Seamless management of untrusted data using virtual machines

US 9,148,428 B1
Filed: 03/13/2012
Issued: 09/29/2015
Est. Priority Date: 05/25/2011
Status: Active Grant

First Claim

Patent Images

1. One or more non-transitory computer-readable storage mediums storing one or more sequences of instructions for managing potentially malicious files using virtual machines, which when executed by one or more processors, cause:

in response to receiving a request to perform an action on a file, a client applying a policy to determine whether the action is deemed trustworthy; and

the client instantiating, without human intervention and based on the policy, a virtual machine in which the action is to be performed against the file,wherein the policy determines which hardware resources of the client and which software resources of the client, other than said file, are accessible to the virtual machine.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Approaches for managing potentially malicious files using one or more virtual machines. In response to receiving a request to perform an action on a file, a client applies a policy to determine whether the action is deemed trustworthy. The client identifies, without human intervention, a virtual machine, executing or to be executed on the client, in which the action is to be performed based on whether the action is deemed trustworthy. In this way, embodiments allow a user to make use of data deemed untrusted in certain cases without allowing the untrusted data from having unfettered access to the resources of the client. If the requested action is performed in a different virtual machine from which the action was requested, embodiments enable the performance of the action to be performed seamlessly to the user.

115 Citations

View as Search Results

30 Claims

1. One or more non-transitory computer-readable storage mediums storing one or more sequences of instructions for managing potentially malicious files using virtual machines, which when executed by one or more processors, cause:
- in response to receiving a request to perform an action on a file, a client applying a policy to determine whether the action is deemed trustworthy; and
  
  the client instantiating, without human intervention and based on the policy, a virtual machine in which the action is to be performed against the file,wherein the policy determines which hardware resources of the client and which software resources of the client, other than said file, are accessible to the virtual machine.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 28)
- - 2. The one or more non-transitory computer-readable storage mediums of claim 1, wherein execution of the one or more sequences of instructions further cause:
    - upon determining that the action is deemed untrustworthy, performing a responsive action, wherein the responsive action includes one or more of;
      
      disallowing access to the file, adding an entry describing characteristics of the untrustworthy action to an audit log to facilitate future analysis, andissuing an alert to an authority to request permission to access the file.
  - 3. The one or more non-transitory computer-readable storage mediums of claim 1, wherein the policy indicates that if the file originates from an untrusted domain, then the action is deemed untrustworthy.
  - 4. The one or more non-transitory computer-readable storage mediums of claim 1, wherein the policy indicates that if the action is to be performed by a mime-type handler associated with the file, then the action is deemed untrustworthy.
  - 5. The one or more non-transitory computer-readable storage mediums of claim 1, wherein the policy indicates that if the action involves a process that previously interpreted an untrustworthy file, then the action is deemed untrustworthy.
  - 6. The one or more non-transitory computer-readable storage mediums of claim 1, wherein the policy indicates that if the action involves an entirety of the file being interpreted, then the action is deemed untrustworthy.
  - 7. The one or more non-transitory computer-readable storage mediums of claim 1, wherein execution of the one or more sequences of instructions further causes:
    - upon determining that the action is deemed untrustworthy, storing data indicating that the file is untrustworthy.
  - 8. The one or more non-transitory computer-readable storage mediums of claim 1, wherein execution of the one or more sequences of instructions further causes:
    - detecting, without human intervention, an attempt to interpret the contents of the file.
  - 9. The one or more non-transitory computer-readable storage mediums of claim 1, wherein the policy indicates that if the action involves a portion of the file being interpreted, then the action is deemed trustworthy.
  - 10. The one or more non-transitory computer-readable storage mediums of claim 9, wherein the portion is a header of the file, a specified portion of the total number of bytes of the file, or a specified portion of the total number of blocks of the file.
  - 11. The one or more non-transitory computer-readable storage mediums of claim 1, wherein said virtual machine is a first virtual machine, wherein the action originated in a second virtual machine, and wherein the policy specifies that the action is to be performed in a different virtual machine other than said second virtual machine.
  - 12. The one or more non-transitory computer-readable storage mediums of claim 11, wherein a user is informed by the client that the action is performed but not informed by the client that the action is performed in the different virtual machine.
  - 13. The one or more non-transitory computer-readable storage mediums of claim 1, wherein execution of the one or more sequences of instructions further causes:
    - upon determining that the action is deemed untrustworthy, storing data indicating that a process associated with the action is untrustworthy.
  - 14. The one or more non-transitory computer-readable storage mediums of claim 1, wherein the policy indicates that if the action involves a process that has communicated with untrusted data or an untrusted network over the Internet, then the action is deemed untrustworthy.
  - 15. The one or more non-transitory computer-readable storage mediums of claim 1, wherein the policy indicates that if the file is located in a particular location, then the file or action is deemed untrustworthy.
  - 16. The one or more non-transitory computer-readable storage mediums of claim 1, wherein the policy specifies that actions initiated by a user are deemed trustworthy, and wherein the policy specifies that actions not associated with user-initiated action are deemed untrustworthy.
  - 17. The one or more non-transitory computer-readable storage mediums of claim 1, wherein the policy specifies that if the file is created by a process in a set of identified processes, then the action is deemed untrustworthy.
  - 18. The one or more non-transitory computer-readable storage mediums of claim 1, wherein the policy specifies that if the file is created by a process in a set of identified processes, then the action is deemed trustworthy.
  - 19. The one or more non-transitory computer-readable storage mediums of claim 1, wherein the policy specifies a preferred API level to interact with the file, and wherein if the action arises from any API level other than the preferred API level, then the action is deemed untrustworthy.
  - 20. The one or more non-transitory computer-readable storage mediums of claim 19, wherein the preferred API level is one of a number of API levels comprising an Explorer Shell Interface API level, a Win32 API level API, and a Kernel API level.
  - 21. The one or more non-transitory computer-readable storage mediums of claim 1, wherein execution of the one or more sequences of instructions further causes:
    - providing notification, to a user, that the action is deemed untrustworthy; and
      
