Automated provisioning of secure virtual execution environment using virtual machine templates based on source code origin

US 9,626,204 B1
Filed: 08/17/2015
Issued: 04/18/2017
Est. Priority Date: 05/28/2010
Status: Expired due to Fees

First Claim

Patent Images

1. A non-transitory computer readable storage medium storing one or more sequences of instructions, which when executed by one or more processors, causes:

in response to receiving a request to perform an action, instantiating an isolated environment without receiving an explicit user instruction to instantiate said isolated environment by performing;

identifying one or more templates from multiple pre-existing templates for use in instantiating said isolated environment based on a policy, wherein each of the multiple pre-existing templates describes isolated environment characteristics configured for different types of activity,wherein said policy additionally considers the provenance of executable code associated with said action in one or more of (a) identifying said one or more templates for use in instantiating said isolated environment or (b) determining whether to instantiate said isolated environment; and

after instantiating said isolated environment using said one or more templates, performing said action in said isolated environment.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Approaches for executing untrusted software on a client without compromising the client using micro-virtualization to execute untrusted software in isolated contexts. In response to receiving a request to perform an action, an isolated environment (such as but not limited to a virtual machine) is instantiated without receiving an explicit user instruction to do so. To instantiate the isolated environment, one or more templates for use in instantiating the isolated environment are identified using a policy. The one or more templates describe isolated environment characteristics for different types of activity. After the isolated environment has been instantiated using one or more identified templates, the action may be performed in the isolated environment.

168 Citations

21 Claims

1. A non-transitory computer readable storage medium storing one or more sequences of instructions, which when executed by one or more processors, causes:
- in response to receiving a request to perform an action, instantiating an isolated environment without receiving an explicit user instruction to instantiate said isolated environment by performing;
  
  identifying one or more templates from multiple pre-existing templates for use in instantiating said isolated environment based on a policy, wherein each of the multiple pre-existing templates describes isolated environment characteristics configured for different types of activity,wherein said policy additionally considers the provenance of executable code associated with said action in one or more of (a) identifying said one or more templates for use in instantiating said isolated environment or (b) determining whether to instantiate said isolated environment; and
  
  after instantiating said isolated environment using said one or more templates, performing said action in said isolated environment.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The non-transitory computer readable storage medium of claim 1, wherein execution of the one or more sequences of instructions further causes:
    - determining a particular set of hardware resources to make available to the isolated environment; and
      
      providing the isolated environment access to the particular set of hardware resources without providing access to any other hardware resources.
  - 3. The non-transitory computer readable storage medium of claim 1, wherein execution of the one or more sequences of instructions further causes:
    - determining a particular set of network resources to make available to the isolated environment; and
      
      providing the isolated environment access to the particular set of network resources without providing access to any other network resources.
  - 4. The non-transitory computer readable storage medium of claim 3, wherein said policy provides said isolated environment access to the particular set of network resources, and wherein said policy implements a network access policy for a plurality of isolated environments on a physical device.
  - 5. The non-transitory computer readable storage medium of claim 1, wherein said policy additionally considers user input accompanying the request in identifying said one or more templates for use in instantiating said isolated environment.
  - 6. The non-transitory computer readable storage medium of claim 1, wherein said policy additionally considers a reputation of data involved in performing said action in identifying said one or more templates for use in instantiating said isolated environment.
  - 7. The non-transitory computer readable storage medium of claim 1, wherein execution of the one or more sequences of instructions further causes:
    - monitoring the behavior of one or more processes executing in the isolated environment; and
      
      customizing at least one of the one or more templates based on the behavior of the one or more processes in the isolated environment.
  - 8. The non-transitory computer readable storage medium of claim 1, wherein execution of the one or more sequences of instructions further causes:
    - monitoring the behavior of one or more processes executing in the isolated environment; and
      
      updating the policy based on the behavior of the one or more processes in the isolated environment.
  - 9. The non-transitory computer readable storage medium of claim 1, wherein said isolated environment is instantiated on the same physical machine as said one or more processors.
  - 10. The non-transitory computer readable storage medium of claim 1, wherein said isolated environment is instantiated on a different physical machine than said one or more processors.

