System and methodology providing secure workspace environment

US 7,725,737 B2
Filed: 10/14/2005
Issued: 05/25/2010
Est. Priority Date: 10/14/2005
Status: Active Grant

First Claim

Patent Images

1. In a computer system, a method for creating a secured workspace within an existing operating system for allowing users to run applications in a secured manner, the method comprising:

creating a policy for configuring the secured workspace, the policy specifying how information created during operation of the applications may be accessed;

hooking particular functions of the operating system in order to obtain control over the information created during operation of the applications;

during operation of the applications, encrypting the information to prevent unauthorized access;

in response to a request for access to the information, determining whether the request complies with the policy; and

if the request complies with the policy, satisfying the request by providing access to a decrypted copy of the information.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

System and methodology providing a secure workspace environment is described. In one embodiment, for example, in a computer system, a method is described for creating a secured workspace within an existing operating system for allowing users to run applications in a secured manner, the method comprises steps of: creating a policy for configuring the secured workspace, the policy specifying how information created during operation of the applications may be accessed; hooking particular functions of the operating system in order to obtain control over the information created during operation of the applications; during operation of the applications, encrypting the information to prevent unauthorized access; in response to a request for access to the information, determining whether the request complies with the policy; and if the request complies with the policy, satisfying the request by providing access to a decrypted copy of the information.

104 Citations

View as Search Results

45 Claims

1. In a computer system, a method for creating a secured workspace within an existing operating system for allowing users to run applications in a secured manner, the method comprising:
- creating a policy for configuring the secured workspace, the policy specifying how information created during operation of the applications may be accessed;
  
  hooking particular functions of the operating system in order to obtain control over the information created during operation of the applications;
  
  during operation of the applications, encrypting the information to prevent unauthorized access;
  
  in response to a request for access to the information, determining whether the request complies with the policy; and
  
  if the request complies with the policy, satisfying the request by providing access to a decrypted copy of the information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, wherein the particular functions of the operating system include input/output (I/O) functions.
  - 3. The method of claim 2, wherein the I/O functions include file services of the operating system.
  - 4. The method of claim 1, wherein said hooking step occurs in a manner that is transparent to the applications.
  - 5. The method of claim 1, further comprising:
    - displaying user feedback for indicating that the applications are running in a secured manner.
  - 6. The method of claim 5, wherein the user feedback includes distinctive computer desktop wallpaper.
  - 7. The method of claim 1, wherein said hooking step occurs in a manner that is transparent to users.
  - 8. The method of claim 1, wherein said information includes session information generated during operation of the applications.
  - 9. The method of claim 1, wherein the secured workspace operates within the existing operating system in a manner that allows users to easily switch back to an existing unsecured workspace of the operating system.
  - 10. The method of claim 1, wherein the secured workspace operates within user-space mode of the operating system, without requiring device drivers.
  - 11. The method of claim 1, wherein the policy specifies actions of the applications that are permitted and are not permitted.
  - 12. The method of claim 11, wherein the policy specifies certain banned programs that are not permitted to run in the secured workspace.
  - 13. The method of claim 12, wherein said banned programs include malicious software.
  - 14. A computer-readable medium having processor-executable instructions for performing the method of claim 1.
  - 15. The method of claim 1, further comprising:
    - downloading a set of computer-executable instructions for performing the method of claim 1 on a computer having a processor and a memory.

16. A computer system providing a secured workspace for allowing users to run applications in a secured manner, the system comprising:
- a computer running under control of an existing operating system;
  
  a policy for configuring the secured workspace, the policy specifying how information created during operation of the applications may be accessed;
  
  a module for intercepting particular functions of the existing operating system in order to allow the secured workspace to run under the existing operating system, said module permitting the secured workspace to obtain control over the information created during operation of the applications;
  
