Seamless management of untrusted data using isolated environments

US 9,923,926 B1
Filed: 09/24/2015
Issued: 03/20/2018
Est. Priority Date: 03/13/2012
Status: Active Grant

First Claim

Patent Images

1. One or more non-transitory computer-readable storage mediums storing one or more sequences of instructions for managing potentially malicious files using isolated environments, which when executed by one or more processors, cause:

in response to receiving a request to perform an action on a file, a client applying a policy to determine whether the action is deemed trustworthy; and

the client instantiating, without human intervention and based on the policy, an isolated environment in which the action is to be performed against the file,wherein the policy determines which resources of the client, other than the file or a resource required to provide access to the file, are accessible to the isolated environment, upon instantiation of the isolated environment, based on the request to perform an action on the file.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Approaches for managing potentially malicious files using one or more isolated environments. In response to receiving a request to perform an action on a file, a client applies a policy to determine whether the action is deemed trustworthy. The client identifies, without human intervention, an isolated environment, executing or to be executed on the client, in which the action is to be performed based on whether the action is deemed trustworthy. In this way, embodiments allow a user to make use of data deemed untrusted in certain cases without allowing the untrusted data from having unfettered access to the resources of the client. If the requested action is performed in a different isolated environment from which the action was requested, embodiments enable the performance of the action to be performed seamlessly to the user.

112 Citations

31 Claims

1. One or more non-transitory computer-readable storage mediums storing one or more sequences of instructions for managing potentially malicious files using isolated environments, which when executed by one or more processors, cause:
- in response to receiving a request to perform an action on a file, a client applying a policy to determine whether the action is deemed trustworthy; and
  
  the client instantiating, without human intervention and based on the policy, an isolated environment in which the action is to be performed against the file,wherein the policy determines which resources of the client, other than the file or a resource required to provide access to the file, are accessible to the isolated environment, upon instantiation of the isolated environment, based on the request to perform an action on the file.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 2. The one or more non-transitory computer-readable storage mediums of claim 1, wherein execution of the one or more sequences of instructions further cause:
    - upon determining that the action is deemed untrustworthy, performing a responsive action, wherein the responsive action includes one or more of;
      
      disallowing access to the file, adding an entry describing characteristics of the untrustworthy action to an audit log to facilitate future analysis, and issuing an alert to an authority to request permission to access the file.
  - 3. The one or more non-transitory computer-readable storage mediums of claim 1, wherein the policy indicates that if the file originates from an untrusted domain, then the action is deemed untrustworthy.
  - 4. The one or more non-transitory computer-readable storage mediums of claim 1, wherein the policy indicates that if the action is to be performed by a mime-type handler associated with the file, then the action is deemed untrustworthy.
  - 5. The one or more non-transitory computer-readable storage mediums of claim 1, wherein the policy indicates that if the action involves a process that previously interpreted an untrustworthy file, then the action is deemed untrustworthy.
  - 6. The one or more non-transitory computer-readable storage mediums of claim 1, wherein the policy indicates that if the action involves an entirety of the file being interpreted, then the action is deemed untrustworthy.
  - 7. The one or more non-transitory computer-readable storage mediums of claim 1, wherein execution of the one or more sequences of instructions further causes:
    - upon determining that the action is deemed untrustworthy, storing data indicating that the file is untrustworthy.
  - 8. The one or more non-transitory computer-readable storage mediums of claim 1, wherein execution of the one or more sequences of instructions further causes:
    - detecting, without human intervention, an attempt to interpret the contents of the file.
  - 9. The one or more non-transitory computer-readable storage mediums of claim 1, wherein the policy indicates that if the action involves a portion of the file being interpreted, then the action is deemed trustworthy.
  - 10. The one or more non-transitory computer-readable storage mediums of claim 9, wherein the portion is a header of the file, a specified portion of the total number of bytes of the file, or a specified portion of the total number of blocks of the file.
  - 11. The one or more non-transitory computer-readable storage mediums of claim 1, wherein the isolated environment is a first isolated environment, wherein the action originated in a second isolated environment, and wherein the policy specifies that the action is to be performed in a different isolated environment other than the second isolated environment.
  - 12. The one or more non-transitory computer-readable storage mediums of claim 11, wherein a user is informed by the client that the action is performed but not informed by the client that the action is performed in a different isolated environment than the first isolated environment or the second isolated environment.
  - 13. The one or more non-transitory computer-readable storage mediums of claim 1, wherein execution of the one or more sequences of instructions further causes:
    - upon determining that the action is deemed untrustworthy, storing data indicating that a process associated with the action is untrustworthy.
  - 14. The one or more non-transitory computer-readable storage mediums of claim 1, wherein the policy indicates that if the action involves a process that has communicated with untrusted data or an untrusted network over the Internet, then the action is deemed untrustworthy.
  - 15. The one or more non-transitory computer-readable storage mediums of claim 1, wherein the policy indicates that if the file is located in a particular location, then the file or action is deemed untrustworthy.
  - 16. The one or more non-transitory computer-readable storage mediums of claim 1, wherein the policy specifies that actions initiated by a user are deemed trustworthy, and wherein the policy specifies that actions not associated with user-initiated action are deemed untrustworthy.
  - 17. The one or more non-transitory computer-readable storage mediums of claim 1, wherein the policy specifies that if the file is created by a process in a set of identified processes, then the action is deemed untrustworthy.
  - 18. The one or more non-transitory computer-readable storage mediums of claim 1, wherein the policy specifies that if the file is created by a process in a set of identified processes, then the action is deemed trustworthy.
  - 19. The one or more non-transitory computer-readable storage mediums of claim 1, wherein the policy specifies a preferred API level to interact with the file, and wherein if the action arises from any API level other than the preferred API level, then the action is deemed untrustworthy.
  - 20. The one or more non-transitory computer-readable storage mediums of claim 19, wherein the preferred API level is one of a number of API levels comprising an Explorer Shell Interface API level, a Win32 API level API, and a Kernel API level.
  - 21. The one or more non-transitory computer-readable storage mediums of claim 1, wherein execution of the one or more sequences of instructions further causes:
    - providing notification, to a user, that the action is deemed untrustworthy; and
      