11. An apparatus, comprising:
- one or more processors; and
  
  one or more non-transitory computer-readable storage storing one or more sequences of instructions, which when executed by said one or more processors;
  
  cause;
  
  in response to receiving a request to perform an action, instantiating an isolated environment without receiving an explicit user instruction to instantiate said isolated environment by performing;
  
  identifying one or more templates from multiple pre-existing templates for use in instantiating said isolated environment based on a policy, wherein each of the multiple pre-existing templates describes isolated environment characteristics configured for different types of activity,wherein said policy additionally considers the provenance of executable code associated with said action in one or more of (a) identifying said one or more templates for use in instantiating said isolated environment or (b) determining whether to instantiate said isolated environment; and
  
  after instantiating said isolated environment using said one or more templates, performing said action in said isolated environment.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The apparatus of claim 11, wherein execution of the one or more sequences of instructions further causes:
    - determining a particular set of hardware resources to make available to the isolated environment; and
      
      providing the isolated environment access to the particular set of hardware resources without providing access to any other hardware resources.
  - 13. The apparatus of claim 11, wherein execution of the one or more sequences of instructions further causes:
    - determining a particular set of network resources to make available to the isolated environment; and
      
      providing the isolated environment access to the particular set of network resources without providing access to any other network resources.
  - 14. The apparatus of claim 13, wherein said policy provides said isolated environment access to the particular set of network resources, and wherein said policy implements a network access policy for a plurality of isolated environments on a physical device.
  - 15. The apparatus of claim 11, wherein said policy additionally considers user input accompanying the request in identifying said one or more templates for use in instantiating said isolated environment.
  - 16. The apparatus of claim 11, wherein said policy additionally considers a reputation of data involved in performing said action in identifying said one or more templates for use in instantiating said isolated environment.
  - 17. The apparatus of claim 11, wherein execution of the one or more sequences of instructions further causes:
    - monitoring the behavior of one or more processes executing in the isolated environment; and
      
      customizing at least one of the one or more templates based on the behavior of the one or more processes in the isolated environment.
  - 18. The apparatus of claim 11, wherein execution of the one or more sequences of instructions further causes:
    - monitoring the behavior of one or more processes executing in the isolated environment; and
      
      updating the policy based on the behavior of the one or more processes in the isolated environment.
  - 19. The apparatus of claim 11, wherein said isolated environment is instantiated on the same physical machine as said one or more processors.
  - 20. The apparatus of claim 11, wherein said isolated environment is instantiated on a different physical machine than said one or more processors.

21. A method, comprising:
- in response to receiving a request to perform an action, instantiating an isolated without receiving an explicit user instruction to instantiate said isolated environment by performing;
  
  identifying one or more templates from multiple pre-existing templates for use in instantiating said isolated environment based on a policy, wherein each of the multiple pre-existing templates describes isolated environment characteristics configured for different types of activity,wherein said policy additionally considers the provenance of executable code associated with said action in one or more of (a) identifying said one or more templates for use in instantiating said isolated environment or (b) determining whether to instantiate said isolated environment; and
  
  after instantiating said isolated environment using said one or more templates, performing said action in said isolated environment.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Original Assignee
Bromium (HP Inc.)
Inventors
Banga, Gaurav, Bondalapati, Kiran, Pratt, Ian, Kapoor, Vikram
Primary Examiner(s)
WU, BENJAMIN C

Application Number

US14/828,267
Time in Patent Office

610 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 2009/45562   Creating, deleting, cloning...

G06F 2009/45587   Isolation or security of vi...

G06F 21/00   Security arrangements for p...

G06F 21/53   by executing in a restricte...

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/577   Assessing vulnerabilities a...

G06F 2209/5018   Thread allocation

G06F 9/455   Emulation; Interpretation; ...

G06F 9/45533   Hypervisors; Virtual machin...

G06F 9/45545   Guest-host, i.e. hypervisor...

G06F 9/45558   Hypervisor-specific managem...

G06F 9/5027   the resource being a machin...

G06F 9/5077   Logical partitioning of res...

H04L 63/20   for managing network securi...

Automated provisioning of secure virtual execution environment using virtual machine templates based on source code origin

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

168 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Automated provisioning of secure virtual execution environment using virtual machine templates based on source code origin

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

168 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links