VIRTUALIZATION METHOD FOR PROTECTING COMPUTER PROGRAMS AND DATA FROM HOSTILE CODE

US 20110113427A1
Filed: 11/10/2010
Published: 05/12/2011
Est. Priority Date: 11/12/2009
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method for maintaining security of a computing system, comprising directing a processor to perform the actions:

defining a virtualized environment within the computing system;

defining a virtualized repository within storage resources of the computing system, the virtualized repository forming part of the virtualized environment;

whenever a program runs within the virtualized environment, preventing the program from interacting with any computing resources outside of the virtualized environment.whenever a program executing within the virtualized environment attempts to save a file in a designated folder, performing the following operations;

if no virtualized folder corresponding to the designated folder exists within the virtualized repository, creating a corresponding virtualized folder inside the virtualized repository, saving the file inside the virtualized folder, and creating a virtual shortcut inside the designated folder, the virtual shortcut pointing to the file inside the virtualized folder; and

,if a virtualized folder corresponding to the designated folder exists within the virtualized repository, saving the file inside the virtualized folder, and creating a virtual shortcut inside the designated folder, the virtual shortcut pointing to the file inside the virtualized folder.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A secure computing environment that prevents malicious code from “illegitimately” interacting with programs and data residing on the computing platform. While the various embodiments restrict certain programs to operate in a virtualized environment, such operation is transparent to the user from the operational point of view. Moreover, any program operating in the virtualized environment is made to believe that it has full access to all of the computing resources. To prevent a user from unknowingly or inadvertently allowing the program to adversely affect the computer, the user is also presented with “feel” that the program is able to perform all operations in the computing environment.

79 Citations

View as Search Results

20 Claims

1. A computer implemented method for maintaining security of a computing system, comprising directing a processor to perform the actions:
- defining a virtualized environment within the computing system;
  
  defining a virtualized repository within storage resources of the computing system, the virtualized repository forming part of the virtualized environment;
  
  whenever a program runs within the virtualized environment, preventing the program from interacting with any computing resources outside of the virtualized environment.whenever a program executing within the virtualized environment attempts to save a file in a designated folder, performing the following operations;
  
  if no virtualized folder corresponding to the designated folder exists within the virtualized repository, creating a corresponding virtualized folder inside the virtualized repository, saving the file inside the virtualized folder, and creating a virtual shortcut inside the designated folder, the virtual shortcut pointing to the file inside the virtualized folder; and
  
  ,if a virtualized folder corresponding to the designated folder exists within the virtualized repository, saving the file inside the virtualized folder, and creating a virtual shortcut inside the designated folder, the virtual shortcut pointing to the file inside the virtualized folder.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. The computer implemented method of claim 1, wherein when a user clicks on the virtual shortcut, the system allows the file to execute only within the virtualized environment.
  - 3. The computer implemented method of claim 1, further comprising enabling the user to select whether the file should execute only inside the virtualized environment or be allowed to execute outside the virtual environment.
  - 4. The computer implemented method of claim 1, further comprising adding a graphical indicia to the virtual shortcut inside the designated folder to indicate that the virtual shortcut points to the file inside the virtual environment.
  - 5. The computer implemented method of claim 1, further comprising adding suffix or prefix to the name of the virtual shortcut inside the designated folder.
  - 6. The computer implemented method of claim 1, further comprising:
    - generating a list of file types;
      
      whenever a program executing within the virtualized environment attempts to save a file in a designated folder, first determining whether the designated file corresponds to a file type listed in the list of file types and, based on this determination deciding whether to proceed with storing the file inside the designated folder or inside the virtualized folder.
  - 7. The computer implemented method of claim 1, further comprising:
    - designating a directory level;
      
      whenever a program executing within the virtualized environment attempts to save a file in a designated folder, first determining whether the designated file reside below or above the designated directory level and, based on this determination deciding whether to proceed with storing the file inside the designated folder or inside the virtualized folder.
  - 8. The computer implemented method of claim 1, further comprising tracking operations performed on the virtual shortcut and performing corresponding operations on the file.
  - 9. The computer implemented method of claim 1, further comprising:
    - defining a list of harmless file types;
      
      defining a point of deletion event; and
      
      ,whenever the point of deletion event is reached, deleting all files in the virtualized repository, except file corresponding to the list of harmless file types.
  - 10. The computer implemented method of claim 9, further comprising:
    - defining a restore point;
      
      taking a snapshot of the virtualized repository;
      
      whenever the point of deletion event is reached, after deleting all files in the virtualized repository, restoring the snapshot into the virtualized repository.
  - 11. The computer implemented method of claim 1, further comprising:
    - defining a list of restricted programs;
      
      whenever a program attempts to execute determining whether the program is listed on the list of restricted program and, if so, restricting the program to execute only within the virtual environment.
  - 12. The computer implemented method of claim 1, further comprising:
    - defining a list of trusted programs;
      
      whenever a program attempts to execute determining whether the program is listed on the list of trusted program and, if not, restricting the program to execute only within the virtual environment.
  - 13. The computer implemented method of claim 1, further comprising:
    - defining a list of safe URLs;
      
      whenever a browser executes, monitoring the URL the browser is pointing to and whenever the URL is listed on the list of secure URLs allowing the browser to execute outside the virtualized environment and, otherwise, limiting the browser to execute only inside the virtualized environment.
  - 14. The computer implemented method of claim 1, further comprising:
    - Whenever a program initiates, determining the origin of the program and, if the origin is a removable media, restricting the program to run only inside the virtualized environment.
  - 15. The computer implemented method of claim 1, further comprising:
    - defining a list of confidential objects;
      
      preventing any program running inside the virtualized environment from seeing content of any object listed in the list of confidential objects.
  - 16. The computer implemented method of claim 15, further comprising:
    - whenever a program executing inside the virtualized environment attempts to access an object listed in the list of confidential objects, performing;
      
      opening a user window outside the virtualized environment;
      
      enabling a user to select the object from within the window;
      
      upon object selection, copying the object into the virtual environment to thereby create a virtualized object;
      
      providing the program an access to the virtualized object.
  - 17. The computer implemented method of claim 1, further comprising:
    - whenever a new program initiates, checking whether the new program contains a valid digital certificate and, if so, allowing the new program to initiate outside the virtual environment;
      
      otherwise, limiting the new program to the virtualized environment only.
  - 18. The computer implemented method of claim 1, further comprising:
    - monitoring all out-of-process requests;
      
      for each out of process request, checking whether the request originated from inside the virtualized environment and, if so, allowing the out-of-process request to execute only inside the virtualized environment.
  - 19. The computer implemented method of claim 18, further comprising:
    - generating virtualized instances of out-of-process request ports and directing all out-of-process requests originating from a program executing inside the virtual environment to the virtualized instances of out-of-process request ports.
  - 20. The computer implemented method of claim 1, further comprising:
    - Preventing a program executing inside the virtualized environment from seeing keystrokes made for the benefit of another program.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
BUFFERZONE Security Ltd.
Original Assignee
BUFFERZONE Security Ltd.
Inventors
DOTAN, Eyal

Granted Patent

US 8,850,428 B2
Time in Patent Office

Days
Field of Search
US Class Current

718/1
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/62   Protecting access to data v...

G06F 2221/2141   Access rights, e.g. capabil...

G06F 9/455   Emulation; Interpretation; ...

VIRTUALIZATION METHOD FOR PROTECTING COMPUTER PROGRAMS AND DATA FROM HOSTILE CODE

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

79 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

VIRTUALIZATION METHOD FOR PROTECTING COMPUTER PROGRAMS AND DATA FROM HOSTILE CODE

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

79 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links