Systems and methods for generating policies for an application using a virtualized environment

US 9,977,896 B2
Filed: 10/08/2015
Issued: 05/22/2018
Est. Priority Date: 10/08/2015
Status: Active Grant

First Claim

Patent Images

1. A method for generating policies for a new application using a virtualized environment prior to executing on a host operating system of a client device, the method comprising:

installing, responsive to a request to install a new application on a host system and prior to allowing the new application to operate on the host system, the new application in a virtualized environment for execution;

determining, for a first program execution restrictor of the virtualized environment, a set of policies for the new application, the set of policies allowing the new application to add specific program elements during execution of the new application in the virtualized environment;

detecting, by the first program execution restrictor, that the specific program elements are added to the new application during execution of the new application in the virtualized environment;

verifying, via the first program execution restrictor applying the set of policies, an absence of malicious behavior from the specific program elements detected to be added to the new application during execution of the new application in the virtualized environment, wherein malicious behavior includes accessing a memory address restricted from the new application; and

executing, responsive to the verification, the new application on the host system, the host system having a second program execution restrictor that applies the set of policies when the new application executes on the host system.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Provided herein are systems and methods for generating policies for a new application using a virtualized environment. Prior to allowing a new application to operate on a host system, the new application may be installed in a virtual environment. A first program execution restrictor of the virtualized environment may determine a set of policies for the new application. The set of policies may allow the new application to add specific program elements during installation and execution in the virtualized environment. The first program execution restrictor may verify an absence of malicious behavior from the new application while the new application executes in the virtualized environment. The new application may be executed on the host system responsive to the verification. The host system may have a second program execution restrictor that applies the set of policies when the new application is allowed to execute on the host system.

10 Citations

View as Search Results

20 Claims

1. A method for generating policies for a new application using a virtualized environment prior to executing on a host operating system of a client device, the method comprising:
- installing, responsive to a request to install a new application on a host system and prior to allowing the new application to operate on the host system, the new application in a virtualized environment for execution;
  
  determining, for a first program execution restrictor of the virtualized environment, a set of policies for the new application, the set of policies allowing the new application to add specific program elements during execution of the new application in the virtualized environment;
  
  detecting, by the first program execution restrictor, that the specific program elements are added to the new application during execution of the new application in the virtualized environment;
  
  verifying, via the first program execution restrictor applying the set of policies, an absence of malicious behavior from the specific program elements detected to be added to the new application during execution of the new application in the virtualized environment, wherein malicious behavior includes accessing a memory address restricted from the new application; and
  
  executing, responsive to the verification, the new application on the host system, the host system having a second program execution restrictor that applies the set of policies when the new application executes on the host system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising intercepting, by an agent executing on the host system, the request to install the new application on the host system.
  - 3. The method of claim 1, further comprising directing, by an agent executing on the host system, the new application to the virtualized environment for installation responsive to the request to install the new application on the host system.
  - 4. The method of claim 1, further comprising using a process monitor of the virtualized environment to detect for malicious behavior by the new application in the virtualized environment.
  - 5. The method of claim 1, further comprising generating, by the first program execution restrictor, a log record of actions by the new application to add program elements during installation and execution of the new application.
  - 6. The method of claim 5, further comprising determining, by a policy generator, the set of policies using the generated log record.
  - 7. The method of claim 1, wherein determining the set of policies comprises detecting an attempt by the new application to add a first program element, and generating a first policy that allows the new application to add the first program element if the first program element is known to be safe.
  - 8. The method of claim 1, wherein the verifying comprises detecting if the new application attempts to add a program element that is at least one of unknown or potentially unsafe for the host system.
  - 9. The method of claim 1, further comprising providing, by the virtualization environment, the set of policies to the second program execution restrictor of the host system responsive to the verification.
  - 10. The method of claim 1, further comprising requesting, by an agent executing on the host system, the virtualization environment to transition the new application to the host system after verifying the absence of malicious behavior.

11. A system for generating policies for a new application using a virtualized environment prior to executing on a host operating system of a client device, the system comprising:
- a virtualized environment executed on a computing device having one or more processors, configured to install a new application in the virtualized environment for execution, responsive to a request to install the new application on a host system and prior to allowing the new application to operate on the host system;
  
  a first program execution restrictor executing in the virtualized environment, the first program execution restrictor configured to;
  
  determine a set of policies for the new application, the set of policies allowing the new application to add specific program elements during execution of the new application in the virtualized environment;
  
  detect that the specific program elements are added to the new application during execution of the new application in the virtualized environment; and
  
  verify, via the set of policies, an absence of malicious behavior from the specific program elements detected to be added to the new application during execution of the new application in the virtualized environment, wherein malicious behavior includes accessing a memory address restricted from the new application, wherein the new application is allowed to execute on the host system responsive to the verification; and
  
  a second program execution restrictor executing on the host system, the second program execution restrictor configured to apply the set of policies when the new application executes on the host system.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The system of claim 11, further comprising an agent executing on the host system, the agent configured to intercept the request to install the new application on the host system.
  - 13. The system of claim 11, further comprising an agent executing on the host system, the agent configured to direct the new application to the virtualized environment for installation responsive to the request to install the new application on the host system.
  - 14. The system of claim 11, further comprising a process monitor of the virtualized environment, the process monitor utilized to detect for malicious behavior by the new application in the virtualized environment.
  - 15. The system of claim 11, wherein the first program execution restrictor is configured to generate a log record of actions by the new application to add program elements during installation execution of the new application.
  - 16. The system of claim 15, further comprising a policy generator configured to determine, using the generated log record, the set of policies.
  - 17. The system of claim 11, wherein the first program execution restrictor is configured to detect an attempt by the new application to add a first program element, and to determine a first policy that allows the new application to add the first program element if the first program element is known to be safe.
  - 18. The system of claim 11, wherein the first program execution restrictor is configured to detect, as part of the verification, if the new application attempts to add a program element that is at least one of unknown or potentially unsafe for the host system.
  - 19. The system of claim 11, wherein the virtualization environment is configured to provide the set of policies to the second program execution restrictor of the host system responsive to the verification.
  - 20. The system of claim 11, further comprising an agent executing on the host system, the agent configured to request the virtualization environment to transition the new application to the host system after verifying the absence of malicious behavior.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Digital Guardian LLC
Original Assignee
Digital Guardian, Inc.
Inventors
Fox, John C.
Primary Examiner(s)
HERZOG, MADHURI R

Application Number

US14/878,415
Publication Number

US 20170103201A1
Time in Patent Office

957 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/033   Test or assess software

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

Systems and methods for generating policies for an application using a virtualized environment

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

10 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for generating policies for an application using a virtualized environment

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

10 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links