
BR-112018074347-B1 - A method performed by a host operating system running on a host device, and a device.


Abstract

The present invention relates to a host operating system running on a computing device that monitors the computing device's network communications to identify the network resources it requests. The host operating system compares the requested network resources against security policies to determine whether they are trusted. When an untrusted network resource is identified, the host operating system accesses it inside a container that is isolated from the host operating system kernel using the techniques discussed herein. By confining access to untrusted network resources to isolated containers, the host operating system is protected from kernel-level attacks or infections that an untrusted network resource might otherwise cause.

Inventors

  • Nanin Narayan Pai
  • Poornananda R. Gaddehosur
  • Hari R. Pulapaka
  • Vikram Mangalore Rao
  • Charles G. Jeffries
  • Giridhar Viswanathan
  • Benjamin M. Schultz
  • Frederick J. Smith
  • Lars Reuther
  • Michael B. Ebersol
  • Gerardo Diaz Cuellar
  • Ivan Dimitrov Pashov

Assignees

  • Microsoft Technology Licensing, LLC

Dates

Publication Date
20260317
Application Date
20170525
Priority Date
20160602

Claims (15)

  1. A method performed by a host operating system running on a host device, characterized in that it comprises: executing (602) an application on the host operating system; detecting (604) that an application running on the host operating system is attempting to access a network resource accessible to the host device via a network; determining (606) whether the network resource is a trusted network resource or an untrusted network resource; and in response to the determination that the network resource is an untrusted network resource: activating (608), by the host operating system, a container that is isolated from the host operating system and configured to run a version of the application; and allowing the version of the application running in the container to access the untrusted network resource; and in response to determining that access to the untrusted network resource has ended, suspending (622) the container until it is needed to handle one or more additional untrusted network resources.
  2. A method according to claim 1, characterized in that it further comprises allowing the version of the application running in the container to access one or more additional untrusted network resources and preventing the version of the application running in the container from accessing trusted network resources.
  3. A method according to claim 1 or 2, characterized in that the container includes an instance of the host operating system and a kernel that is separate and isolated from the host operating system kernel.
  4. A method according to any one of claims 1 to 3, characterized in that it further comprises receiving at least one policy that includes at least one enumerated list of trusted network resources, wherein determining that the network resource is an untrusted network resource comprises comparing the network resource against the enumerated list of trusted network resources, the enumerated list of trusted network resources being identified based on one or more of the network resource's file type, a network location associated with the network resource, or an application type that attempts to access the network resource.
  5. A method according to any one of claims 1 to 4, characterized in that the container is activated for a user who is logged on to the host operating system, the method further comprising determining that a different user is logged on to the host operating system and activating, for that different user, a different container that is isolated from both the host operating system and the container.
  6. A method according to any one of claims 1 to 5, characterized in that it further comprises determining that the application is attempting to access the network resource through an untrusted network interface and, in response to determining that the application is attempting to access it through the untrusted network interface: restricting network communications of the application on the host operating system to a virtual private network (VPN) interface; allowing the version of the application running in the container to perform network communications through the untrusted network interface; and indicating to a container network stack that network communications of the container are isolated to the untrusted network interface.
  7. A method according to any one of claims 1 to 6, characterized in that it further comprises intercepting a response to a web proxy prompt for user credentials and inserting one or more user credentials into the response to the web proxy prompt without communicating the one or more user credentials to the container.
  8. A method according to any one of claims 1 to 7, characterized in that it further comprises scanning one or more untrusted network resources that are accessed in the container, using antivirus software on the host operating system to assign one or more risk levels to the one or more untrusted network resources, and quarantining, cleaning, or deleting one or more of those untrusted network resources if the assigned risk level indicates that the untrusted network resource is malicious.
  9. A method according to any one of claims 1 to 8, characterized in that it further comprises monitoring activity associated with the untrusted network resource in the container and updating local policy in the host operating system based on the monitored activity.
  10. A method according to any one of claims 1 to 9, characterized in that suspending the container comprises preserving the state of any one or more network resources within the container.
  11. A method according to any one of claims 1 to 10, characterized in that activating a container comprises identifying a suspended container and resuming processing of the suspended container.
  12. A method according to any one of claims 1 to 11, characterized in that the container is enabled for network resource communications through a first network communication interface, the method further comprising enabling a second container for network resource communications through a second network communication interface.
  13. A device comprising: one or more processors; and one or more computer-readable storage media (706) storing a method, the device characterized in that the method comprises: executing a web application on a host operating system of the device; detecting, by the host operating system, that an application running on the host operating system is attempting to access a network resource accessible to the host device over a network; determining, by the host operating system, whether the network resource is a trusted network resource or an untrusted network resource by comparing the network resource with a policy received from a management and monitoring service that is located remotely from the device; in response to the determination that the network resource is an untrusted network resource: activating, by the host operating system, a container that is isolated from the host operating system and configured to run a version of the web application; allowing, by the host operating system, the version of the web application running in the container to access the untrusted network resource; and in response to determining that access to the untrusted network resource has terminated, suspending, by the host operating system, the container until it is needed to handle one or more additional untrusted network resources.
  14. A device according to claim 13, characterized in that the operations further comprise detecting an update to the host operating system and, in response to detecting the update to the host operating system, removing the container and creating a new container that reflects one or more updated binaries of the host operating system.
  15. A device according to claim 13 or 14, characterized in that the host operating system is configured to determine that the network resource and one or more additional untrusted network resources are untrusted based on one or more of the network resource's file type, a network location associated with the network resource, an application type that attempts to access the network resource, an antivirus scan of the network resource, or a query to a cloud-based service that maintains a list of malicious network resources.
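To make the claimed control flow concrete, here is an added example in Python, not code from the patent or from the assignee: a small model of the trust decision (claims 4 and 15) and of the container lifecycle (claims 1, 5, 10, 11 and 14). The class names, the default-deny rule (a resource is trusted only if its host, file type and requesting application type are all enumerated in policy) and the sample policy using reserved example/test domains are assumptions made for this illustration.

```python
"""Added illustration, not the patent's or the assignee's code: a model of the
trust decision (claims 4, 15) and the container lifecycle (claims 1, 5, 10, 11,
14). Class names, the default-deny rule and the sample policy are assumptions."""
from dataclasses import dataclass, field
from enum import Enum
from urllib.parse import urlsplit
import posixpath


class ContainerState(Enum):
    SUSPENDED = "suspended"
    RUNNING = "running"


@dataclass(frozen=True)
class Policy:
    """Enumerated trusted resources by network location, file type and
    application type (claim 4) plus a malicious-host list (claim 15).
    Default deny: trusted only when every attribute is enumerated."""
    trusted_hosts: frozenset       # exact host, or ".suffix" for a whole domain
    trusted_file_types: frozenset  # extensions; a bare path (no file) is allowed
    trusted_app_types: frozenset
    malicious_hosts: frozenset = frozenset()

    def is_trusted(self, url: str, app_type: str) -> bool:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        ext = posixpath.splitext(parts.path)[1].lower()
        if host in self.malicious_hosts:
            return False
        host_ok = host in self.trusted_hosts or any(
            host.endswith(s) for s in self.trusted_hosts if s.startswith("."))
        type_ok = ext == "" or ext in self.trusted_file_types
        return host_ok and type_ok and app_type in self.trusted_app_types


@dataclass
class Container:
    """Isolated container built from the host base image; one per user (claim 5)."""
    user: str
    base_image_version: str
    state: ContainerState = ContainerState.SUSPENDED
    preserved_resources: list = field(default_factory=list)  # claim 10


class HostOS:
    def __init__(self, policy: Policy, os_version: str):
        self.policy = policy
        self.os_version = os_version
        self.base_image = None       # created at boot
        self.containers: dict = {}   # user -> Container
        self.audit: list = []        # (user, url, where the access ran)

    def boot(self) -> str:
        # At initialization, create the container base image if it is missing
        if self.base_image is None:
            self.base_image = self.os_version
        return self.base_image

    def user_login(self, user: str) -> Container:
        # Activate a container for the user at login and leave it suspended,
        # ready for the first untrusted request
        c = Container(user=user, base_image_version=self.base_image)
        self.containers[user] = c
        return c

    def route(self, user: str, app_type: str, url: str) -> str:
        """Claim 1: trusted resources run on the host; untrusted ones go to the
        user's container, resumed if suspended (claim 11). The container is
        never handed a trusted resource (claim 2)."""
        if self.policy.is_trusted(url, app_type):
            self.audit.append((user, url, "host"))
            return "host"
        c = self.containers.get(user) or self.user_login(user)
        c.state = ContainerState.RUNNING
        self.audit.append((user, url, "container"))
        return "container"

    def access_ended(self, user: str, url: str) -> ContainerState:
        # Claims 1 and 10: suspend the container, preserving resource state
        c = self.containers[user]
        c.preserved_resources.append(url)
        c.state = ContainerState.SUSPENDED
        return c.state

    def os_updated(self, new_version: str) -> None:
        # Claim 14: drop containers built from old binaries and rebuild them
        self.os_version = self.base_image = new_version
        for user in list(self.containers):
            self.user_login(user)


SAMPLE_POLICY = Policy(  # constructed sample; .example/.test/.invalid are reserved names
    trusted_hosts=frozenset({"intranet.example", ".corp.example"}),
    trusted_file_types=frozenset({".html", ".pdf"}),
    trusted_app_types=frozenset({"browser", "pdf-reader"}),
    malicious_hosts=frozenset({"bad.test"}),
)


def demo() -> list:
    host = HostOS(SAMPLE_POLICY, "host-10.0.1")
    host.boot()
    host.user_login("alice")
    host.route("alice", "browser", "https://intranet.example/home.html")        # host
    host.route("alice", "browser", "https://unknown-site.invalid/index.html")   # container
    host.access_ended("alice", "https://unknown-site.invalid/index.html")
    host.route("alice", "browser", "https://intranet.example/setup.exe")        # container: file type
    host.route("alice", "mail-client", "https://intranet.example/home.html")    # container: app type
    host.route("alice", "browser", "https://bad.test/")                         # container: malicious
    return host.audit


if __name__ == "__main__":
    for user, url, where in demo():
        print(f"{user:6} {where:9} {url}")
```

The audit list shows the routing decision for each request; the three container cases after the first one illustrate that a trusted host alone is not enough, since an unlisted file type, an unlisted application type, or a listed malicious host each push the access into the isolated container.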

Description

Background

[0001] Computer device infections typically occur when users browse the internet to untrusted websites or when they download or open untrusted network resources such as applications and documents. These infections allow attackers to steal user credentials or even take control of the computing device and repurpose it for the attacker's own ends. While one way to combat these attacks at the kernel level is to disable network access for the computing device, this severely limits the functionality of many modern computing devices. Furthermore, in a work environment, disabling network access hinders employee productivity and job satisfaction. As a compromise, many employers allow limited network access, preventing employees from reaching untrusted network resources. However, this limited network access results in higher administrative costs for the employer, who must constantly update the policy defining which network resources are untrusted. This can lead to frustration with the use of computing devices for both users and the employer.

Summary

[0002] This Summary is provided to introduce a selection of concepts in a simplified form, which are described below in the Detailed Description. This Summary is not intended to identify key features or essential characteristics of the claimed subject matter, nor is it intended to be used to limit the scope of the claimed subject matter.

[0003] According to one or more aspects, an application runs on a host operating system. In response to detecting that the application is attempting to access a network resource, the host operating system determines whether the network resource is a trusted network resource or an untrusted network resource. In response to determining that the network resource is an untrusted network resource, the host operating system activates a container that is isolated from the host operating system and is configured to run a version of the application within the container. The host operating system then allows the version of the application running in the container to access the untrusted network resource.

[0004] According to one or more aspects, the initialization of a host operating system is detected. In response to detecting the host operating system initialization, it is determined whether the host operating system includes a container base image. As discussed herein, a container base image refers to a close copy of the host operating system version, patch level, and configuration. In response to determining that the host operating system does not include a container base image, a container base image is created. After the container base image is created, a user login to the host operating system is detected. In response to detecting the user login to the host operating system, a container corresponding to the container base image is activated, and the activated container is suspended. In response to detecting access to an untrusted network resource, the suspended container is resumed, and the resumed container is allowed to access the untrusted network resource.

[0005] According to one or more aspects, a web application runs on a device's host operating system. As discussed herein, a web application is configured to access one or more network resources stored remotely from the device running the host operating system. In response to detecting that the web application is accessing a network resource, the network resource is determined to be an untrusted resource by comparing it to a policy received from a management and monitoring service located remotely from the device. In response to determining that the network resource is an untrusted network resource, the host operating system activates a container that is configured to run a version of the web application and that is isolated from the host operating system. After the container is activated, the host operating system allows the version of the web application running in the container to access the untrusted network resource. The host operating system allows the version of the web application running in the container to access additional untrusted network resources and prevents it from accessing trusted network resources.

Brief description of the drawings

[0006] The detailed description is provided with reference to the attached figures. In the figures, the leftmost digit(s) of a reference number identifies the figure in which the reference number first appears. The use of the same reference numbers in different instances in the description and in the figures may indicate similar or identical items. The entities represented in the figures may be indicative of one or more entities, and thus reference may be made interchangeably to single or plural forms of the entities in the discussion.

[0007] Figure 1 illustrates an example of a system that implements hardware-based virtualized security isolation acco