System and methods providing secure workspace sessions

US 8,769,268 B2
Filed: 07/20/2007
Issued: 07/01/2014
Est. Priority Date: 07/20/2007
Status: Active Grant

First Claim

Patent Images

1. In a computer system operating under control of an operating system having a graphical user interface providing support for displaying one workspace session at a time, a method for providing a logged-in user a simultaneously displayed second workspace session for securely running applications, the method comprising:

displaying in the graphical user interface of the operating system a first workspace session of the computer system for a currently logged-in user, said first workspace session having a first set of privileges for miming applications under said first workspace session;

while said first workspace session remains active and displayed in the graphical user interface of the operating system, simultaneously displaying in the graphical user interface a second workspace session of the computer system for the currently logged-in user, the second workspace session having a second set of privileges for miming applications under the second workspace session and using a virtual file system and registry that is stored in encrypted form on a file system hosted by the operating system; and

securing said second workspace session so thatapplications running under the second workspace session are protected from applications running on the operating system that are outside the second workspace session,further securing the second workspace session by deleting the virtual file system and registry used by the second workspace session upon termination of the second workspace session,further securing the second workspace session by restricting access to peripheral devices from the second workspace session, so as to secure data created during the second workspace session,further securing the second workspace session by applying one set of firewall rules to applications running in the first workspace session and a second set of firewall rules to applications running in the second workspace session.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

System and methods providing secure workspace sessions is described. In one embodiment a method for providing multiple workspace sessions for securely running applications comprises steps of: initiating a first workspace session on an existing operating system instance running on the computer system, the first workspace session having a first set of privileges for running applications under that session; while the first workspace session remains active, initiating a second workspace session on the existing operating system instance running on the computer system, the second workspace session having a second set of privileges for running applications under the second workplace session; and securing the second workspace session so that applications running under the second workplace session are protected from applications running outside the second workspace session.

51 Citations

View as Search Results

32 Claims

1. In a computer system operating under control of an operating system having a graphical user interface providing support for displaying one workspace session at a time, a method for providing a logged-in user a simultaneously displayed second workspace session for securely running applications, the method comprising:
- displaying in the graphical user interface of the operating system a first workspace session of the computer system for a currently logged-in user, said first workspace session having a first set of privileges for miming applications under said first workspace session;
  
  while said first workspace session remains active and displayed in the graphical user interface of the operating system, simultaneously displaying in the graphical user interface a second workspace session of the computer system for the currently logged-in user, the second workspace session having a second set of privileges for miming applications under the second workspace session and using a virtual file system and registry that is stored in encrypted form on a file system hosted by the operating system; and
  
  securing said second workspace session so thatapplications running under the second workspace session are protected from applications running on the operating system that are outside the second workspace session,further securing the second workspace session by deleting the virtual file system and registry used by the second workspace session upon termination of the second workspace session,further securing the second workspace session by restricting access to peripheral devices from the second workspace session, so as to secure data created during the second workspace session,further securing the second workspace session by applying one set of firewall rules to applications running in the first workspace session and a second set of firewall rules to applications running in the second workspace session.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, further comprising:
    - while said first and second sessions remain active, initiating one or more subsequent workspace sessions on the existing operating system instance miming on the computer system, each said subsequent workspace session having a particular set of privileges for running applications under that session and secured so that applications running under that workspace session are protected from applications miming outside that workspace sessions.
  - 3. The method of claim 1, wherein the privileges comprise security rules applicable to applications running on the computer system.
  - 4. The method of claim 3, wherein the security rules include whether an application is authorized to access the Internet.
  - 5. The method of claim 1, wherein said step of initiating the second workspace session includes generating a separate window for the second workspace session for separately displaying applications running in the second workspace session.
  - 6. The method of claim 5, wherein generating a separate window includes displaying user feedback indicating that the applications running in the second workspace sessions are running in a secure manner.
  - 7. The method of claim 5, wherein the separate window is displayed in a manner that allows users to easily switch between the first workspace session and the second workspace session.
  - 8. The method of claim 1, wherein said step of securing the second workspace session includes hooking particular functions of the operating system instance in order to regulate access to information created during the second workspace session.
  - 9. The method of claim 1, further comprising:
    - storing all temporary data created during the second workspace session in encrypted form in the virtual file system.
  - 10. The method of claim 9, further comprising:
    - discarding all temporary data created during the second workspace session when the second workspace session terminates.
  - 11. The method of claim 1, further comprising:
    - storing all registry changes made during the second workspace session in encrypted form in the virtual registry.
  - 12. The method of claim 11, further comprising:
    - discarding all registry changes created during the second workspace session when the second workspace session terminates.
  - 13. The method of claim 1, further comprising:
    - creating a log file for all actions taken by applications running in the second workspace session.
  - 14. The method of claim 1, further comprising:
    - setting up a virtual private connection to a remote site inside the second workspace session for purposes of providing a secure connection to the remote site.
  - 15. A non-transitory computer-readable medium having processor-executable instructions for performing the method of claim 1.

