, 52, 53, 54, 55)
- - 47. The method of claim 46, wherein said patching step includes:
    - inserting program code stubs into particular files so that invocation of operating system services may be redirected to program logic that monitors such invocation.
  - 48. The method of claim 47, wherein the step of inserting a program code stubs includes:
    - allowing invocation of a particular operating system service, if the invocation would not violate the security policy.
  - 49. The method of claim 47, wherein the step of inserting a program code stubs includes:
    - denying invocation of a particular operating system service, if the invocation would violate the security policy.
  - 50. The method of claim 46, wherein said patching step includes:
    - patching certain files of the computer operating system in order to control operating system file services, so that the method may monitor file read and file write operations of the software programs.
  - 51. The method of claim 50, further comprising:
    - providing on-the-fly encryption for files created by the software programs.
  - 52. The method of claim 51, further comprising:
    - providing decryption for said files, in a manner that is transparent to the software programs.
  - 53. The method of claim 46, wherein said controlling step includes:
    - controlling inter process communication (IPC) that occurs between individual software programs.
  - 54. The method of claim 53, further comprising:
    - blocking any inter process communication (IPC) that would violate the security policy.
  - 55. The method of claim 46, further comprising:
    - controlling any print operations that are requested by the software programs.

56. A system for securing software programs that run under control of a computer operating system, the system comprising:
- a configurable security policy that specifies operations of the software programs that are permitted;
  
  means for patching certain files of the computer operating system, so that interactions between the software programs and the computer operating system may be monitored for compliance with the security policy; and
  
  means for controlling operations of the software programs to prevent violation of the security policy.
- View Dependent Claims (57, 58, 59, 60)
- - 57. The system of claim 56, wherein the patching means comprises:
    - program code stubs inserted into particular files so that invocation of operating system services may be redirected to program logic that monitors such invocation.
  - 58. The system of claim 57, wherein the program code stubs redirect program execution to certain program code that allows invocation of a particular operating system service, if the invocation would not violate the security policy.
  - 59. The system of claim 57, wherein the program code stubs redirect program execution to certain program code that denies invocation of a particular operating system service, if the invocation would violate the security policy.
  - 60. The system of claim 56, wherein the patching means includes:
    - means for patching certain files of the computer operating system in order to control operating system file services, so that the system may monitor file operations of the software programs.

61. An improved desktop environment for use with an existing operating system, wherein the improvement comprises:
- a policy specifying behavior of computer programs that is permitted;
  
  injectable program code that intercepts interactions between the computer programs and the existing operating system, so that the computer programs may be monitored for compliance with the policy; and
  
  wherein the desktop environment blocks any attempted behavior by the computer programs that would violate the policy.
- View Dependent Claims (62, 63, 64, 65, 66)
- - 62. The improved desktop environment of claim 61, wherein the existing operating system includes Microsoft Windows.
  - 63. The improved desktop environment of claim 62, wherein the injectable program code intercepts invocation of particular Microsoft Windows API (application programming interface) calls.
  - 64. The improved desktop environment of claim 63, wherein the particular Microsoft Windows API calls include ones providing file services.
  - 65. The improved desktop environment of claim 64, wherein the particular Microsoft Windows API calls include ones providing control over registry usage.
  - 66. The improved desktop environment of claim 61, wherein the improved desktop environment automatically cleans up any session data that remains after a user has concluded a given session with the improved desktop environment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Check Point Software Technologies Incorporated (Check Point Software Technologies Limited)
Original Assignee
Check Point Software Technologies Incorporated (Check Point Software Technologies Limited)
Inventors
Konanka, Dzmitry, Liahuski, Andrei

Granted Patent

US 7,725,737 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/27
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 21/52   during program execution, e...

G06F 21/57   Certifying or maintaining t...

G06F 9/45558   Hypervisor-specific managem...

System and Methodology Providing Secure Workspace Environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

66 Claims

Specification

Solutions

Use Cases

Quick Links

System and Methodology Providing Secure Workspace Environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

66 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links