      in response to receiving user input which indicates that the untrustworthy action is to be performed in the same virtual machine in which the action arose, performing said action against said file in said virtual machine.
  - 22. The one or more non-transitory computer-readable storage mediums of claim 1, wherein execution of the one or more sequences of instructions further causes:
    - the client denying the performance of the action upon determining that the policy indicates that the file is a member of a protected set of files and the action is a member of a prohibited set of actions.
  - 23. The one or more non-transitory computer-readable storage mediums of claim 1, wherein said policy is a first policy, and wherein execution of the one or more sequences of instructions further causes:
    - in response to determining that the file or action is deemed untrustworthy using a second policy, consulting a third policy to identify a responsive action to perform.
  - 24. The one or more non-transitory computer-readable storage mediums of claim 1, wherein the instantiation of the virtual machine does not require booting of the virtual machine.
  - 25. The one or more non-transitory computer-readable storage mediums of claim 1, wherein each file in said set of files deemed untrustworthy is opened in a separate virtual machine by said client based on said policy.
  - 28. The one or more non-transitory computer-readable storage mediums of claim 1, wherein the resources of the client that are accessible to the virtual machine are those resources necessary to view or edit the file.

26. One or more non-transitory computer-readable storage mediums storing one or more sequences of instructions for managing potentially malicious files using virtual machines, which when executed by one or more processors, cause:
- in response to receiving a request to perform an action on a file, a client applying a policy to determine whether the action is deemed trustworthy;
  
  the client instantiating, without human intervention and based on the policy, a virtual machine in which the action is to be performed against the file,wherein the policy determines which resources of the client are accessible to the virtual machine;
  
  creating a name space entity for the file that is separate from the file; and
  
  in response to receiving an access request for the file through a particular API level, processing the access request by providing the name space entity to the requestor rather than the file.

27. One or more non-transitory computer-readable storage mediums storing one or more sequences of instructions for managing potentially malicious files using virtual machines, which when executed by one or more processors, cause:
- in response to receiving a request to perform an action on a file, a client applying a policy to determine whether the action is deemed trustworthy;
  
  the client instantiating, without human intervention and based on the policy, a virtual machine in which the action is to be performed against the file,wherein the policy determines which resources of the client are accessible to the virtual machine,wherein said file is in a set of files deemed untrustworthy;
  
  encrypting said set of files deemed to be untrustworthy; and
  
  preventing any of the set of files deemed to be untrustworthy from being decrypted unless the set of files are decrypted within said virtual machine instantiated for that purpose.

29. A client, comprising:
- one or more processors;
  
  one or more non-transitory storage mediums storing one or more sequences of instructions for managing potentially malicious files using virtual machines, which when executed by the one or more processors, causes;
  
  in response to receiving a request to perform an action on a file, a client applying a policy to determine whether the action is deemed trustworthy; and
  
  the client instantiating, without human intervention and based on the policy, a virtual machine in which the action is to be performed against the file,wherein the policy determines which hardware resources of the client and which software resources of the client, other than said file, are accessible to the virtual machine.

30. A method for managing potentially malicious files using virtual machines, comprising:
- in response to receiving a request to perform an action on a file, a client applying a policy to determine whether the action is deemed trustworthy; and
  
  the client instantiating, without human intervention and based on the policy, a virtual machine in which the action is to be performed against the file,wherein the policy determines which hardware resources of the client and which software resources of the client, other than said file, are accessible to the virtual machine.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Original Assignee
Bromium (HP Inc.)
Inventors
Banga, Gaurav, Pratt, Ian, Kapoor, Vikram, Crosby, Simon, Vorobiev, Sergei, Khajura, Deepak
Primary Examiner(s)
Lewis, Lisa

Application Number

US13/419,345
Time in Patent Office

1,295 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 15/76   Architectures of general pu...

G06F 2009/45587   Isolation or security of vi...

G06F 21/6218   to a system of files or obj...

G06F 2209/5018   Thread allocation

G06F 9/3891   organised in groups of unit...

G06F 9/455   Emulation; Interpretation; ...

G06F 9/45558   Hypervisor-specific managem...

G06F 9/5027   the resource being a machin...

G06F 9/5077   Logical partitioning of res...

H04L 63/10   for controlling access to d...

H04L 63/105   Multiple levels of security

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/20   for managing network securi...

H04L 67/01   Protocols

Seamless management of untrusted data using virtual machines

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

115 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Seamless management of untrusted data using virtual machines

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

115 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links