APPROACHES FOR SECURING AN INTERNET ENDPOINT USING FINE-GRAINED OPERATING SYSTEM VIRTUALIZATION

US 20110296412A1
Filed: 05/25/2011
Published: 12/01/2011
Est. Priority Date: 05/28/2010
Status: Active Grant

First Claim

Patent Images

1. A method for executing untrusted software on a client, comprising:

in response to receiving a request to execute an application, instantiating a virtual machine in which the application is to be executed,wherein instantiating the virtual machine is performed without human intervention.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Approaches for executing untrusted software on a client without compromising the client using micro-virtualization to execute untrusted software in isolated contexts. A template for instantiating a virtual machine on a client is identified in response to receiving a request to execute an application. After the template is identified, without human intervention, a virtual machine is instantiated, using the template, in which the application is to be executed. The template may be selected from a plurality of templates based on the nature of the request, as each template describe characteristics of a virtual machine suitable for a different type of activity. Selected resources such as files are displayed to the virtual machines according to user and organization policies and controls. When the client determines that the application has ceased to execute, the client ceases execution of the virtual machine without human intervention.

161 Citations

20 Claims

1. A method for executing untrusted software on a client, comprising:
- in response to receiving a request to execute an application, instantiating a virtual machine in which the application is to be executed,wherein instantiating the virtual machine is performed without human intervention.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The method of claim 1, wherein instantiating the virtual machine further comprises:
    - identifying, from a plurality of templates, a template for use in instantiating the virtual machine; and
      
      instantiating the virtual machine using the identified template.
  - 3. The method of claim 1, wherein instantiating the virtual machine further comprises:
    - identifying, from a plurality of templates, a template for use in instantiating the virtual machine based on a policy that considers the type of application whose execution is being requested by the request, wherein each of the plurality of templates describe characteristics of a virtual machine suitable for a different type of activity.
  - 4. The method of claim 3, wherein at least two of the plurality of templates includes a common portion which is the same across the at least two templates, wherein the common portion includes reference to a shared operating system image used to instantiate an operating system to run in virtual machines created using the at least two templates, and wherein the characteristics of a virtual machine described by each of the plurality of templates include a size of the virtual machine, firewall settings for the virtual machine, and whether the virtual machine is a validated virtual machine, a legacy virtual machine, or an untrusted virtual machine.
  - 5. The method of claim 1, further comprising:
    - consulting policy data to determine whether the application should run alone, or with two or more other applications, within a single virtual machine,wherein consulting is performed without prompting or notifying a user.
  - 6. The method of claim 1, further comprising:
    - upon booting the client, executing, within an initial virtual machine, a set of processes responsible for rendering all user interfaces displayed by the client, wherein the initial virtual machine is not connected to any network.
  - 7. The method of claim 1, further comprising:
    - executing, within a legacy virtual machine, a file system; and
      
      executing, within each of one or more other virtual machines running in the client other than the legacy virtual machine, a local file system,wherein the files comprised with each local file system (a) are a subset of the files in the file system and (b) have been selected as being pertinent to the performance of an application executing within the virtual machine comprising the local file system.
  - 8. The method of claim 7, further comprising:
    - in response to receiving input from a user, a dynamic file system switch supplying one or more privileged files to a particular local file system, wherein the input from the user does not identify the virtual machine or the particular local file system to which the one or more privileged files are to be supplied.
  - 9. The method of claim 1, further comprising:
    - assigning, to the virtual machine, responsibility for a selected set of devices based on a policy expressed in policy data stored on the client.
  - 10. The method of claim 1, further comprising:
    - in response to the client determining that the application has ceased to execute, the client ceasing execution of the virtual machine without human intervention.
  - 11. The method of claim 1, wherein instantiating a virtual machine using the template comprises:
    - instantiating the virtual machine using a copy-on-write process.
  - 12. The method of claim 1, wherein instantiating a virtual machine is performed by a type 1 hypervisor or a type 2 hypervisor.
  - 13. The method of claim 1, wherein a plurality of virtual machines have been instantiated in the client, and wherein each of the plurality of virtual machines prevent any application running in one virtual machine from communicating with another application running in a different virtual machine.
  - 14. The method of claim 1, wherein communication between an identified set of virtual machines can be enabled by a person with sufficient privileges.
  - 15. The method of claim 1, further comprising:
    - executing, within a plurality of virtual machines running on the client, an operating system,wherein the operating system executing in each of the plurality of virtual machines is instantiated from the same operating system image.
  - 16. The method of claim 1, wherein a host operating system executing on one of the plurality of virtual machines running on the client, and wherein the host operating system is instantiated using the same operating system image.
  - 17. The method of claim 1, further comprising:
    - in response to a user executing a plurality of applications on the client, the client identifying, without intervention from the user and for each of the plurality of applications, a template to use in instantiating a separate virtual machine in which only one of the plurality of application is to run.
  - 18. The method of claim 1, further comprising:
    - a firewall virtual machine providing, to any virtual machine running on the client in which untrusted code is executing, restricted access to only those network resources deemed necessary on a as-needed basis in accordance with a policy described by policy data stored on the client.

19. A client, comprising:
- one or more processors;
  
  one or more storage mediums storing one or more sequences of instructions, which when executed by the one or more processors, causes;
  
  in response to receiving a request to execute an application, instantiating a virtual machine in which the application is to be executed,wherein instantiating the virtual machine is performed without human intervention.

20. A computer readable storage medium storing one or more sequences of instructions, which when executed by one or more processors, causes:
- in response to receiving a request to execute an application, instantiating a virtual machine in which the application is to be executed,wherein instantiating the virtual machine is performed without human intervention.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Original Assignee
Bromium (HP Inc.)
Inventors
Banga, Gaurav, Kapoor, Vikram, Bondalapati, Kiran, Pratt, Ian

Granted Patent

US 8,972,980 B2
Time in Patent Office

Days
Field of Search
US Class Current

718/1
CPC Class Codes

G06F 2009/45562   Creating, deleting, cloning...

G06F 2009/45587   Isolation or security of vi...

G06F 2209/5018   Thread allocation

G06F 9/45545   Guest-host, i.e. hypervisor...

G06F 9/5027   the resource being a machin...

G06F 9/5077   Logical partitioning of res...

APPROACHES FOR SECURING AN INTERNET ENDPOINT USING FINE-GRAINED OPERATING SYSTEM VIRTUALIZATION

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

161 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

APPROACHES FOR SECURING AN INTERNET ENDPOINT USING FINE-GRAINED OPERATING SYSTEM VIRTUALIZATION

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

161 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links