  an encryption module for preventing unauthorized access to the information; and
  
  a decryption module for providing authorized access to the information, in response to receiving a request that complies with the policy.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 17. The system of claim 16, wherein the particular functions of the operating system include input/output (I/O) functions.
  - 18. The system of claim 17, wherein the I/O functions include file services of the operating system.
  - 19. The system of claim 16, wherein the module for intercepting operates in a manner that is transparent to the applications.
  - 20. The system of claim 16, further comprising:
    - displayable user feedback for indicating that the applications are running in a secured manner.
  - 21. The system of claim 20, wherein the user feedback includes distinctive computer desktop wallpaper.
  - 22. The system of claim 16, wherein the module for intercepting operates in a manner that is transparent to users.
  - 23. The system of claim 16, wherein said information includes session information generated during operation of the applications.
  - 24. The system of claim 16, wherein the secured workspace operates within the existing operating system in a manner that allows users to easily switch back to an existing unsecured workspace of the operating system.
  - 25. The system of claim 16, wherein the secured workspace operates within user-space mode of the operating system, without requiring device drivers.
  - 26. The system of claim 16, wherein the policy specifies actions of the applications that are permitted and are not permitted.
  - 27. The system of claim 26, wherein the policy specifies certain banned programs that are not permitted to run in the secured workspace.
  - 28. The system of claim 27, wherein said banned programs include selected ones of spyware and computer virus software.
  - 29. The system of claim 16, wherein the particular functions of the operating system include clipboard functions.
  - 30. The system of claim 16, wherein the information includes registry information created during operation of the applications.

31. A system providing a secured desktop environment that allows users to run application software securely, the system comprising:
- a computer running under an operating system, said computer including application software for use by users; and
  
  a secured desktop environment comprising;
  
  a configurable policy specifying permitted operations of the application software and specifying permitted access to information created during operation of the application software;
  
  a hooks engine for intercepting particular calls to the operating system, thereby allowing the secured desktop environment to control operations of the application software and control access to information created during operation of the application software; and
  
  a module, operating in conjunction with said policy and said hooks engine, for encrypting the information created during operation of the application software, and for preventing any operation of the application software that is not permitted and any access to the information that is not permitted, wherein said module provides access to a decrypted copy of the information in response to receiving a request for access to the information that complies with the policy.
- View Dependent Claims (32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45)
- - 32. The system of claim 31, wherein the particular calls to the operating system include input/output (I/O) API (application programming interface) functions.
  - 33. The system of claim 32, wherein the I/O API functions include file services of the operating system.
  - 34. The system of claim 31, wherein the hooks engine operates in a manner that is transparent to the application software.
  - 35. The system of claim 31, further comprising:
    - displayable user feedback for indicating that the application software is running in a secured manner.
  - 36. The system of claim 35, wherein the user feedback includes distinctive computer desktop wallpaper.
  - 37. The system of claim 31, wherein the hooks engine operates in a manner that is transparent to users.
  - 38. The system of claim 31, wherein said information includes session information generated during operation of the application software.
  - 39. The system of claim 31, wherein the secured desktop environment operates within the operating system in a manner that allows users to easily switch back to an existing unsecured desktop environment of the operating system.
  - 40. The system of claim 31, wherein the secured desktop environment operates within user-space mode of the operating system, without requiring device drivers.
  - 41. The system of claim 31, wherein the policy specifies actions of the application software that are permitted and are not permitted.
  - 42. The system of claim 31, wherein the particular calls to the operating system include clipboard functions.
  - 43. The system of claim 31, wherein the information includes registry information created during operation of the application software.
  - 44. The system of claim 31, wherein said module for preventing includes:
    - an encryption module for preventing unauthorized access to the information.
  - 45. The system of claim 31, wherein said module for preventing includes:
    - a decryption module for providing access to the information that is permitted pursuant to the policy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Check Point Software Technologies Incorporated (Check Point Software Technologies Limited)
Original Assignee
Check Point Software Technologies Incorporated (Check Point Software Technologies Limited)
Inventors
Konanka, Dzmitry, Liahuski, Andrei
Primary Examiner(s)
Revak; Christopher A

Application Number

US11/163,343
Publication Number

US 20070101435A1
Time in Patent Office

1,684 Days
Field of Search

None
US Class Current

713/190
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 21/52   during program execution, e...

G06F 21/57   Certifying or maintaining t...

G06F 9/45558   Hypervisor-specific managem...

System and methodology providing secure workspace environment

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

104 Citations

45 Claims

Specification

Solutions

Use Cases

Quick Links

System and methodology providing secure workspace environment

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

104 Citations

45 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links