SAFE AND SECURE PROGRAM EXECUTION FRAMEWORK WITH GUEST APPLICATION SPACE
Abstract
A system and method are provided here that allow a computer user to create a temporary guest running space for an application without switching user environment. This unique method allows the user to run trusted applications in the regular running space while keeping a separate working space for applications that use or visit non-trusted data sources.
The proposed method provides a safe execution environment in which an application running in the guest space can't tamper with or alter data stored in the regular running space. A set of policy rules dictates how information will be exchanged transparently between applications running in the two separate working spaces.
The proposed system also makes sure program files can't be altered or modified without proper need, and suspicious calls to modify program files or alter the execution environment are blocked.
20 Claims
1. A system and method to protect a computing system, comprising:
- a) a management component to create at least one new working space and manage it,
- b) an API call intercept processor to inspect, intercept or manipulate system calls,
- c) a policy module containing rules that define how the said system calls are redirected or manipulated,
- d) a method that collects intercepted parameters from the intercepted API, applies rules from the policy module and redirects those calls,
- whereby a program, if infected, will modify data on a secondary working space, keeping the primary working space intact and eventually protecting the system, and user privacy is protected because the secondary working space can be recreated or disposed of easily.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16
whereby a user can click on a shortcut icon on the user's desktop to launch a browser in the primary space and click on another shortcut icon on the user's desktop to launch a browser in an alternate working space, where those two browsers don't share cookies, favorite lists or browsing history, and if one browser is infected it doesn't affect the other, even after reboot.
5. A management component as recited in claim 1 comprises a means to create icons on the desktop or computer screen, where each icon represents a shortcut to program(s), program group(s) or working spaces, so that the user can simply click on an icon and easily launch a program in different working spaces.
6. A management component as recited in claim 1 implements a copy_on_write method comprising:
- a) a means to set a working space as a read-only working space,
- b) a means to create a new working space, initializing it with the same information as the read-only working space without copying it,
- c) a method to copy necessary information when a program running in the new working space modifies data, so that the read-only working space and the new working space exist side by side,
- whereby a user can click on a shortcut icon on the user's desktop to launch a browser in the primary space and click on another shortcut icon on the user's desktop to launch a browser in a copy_on_write working space, where those two browsers share cookies, favorite lists and browsing history as of the current point in time and any subsequent changes stay separate.
7. Working space as recited in claim 1 comprises a primary space that constitutes the user's regular running space, such as the desktop on Windows OS, and additional space(s) that exist within the user's space in such a way as if a new user space, called a virtual user space, were created in the system, but only the user can see the virtual user space.
8. Working space as recited in claim 1 includes a method to keep its own part of user configuration data or application data within a particular user space, where it can inherit user security settings.
9. Working space as recited in claim 1 comprises a method to share its configuration or application data among all its own working spaces, which allows the user to run an application in multiple spaces with common settings.
10. Working space as recited in claim 1 comprises a method to keep common settings for multiple users, which allows multiple users to run programs in the user's working space(s) with common settings.
11. An API call intercept processor as recited in claim 1 is embedded in the module of the respective API, where the code of those APIs is modified and recompiled, whereby the interception can be implemented without doing any runtime API interception.
12. An API call intercept processor as recited in claim 1 injects a DLL that manipulates the function entry points or function table, such as the import table, or overwrites existing function code, or uses a system-provided mechanism to implement interception.
13. An API call intercept processor as recited in claim 1 comprises a step to collect API call parameters;
- retrieve rules from the policy module that are applicable to this particular call, then determine which working space(s) it should target, and modify the call parameters with a different set of parameters or replace the call with a different set of calls.
14. A policy module as recited in claim 1 contains policy on how interception should be done for a given system, or how working space(s) should be managed or created, or how API calls should be manipulated.
15. A policy module as recited in claim 1 is implemented in other components of the system and method as recited in claim 1 in a hard-coded way to bypass a separate policy module, whereby allowing an implementation of a preset policy preconfigured for a particular set of user(s) or systems.
16. A policy module as recited in claim 1 creates its rules based on predefined information in a database, or creates information by collecting application profiling data that covers how different applications are executed, what kind of data applications access, and how applications are installed or deployed across different computer systems in the network.
17. A system and method to protect program modules and working space, comprising:
- a) an API call intercept processor to inspect, intercept or manipulate system calls,
- b) a policy module containing rules that define how the calls should be redirected or manipulated,
- c) a step that identifies whether an API call or set of API calls is about to create or modify program modules or execution environment settings for a working space, and allows, disallows or modifies the call using rules in said policy module,
- whereby users can keep their primary working space with all program modules in a read-only state and block any calls that can modify those program modules, such as exe files and driver files, and make the working space program modules writeable while doing maintenance work such as program installation or updating the system.
Dependent claims: 18, 19
20. A system and method for a protection framework, comprising:
- a) an API call intercept processor to inspect, intercept or manipulate system calls,
- b) a policy module containing rules that define how the calls should be redirected or manipulated or how new rules should be created,
- c) a step to identify whether an API call or set of API calls is about to create or modify program modules or change execution environment settings, and allow, disallow or modify the call,
- d) a management component to manage multiple working spaces,
- e) a framework where interconnected computers communicate with each other to collect data to create new rules that allow a protective environment to be created,
- whereby users are enabled to protect their program modules or working space by connecting different computers and building a protection shield that shares information among different computers, by deploying disposable working spaces, using read-only working spaces or copy_on_write working spaces, or blocking calls that can modify program modules, which greatly enhances users' privacy and security.
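The redirect flow recited in claims 6, 13 and 17, modelled as an added Python illustration on ordinary files rather than hooked Windows API calls; it is not code from the patent or its applicant. The names `GuestSpace`, `resolve` and `PROTECTED_EXT`, the extension list and the sample profile are assumptions constructed for this example.

```python
import os, shutil, tempfile

PROTECTED_EXT = {".exe", ".dll", ".sys"}  # assumed "program module" types

class GuestSpace:
    """Copy-on-write guest space layered over an untouched primary space."""
    def __init__(self, primary, guest):
        self.primary, self.guest = primary, guest

    def resolve(self, rel_path, write):
        """Policy step for one intercepted file call: return the real path."""
        rel = os.path.normpath(rel_path)
        if os.path.isabs(rel) or rel.split(os.sep)[0] == "..":
            raise PermissionError("policy: path escapes the working space")
        if write and os.path.splitext(rel)[1].lower() in PROTECTED_EXT:
            raise PermissionError("policy: write to program module blocked")
        src, dst = os.path.join(self.primary, rel), os.path.join(self.guest, rel)
        if not write:
            return dst if os.path.exists(dst) else src  # read falls through
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        if os.path.exists(src) and not os.path.exists(dst):
            shutil.copy2(src, dst)  # copy only when first modified
        return dst

    def open(self, rel_path, mode="r"):
        return open(self.resolve(rel_path, any(c in mode for c in "wax+")), mode)

    def dispose(self):
        shutil.rmtree(self.guest, ignore_errors=True)  # primary is untouched

def demo():
    """Constructed scenario: a browser profile shared by two spaces."""
    root = tempfile.mkdtemp()
    ws = GuestSpace(os.path.join(root, "primary"), os.path.join(root, "guest"))
    cookies = os.path.join("profile", "cookies.txt")
    os.makedirs(os.path.join(ws.primary, "profile"))
    with open(os.path.join(ws.primary, cookies), "w") as f:
        f.write("session=primary\n")
    with ws.open(cookies, "a") as f:  # first guest write triggers the copy
        f.write("tracker=guest\n")
    with ws.open(cookies) as g, open(os.path.join(ws.primary, cookies)) as p:
        views = {"guest": g.read(), "primary": p.read()}
    try:
        ws.resolve("browser.exe", write=True)
    except PermissionError as e:
        views["exe_write"] = str(e)
    ws.dispose()
    with ws.open(cookies) as g:
        views["after_dispose"] = g.read()
    shutil.rmtree(root)
    return views
```

The path normalisation check matters in any redirecting layer: without it, a relative path containing `..` would resolve outside both working spaces and bypass the policy.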
Specification