Methods and apparatus for application isolation
Abstract
Processor(s) for detecting malicious software. A hardware virtual machine monitor (HVMM) operates under a host OS. Container(s) initialized with network application template(s) operate under a guest OS VM. A detection module operating under the guest OS VM includes a trigger detection module, a logging module and a container command module. The trigger detection module monitors activity on container(s) for a trigger event. The logging module writes activity report(s) in response to trigger event(s). The container command module issues command(s) in response to trigger event(s). The command(s) include container start, stop and revert commands. A virtual machine control console operates under the host OS and starts/stops the HVMM. A container control module operates under the guest OS VM and controls container(s) in response to the command(s). A server communication module sends activity report(s) to a central collection network appliance that maintains a repository of activities for infected devices.
84 Citations
17 Claims
1. An apparatus, comprising:

a memory including a shared persistent directory; and a hardware processor configured to execute a virtualization module at least partially stored in the memory, the hardware processor configured to execute the virtualization module under control of a host operating system, the virtualization module configured to provide a first layer of network application isolation, the hardware processor configured to execute one or more virtual environments, each virtual environment from the one or more virtual environments configured to operate in a protected memory space, the one or more virtual environments configured to operate under control of a guest operating system operating within the virtualization module, each virtual environment from the one or more virtual environments configured to provide a second layer of network application isolation operating within the first layer of network application isolation, each virtual environment from the one or more virtual environments is associated with at least one network application, the virtualization module configured to provide isolation between the host operating system and the second layer of network application isolation, the shared persistent directory configured to operate within the first layer of network application isolation, each virtual environment from the one or more virtual environments configured to store information associated with the at least one network application associated with that virtual environment from the one or more virtual environments in the shared persistent directory, access to data associated with the host operating system by each virtual environment from the one or more virtual environments is restricted to the shared persistent directory.

2. The apparatus of claim 1, wherein each virtual environment from the one or more virtual environments is initiated by the first layer of network application isolation.

3. The apparatus of claim 1, wherein the guest operating system is a first type operating system and the host operating system is a second type operating system different from the first type operating system.

4. The apparatus of claim 1, wherein at least one of the one or more virtual environments resides on a rewritable external storage medium.

5. The apparatus of claim 1, wherein the virtualization module is configured to discard the protected memory space associated with a virtual environment from the one or more virtual environments after the virtual environment is released by the at least one network application associated with the virtual environment.

6. The apparatus of claim 1, wherein each virtual environment from the one or more virtual environments is inaccessible by the remaining virtual environments from the one or more virtual environments.

7. The apparatus of claim 1, wherein the one or more virtual environments includes a plurality of virtual environments.

8. The apparatus of claim 1, wherein the one or more virtual environments is configured to be executed within the guest operating system.

9. The apparatus of claim 1, wherein the first layer of network application isolation is a first type of network application isolation and the second layer of network application isolation is a second type of network application isolation different from the first layer of network application isolation.

10. The apparatus of claim 1, wherein the first layer of network application isolation is hardware level virtualization, the second layer of network application isolation is operating system level virtualization.

11. The apparatus of claim 1, wherein the one or more virtual environments includes a first virtual environment and a second virtual environment, the first virtual environment configured to isolate a network application executing within the first virtual environment from a network application executing within the second virtual environment.

12. The apparatus of claim 1, wherein the virtualization module is configured to isolate from the host operating system the at least one network application associated with a virtual environment from the one or more virtual environments.

13. A system, comprising:

a memory; and a hardware processor configured to execute a trigger detection module at least partially stored in the memory, the trigger detection module configured to detect at least one unauthorized activity in a virtual environment (1) associated with a network application, and (2) configured to provide a first layer of network application isolation that operates under control of a guest operating system operating within a second layer of network application isolation, the at least one unauthorized activity includes at least one of, at least one unauthorized change to a non-modifiable section of the virtual environment, at least one registry write, at least one start of a new process, at least one corruption to an existing process, at least one web site visited, at least one redirected Uniform Resource Locator (URL), at least one infection detail, at least one event timeline, at least one network connection, at least one file system write, or at least one configuration change, the trigger detection module configured to operate under control of a host operating system, the hardware processor configured to execute a logging module, the trigger detection module configured to send a message to the logging module reporting the at least one unauthorized activity, the hardware processor configured to send, to a central collection network appliance and over a network, information associated with the at least one unauthorized activity such that the central collection network appliance (1) maintains a repository of the information associated with the at least one unauthorized activity, (2) analyzes the information associated with the at least one unauthorized activity to determine at least one event that triggered the at least one unauthorized activity, and (3) transmits the information associated with the at least one unauthorized activity to at least one network traffic appliance.

14. The system of claim 13, wherein the trigger detection module is configured to gather the information associated with the at least one unauthorized activity, before sending the message.

15. The system of claim 13, wherein the logging module is configured to record at least one change due to the at least one unauthorized activity.

16. The system of claim 13, wherein the second layer of network application isolation is provided by a virtual machine monitor.

17. The system of claim 13, wherein the at least one unauthorized activity includes the at least one unauthorized change to the non-modifiable section of the virtual environment.
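The pipeline that the abstract and claims 1, 5 and 13 describe (trigger detection module, logging module, container command and control modules, server communication to a central collection appliance) can be simulated end to end. The following Python is an added illustration written for this page; it is not code from the patent, its assignee, or any product implementing it. Every name in it is hypothetical, the path `/shared` standing in for the shared persistent directory is an assumption, the policy (which events count as unauthorized) is one reasonable reading of the claim 13 list rather than the patent's own, and the event stream is constructed sample data.

```python
# Added simulation of the two-layer isolation + detection pipeline (hypothetical code).
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SHARED_PERSISTENT_DIR = "/shared"  # assumed path of the shared persistent directory (claim 1)


@dataclass
class Event:
    """One observed action inside a container (constructed sample data below)."""
    t: int          # seconds since the container was started
    container: str
    kind: str       # activity kinds follow the list in claim 13
    target: str


@dataclass
class Container:
    """A container initialised from a network application template (abstract, claim 1)."""
    name: str
    template: str
    non_modifiable: List[str]      # path prefixes the template marks read-only
    expected_processes: List[str]  # processes the template is allowed to spawn
    state: str = "running"
    timeline: List[Event] = field(default_factory=list)


def detect_trigger(c: Container, ev: Event) -> Optional[str]:
    """Trigger detection module: return a reason if `ev` is unauthorized, else None."""
    c.timeline.append(ev)  # the event timeline is part of the later report
    if ev.kind == "filesystem_write":
        if any(ev.target.startswith(p) for p in c.non_modifiable):
            return "unauthorized change to non-modifiable section"
        if not ev.target.startswith(SHARED_PERSISTENT_DIR + "/"):
            return "file system write outside the shared persistent directory"
    elif ev.kind == "registry_write":
        return "registry write"
    elif ev.kind == "process_start" and ev.target not in c.expected_processes:
        return "start of a new process not in template"
    elif ev.kind == "url_redirect":
        return "redirected URL"
    return None  # site visits, connections and in-policy writes are only recorded


def build_report(c: Container, ev: Event, reason: str) -> Dict:
    """Logging module: activity report carrying infection detail and the event timeline."""
    return {
        "container": c.name, "template": c.template, "reason": reason,
        "trigger": {"t": ev.t, "kind": ev.kind, "target": ev.target},
        "timeline": [{"t": e.t, "kind": e.kind, "target": e.target} for e in c.timeline],
    }


def apply_command(c: Container, cmd: str) -> None:
    """Container control module (guest OS side): apply a start/stop/revert command."""
    if cmd == "revert":
        c.state = "reverted"   # protected memory space discarded, template restored (claim 5)
        c.timeline = []
    elif cmd == "stop":
        c.state = "stopped"
    elif cmd == "start":
        c.state = "running"


class CentralCollectionAppliance:
    """Keeps the repository of reports and finds the event that led to each trigger (claim 13)."""
    def __init__(self) -> None:
        self.repository: List[Dict] = []

    def receive(self, report: Dict) -> Dict:
        self.repository.append(report)
        return self.analyze(report)

    @staticmethod
    def analyze(report: Dict) -> Dict:
        # Origin heuristic: the most recent web visit or connection before the trigger.
        origin = None
        for e in report["timeline"]:
            if e["kind"] in ("site_visit", "network_connection") and e["t"] <= report["trigger"]["t"]:
                origin = e
        return {"container": report["container"], "origin": origin, "trigger": report["trigger"]}


def run_detection(c: Container, events: List[Event], appliance: CentralCollectionAppliance) -> List[Dict]:
    """Feed events through detect -> log -> command -> send; return the appliance's analyses."""
    findings = []
    for ev in events:
        if c.state != "running":
            break  # the container was reverted; later events never ran in it
        reason = detect_trigger(c, ev)
        if reason is None:
            continue
        report = build_report(c, ev, reason)
        apply_command(c, "revert")  # container command module: every trigger reverts here
        findings.append(appliance.receive(report))
    return findings


# Constructed sample: a browser container visits a page and a drive-by tries to persist.
SAMPLE_EVENTS = [
    Event(1, "browser-1", "process_start", "browser"),
    Event(2, "browser-1", "site_visit", "http://example.test/page"),
    Event(3, "browser-1", "filesystem_write", "/shared/downloads/report.pdf"),
    Event(4, "browser-1", "filesystem_write", "/windows/system32/drivers/evil.sys"),
    Event(5, "browser-1", "registry_write", "HKCU\\Software\\Example\\Run"),
]


def demo():
    c = Container("browser-1", "browser", non_modifiable=["/windows/"], expected_processes=["browser"])
    return run_detection(c, SAMPLE_EVENTS, CentralCollectionAppliance()), c


if __name__ == "__main__":
    findings, container = demo()
    print(container.state, findings)
```

Running the sample yields one finding: the write at t=4 into the read-only template area trips the trigger, the report carries the full timeline, the container is reverted before the registry write at t=5 can occur, and the appliance's analysis names the page visit at t=2 as the originating event. The write at t=3 into `/shared` is allowed, which is the point of claim 1's restriction: the only host-visible data a container may touch is the shared persistent directory.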
Specification