16. A computer system that adds support to an existing operating system to allow a user to run software programs in a plurality of simultaneously deployed workspace sessions subject to separate security rules of a security policy, the system comprising:
- a computer running under an operating system having a graphical user interface initially capable of displaying only a single workspace session at a time;
  
  a plurality of software programs for use by users of the computer;
  
  a configurable security policy specifying security rules applicable to the software programs;
  
  a session manager adding support to the operating system to simultaneously display in the graphical user interface first and second workspace sessions of the computer system for a currently logged-in user, with each of said sessions subject to separate security rules of the security policy and isolated from other workspace sessions, thereby allowing selected software programs to run in a secure manner in a separate and simultaneously displayed workspace session that is subject to separate security rules; and
  
  a file system processing engine providing each session a virtual file system stored in encrypted form on a file system hosted by the operating system, and a registry processing engine providing each session a virtual registry stored in encrypted form on the file system hosted by the operating system, wherein each session'"'"'s virtual file system and virtual registry are deleted once that session terminates;
  
  wherein the security policy includes peripheral device access rules that restrict access to peripheral devices from the second workspace session, andwherein the security policy includes firewall rules, so as to apply separate firewall rules to software programs running in different workspace sessions.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32)
- - 17. The system of claim 16, wherein the security policy includes security rules specifying whether a software program is authorized to access the Internet.
  - 18. The system of claim 16, wherein the security policy includes security rules specifying actions of a software program that are permitted and are not permitted.
  - 19. The system of claim 16, wherein the security policy specifies certain banned programs that are not permitted to run in a particular workspace session, so as to secure software programs running in the particular workspace session.
  - 20. The system of claim 19, wherein said banned programs include selected ones of spyware software, computer virus software, instant messaging software, peer-to-peer (P2P) software and web browser software.
  - 21. The system of claim 16, wherein the session manager hooks particular functions of the operating system in creating a particular workspace session in order to regulate access to information created during the particular workspace session.
  - 22. The system of claim 16, wherein the session manager generates a separate window for each workspace session for separately displaying software programs running in each session.
  - 23. The system of claim 16, wherein the session manager sets up a virtual private connection to a remote site inside a particular workspace session for purposes of providing a secure connection to the remote site for software programs running in the particular workspace session.
  - 24. The system of claim 16, wherein said module for enforcing creates a log file for actions taken during a particular workspace session so as to enable an administrator to review said actions.
  - 25. The system of claim 16, wherein all temporary data created during a particular workspace session is stored in the session'"'"'s virtual file system.
  - 26. The system of claim 25, wherein said temporary data created during the particular session is destroyed when the particular session terminates.
  - 27. The system of claim 16, wherein all data created during a particular workspace session is automatically encrypted when stored in the session'"'"'s virtual file system.
  - 28. The system of claim 16, wherein said module for enforcing controls inter-process communication between individual software programs.
  - 29. The system of claim 28, wherein said module for enforcing blocks any inter-process communication that would violate the security policy.
  - 30. The system of claim 16, wherein each of said plurality of workspace sessions is used for particular purposes.
  - 31. The system of claim 30, wherein said particular purposes include selected ones of browsing the Internet, browsing an Intranet, reading confidential documents, securely connecting to a remote site, miming business applications, running personal applications, and evaluating software.
  - 32. The system of claim 16, wherein each said workspace session comprises a separate operating system session so as effectively isolate software programs miming in said session from programs running in other workspace sessions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Check Point Software Technologies Incorporated (Check Point Software Technologies Limited)
Original Assignee
Check Point Software Technologies Incorporated (Check Point Software Technologies Limited)
Inventors
Morozov, Artiom, Konanka, Dzmitry
Primary Examiner(s)
Lagor, Alexander

Application Number

US11/781,057
Publication Number

US 20100024036A1
Time in Patent Office

2,538 Days
Field of Search
US Class Current

713/164
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/71   to assure secure computing ...

G06F 21/74   operating in dual or compar...

System and methods providing secure workspace sessions

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

51 Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

System and methods providing secure workspace sessions

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

51 Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links