Systems and methods for generating policies for an application using a virtualized environment

US 10,528,723 B2
Filed: 05/18/2018
Issued: 01/07/2020
Est. Priority Date: 10/08/2015
Status: Active Grant

First Claim

Patent Images

1. A method of generating policies for applications using virtualized environments, comprising:

installing, by a first program execution restrictor of a virtualized environment in a host system executing on a computing device having one or more processors, a new application in the virtualized environment for execution;

detecting, by the first program execution restrictor, that a program subcomponent is added to the new application during execution of the new application in the virtualized environment;

verifying, by the first program execution restrictor, via a set of policies allowing the new application to add the program subcomponent during execution, an absence of malicious behavior from the program subcomponent that is added to the application during execution in the virtualized environment; and

executing, responsive to verifying the absence of malicious behavior from the program subcomponent, the new application on the host system, the host system having a second program execution restrictor that applies the set of policies while the new application executes on the host system.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Provided herein are systems and methods for generating policies for a new application using a virtualized environment. Prior to allowing a new application to operate on a host system, the new application may be installed in a virtual environment. A first program execution restrictor of the virtualized environment may determine a set of policies for the new application. The set of policies may allow the new application to add specific program elements during installation and execution in the virtualized environment. The first program execution restrictor may verify an absence of malicious behavior from the new application while the new application executes in the virtualized environment. The new application may be executed on the host system responsive to the verification. The host system may have a second program execution restrictor that applies the set of policies when the new application is allowed to execute on the host system.

11 Citations

20 Claims

1. A method of generating policies for applications using virtualized environments, comprising:
- installing, by a first program execution restrictor of a virtualized environment in a host system executing on a computing device having one or more processors, a new application in the virtualized environment for execution;
  
  detecting, by the first program execution restrictor, that a program subcomponent is added to the new application during execution of the new application in the virtualized environment;
  
  verifying, by the first program execution restrictor, via a set of policies allowing the new application to add the program subcomponent during execution, an absence of malicious behavior from the program subcomponent that is added to the application during execution in the virtualized environment; and
  
  executing, responsive to verifying the absence of malicious behavior from the program subcomponent, the new application on the host system, the host system having a second program execution restrictor that applies the set of policies while the new application executes on the host system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising generating, by the first program execution restrictor, the set of policies for the new application according to a log record of actions of the new application, the log record of actions including addition of subcomponents during installation and execution of the new application.
  - 3. The method of claim 1, further comprising updating, by the first program execution restrictor, the set of policies for the new application based on verifying the absence of malicious behavior from the program subcomponent to be added to the application.
  - 4. The method of claim 1, further comprising providing, by the first program execution restrictor, the set of policies to the host system to apply to the new application executing on the host system, responsive to verifying the absence of malicious behavior from the program subcomponent.
  - 5. The method of claim 1, further comprising migrating, by an agent executing on the host system, the new application from the virtualized environment to the host system, responsive to verifying the absence of malicious behavior from the program subcomponent.
  - 6. The method of claim 1, wherein installing the new application further comprises installing the new application in the virtualized environment for execution prior to allowing the new application to operate on the host system.
  - 7. The method of claim 1, wherein detecting that the program subcomponent is added further comprises detecting, during execution of the new application in the virtualized environment, at least one of a change in storage space for the new application, a referencing of a memory address not allocated to the new application, or a passing of a file through a port of the virtualized environment.
  - 8. The method of claim 1, wherein verifying the absence of malicious behavior further comprises determining that the program subcomponent corresponds to at least one of an unknown element or a potentially unsafe element for the host system.
  - 9. The method of claim 1, wherein verifying the absence of malicious behavior further comprises determining that the program subcomponent is not performing one or more of a plurality of operations predetermined to be malicious, the plurality of operations including accessing a memory address not allocated to the new application, accessing a protected resource, and changing file system permissions of data files.
  - 10. The method of claim 1, wherein executing the new application on the host system further comprises applying to the new application the set of policies provided by the virtualized environment and a second set of policies pre-specified on the host system.

11. A system for generating policies for applications using virtualized environments, comprising:
- a virtualized environment in a host system executed on a computing device having one or more processors, wherein a first program execution restrictor of the virtualized environment is configured to install a new application in the virtualized environment for execution;
  
  the first program execution restrictor of the virtualized environment, configured to;
  
  detect that a program subcomponent is added to the new application during execution of the new application in the virtualized environment;
  
  verify, via a set of policies allowing the new application to add the program subcomponent during execution, an absence of malicious behavior from the program subcomponent that is added to the application during execution in the virtualized environment; and
  
  a second program execution restrictor executed on the host system, configured to apply, responsive to verifying the absence of malicious behavior from the program subcomponent, the set of policies while the new application executes on the host system.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The system of claim 11, wherein the first program execution restrictor is further configured to generate the set of policies for the new application according to a log record of actions of the new application, the log record of actions including addition of program subcomponents during installation and execution of the new application.
  - 13. The system of claim 11, wherein the first program execution restrictor is further configured to update the set of policies for the new application based on verifying the absence of malicious behavior from the program subcomponent to be added to the application.
  - 14. The system of claim 11, wherein the first program execution restrictor is further configured to provide the set of policies to the host system to apply to the new application executing on the host system, responsive to the verification.
  - 15. The system of claim 11, further comprising an agent executable on the host system configured to migrate the new application from the virtualized environment to the host system, responsive to the verification.
  - 16. The system of claim 11, wherein the virtualized environment is further configured to install the new application in the virtualized environment for execution prior to allowing the new application to operate on the host system.
  - 17. The system of claim 11, wherein the first program execution restrictor is further configured to detect, during execution of the new application in the virtualized environment, at least one of a change in storage space for the new application, a referencing of a memory address not allocated to the new application, or a passing of a file through a port of the virtualized environment.
  - 18. The system of claim 11, wherein the first program execution restrictor is further configured to determine that the program subcomponent corresponds to at least one of an unknown element or a potentially unsafe element for the host system.
  - 19. The system of claim 11, wherein the first program execution restrictor is further configured to determine that the program subcomponent is not performing one or more of a plurality of operations predetermined to be malicious, the plurality of operations including accessing a memory address not allocated to the new application, accessing a protected resource, and changing file system permissions of data files.
  - 20. The system of claim 11, wherein the second program execution restrictor is further configured to apply to the new application the set of policies provided by the virtualized environment and a second set of policies pre-specified on the host system.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Digital Guardian LLC
Original Assignee
Digital Guardians Incorporated
Inventors
Fox, John C.
Primary Examiner(s)
Herzog, Madhuri R

Application Number

US15/984,228
Publication Number

US 20180268133A1
Time in Patent Office

599 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/033   Test or assess software

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

Systems and methods for generating policies for an application using a virtualized environment

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

11 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for generating policies for an application using a virtualized environment

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

11 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links