      in response to receiving user input which indicates that the untrustworthy action is to be performed in the same isolated environment in which the action arose, performing said action against said file in said virtual machine.
  - 22. The one or more non-transitory computer-readable storage mediums of claim 1, wherein execution of the one or more sequences of instructions further causes:
    - the client denying the performance of the action upon determining that the policy indicates that the file is a member of a protected set of files and the action is a member of a prohibited set of actions.
  - 23. The one or more non-transitory computer-readable storage mediums of claim 1, wherein said policy is a first policy, and wherein execution of the one or more sequences of instructions further causes:
    - in response to determining that the file or action is deemed untrustworthy using a second policy, consulting a third policy to identify a responsive action to perform.
  - 24. The one or more non-transitory computer-readable storage mediums of claim 1, wherein execution of the one or more sequences of instructions further causes:
    - creating a name space entity for the file that is separate from the file; and
      
      in response to receiving an access request for the file through a particular API level, processing the access request by providing the name space entity to the requestor rather than the file.
  - 25. The one or more non-transitory computer-readable storage mediums of claim 1, wherein execution of the one or more sequences of instructions further causes:
    - upon deeming the file untrustworthy, rendering the file deemed to be untrustworthy as a native file; and
      
      permitting a normal file operation to be performed on the file deemed to be untrustworthy, wherein the normal file operation is performed in the isolated environment.
  - 26. The one or more non-transitory computer-readable storage mediums of claim 1, wherein the action comprises encrypting the file after the file has been deemed untrustworthy, and wherein execution of the one or more sequences of instructions further causes:
    - preventing the file deemed to be untrustworthy from being decrypted unless the file is decrypted within a particular isolated environment instantiated for that purpose.
  - 27. The one or more non-transitory computer-readable storage mediums of claim 1, wherein the resources of the client that are accessible to the isolated environment are those resources necessary to view or edit the file.
  - 28. The one or more non-transitory computer-readable storage mediums of claim 1, wherein the instantiation of the isolated environment does not require booting of the isolated environment.
  - 29. The one or more non-transitory computer-readable storage mediums of claim 1, wherein said file is in a set of files deemed untrustworthy, and wherein each file in said set of files deemed untrustworthy is opened in a separate isolated environment based on said policy.

30. A client, comprising:
- one or more processors;
  
  one or more non-transitory storage mediums storing one or more sequences of instructions for managing potentially malicious files using isolated environments, which when executed by the one or more processors, causes;
  
  in response to receiving a request to perform an action on a file, a client applying a policy to determine whether the action is deemed trustworthy; and
  
  the client instantiating, without human intervention and based on the policy, an isolated environment in which the action is to be performed against the file,wherein the policy determines which resources of the client, other than the file or a resource required to provide access to the file, are accessible to the isolated environment, upon instantiation of the isolated environment, based on the request to perform an action on the file.

31. A method for managing potentially malicious files using isolated environments, comprising:
- in response to receiving a request to perform an action on a file, a client applying a policy to determine whether the action is deemed trustworthy; and
  
  the client instantiating, without human intervention and based on the policy, an isolated environment in which the action is to be performed against the file,wherein the policy determines which resources of the client, other than the file or a resource required to provide access to the file, are accessible to the isolated environment, upon instantiation of the isolated environment, based on the request to perform an action on the file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Original Assignee
Bromium (HP Inc.)
Inventors
Banga, Gaurav, Vorobiev, Sergei, Khajuria, Deepak, Kapoor, Vikram, Pratt, Ian, Crosby, Simon
Primary Examiner(s)
Lewis, Lisa

Application Number

US14/864,692
Time in Patent Office

908 Days
Field of Search
US Class Current
CPC Class Codes

G06F 15/76   Architectures of general pu...

G06F 2009/45587   Isolation or security of vi...

G06F 21/6218   to a system of files or obj...

G06F 2209/5018   Thread allocation

G06F 9/3891   organised in groups of unit...

G06F 9/455   Emulation; Interpretation; ...

G06F 9/45558   Hypervisor-specific managem...

G06F 9/5027   the resource being a machin...

G06F 9/5077   Logical partitioning of res...

H04L 63/10   for controlling access to d...

H04L 63/105   Multiple levels of security

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/20   for managing network securi...

H04L 67/01   Protocols

Seamless management of untrusted data using isolated environments

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

112 Citations

31 Claims

Specification

Use Cases

Quick Links

Others

Seamless management of untrusted data using isolated environments

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

112 Citations

31 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others