Microsoft – Dzmitry Konanka, Andrei Liahuski, Check Point Software Technologies Inc

Abstract for “System and methodology that provides secure work environment”

A system and methodology providing a secure workspace environment is described. In one embodiment, a method for creating a secure workspace within an operating system includes configuring a policy that specifies the operations applications are permitted to perform and the information they may access; hooking certain functions of the operating system so as to gain control over information created during operation of the applications; and, in response to a request to access that information, determining whether the request complies with the policy. If the request complies with the policy, access to a decrypted version of the information is granted.

Background for “System and methodology that provides secure work environment”

1. Field of the Invention

The present invention relates generally to computers and data processing applications, and more specifically to a system and methodology providing a secure workspace environment.

2. Description of the Background Art

The growth of Internet-based remote access technology has led to an increase in users working from unprotected and untrusted environments. VPN clients of various kinds let home users connect to corporate networks; travelers read their e-mail from public kiosks; wireless services at airports connect sales agents to their databases. Large networks are no longer just broadband lines connecting offices across several states or countries: they are far more complex and far less controlled at their end-points (i.e., at individual computers). As the number of mobile users grows, so does the number of threats, among them identity theft, phishing attacks, and theft of trade secrets.

The network of a large organization can be protected using a variety of tools. A firewall, for example, is installed to secure the company's gateway. Anti-virus software is installed on the company's mail server to scan all incoming and outgoing mail, and individual end-user computers are protected with anti-virus software as well. Remote users connect to the company's network via SSL VPN or IPSEC VPN, and IT departments create and enforce security policies to manage these environments. Even with these tools readily available, corporate IT departments still face a problem: how do they ensure confidentiality when users connect to the corporate network from untrusted end-points, end-points that the IT department cannot easily control?

Consider VPN, for example. VPN solutions exist that encrypt traffic between an end-point and a corporate gateway. These schemes, however, are easily defeated on the end-point itself if an attacker has access to the end-point computer before, during, or after the session. An attacker could install keylogger software to monitor user activity and record keystrokes, and thereby steal the user's name and password. The attacker can also analyze the web browser cache to retrieve information about the user's visits and recover other session information. After the session ends, the attacker can examine the files left behind: files used by the end-point's operating system (e.g., Microsoft Windows), including the profile stored in temporary folders, as well as files left behind by the applications the user ran, such as Microsoft Word, Microsoft Excel, and Adobe Acrobat files. The fundamental problem remains: how to create a secure environment on untrusted end-points such as home computers or web kiosks.

There have been attempts to solve this problem. Architecturally and technologically, they can be divided into three categories, each of which is discussed below.

Policy Enforcement

Virtual OS

A virtual OS (operating system) approach creates a more secure operating system inside the untrusted system. One common solution is a portable USB device holding a pre-configured Linux OS. The device is used to boot Linux, and all session data and temporary files are saved on the USB device. All necessary software, including a VPN client, an e-mail client, and a spreadsheet application, is pre-configured on the Linux USB device.

Secure Environment

This approach aims to create a secure environment at the level of a single application or of the operating system. For example, a plug-in for Internet Explorer (a so-called "BHO", or Browser Helper Object) can be created that encrypts all Internet Explorer session information, including cookies, cache, and temporary files. When the protected browser is used to access web pages or web applications, the user's session data is encrypted and cannot be read by an attacker.

Each of the above attempts provides a real-world solution that poses serious barriers to attackers, and many commercial products use these concepts. Yet each can be bypassed or has serious drawbacks. Policy enforcement is important at every end-point, but it does not withstand targeted attacks: an attacker can take a popular keylogger and modify it so that anti-spyware and anti-virus products no longer detect it. Policy enforcement also has a major drawback in that it does not delete temporary session data, which can later be analyzed by an attacker.

The virtual OS solution is not user-friendly, as it does not let users work with the applications they are used to: Internet Explorer, Microsoft Word, Microsoft Excel, or Adobe Acrobat. It requires a substantial learning curve and results in increased troubleshooting and support work for IT departments. Its physical requirements are also problematic: some kiosks do not allow access to USB devices, let alone booting from them.

Currently, all known secure-environment solutions either can be bypassed easily or are designed to provide only limited protection (e.g., for particular applications, such as a plug-in for Internet Explorer). A better solution is therefore sought.

A system and methodology providing a secure workspace environment is described. In one embodiment, a method for creating a secure workspace within an operating system, so that users may run applications in a secure manner, includes configuring a policy that specifies the operations applications are permitted to perform; hooking certain functions of the operating system so as to gain control over information created during operation of the applications; and, in response to a request to access the information, determining whether the request complies with the policy. If the policy is satisfied, access to a decrypted version of the information is granted.

In another embodiment, the invention provides a secure workspace in which users may run applications in a secure manner. It includes: a computer operating under control of an operating system; a policy for configuring the secure workspace; a module that intercepts certain functions of the operating system so that the secure workspace may run under that operating system, the module giving the secure workspace control over information created during operation of the applications; an encryption module for preventing unauthorized access to that information; and a decryption module for permitting access to the information in response to a request that complies with the policy.

In another embodiment, the invention provides a secure desktop environment in which users may run application software. It includes: a computer operating under control of an operating system and having application software installed; a configurable policy that specifies the operations the application software is permitted to perform and the information it may access; and a hooks engine that intercepts particular calls to the operating system, thereby giving the secure desktop environment control over the operation of the application software and over access to the information.

In another embodiment, the invention provides a method for protecting software programs running under control of a computer operating system. The method includes: creating a configurable security policy that specifies the operations software programs are permitted to perform; patching specific files of the operating system so that interactions between software programs and the operating system can be monitored for compliance with the security policy; and controlling the operation of the software programs so as to prevent violations of the security policy.

In yet another embodiment, the invention provides a system comprising: a configurable security policy specifying the operations software programs are permitted to perform; means for patching specific files of the computer operating system so that interactions between software programs and the operating system can be monitored for compliance with the security policy; and means for controlling the operation of the software programs so that the security policy is not violated.

In a further embodiment, a desktop environment that works with an existing operating system is described. It includes: injectable program code that intercepts interactions between computer programs and the existing operating system; a policy that specifies the behavior computer programs are permitted to exhibit; and a desktop environment that blocks any attempt by a computer program to violate the policy.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 is a block diagram of a computer system in which software-implemented processes of the present invention may be embodied.

FIG. 2A is a block diagram illustrating the components of the Secure Workspace System (SWS) of the present invention.

FIG. 2B is a block diagram showing a lower-level view of the components of FIG. 2A.

FIGS. 3A-B comprise a single high-level flowchart illustrating a method for initializing the secure workspace/desktop of the present invention.

“FIG. “FIG.

Glossary

The following definitions are provided for purposes of illustration only and are not intended to limit the scope of the discussion.

Firewall: A firewall is a set of related programs, typically located at a network gateway server, that protects the resources of a private network from users on other networks by controlling access into and out of the private network. The term also refers to the security policy applied by those programs. A firewall works closely with a router program, examining each network packet to decide whether to forward it toward its destination; it may also work with a proxy server that makes network requests on behalf of users. A firewall is often installed on a computer separate from the rest of the network, so that no incoming request can directly reach private network resources.

HTTP: HTTP stands for HyperText Transfer Protocol, the underlying protocol by which Web sites communicate. HTTP defines how messages are formatted and transmitted and what actions Web servers and browsers should take in response to various commands. When a user enters a URL in a browser, the browser sends an HTTP command to the Web server directing it to fetch and transmit the requested Web page. Further description of HTTP is available in "RFC 2616: Hypertext Transfer Protocol -- HTTP/1.1", the disclosure of which is hereby incorporated by reference. RFC 2616 is available from the World Wide Web Consortium (W3C) and via the Internet (e.g., currently at www.w3.org/Protocols/). Additional description of HTTP is available in the technical and trade literature; see, e.g., Stallings, W., "The Backbone of the Web", BYTE, October 1996, the disclosure of which is hereby incorporated by reference.

Network: A network is a group of two or more systems linked together. There are many types of computer networks, including local area networks (LANs), virtual private networks (VPNs), metropolitan area networks (MANs), campus area networks (CANs), and wide area networks (WANs), including the Internet. As used herein, the term "network" refers broadly to any group of two or more computer systems or devices that are linked together from time to time (or permanently).

Portal: A portal provides an individualized or personalized view of multiple resources (e.g., Web sites) and services. A portal typically offers a single access point (e.g., a browser page) through which a variety of information and applications can be reached. Portals aggregate information from several sources (e.g., Web sites and applications), so that users can quickly access information without having to navigate to multiple Web sites, and present it in a personalized way by grouping and organizing the information and services offered to each user.

TCP/IP: TCP/IP stands for Transmission Control Protocol/Internet Protocol, the suite of communication protocols used to connect hosts on the Internet. TCP/IP uses several protocols, the two most important of which are TCP and IP. TCP/IP is built into the UNIX operating system and is used by the Internet, making it the de facto standard for transmitting data over networks. TCP/IP is described in "RFC 1180: A TCP/IP Tutorial", the disclosure of which is hereby incorporated by reference. A copy of RFC 1180 is available via the Internet (e.g., currently at www.ietf.org/rfc/rfc1180.txt).

Thread: A thread is a single sequential flow of control within a program. Multi-threading allows a programmer to write programs in which several threads run concurrently. In some systems there is a one-to-one relationship between the task and the program; a multi-threaded system, however, allows a single program to be broken into multiple tasks. A multi-threaded program can have multiple threads executing different code paths at the same time.

URL: URL stands for Uniform Resource Locator, the global address of a document or other resource on the World Wide Web. The first part of the address indicates the protocol to use; the second part specifies the IP address or domain name where the resource is located.

Winsock: Windows Sockets 2 (Winsock) is a Microsoft-provided interface that enables programmers to create advanced Internet, intranet, and other network-capable applications to transmit application data across the wire, independent of the network protocol being used. It gives programmers access to advanced Microsoft Windows networking capabilities such as multicast and Quality of Service (QoS). Winsock follows the Windows Open System Architecture (WOSA) model: it defines a standard service provider interface (SPI) between the application programming interface (API), with its exported functions, and the protocol stacks. It uses the sockets paradigm that was first introduced by Berkeley Software Distribution (BSD) UNIX and was later adapted for Windows in Windows Sockets 1.1, with which Windows Sockets 2 applications are backward compatible. Winsock programming previously centered on TCP/IP; some programming practices that worked with TCP/IP do not work with every protocol, so the Windows Sockets 2 API adds functions where necessary to handle several protocols. Further description of Winsock is available in Microsoft's "Winsock Reference", the disclosure of which is hereby incorporated by reference. A copy of this documentation is available via the Internet (e.g., currently at msdn.microsoft.com/library/default.asp?url=/library/en-us/winsock/winsock/winsock_reference.asp).

XML: XML stands for Extensible Markup Language, a specification developed by the World Wide Web Consortium (W3C). XML is a pared-down version of the Standard Generalized Markup Language (SGML), a system for organizing and tagging elements of a document. XML is designed especially for Web documents: it lets designers create their own customized tags, enabling the definition, transmission, validation, and interpretation of data between applications and between organizations. For further description of XML, see "Extensible Markup Language 1.0" (Oct. 6, 2000), a recommended specification from the W3C, the disclosure of which is hereby incorporated by reference. A copy of this specification is available via the Internet (e.g., currently at www.w3.org/TR/REC-xml).

Introduction

Exemplary embodiments of the invention will now be described with reference to the figures. The description will focus on the presently preferred embodiment, which is implemented in desktop and/or server software (e.g., a driver, an application, or the like) operating in an Internet-connected environment under an operating system such as Microsoft Windows. The present invention, however, is not limited to any one particular application or environment; the system and methods of the invention may be advantageously embodied on a variety of platforms, including Macintosh, Linux, and the like. The description of the exemplary embodiments that follows is for purposes of illustration and not limitation. The exemplary embodiments are primarily described with reference to block diagrams and flowcharts. As to the flowcharts, each block therein represents both a method step and an apparatus element for performing that method step; the apparatus element may be implemented in hardware, software, firmware, or a combination thereof.

Computer-based Implementation

Basic System Hardware and Software (e.g., for Desktop and Server Computers)

The present invention may be implemented on a conventional or general-purpose computer system, such as an IBM-compatible personal computer (PC) or server computer. FIG. 1 is a very general block diagram of a computer system (e.g., an IBM-compatible system) in which software-implemented processes of the present invention may be embodied. As shown, system 100 comprises a central processing unit (CPU) or processor 101 coupled to a random-access memory (RAM) 102, a read-only memory (ROM) 103, a keyboard 106, a printer 107, a pointing device 108, a display or video adapter 104 connected to a display device 105, a removable (mass) storage device 115, a fixed (mass) storage device 116, a communication (COMM) port or interface 110, a modem 112, and a network interface card (NIC) or controller 111 (e.g., Ethernet). Although not shown separately, a real-time system clock is included with the system 100, in a conventional manner.

CPU 101 comprises a processor of the Intel Pentium family of microprocessors; however, any other suitable processor may be utilized for implementing the present invention. The CPU 101 communicates with other components of the system via a bi-directional system bus (including any necessary input/output (I/O) controller circuitry and other "glue" logic). The bus, which includes address lines for addressing system memory, provides data transfer between and among the various components. Description of Pentium-class microprocessors and their instruction set, bus architecture, and control lines is available from Intel Corporation of Santa Clara, Calif. Random-access memory 102 serves as the working memory for the CPU 101. In a typical configuration, RAM of sixty-four megabytes or more is employed; more or less memory may be used without departing from the scope of the present invention. The read-only memory (ROM) 103 contains the basic input/output system code (BIOS), a set of low-level routines in the ROM that application programs and the operating system can use to interact directly with the hardware, including reading characters from the keyboard, outputting characters to printers, and so forth.

Mass storage devices 115, 116 provide persistent storage on fixed and removable media, such as magnetic, optical, or magnetic-optical storage systems, flash memory, or any other available mass storage technology. The mass storage may be shared on a network, or it may be dedicated mass storage. As shown in FIG. 1, fixed storage 116 is typically the main hard disk of the system.

In basic operation, program logic (including that which implements the methodology of the present invention) is loaded from the removable storage 115 or fixed storage 116 into the main (RAM) memory 102, for execution by the CPU 101. During operation of the program logic, the system 100 accepts user input from a keyboard 106 and pointing device 108, as well as speech-based input from a voice recognition system (not shown). The keyboard 106 permits selection of application programs, entry of keyboard-based input or data, and selection and manipulation of individual data objects displayed on the screen or display device 105. Likewise, the pointing device 108, such as a mouse, track ball, pen device, or the like, permits selection and manipulation of objects on the display device. In this manner, these input devices support manual user input for any process running on the system.

The computer system 100 displays text and/or graphic images and other data on the display device 105. The video adapter 104, which is interposed between the display 105 and the system's bus, drives the display device 105. The video adapter 104, which includes video memory accessible to the CPU 101, provides circuitry that converts pixel data stored in the video memory to a raster signal suitable for use by a cathode ray tube (CRT) raster or liquid crystal display (LCD) monitor. A hard copy of the displayed information, or other information within the system 100, may be obtained from the printer 107 or other output device. Printer 107 may include, for instance, an HP LaserJet printer (available from Hewlett Packard of Palo Alto, Calif.) for creating hard copy images of the system's output.

The system itself communicates with other devices (e.g., other computers) via the network interface card (NIC) 111 connected to a network (e.g., an Ethernet network, a Bluetooth wireless network, or the like) and/or via modem 112 (e.g., a modem available from 3Com of Santa Clara, Calif.). The system 100 may also communicate with local occasionally-connected devices (e.g., serial cable-linked devices) via the communication (COMM) interface 110, which may include an RS-232 serial port, a Universal Serial Bus (USB) interface, or the like. Devices commonly connected locally to the interface 110 include laptop computers, handheld organizers, digital cameras, and the like.

IBM-compatible personal computers and server computers are available from a variety of vendors. Representative vendors include Dell Computers of Round Rock, Tex., Hewlett-Packard of Palo Alto, Calif., and IBM of Armonk, N.Y. Other suitable computers include Apple-compatible computers (e.g., Macintosh), available from Apple Computer of Cupertino, Calif., and Sun Solaris workstations, available from Sun Microsystems of Mountain View, Calif.

A software system is typically provided for controlling the operation of the computer system 100. The software system, which may be stored on fixed storage (e.g., hard disk) 116, includes a kernel or operating system (OS) that manages low-level aspects of computer operation, such as execution of processes and memory allocation. The OS can be provided by a conventional operating system, such as Microsoft Windows 9x, Microsoft Windows NT, Microsoft Windows 2000, or Microsoft Windows XP, or by an alternative operating system such as those previously mentioned. Typically, the OS operates in conjunction with device drivers (e.g., a "Winsock" driver, Windows' implementation of a TCP/IP stack) and the system BIOS microcode (i.e., ROM-based microcode), particularly when interfacing with peripheral devices. One or more applications, such as client application software or "programs" (i.e., sets of processor-executable instructions), may also be provided for execution by the computer system 100. The application(s) or other software intended for use on the computer system may be "loaded" into memory 102 from fixed storage 116, or may be downloaded from an Internet location (e.g., a Web server). A graphical user interface (GUI) is generally provided for receiving user commands and data in a graphical (e.g., "point-and-click") fashion. These inputs, in turn, may be acted upon by the computer system in accordance with instructions from the OS and/or application(s). The graphical user interface also serves to display the results of operation from the OS and application(s).

The above-described computer hardware and software are presented for purposes of illustrating the basic underlying desktop and server computer components that may be employed for implementing the present invention. For purposes of discussion, the following description will present examples in which it is assumed that at least one computer (e.g., a desktop "client" computer) communicates with another computer (e.g., a Web "server") over a network such as the Internet. The present invention, however, is not limited to any particular environment or device configuration. In particular, a client/server distinction is not necessary to the invention, but is used to provide a framework for discussion. Instead, the present invention may be implemented in any type of system architecture or processing environment capable of supporting the methodologies of the invention presented in detail below.

Overview

In accordance with the present invention, a fully secured environment is provided within the framework of the user's usual operating system (the "host OS", e.g., Microsoft Windows). The main input/output (I/O) functions of the host OS are hooked, or intercepted, so that all information, including session data, that applications store to disk is encrypted. This prevents malicious or unauthorized users from accessing any data or information created within the secured environment.

The process is transparent to both users and applications: applications believe they are using the usual OS functions and storing information to their usual storage. To the user, the secured environment appears as a virtual desktop, the Secured Desktop, and the user can switch between the secured and unsecured desktops using hot keys or GUI elements. By intercepting all OS functions invoked on the Secured Desktop, the present invention controls them all, and is therefore able to allow or deny any action of any application. This mechanism is used together with a configurable security policy that specifies the behavior or actions software programs are permitted to perform. It is possible, for example, to limit the set of applications that may run on the virtual desktop: any non-compliant software (i.e., any program that would violate the policy) is prevented from launching, which also blocks malicious software (e.g., spyware and computer viruses) that could steal information or damage the system.

In the presently preferred embodiment, a Secure Workspace System (SWS) provides a secured area for web sessions with clear visual separation from other areas. The workspace protects session information during the active session and cleans up after the session ends. It provides its protection in user-space mode, without the need to develop device drivers, and only Guest user rights are required to run it. The workspace performs API hooking at the lowest possible level in user space (e.g., the native Windows NT API exported by NTDLL), so that applications which call this layer directly cannot bypass the hooking mechanism.

System Components

The Secure Workspace System (SWS), which operates at the client application level, prevents unauthorized access to confidential user information. SWS creates a secured virtual desktop for the user's work and intercepts the file and registry operations of all applications running on that desktop. All sensitive data stored on the user's machine is encrypted, and is deleted when the session ends.

FIG. 2A is a block diagram illustrating the components of the SWS 200 of the present invention. The secure workspace (or secured desktop environment) comprises main application(s) 210, secure workspace hook(s) 220, hooks engine 225, and secure workspace manager 227. The secure workspace manager 227 is the central module for configuring and controlling the SWS. The manager 227 creates a new "secure" user profile and secure desktop and initializes them according to a secure workspace policy. The policy (the cpsws.xml file) defines the SWS look (e.g., start menu, shortcuts, and the like) as well as the list of applications permitted on the secure workspace and the security settings for each of them (e.g., access rights to folders, Windows NT kernel objects, and the like). The workspace also includes special displayable indicators, such as a distinctive desktop wallpaper, that appear when the user switches to the secure workspace, giving visual feedback about whether the system is in secure mode.

During operation, the manager 227 starts a normal Windows shell (e.g., explorer.exe) with the hooks engine (cpsws.dll) injected into it. The hooks engine 225 hooks the "process creation" routines and so injects itself automatically into every newly created process; in this way each application 210 on the secure desktop receives a workspace hook 220. In the Microsoft Windows environment, the injected DLL hooks API invocations by overwriting the entry points of the hooked NTDLL routines with JMP instructions that transfer control to code inside cpsws.dll. As a result, all calls to the NTDLL API, whether made from Win32 DLLs or from the application itself (via the import table or GetProcAddress), are intercepted first by the SWS. The SWS 200 can thus control the interaction of each application with the underlying operating system 230 and information storage 240.

In the presently preferred embodiment, the hooks engine 225 monitors the following API functions:

ZwClose
ZwQueryObject
ZwQueryVolumeInformationFile
ZwSetVolumeInformationFile
ZwQueryQuotaInformationFile
ZwSetQuotaInformationFile
ZwDuplicateObject
ZwCreateFile
ZwOpenFile
ZwDeleteFile
ZwFlushBuffersFile
ZwCancelIoFile
ZwReadFile
ZwReadFileScatter
ZwWriteFile
ZwWriteFileGather
ZwLockFile
ZwUnlockFile
ZwQueryAttributesFile
ZwQueryFullAttributesFile
ZwQueryInformationFile
ZwSetInformationFile
ZwQueryDirectoryFile
ZwNotifyChangeDirectoryFile
ZwFsControlFile
ZwQueryEaFile
ZwSetEaFile
ZwCreateSection
ZwOpenSection
ZwQuerySection
ZwExtendSection
ZwMapViewOfSection
ZwUnmapViewOfSection
ZwAreMappedFilesTheSame
ZwCreateProcess
ZwOpenProcess
ZwTerminateProcess
ZwCreateMutant
ZwOpenMutant
ZwCreateSemaphore
ZwOpenSemaphore
ZwCreateEvent
ZwOpenEvent
CreateProcessW
CreateProcessA
WinExec
ExitWindowsEx
StartDocA
StartDocW
ZwCreateKey
ZwOpenKey
CoGetClassObject
CoLoadLibrary
CoCreateInstance
CoCreateInstanceEx
SetClipboardData
GetClipboardData

According to the policy (cpsws.xml), access to the various system resources may be allowed or denied. The hooks engine 225 allows applications started on the secure desktop to create files and registry keys within the secured user profile; these items are stored encrypted on the host file system and are deleted after the session ends.
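What "allowed or denied according to the policy" amounts to at the ntdll layer, as an added example written for this page (the patent does not disclose the schema of cpsws.xml, so the rule table, the directory names and the process names here are assumptions, not the product's policy): the hook for ZwCreateFile/ZwOpenFile receives an NT object name such as `\??\C:\...`, and the check must normalize that name before prefix-matching it against the policy, or a name containing `..` walks out of the secured profile while still matching its prefix.

```c
/* Added example: the allow/deny decision a hooks engine makes on every
 * intercepted file open. Not the patent's code; the rule table stands in for
 * a policy file whose format the patent does not disclose. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum { OP_READ = 1, OP_WRITE = 2 };
enum { DENY = 0, ALLOW = 1 };

typedef struct {
    const char *process;   /* upper-cased image name, or "*" for any */
    const char *prefix;    /* normalized DOS path prefix, trailing backslash */
    int rights;            /* OP_READ | OP_WRITE */
} rule_t;

/* Constructed policy (assumed): the secured profile is read/write for all
 * secured processes, Windows binaries are read-only, one application gets a
 * read-only extra folder, and everything else is denied by default. */
static const rule_t POLICY[] = {
    { "*",           "C:\\SECUREPROFILE\\", OP_READ | OP_WRITE },
    { "*",           "C:\\WINDOWS\\",       OP_READ },
    { "WINWORD.EXE", "C:\\TEMPLATES\\",     OP_READ },
};

/* Normalize a name as it arrives at the ntdll layer:
 *  - strip the "\??\" object-manager prefix,
 *  - upper-case (Windows paths are case-insensitive),
 *  - resolve "." and ".." so "C:\SECUREPROFILE\..\TEMP" cannot pass a prefix rule.
 * Returns 0 for malformed input or ".." climbing above the drive root. */
int normalize_path(const char *in, char *out, size_t outsz) {
    if (strncmp(in, "\\??\\", 4) == 0) in += 4;
    size_t n = strlen(in);
    if (n < 3 || n + 1 > outsz || in[1] != ':' || in[2] != '\\') return 0;
    size_t o = 0;
    out[o++] = (char)toupper((unsigned char)in[0]);
    out[o++] = ':';
    out[o++] = '\\';
    for (const char *p = in + 3; *p; ) {
        const char *q = p;
        while (*q && *q != '\\') q++;
        size_t len = (size_t)(q - p);
        if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (o <= 3) return 0;                 /* ".." above the root */
            o--;                                   /* drop trailing '\' */
            while (out[o - 1] != '\\') o--;        /* drop previous component */
        } else if (len > 0 && !(len == 1 && p[0] == '.')) {
            if (o + len + 1 >= outsz) return 0;
            for (size_t i = 0; i < len; i++)
                out[o++] = (char)toupper((unsigned char)p[i]);
            out[o++] = '\\';
        }
        p = *q ? q + 1 : q;
    }
    if (o > 3 && in[n - 1] != '\\') o--;   /* no trailing '\' unless input had one */
    out[o] = '\0';
    return 1;
}

/* Convenience wrapper returning a static buffer (NULL on failure). */
const char *normalize_static(const char *in) {
    static char buf[512];
    return normalize_path(in, buf, sizeof buf) ? buf : NULL;
}

/* The decision itself. Anything that fails normalization is denied: a hook
 * must fail closed, never pass an unparsed name through to ntdll. */
int policy_check(const char *process, const char *nt_path, int op) {
    char path[512], proc[64];
    size_t i;
    if (!normalize_path(nt_path, path, sizeof path)) return DENY;
    for (i = 0; process[i] && i + 1 < sizeof proc; i++)
        proc[i] = (char)toupper((unsigned char)process[i]);
    proc[i] = '\0';
    for (size_t r = 0; r < sizeof POLICY / sizeof POLICY[0]; r++) {
        const rule_t *rule = &POLICY[r];
        if (strcmp(rule->process, "*") != 0 && strcmp(rule->process, proc) != 0) continue;
        /* prefix ends in '\', so "C:\WINDOWSX\" cannot match "C:\WINDOWS\" */
        if (strncmp(path, rule->prefix, strlen(rule->prefix)) != 0) continue;
        if ((rule->rights & op) == op) return ALLOW;
    }
    return DENY;
}

int main(void) {
    const char *names[] = { "\\??\\C:\\SecureProfile\\notes.txt",
                            "\\??\\C:\\SecureProfile\\..\\Temp\\notes.txt",
                            "\\??\\C:\\Windows\\System32\\kernel32.dll" };
    for (size_t i = 0; i < 3; i++)
        printf("%-45s write:%s read:%s\n", names[i],
               policy_check("notepad.exe", names[i], OP_WRITE) ? "allow" : "deny",
               policy_check("notepad.exe", names[i], OP_READ) ? "allow" : "deny");
    return 0;
}
```

The default-deny ordering is the point: a hook that consults a policy and then forwards anything it could not classify has no policy at all. Real names seen at this layer also include volume GUID paths and `\Device\HarddiskVolumeN\...` forms, which a production engine must canonicalize before the same prefix match.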

FIG. 2B is a block diagram showing a lower-level view of the components of FIG. 2A. As shown, the cpsws.dll file is loaded into every secured process. While being loaded into the target process, it writes code stubs to (i.e., applies code patches to) every ntdll.dll export function of interest. These stub functions redirect, or dispatch, calls to cpsws.dll routines instead of the original ntdll functions.
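As an added illustration of the patching step just described (this is example code written for this page, not code from the patent or from cpsws.dll), the following C builds the 5-byte "JMP rel32" stub that replaces an export's entry point, saves the displaced bytes into a trampoline that jumps back past the patch (which is how the hook routine reaches the original function when the policy permits the call), and includes the check a defender uses to spot such a hook. It operates on a constructed byte array standing in for an ntdll.dll export, so it runs on any host; the addresses, the fake prologue and the module range are assumptions. On a real Windows process the patch additionally needs VirtualProtect to make the page writable and FlushInstructionCache afterwards, and the displaced bytes must be whole, position-independent instructions (x64 ntdll stubs begin with `mov r10, rcx; mov eax, N`, where a naive 5-byte copy would split the second instruction), which is why production hook engines use a length disassembler. Note also that a hook at this layer sees only calls that enter through the patched export; code that issues the system call instruction itself does not pass through it.

```c
/* Added example: inline "JMP rel32" hook of an exported function, as a
 * user-mode hooks engine applies it, plus the detection check.
 * Not the patent's code. Runs on a fake export held in a byte array. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define JMP_LEN 5               /* E9 xx xx xx xx */

/* Encode "JMP rel32" placed at address `from` that lands on `to`.
 * rel32 is relative to the end of the 5-byte instruction.
 * Returns 0 if the displacement does not fit in 32 bits (far x64 targets
 * need a different stub, e.g. "push imm32; ret" or "jmp [rip+0]"). */
int build_jmp(uintptr_t from, uintptr_t to, uint8_t out[JMP_LEN]) {
    int64_t rel = (int64_t)to - (int64_t)(from + JMP_LEN);
    if (rel > INT32_MAX || rel < INT32_MIN) return 0;
    int32_t r32 = (int32_t)rel;
    out[0] = 0xE9;
    memcpy(out + 1, &r32, 4);   /* little-endian, as x86/x64 expect */
    return 1;
}

/* Decode the target of a "JMP rel32" located at address `at`.
 * Returns 0 if the bytes are not such a jump. */
uintptr_t decode_jmp(const uint8_t *code, uintptr_t at) {
    if (code[0] != 0xE9) return 0;
    int32_t r32;
    memcpy(&r32, code + 1, 4);
    return (uintptr_t)((int64_t)(at + JMP_LEN) + r32);
}

typedef struct {
    uint8_t saved[JMP_LEN];            /* original bytes, for unhooking */
    uint8_t trampoline[JMP_LEN * 2];   /* displaced bytes + JMP back */
} hook_t;

/* Patch `func` (which lives at func_addr) so it jumps to hook_addr, and
 * build a trampoline (to be placed at tramp_addr) that runs the displaced
 * prologue and continues at func_addr + JMP_LEN. */
int install_hook(uint8_t *func, uintptr_t func_addr, uintptr_t hook_addr,
                 uintptr_t tramp_addr, hook_t *h) {
    uint8_t patch[JMP_LEN];
    memcpy(h->saved, func, JMP_LEN);
    memcpy(h->trampoline, func, JMP_LEN);
    if (!build_jmp(tramp_addr + JMP_LEN, func_addr + JMP_LEN,
                   h->trampoline + JMP_LEN))
        return 0;
    if (!build_jmp(func_addr, hook_addr, patch)) return 0;
    memcpy(func, patch, JMP_LEN);  /* on Windows: inside a VirtualProtect RW window */
    return 1;
}

/* Defender-side check: does the export start with a JMP whose target lies
 * outside the module that owns it? That is the signature of this hook. */
int is_inline_hooked(const uint8_t *func, uintptr_t func_addr,
                     uintptr_t mod_lo, uintptr_t mod_hi) {
    uintptr_t target = decode_jmp(func, func_addr);
    return target != 0 && (target < mod_lo || target >= mod_hi);
}

/* Constructed scenario: a fake 32-bit export whose first 5 bytes are whole,
 * position-independent instructions (push ebp; mov ebp,esp; push esi; push edi)
 * and therefore safe to displace as-is. Returns 1 if every round trip holds. */
int self_check(void) {
    static const uint8_t prologue[8] = {0x55, 0x8B, 0xEC, 0x56, 0x57, 0x90, 0x90, 0xC3};
    uint8_t export_code[8];
    hook_t h;
    const uintptr_t func_addr = 0x77F00100u;   /* assumed: inside fake ntdll */
    const uintptr_t mod_lo = 0x77F00000u, mod_hi = 0x77FA0000u;
    const uintptr_t hook_addr = 0x10001234u;   /* assumed: inside fake cpsws.dll */
    const uintptr_t tramp_addr = 0x00300000u;  /* assumed: executable heap page */

    memcpy(export_code, prologue, sizeof export_code);
    if (is_inline_hooked(export_code, func_addr, mod_lo, mod_hi)) return 0;
    if (!install_hook(export_code, func_addr, hook_addr, tramp_addr, &h)) return 0;
    if (decode_jmp(export_code, func_addr) != hook_addr) return 0;
    if (memcmp(h.saved, prologue, JMP_LEN) != 0) return 0;
    if (memcmp(h.trampoline, prologue, JMP_LEN) != 0) return 0;
    if (decode_jmp(h.trampoline + JMP_LEN, tramp_addr + JMP_LEN) != func_addr + JMP_LEN) return 0;
    if (!is_inline_hooked(export_code, func_addr, mod_lo, mod_hi)) return 0;
    memcpy(export_code, h.saved, JMP_LEN);            /* unhook */
    return memcmp(export_code, prologue, sizeof prologue) == 0;
}

int main(void) {
    printf("inline hook round trip: %s\n", self_check() ? "ok" : "FAILED");
    return self_check() ? 0 : 1;
}
```

The same `is_inline_hooked` comparison, run over every export of a loaded ntdll.dll against a clean copy from disk, is how endpoint tools enumerate user-mode hooks; a hooks engine that wants to survive that check has to hook earlier than the scanner loads or hide the patch, which is a different problem from the one the patent addresses.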

As the diagram shows, all in-process modules, including system modules such as kernel32.dll and shell32.dll (and even the main executable), communicate with the NT kernel through ntdll.dll. Hooking ntdll.dll therefore gives the maximum user-space control over all data flows between a secured application and the hardware persistent storage. Because cpsws.dll dispatches all file-related functions, including any used by the application itself, it can store all data to the target persistent storage in encrypted form and decrypt it again on read.

The cpsws.dll also controls the creation of out-of-process COM objects by hooking the specific ole32.dll functions used to create such objects: it intercepts the creation of out-of-process COM servers and creates them itself. SetClipboardData and GetClipboardData may also be hooked so that secured applications encrypt data copied to the clipboard. In the presently preferred embodiment, additional kernel32.dll and shell32.dll functions are hooked to provide higher-level control of file operations and process creation. The SWS can display alert messages to the user about rejected operations, such as a denied program start-up, a denied attempt to save a file to an unsecured location, and so forth.
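The encrypt-on-write/decrypt-on-read described above for file data (and, via the clipboard hooks, for clipboard data) has one property a hook author must get right, and the following added C example (written for this page, not the patent's code) shows it: applications issue ZwWriteFile and ZwReadFile at arbitrary offsets and lengths, so the keystream for byte i of a file must be derivable from (key, per-file nonce, i) alone, which is counter (CTR) mode. The block function `keystream_block` is an assumed stand-in for a real block cipher (in practice AES-CTR, or better an authenticated mode, from a vetted library) so that the example runs offline; it is not a cipher and must not be used as one. The example also demonstrates the classic CTR failure mode: reusing a (key, nonce) pair across two files leaks the XOR of their plaintexts.

```c
/* Added example: seekable (counter-mode) encryption for hooked file I/O.
 * Not the patent's code. keystream_block() is a STAND-IN for E_k(nonce||ctr),
 * used only so the structure is runnable without a crypto library. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define BLOCK 16                       /* keystream block size, like AES */

typedef struct {
    uint64_t key[2];                   /* assumed 128-bit key */
    uint64_t nonce;                    /* per-file nonce, unique under this key */
} file_key_t;

/* Stand-in for a block cipher applied to (nonce || counter). Deterministic
 * keyed ARX mixing only; NOT secure, replace with AES in a real hook. */
static void keystream_block(const file_key_t *k, uint64_t counter, uint8_t out[BLOCK]) {
    uint64_t a = k->key[0] ^ k->nonce;
    uint64_t b = k->key[1] ^ (counter * 0x9E3779B97F4A7C15ULL);
    for (int r = 0; r < 6; r++) {
        a += b; b = ((b << 13) | (b >> 51)) ^ a;
        a = (a << 32) | (a >> 32);
        a += b; b = ((b << 17) | (b >> 47)) ^ a;
    }
    memcpy(out, &a, 8);
    memcpy(out + 8, &b, 8);
}

/* XOR buf[0..len) with the keystream that starts at absolute file offset
 * `off`. Block index = off/BLOCK, so any (offset,len) window can be processed
 * independently; encryption and decryption are the same call. */
void ctr_xor(const file_key_t *k, uint64_t off, uint8_t *buf, size_t len) {
    uint8_t ks[BLOCK];
    size_t i = 0;
    while (i < len) {
        size_t in_block = (size_t)((off + i) % BLOCK);
        keystream_block(k, (off + i) / BLOCK, ks);
        while (in_block < BLOCK && i < len) buf[i++] ^= ks[in_block++];
    }
}

/* Simulated backing file: `data` is what actually reaches disk. */
typedef struct { uint8_t data[4096]; uint64_t size; file_key_t key; } secure_file_t;

/* What the ZwWriteFile hook does: encrypt the caller's buffer at its offset. */
int hooked_write(secure_file_t *f, uint64_t off, const void *plain, size_t len) {
    if (off + len > sizeof f->data) return 0;
    memcpy(f->data + off, plain, len);
    ctr_xor(&f->key, off, f->data + off, len);
    if (off + len > f->size) f->size = off + len;
    return 1;
}

/* What the ZwReadFile hook does: decrypt only the window the caller asked for. */
int hooked_read(secure_file_t *f, uint64_t off, void *out, size_t len) {
    if (off + len > f->size) return 0;
    memcpy(out, f->data + off, len);
    ctr_xor(&f->key, off, out, len);
    return 1;
}

/* Constructed scenario: a write at offset 0, a second write that straddles a
 * block boundary, then an unaligned partial read across that boundary. */
int round_trip_ok(void) {
    static const file_key_t key = {{0x0123456789ABCDEFULL, 0xFEDCBA9876543210ULL}, 0x1122334455667788ULL};
    secure_file_t f = {{0}, 0, key};
    uint8_t got[8];
    if (!hooked_write(&f, 0, "hello secure workspace", 22)) return 0;
    if (!hooked_write(&f, 1020, "PATCHED!", 8)) return 0;       /* spans 1020..1027 */
    if (memcmp(f.data + 1020, "PATCHED!", 8) == 0) return 0;     /* disk must not show plaintext */
    if (!hooked_read(&f, 1022, got, 4)) return 0;                /* unaligned window */
    if (memcmp(got, "TCHE", 4) != 0) return 0;
    if (hooked_read(&f, 1024, got, 8)) return 0;                 /* past EOF: refused */
    return 1;
}

/* The CTR caveat: same key+nonce for two files => c1 ^ c2 == p1 ^ p2. */
int nonce_reuse_leaks(void) {
    static const file_key_t key = {{1, 2}, 3};
    uint8_t c1[4] = {'A', 'B', 'C', 'D'}, c2[4] = {'W', 'X', 'Y', 'Z'};
    ctr_xor(&key, 0, c1, 4);
    ctr_xor(&key, 0, c2, 4);
    for (int i = 0; i < 4; i++)
        if ((c1[i] ^ c2[i]) != ("ABCD"[i] ^ "WXYZ"[i])) return 0;
    return 1;
}

int main(void) {
    printf("round trip: %s, nonce reuse leaks: %s\n",
           round_trip_ok() ? "ok" : "FAILED", nonce_reuse_leaks() ? "yes" : "no");
    return 0;
}
```

Two consequences for a design like the one described: the per-file nonce has to be stored alongside the file (or derived from a stable per-file identity) so that ZwReadFile in a later process can regenerate the same keystream, and CTR alone gives confidentiality but no integrity, so an attacker who can write to the encrypted profile can flip chosen plaintext bits without knowing the key; the session clean-up described in the text limits the window for that, but an authenticated mode closes it.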

Initializing Secure Desktop/Workspace

FIGS. 3A-B comprise a single high-level flowchart illustrating a method 300 for creating a secure desktop/workspace in accordance with the present invention. At step 301, the secure workspace manager 227 (cpsws.exe) is launched with the following parameters:

“/url=<main_page_url>: after the secured desktop starts, this URL is displayed in the default browser.

“/cookie=<server;cookiename=cookievalue>: a secured cookie that is embedded in each HTTP(S) request to the specified server.

“/shell=<shell_id>

“At step 302 the policy file (cpsws.xml) is loaded. At step 303 the secure workspace manager (cpsws.exe) creates a pipe server that listens for and answers requests from injected applications. The pipe server authenticates client connections with a secure cookie, so only processes that were started with the SWS DLL injected can use the pipe. At step 304 the hooks engine 225 (cpsws.dll) is loaded into the SWS manager itself, a step referred to as “self-injection”. The hooks engine (cpsws.dll) hooks all required APIs (on Windows: ntdll.dll, kernel32.dll, user32.dll and the like) and injects itself into any child process created from an already-injected process, as illustrated in step 305.

“At step 306 the method creates a virtual user profile according to the policy, as follows:

“At step 307 the method creates a virtual desktop, e.g. via the Windows CreateDesktop() API. At step 308 it creates and initializes a security descriptor with an empty discretionary access control list (DACL) and assigns it to the new desktop. An empty DACL (as opposed to a NULL DACL, which grants everyone full access) grants no access to anyone, so other applications cannot open the secure desktop to install input hooks on it or start on it. At step 309 any additional initialization is performed (e.g. retrieving the current wallpaper). At step 310 the machine's shell (e.g. explorer.exe) is started on the newly created virtual desktop with the hooks engine (cpsws.dll) injected into it, so that the system of the invention controls the applications running on the virtual desktop. If all previous operations succeeded, method 300 switches the machine's interactive session to the newly created desktop.

“API hooks”

“(a) API Hooks Initialization (dll)”

“During processing of the DLL's DllMain function (the optional entry point of a Windows dynamic link library, DLL), the hooks engine cpsws.dll hooks a list of functions in ntdll.dll, kernel32.dll and ole32.dll (the operating system's application programming interface, or API, modules). It then waits for the parent process to write a secure cookie into its memory (e.g. using WriteProcessMemory). This cookie lets the SWS distinguish pipe clients. (Code run inside DllMain executes under the loader lock, so blocking there on another process must be done with care.)

“(b) API Hooks Process (dll).”

“API hook processing proceeds as follows. Each thread created by the secured application is moved to the secure desktop; the hooks engine (cpsws.dll) obtains the desktop handle in its DLL thread-attach logic (i.e. when DllMain is called with the DLL_THREAD_ATTACH flag). The hooked process-creation function injects cpsws.dll when a new process starts. Once the new process exists, the hooks engine (cpsws.dll) writes a secure token into its memory, which the child process uses to authenticate itself to the pipe server.

“File functions are intercepted to virtualize and encrypt the file system as follows. When an application asks the system to create a file, the hooks engine (cpsws.dll) checks the requested path against the policy. If the request is allowed, the secure workspace manager (cpsws.exe) generates a random string that stands in for the requested file name, and the file is physically created under that secured name.

“On a write operation the hooks engine (cpsws.dll) checks whether the policy file gives the user the right to modify files in the target directory. If so, the SWS encrypts the data and writes it to the secured file. The file also carries housekeeping information such as the encryption algorithm ID and the plaintext size (needed for algorithms that encrypt fixed-length blocks, since the last block is padded). The hooks engine (cpsws.dll) uses this additional data internally; it is never visible to the application.

“On a read operation the hooks engine (cpsws.dll) reads the file header and then the corresponding portion of the file data (which may be larger than the requested amount because of block encryption), decrypts it and returns the plaintext to the requester. On a file-listing request the hooks engine (cpsws.dll) verifies that the user has the right to list the directory; if so, the SWS reads the headers of the files in it and returns each file's real name and size (which, recall, are recorded in a field of the file header).
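A policy check of the kind the hooks engine applies before creating, writing or listing a file, as an added example that is not the patent's own code. The in-memory rule table stands in for cpsws.xml and its prefixes are constructed. The point it makes is that the path must be canonicalized (case folded, separators unified, `.` and `..` collapsed, `\\?\` and UNC forms refused) before it is compared with the policy; otherwise a request for `C:\SecureProfile\..\Windows\...` walks out of the secured profile.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_P 512

enum { OP_READ = 1, OP_WRITE = 2, OP_LIST = 4 };

struct rule { const char *prefix; int ops; };   /* prefix is in canonical form, ends in '\' */

/* constructed policy: the secured profile is fully usable, Windows is read/list only */
static const struct rule POLICY[] = {
    { "c:\\secureprofile\\", OP_READ | OP_WRITE | OP_LIST },
    { "c:\\windows\\",       OP_READ | OP_LIST },
};

/* Canonicalize a Win32 path: lower-case (ASCII only), '/' -> '\', collapse
 * "." and ".." segments.  Returns 1 on success, 0 for forms this checker
 * refuses to reason about: relative paths, \\?\ and UNC prefixes, overlong
 * input.  Refusal maps to "deny" in the caller. */
int canonicalize(const char *in, char *out, size_t outsz)
{
    char tmp[MAX_P];
    size_t n = strlen(in);
    if (n >= sizeof tmp || n < 3 || outsz < 4)
        return 0;
    /* require "X:\" or "X:/" so that \\server\share and \\?\ never match a rule */
    if (!isalpha((unsigned char)in[0]) || in[1] != ':' || (in[2] != '\\' && in[2] != '/'))
        return 0;
    for (size_t i = 0; i <= n; i++) {
        char c = in[i];
        tmp[i] = (c == '/') ? '\\' : (char)tolower((unsigned char)c);
    }

    size_t len = 0;
    out[len++] = tmp[0];
    out[len++] = ':';
    size_t seg_start[MAX_P];             /* offset of the '\' that opened each segment */
    int depth = 0;
    const char *p = tmp + 3;             /* first byte after "c:\" */
    for (;;) {
        const char *q = strchr(p, '\\');
        size_t sl = q ? (size_t)(q - p) : strlen(p);
        if (sl == 0 || (sl == 1 && p[0] == '.')) {
            /* empty segment ("\\" or trailing '\') or "." : nothing to add */
        } else if (sl == 2 && p[0] == '.' && p[1] == '.') {
            if (depth > 0)                /* ".." above the root stays at the root */
                len = seg_start[--depth];
        } else {
            if (len + 1 + sl + 1 > outsz)
                return 0;
            seg_start[depth++] = len;
            out[len++] = '\\';
            memcpy(out + len, p, sl);
            len += sl;
        }
        if (!q)
            break;
        p = q + 1;
    }
    if (len == 2)                         /* bare drive: keep it as "c:\" */
        out[len++] = '\\';
    out[len] = '\0';
    return 1;
}

/* path is under prefix if it starts with it, or names the directory itself */
static int under_prefix(const char *path, const char *prefix)
{
    size_t pl = strlen(prefix);
    if (strncmp(path, prefix, pl) == 0)
        return 1;
    return strlen(path) == pl - 1 && strncmp(path, prefix, pl - 1) == 0;
}

/* Returns 1 if the policy permits every bit of `op` on `path`, else 0 (deny by default). */
int policy_allows(const char *path, int op)
{
    char canon[MAX_P];
    if (!canonicalize(path, canon, sizeof canon))
        return 0;
    for (size_t i = 0; i < sizeof POLICY / sizeof POLICY[0]; i++)
        if (under_prefix(canon, POLICY[i].prefix) && (POLICY[i].ops & op) == op)
            return 1;
    return 0;
}

int main(void)
{
    const char *req = "C:\\SecureProfile\\..\\Windows\\system32\\drivers\\etc\\hosts";
    char canon[MAX_P];
    canonicalize(req, canon, sizeof canon);
    printf("%s\n -> %s\n write allowed: %d, read allowed: %d\n", req, canon,
           policy_allows(req, OP_WRITE), policy_allows(req, OP_READ));
    return 0;
}
```

Case folding here is ASCII only, whereas NTFS folds per its own upcase table, and 8.3 short names (`SECURE~1`), alternate data streams (`file.txt:stream`), junctions and symbolic links all give a second spelling of the same object; a hook engine enforcing such a policy has to resolve or refuse those forms as well, and, as above, treat anything it cannot canonicalize as denied.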

“When an application creates a memory-mapped section of a file, the SWS creates a corresponding in-memory section and keeps track of the file's size. It decrypts the file's contents into that section and hands the caller (the application) a handle to it. An application may give the section a name; the hooks engine (cpsws.dll) can rename it so that separate sections exist on the secure desktop and on the default desktop, with the desired behaviour specified in the policy file (cpsws.xml). The SWS services the mapping by calling the usual ReadFile and WriteFile functions. When the application closes the section, the data held in it are flushed to the corresponding file.

“De-Initialization the Secure Desktop/Workspace”

“The SWS of this invention shuts down when properly requested to do so. It asks all active applications to terminate and then deletes all secured data from local storage, so that no information leaks after the session. The de-initialization steps are described in detail below.

“Security Analysis”

“The prevention and detection of information leaks by the SWS will be addressed now.”

“System Swap File.”

“The OS may page memory of secure-desktop applications out to the global swap file. The current preferred embodiment does not address this, but it can be addressed by other changes: the swap file may be placed on a volume protected by OS-supported volume encryption, such as the full-volume encryption of Microsoft Windows Vista; in deployments with large amounts of physical RAM, the amount of data paged to disk by the virtual memory manager (VMM) may be insignificant; and the SWS could replace the OS's native swap file with an encrypted one, as those skilled in the art know.

“Registry Keys”

“In the preferred embodiment the SWS does not encrypt registry entries created by secure-desktop applications; they are deleted when the session ends. If a session terminates unexpectedly, however, sensitive data may remain in the current user's registry hive (ntuser.dat). This can be addressed by encrypting registry items in the same way as files.

“Analyzing secure user profiles”

“For files created on the secure desktop, both content and names are encrypted on the host system. However, the encryption/decryption key is held in memory (and so is subject to being swapped out via the swap file), and the directory structure is potentially visible outside the secure desktop. Using electronic codebook (ECB) mode has the drawback that identical plaintext blocks encrypt to identical ciphertext blocks, so data patterns are not hidden. This is addressed by cipher block chaining (CBC) mode: each plaintext block is XORed with the previous ciphertext block before it is encrypted, so each ciphertext block depends on all preceding plaintext blocks. (CBC needs a distinct, unpredictable IV per file, stored with the file header, and, like ECB, provides confidentiality only; modification of the ciphertext must be detected separately.) A fully virtual file system that does not mirror the host computer's real file system provides additional protection.
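ECB versus CBC on the file data, as an added example that is not the patent's code. A deliberately toy 8-byte block cipher (XOR with a constructed key, then a one-byte rotation) stands in for the real algorithm so that the effect of the mode is visible and checkable; it is not secure and is only there to make the two modes comparable. The key, IV and plaintext are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLK 8

static const uint8_t KEY[BLK] = {1, 2, 3, 4, 5, 6, 7, 8};   /* constructed toy key */

/* Toy block cipher: XOR with the key, then rotate the bytes left by one.
 * A bijection on 8-byte blocks, nothing more; NOT a real cipher. */
static void toy_encrypt_block(const uint8_t in[BLK], uint8_t out[BLK])
{
    uint8_t t[BLK];
    for (int i = 0; i < BLK; i++) t[i] = in[i] ^ KEY[i];
    for (int i = 0; i < BLK; i++) out[i] = t[(i + 1) % BLK];
}

static void toy_decrypt_block(const uint8_t in[BLK], uint8_t out[BLK])
{
    uint8_t t[BLK];
    for (int i = 0; i < BLK; i++) t[(i + 1) % BLK] = in[i];    /* undo the rotation */
    for (int i = 0; i < BLK; i++) out[i] = t[i] ^ KEY[i];
}

/* ECB: each block is encrypted on its own, so equal plaintext blocks give
 * equal ciphertext blocks and the layout of the plaintext shows through. */
void ecb_encrypt(const uint8_t *pt, uint8_t *ct, size_t nblocks)
{
    for (size_t b = 0; b < nblocks; b++)
        toy_encrypt_block(pt + b * BLK, ct + b * BLK);
}

/* CBC: each plaintext block is XORed with the previous ciphertext block
 * (the IV for the first) before encryption, so every ciphertext block
 * depends on everything before it. */
void cbc_encrypt(const uint8_t iv[BLK], const uint8_t *pt, uint8_t *ct, size_t nblocks)
{
    uint8_t prev[BLK], x[BLK];
    memcpy(prev, iv, BLK);
    for (size_t b = 0; b < nblocks; b++) {
        for (int i = 0; i < BLK; i++) x[i] = pt[b * BLK + i] ^ prev[i];
        toy_encrypt_block(x, ct + b * BLK);
        memcpy(prev, ct + b * BLK, BLK);
    }
}

void cbc_decrypt(const uint8_t iv[BLK], const uint8_t *ct, uint8_t *pt, size_t nblocks)
{
    uint8_t prev[BLK], x[BLK];
    memcpy(prev, iv, BLK);
    for (size_t b = 0; b < nblocks; b++) {
        toy_decrypt_block(ct + b * BLK, x);
        for (int i = 0; i < BLK; i++) pt[b * BLK + i] = x[i] ^ prev[i];
        memcpy(prev, ct + b * BLK, BLK);
    }
}

/* Pattern-leakage metric: how many ciphertext blocks repeat an earlier block. */
size_t count_repeated_blocks(const uint8_t *ct, size_t nblocks)
{
    size_t reps = 0;
    for (size_t i = 1; i < nblocks; i++)
        for (size_t j = 0; j < i; j++)
            if (memcmp(ct + i * BLK, ct + j * BLK, BLK) == 0) { reps++; break; }
    return reps;
}

static void dump(const char *label, const uint8_t *buf, size_t nblocks)
{
    printf("%s", label);
    for (size_t b = 0; b < nblocks; b++) {
        printf(" |");
        for (int i = 0; i < BLK; i++) printf(" %02X", buf[b * BLK + i]);
    }
    printf("\n");
}

int main(void)
{
    uint8_t pt[4 * BLK], ecb[4 * BLK], cbc[4 * BLK];
    const uint8_t iv[BLK] = {0x10, 0x20, 0x30, 0x40, 0x50, 0x60, 0x70, 0x80};  /* constructed */
    memset(pt, 'A', sizeof pt);            /* four identical plaintext blocks */
    ecb_encrypt(pt, ecb, 4);
    cbc_encrypt(iv, pt, cbc, 4);
    dump("ECB:", ecb, 4);
    dump("CBC:", cbc, 4);
    printf("repeated blocks: ECB %zu, CBC %zu\n",
           count_repeated_blocks(ecb, 4), count_repeated_blocks(cbc, 4));
    return 0;
}
```

With four identical plaintext blocks, ECB produces four identical ciphertext blocks (three repeats) while CBC produces four distinct ones. The IV has to be fresh and unpredictable for every file and stored next to the algorithm ID in the file header so the reader can reproduce the chain, and since neither mode detects tampering, an integrity tag over the ciphertext is needed wherever modified files must be noticed.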

“Leaks through Non-Controlled API”

“Applications running on the secure desktop can pass sensitive data through uncontrolled APIs to unsecured applications on the default desktop (e.g. non-hooked out-of-process COM servers started by the system's SVCHOST.EXE). This is addressed by hooking every API call that can exchange sensitive data and by refusing to start, on the secure desktop, applications that could leak information.

“Detailed Internal Operation”

“The following describes method steps and program logic that may be implemented as processor-executable instructions for controlling the operation of a device under processor control. The instructions may be stored on a computer-readable medium such as a CD, DVD or flash memory, or provided as a downloadable set of instructions installed from an Internet location (e.g. a Web server).

“Additional DLL Loader”

“The present invention provides an additional DLL loader that starts a new process with an extra DLL forcibly loaded into its address space. This is done by creating the new process suspended, allocating a small region in its address space and writing into it code that loads the required DLL and then jumps to the process's original entry point. The context of the created thread is changed so that its instruction pointer register (e.g. the EIP register on Intel x86) points at the newly written code, and the thread is resumed. The thread first executes the loader code, which loads the DLL into the process, and then continues normal execution of the executable. This may be done as illustrated by the following pseudocode:

```c
typedef struct DLL_LOADER {
    unsigned char LoaderCode[LOADER_CODE_SIZE];   /* push / call / jmp stub */
    char          DllPathName[MAX_PATH];          /* argument passed to LoadLibrary */
} DLL_LOADER, *PDLL_LOADER;

/* Append one instruction (opcode bytes from a table) plus a 4-byte operand. */
void
AddAsmInstruction(PBYTE &pTemp, int InstructionId, int InstructionOperand)
{
    memcpy(pTemp, asm_instruction_code_table[InstructionId],
           asm_instruction_code_size[InstructionId]);
    pTemp += asm_instruction_code_size[InstructionId];
    memcpy(pTemp, &InstructionOperand, sizeof(int));
    pTemp += sizeof(int);
}

void
StartProcessWithDll(LPCTSTR pszProcessImage, LPCTSTR pszDllPathName)
{
    STARTUPINFO si = { sizeof(si) };
    PROCESS_INFORMATION pi;
    CreateProcess(pszProcessImage, pszProcessImage, NULL, NULL, FALSE,
                  CREATE_SUSPENDED, NULL, NULL, &si, &pi);

    CONTEXT context;
    context.ContextFlags = CONTEXT_CONTROL;           /* needed to read and set Eip */
    GetThreadContext(pi.hThread, &context);

    PVOID pDllLoaderRemote = VirtualAllocEx(pi.hProcess, NULL, sizeof(DLL_LOADER),
                                            MEM_COMMIT | MEM_RESERVE,
                                            PAGE_EXECUTE_READWRITE);
    DLL_LOADER DllLoaderLocal;
    strcpy(DllLoaderLocal.DllPathName, pszDllPathName);
    PBYTE pTemp = (PBYTE)&DllLoaderLocal;
    /* push pointer to DllPathName (its address in the remote process) onto the stack */
    AddAsmInstruction(pTemp, ASM_PUSH,
                      (int)((PBYTE)pDllLoaderRemote + LOADER_CODE_SIZE));
    /* call LoadLibrary with the pushed parameter */
    AddAsmInstruction(pTemp, ASM_CALL, (int)&LoadLibrary);
    /* jmp to the original process code */
    AddAsmInstruction(pTemp, ASM_JMP, context.Eip);
    /* NB: the x86 E8/E9 call/jmp forms take an instruction-relative operand, so a
     * real implementation encodes these two operands relative to the stub's remote
     * address (or uses the FF 15 / FF 25 forms with an absolute address slot). */
    WriteProcessMemory(pi.hProcess, pDllLoaderRemote, &DllLoaderLocal,
                       sizeof(DllLoaderLocal), NULL);
    context.Eip = (DWORD)pDllLoaderRemote;
    SetThreadContext(pi.hThread, &context);           /* apply the modified context */
    ResumeThread(pi.hThread);
}
```

Summary for “System and methodology that provides secure work environment”


Consider VPNs, for example. VPN solutions exist that encrypt traffic between an endpoint and a corporate gateway, but they are easy to defeat on the endpoint itself, to which an attacker may have access before, during and after the session. An attacker can install keylogger software to record keystrokes and so steal the user name and password; analyze the web browser cache to learn which pages the user visited and recover other session data; and, after the session ends, examine files left on the machine, including those used by the operating system (e.g. Microsoft Windows), the profile stored in temporary folders, and files left behind by applications such as Microsoft Word, Microsoft Excel and Adobe Acrobat. The fundamental problem remains: how to create a secure environment on an untrusted endpoint such as a home computer or web kiosk.

“There have been attempts to solve this problem. Architecturally and technologically they fall into three categories, each discussed in turn below.

“Policy Enforcement”

“Virtual OS”

“A virtual OS (operating system) creates a more trusted operating system within an untrusted one. One common solution is a portable USB device carrying a pre-configured Linux OS: the machine boots Linux from the USB device, all session data and temporary files are saved on the device, and all required software (VPN client, e-mail client, spreadsheet application and so forth) is pre-configured on it.

“Secure Environment”

“This solution creates a secure environment at the level of an application or of the operating system. For instance, a plug-in for Internet Explorer (a so-called “BHO”, browser helper object) can encrypt all Internet Explorer session data, including cookies, cache and temporary files. When the protected browser is used, the session data of a user who accesses web pages or web applications is encrypted and cannot be read by an attacker.

“Each of the above attempts provides a real-world solution that raises serious barriers to attackers, and many commercial products use these concepts. Yet each can be bypassed or has serious drawbacks. Policy enforcement is an important measure at every endpoint, but it does not withstand targeted attacks: an attacker can take popular keylogger software and modify it so that anti-spyware and anti-virus products no longer detect it. Policy enforcement also has a major drawback in that it does not delete temporary session data, which an attacker can later analyze.

“The virtual OS solution is not user-friendly because it does not let users work with the applications they are used to (Internet Explorer, Microsoft Word, Microsoft Excel or Adobe Acrobat). It requires a substantial learning curve and can increase the troubleshooting and support load on IT departments. Its physical requirements are also a problem: some kiosks do not allow access to USB devices, let alone booting from them.

“Currently, all known secure-environment solutions can be bypassed easily or are designed to provide only limited protection (e.g. for specific applications, such as an Internet Explorer plug-in). A better solution is therefore sought.

“A system and method for creating a secure workspace environment are described. In one embodiment, a method for creating a secure workspace in an operating system lets users run applications in a secure manner. The method includes hooking certain functions of the operating system to gain control over information created during the operation of applications. A request to access the information is checked for compliance with the policy; if it complies, access to the decrypted version of the information is granted.

“Another embodiment of the invention provides a secure workspace that allows users to run applications in a secure manner. It includes: a computer under control of an operating system; a policy that configures the secured workspace; a module that intercepts certain functions of the operating system so that the secured workspace runs under that operating system and controls the information created while applications operate; an encryption module that protects that information from unauthorized access; and a decryption module that grants access to the information upon a request that complies with the policy.

“Another embodiment of the invention provides a secure desktop environment in which users run application software. It includes: a computer running under an operating system, with application software installed; a configurable policy that specifies permitted operations and governs access to information; and a hooks engine that intercepts particular calls to the operating system, giving the secure desktop environment control over the operation of the application software and over access to the information.

“In another embodiment, the present invention provides a method for protecting software programs running under the control of a computer operating system. The method includes: creating a configurable security policy specifying the operations that software programs are allowed to perform; patching specific files of the computer operating system so that interactions between software programs and the operating system can be monitored for compliance with the security policy; and controlling software program operations to prevent violations of the security policy.

“Another embodiment of the invention comprises: a configurable security policy specifying the operations that software programs are allowed to perform; means for patching specific files of the computer operating system so that interactions between software programs and the operating system can be monitored for compliance with the security policy; and means for controlling software program operations so that the security policy is not violated.

“In an alternative embodiment, a desktop environment that works with an existing operating system is described. It includes injectable program code that intercepts interactions between computer programs and the existing operating system, and a policy that specifies the behaviour computer programs are allowed; the desktop environment blocks any attempt by a computer program to violate the policy.

“BRIEF DESCRIPTION OF THE DRAWINGS”

“FIG.

“FIG.

“FIG. 2B is a block diagram showing a lower-level view of the components of FIG. 2A.”

“FIGS. 3A-B are a single high-level flowchart that illustrates a method for initializing the secure workspace/desktop of the present invention.

“FIG.

“Glossary”

“The following definitions are offered for purposes of illustration, not limitation, to assist with understanding the discussion that follows.

“Firewall”: A firewall is a set of related programs, typically located at a network gateway server, that protects the resources of a private network from users of other networks. Controlling what goes into and out of the private network, a firewall can be described both as a collection of programs and as the security policy those programs enforce. The firewall works closely with a router program to examine each network packet and decide whether to forward it toward its destination; it may also work with a proxy server that makes network requests on behalf of users. A firewall is usually installed on a specially designated computer separate from the rest of the network, so that no incoming request can reach private network resources directly.

“HTTP”: HTTP stands for HyperText Transport Protocol, the protocol used for communication on the World Wide Web. HTTP defines how messages are formatted and transmitted and what actions Web servers and browsers take in response to various commands. When a user enters a URL in a browser, the browser sends an HTTP command to the Web server directing it to fetch and transmit the requested Web page. Further details are in RFC 2616, “Hypertext Transfer Protocol - HTTP/1.1”, the disclosure of which is hereby incorporated by reference; RFC 2616 is available from the World Wide Web Consortium (W3C) via the Internet (e.g., currently at www.w3.org/Protocols/). Additional information about HTTP is available in the technical and trade literature; see, for example, Stallings, W., “The Backbone of the Web”, BYTE, October 1996, the disclosure of which is hereby incorporated by reference.

“Network”: A network is a group of two or more systems linked together. There are many kinds of computer networks, including local area networks (LANs), virtual private networks (VPNs), metropolitan area networks (MANs), campus area networks (CANs) and wide area networks (WANs), which include the Internet. As used herein, the term “network” refers to any group of computer systems or devices connected to one another, whether permanently or from time to time.

“Portal”: A portal provides an individualized or personalized view of multiple resources (e.g. Web sites) and services. Portals typically offer a single point of access (e.g. a browser page) to a variety of information and applications. They aggregate content from many sources (e.g. Web sites and applications) so that users can find information quickly without navigating to multiple Web sites, and they present information and services to users in a customized way by grouping and organizing them.

“TCP/IP”: TCP/IP stands for Transmission Control Protocol/Internet Protocol, the suite of communication protocols used to connect hosts on the Internet. TCP/IP uses several protocols, the two most important being TCP and IP. TCP/IP is built into the UNIX operating system and is used by the Internet, making it the de facto standard for transmitting data over networks. TCP/IP is described in RFC 1180, “A TCP/IP Tutorial”, the disclosure of which is hereby incorporated by reference; a copy of RFC 1180 is available via the Internet (e.g., currently at www.ietf.org/rfc/rfc1180.txt).”

“Thread”: A thread is a single sequential flow of control within a program. Multithreading is the ability of an operating system or program to run several threads concurrently. Some systems have a one-to-one relationship between a program and a task, whereas multithreaded systems allow a program to be broken into multiple tasks; a multithreaded program can have several threads running through different code paths at the same time.

“URL”: URL stands for Uniform Resource Locator, the global address of documents and other resources on the World Wide Web. The first part of the address indicates the protocol to use, and the second part specifies the IP address or domain name where the resource is located.

“Winsock”: Windows Sockets 2 (Winsock) is a Microsoft-provided interface that lets programmers create advanced Internet, intranet and other network-capable applications that transmit data across the wire independently of the underlying network protocol. Winsock gives programmers access to advanced Microsoft Windows networking capabilities such as multicasting and Quality of Service (QoS). Winsock follows the Windows Open System Architecture (WOSA) model: it defines a standard service provider interface (SPI) between the application programming interface (API), with its exported functions, and the protocol stacks. It uses the sockets paradigm first popularized by Berkeley Software Distribution (BSD) UNIX and later adapted for Windows in Windows Sockets 1.1, with which Windows Sockets 2 applications are backward compatible. Earlier Winsock programming was built around TCP/IP, and some practices that work with TCP/IP do not carry over to other protocols; the Windows Sockets 2 API adds functions to support multiple protocols. Further information about Winsock is available in Microsoft's “Winsock Reference”, the disclosure of which is hereby incorporated by reference; a copy of this documentation is available via the Internet (e.g., currently at msdn.microsoft.com/library/default.asp?url=/library/en-us/winsock/winsock/winsock_reference.asp).”

“XML”: XML stands for Extensible Markup Language, a specification developed by the World Wide Web Consortium (W3C). XML is a pared-down version of the Standard Generalized Markup Language (SGML), a system for organizing and tagging the elements of a document. XML is designed especially for Web documents: it lets designers create their own customized tags, enabling the definition, transmission, validation and interpretation of data between applications and between organizations. For further description of XML, see “Extensible Markup Language (XML) 1.0” (Oct. 6, 2000), a recommended specification from the W3C, the disclosure of which is hereby incorporated by reference; a copy of this specification is available via the Internet (e.g., currently at www.w3.org/TR/REC-xml).”

“Introduction”

“We will now describe exemplary embodiments according to the invention, as shown in the figures. This description will concentrate on the preferred embodiment of the invention. It is implemented in desktop or server software (e.g. driver, application, etc.) that runs in an Internet-connected environment and uses an operating system such as Microsoft Windows. However, the present invention is not limited to any specific application or environment. The system and methods of this invention can be beneficially implemented on a wide range of platforms including Macintosh and Linux. The following description is not intended to limit the scope of the exemplary embodiments. Block diagrams and flowcharts are used to describe the exemplary embodiments. The flowcharts show that each block represents both a method and an apparatus element. The implementation of the apparatus element can be done in hardware, software or firmware.

“Computer-based Implementation”

“Basic System Hardware and Software (e.g. for Desktop and Server Computers).”

“The invention may be implemented on a conventional or general-purpose computer system, such as an IBM-compatible personal computer (PC) or server computer. FIG. 1 is a block diagram of such a computer system (e.g. an IBM-compatible system) on which software-implemented processes of the present invention may be embodied. System 100 comprises a central processing unit (CPU) or processor 101, random-access memory (RAM) 102, read-only memory (ROM) 103, a display adapter 104 connected to a display device 105, a keyboard 106, a printer 107, a pointing device 108, a communication (COMM) port or interface 110, a network interface card (NIC) or controller 111 (e.g. Ethernet), a modem 112, removable (mass) storage 115 and fixed (mass) storage 116. Although not shown separately, a real-time system clock is included in system 100.

“CPU 101 comprises a processor of the Intel Pentium family of microprocessors; however, any other suitable processor may be used for implementing the present invention. The CPU 101 communicates with other components of the system via a bidirectional system bus (including any necessary input/output (I/O) controller circuitry and other “glue” logic). The bus, which includes address lines for addressing system memory, provides data transfer between and among the various components. A description of Pentium-class microprocessors and their instruction set, bus architecture and control lines is available from Intel Corporation of Santa Clara, Calif. Random-access memory 102 serves as the working memory for the CPU 101. In a typical configuration, RAM of sixty-four megabytes or more is employed; more or less memory may be used without departing from the scope of the present invention. The read-only memory (ROM) 103 contains the basic input/output system code (BIOS), a set of low-level routines in the ROM that application programs and the operating system can use to interact with the hardware, including reading characters from the keyboard, outputting characters to printers, and so forth.

“Mass storage devices 115 and 116 provide persistent storage on fixed and removable media, such as magnetic, optical or magneto-optical storage systems, flash memory or any other available mass storage technology. The mass storage may be shared on a network or may be dedicated mass storage. As shown in FIG. 1, fixed storage 116 is usually the system's main hard disk.

“In basic operation, program code, including that which implements the methodology of the present invention, is loaded from removable storage 115 or fixed storage 116 into main (RAM) memory 102 for execution by the CPU 101. During operation, the system 100 accepts user input from a keyboard 106 and pointing device 108, as well as speech-based input from a voice recognition system (not shown). The keyboard 106 permits selection of application programs, entry of keyboard-based input or data, and selection and manipulation of individual data objects displayed on the screen or display device 105. Likewise, the pointing device 108, such as a mouse, track ball, pen device or the like, permits selection and manipulation of objects on the display device. In this manner, these input devices support manual user input for any process running on the system.

“The computer system 100 displays text and/or graphic images and other data on the display device 105. The video adapter 104, which is interposed between the display 105 and the system's bus, drives the display device 105. The video adapter 104, which includes video memory accessible to the CPU 101, provides circuitry that converts pixel data stored in the video memory to a raster signal suitable for use by a cathode ray tube (CRT) raster or liquid crystal display (LCD) monitor. A hard copy of the displayed information, or other information within the system 100, may be obtained from the printer 107 or another output device. Printer 107 may include, for instance, an HP LaserJet printer (available from Hewlett-Packard of Palo Alto, Calif.) for creating hard copy images of output of the system.

The system communicates with other devices (e.g. other computers) using the network interface card 111. This card is connected to a network (e.g. Ethernet network, Bluetooth wireless network or the like) and/or modem 112. Examples of modem 112 are available from 3Com, Santa Clara, Calif. The system 100 may also communicate with local occasionally-connected devices (e.g., serial cable-linked devices) via the communication (COMM) interface 110, which may include a RS-232 serial port, a Universal Serial Bus (USB) interface, or the like. The interface 110 will be used to connect laptop computers, hand-held organizers, digital cameras and other devices.

IBM-compatible personal computers and server computers are available from a variety of vendors. Representative vendors include Dell Computers of Round Rock, Tex., Hewlett-Packard of Palo Alto, Calif., and IBM of Armonk. Apple-compatible computers (e.g. Macintosh) are available from Apple Computer of Cupertino, Calif., and Sun Solaris workstations from Sun Microsystems of Mountain View, Calif.

A software system is usually provided to control the operation of the computer system 100. The operating system (OS, or kernel) manages low-level aspects of computer operation, such as process execution and memory allocation, and is typically stored on fixed storage (e.g. hard disk) 116. The OS may be Microsoft Windows 9x, Microsoft Windows NT, Microsoft Windows 2000 or Microsoft Windows XP, or an alternative operating system such as those mentioned previously. The OS is typically used in conjunction with device drivers (e.g. the 'Winsock' driver, Windows' implementation of a TCP/IP stack) and the system BIOS microcode (i.e. ROM-based microcode) to interface with peripheral devices. One or more applications, such as client software or 'programs', may also be provided for execution by the computer system 100, each being a set of processor-executable instructions. The application(s) or other software intended for use on the computer system may be 'loaded' from the fixed storage 116, or downloaded from an Internet location (e.g. a Web server), into memory 102. A graphical user interface (GUI) is provided for receiving user commands and data in a graphical (e.g. 'point-and-click') fashion. These inputs may in turn be acted upon by the computer system in accordance with instructions from the OS and/or application(s). The results of operations of the OS and applications can also be displayed via the graphical user interface.

The above-described computer hardware and software are presented to illustrate the basic components of the server and desktop computers that can be used in implementing the present invention. The following description presents examples in which at least one computer communicates with another computer over a network, such as one or more 'clients' (e.g. desktop computers) communicating with one or more 'servers' (e.g. Web servers) over the Internet. The present invention, however, is not limited to any particular device or environment. The invention does not require a distinction between client and server, but that distinction is useful for providing a framework for discussion. The present invention can be used in any type of system architecture or environment that supports the methods of the invention described below.

Overview

In accordance with the present invention, a fully secure environment is provided within the framework of the user's usual operating system (the host OS, such as Microsoft Windows). To prevent unauthorized access, the main input/output (I/O) functions of the host OS are hooked or intercepted. All information, including session data, that applications save to disk is encrypted. This prevents malicious or unauthorized users from accessing data or information created in the secure environment.

This process is transparent to both users and applications. Applications believe they are using the usual OS functions and that their information is being stored in the usual locations. The user sees the secured environment as a virtual desktop, a 'Secured Desktop'. The user can switch between the secure and unsecure desktops using hotkeys or GUI elements. Because the present invention intercepts all OS functions invoked on the Secured Desktop, it can control all of them, and can therefore allow or deny any action by any application. This mechanism can be combined with a configurable security policy that specifies the behavior or actions that software programs are allowed to perform. It is possible, for example, to limit the applications that can run on the virtual desktop. The present invention can prevent non-compliant software (i.e. computer programs that violate the policy) from being launched, including malicious software (e.g. spyware and computer viruses) that could steal information or damage the system.

In the preferred embodiment, a Secure Workspace System (SWS) is provided, which creates a secure area for Web sessions with clear visual separation from other areas. The workspace protects session information during an active session and cleans up after the session ends. The workspace provides protection in user-space mode, without the need to develop device drivers; only guest user rights are required to use the Secure Workspace System. The workspace performs API hooking at the lowest possible level in user space (e.g. the native Windows NT API, NTDLL), so applications that use this layer directly cannot bypass the hooking mechanism.

System Components

The Secure Workspace System (SWS) works at the client application level and prevents unauthorized access to confidential user information. SWS creates a secure virtual desktop for the user and intercepts file and registry operations for all applications running on this desktop. All sensitive data stored on the user's machine is encrypted, and is deleted when the session ends.

The SWS 200 shown in the figure is a desktop environment or secure workspace that includes the main application 210, secure workspace hook(s) 220, hooks engine 225 and secure workspace manager 227. The secure workspace manager 227 is the central module for configuring and controlling the SWS. The manager 227 creates a new 'secure' user profile and a secure desktop, and then initializes them according to a secure workspace policy. The policy (the cpsws.xml file) defines the SWS look (e.g. start menu, shortcuts and the like), the list of applications permitted on the secure workspace, and the security settings for each such application (e.g. access rights for folders, WinNT kernel objects, etc.). Special displayable indicators, such as a distinctive desktop wallpaper, are shown when the user switches to the secure workspace, providing visual feedback about whether the system is in secure mode.

During operation, manager 227 starts a normal Windows shell (e.g. explorer.exe) with the hooks engine (cpsws.dll) injected into it. The hooks engine 225 hooks the 'process creation' routines and thereby injects itself automatically into any newly created process, so each application 210 on the secure desktop receives a workspace hook 220. In the Microsoft Windows environment, the injected DLL hooks API invocations by overwriting the entry points of the hooked NTDLL routines with JMP instructions that redirect them to code within cpsws.dll. The system can then be sure that every call to the NTDLL API, whether it comes through a Win32 DLL or directly from the application via GetProcAddress or the import table, is intercepted first by the SWS. In this manner the SWS 200 controls the interaction of each application with the underlying operating system 230 and information storage 240.

In the currently preferred embodiment, hooks engine 225 monitors the following API functions:

ZwClose
ZwQueryObject
ZwQueryVolumeInformationFile
ZwSetVolumeInformationFile
ZwQueryQuotaInformationFile
ZwSetQuotaInformationFile
ZwDuplicateObject
ZwCreateFile
ZwOpenFile
ZwDeleteFile
ZwFlushBuffersFile
ZwCancelIoFile
ZwReadFile
ZwReadFileScatter
ZwWriteFile
ZwWriteFileGather
ZwLockFile
ZwUnlockFile
ZwQueryAttributesFile
ZwQueryFullAttributesFile
ZwQueryInformationFile
ZwSetInformationFile
ZwQueryDirectoryFile
ZwNotifyChangeDirectoryFile
ZwFsControlFile
ZwQueryEaFile
ZwSetEaFile
ZwCreateSection
ZwOpenSection
ZwQuerySection
ZwExtendSection
ZwMapViewOfSection
ZwUnmapViewOfSection
ZwAreMappedFilesTheSame
ZwCreateProcess
ZwOpenProcess
ZwTerminateProcess
ZwCreateMutant
ZwOpenMutant
ZwCreateSemaphore
ZwOpenSemaphore
ZwCreateEvent
ZwOpenEvent
CreateProcessW
CreateProcessA
WinExec
ExitWindowsEx
StartDocA
StartDocW
ZwCreateKey
ZwOpenKey
CoGetClassObject
CoLoadLibrary
CoCreateInstance
CoCreateInstanceEx
SetClipboardData
GetClipboardData

According to the policy (cpsws.xml), access to various system resources can be allowed or denied. The hooks engine 225 allows applications started on the secure desktop to create files and registry keys within the secured user profile; these items are stored encrypted on the host file system and are deleted after the session ends.

FIGS. 2A-2B illustrate the hooking mechanism in further detail. As shown, the cpsws.dll file is loaded into all secured processes. While loading into the target process, it writes code stubs to (i.e. applies code patches to) every required ntdll.dll export function. These stubs redirect or dispatch function calls to cpsws.dll routines rather than to the original ntdll functions.

As shown in the diagram, all loaded in-process modules, including system modules such as kernel32.dll and shell32.dll and even the main executable, communicate with the NT kernel through ntdll.dll. Hooking ntdll.dll therefore gives maximum user-space control over all data flows between a secured application and persistent storage. cpsws.dll dispatches all file-related functions, including those used only indirectly by the application. It stores all data in encrypted form on the target persistent storage and decrypts it transparently when it is read back.
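The JMP-overwrite hooking described above is also what a defender looks for when checking a process for inline hooks: if the first instruction of an ntdll.dll export is an unconditional transfer whose target lies outside the module's own image, something has patched the entry point. The following is an added example, not code from the patent or from the SWS; it runs that check over constructed export bytes (the ntdll.dll base, image size, function addresses and the hook target are hypothetical), encoding the JMP rel32 and push/ret stub forms exactly as a scanner would read them from process memory.

```python
import struct

# Constructed scenario: an ntdll.dll image at a hypothetical base and size, and
# the first bytes of four of its exports as read from a running process. The
# hook target (0x10001000) stands in for a hooking DLL such as the cpsws.dll
# described in the patent; none of these addresses are real.
NTDLL_BASE = 0x77D00000
NTDLL_SIZE = 0x00170000
HOOK_DLL_TARGET = 0x10001000


def jmp_rel32(from_addr, to_addr):
    """Encode 'jmp rel32' (E9 xx xx xx xx) from from_addr to to_addr."""
    return b"\xE9" + struct.pack("<i", to_addr - (from_addr + 5))


def push_ret(to_addr):
    """Encode 'push imm32 ; ret' (68 xx xx xx xx C3), another common hook stub."""
    return b"\x68" + struct.pack("<I", to_addr) + b"\xC3"


# Unpatched system-call stub (constructed, x86 XP style):
# mov eax, imm32 ; mov edx, imm32 ; call [edx] ; ret 0x2C
CLEAN_STUB = b"\xB8\x52\x00\x00\x00\xBA\x00\x03\xFE\x7F\xFF\x12\xC2\x2C\x00"

# export name -> (export address, first bytes of its code)
SAMPLE_EXPORTS = {
    "ZwCreateFile": (0x77D11234, jmp_rel32(0x77D11234, HOOK_DLL_TARGET) + b"\x90" * 10),
    "ZwWriteFile": (0x77D11ABC, push_ret(HOOK_DLL_TARGET + 0x40) + b"\x90" * 9),
    # A jump that stays inside ntdll.dll (a legitimate tail call) is not a hook.
    "ZwClose": (0x77D10F00, jmp_rel32(0x77D10F00, 0x77D40000) + b"\x90" * 10),
    "ZwReadFile": (0x77D11300, CLEAN_STUB),
}


def hook_target(func_addr, code):
    """Return the transfer target if the export's first instruction is an
    unconditional jump of a kind used by inline hooks, otherwise None."""
    if len(code) >= 5 and code[0] == 0xE9:                      # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return (func_addr + 5 + rel) & 0xFFFFFFFF
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:  # push imm32 ; ret
        return struct.unpack_from("<I", code, 1)[0]
    return None


def find_inline_hooks(exports, module_base, module_size):
    """Map export name -> jump target for every export whose entry point
    transfers control outside its own module's image."""
    hooked = {}
    for name, (addr, code) in exports.items():
        target = hook_target(addr, code)
        if target is not None and not (module_base <= target < module_base + module_size):
            hooked[name] = target
    return hooked


if __name__ == "__main__":
    for name, target in sorted(find_inline_hooks(SAMPLE_EXPORTS, NTDLL_BASE, NTDLL_SIZE).items()):
        print(f"{name}: entry point redirected to {target:#010x}")
```

On a live system the same logic would be fed the export table and the first bytes of each export from the process, and a target outside every loaded module (or inside an unexpected one) is the indicator; a jump that stays within ntdll.dll is normal and is not reported.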

cpsws.dll also controls the creation of out-of-process COM objects by hooking the specific ole32.dll functions used to create such objects: it intercepts requests for out-of-process COM servers and creates the servers itself. SetClipboardData and GetClipboardData may also be hooked so that secure applications encrypt data copied to the clipboard. The preferred embodiment additionally hooks kernel32.dll and shell32.dll functions to handle higher-level file operations and process creation. The SWS can display alert messages to users about rejected operations, such as a denied program start-up, a denied attempt to save a file to an unsecured location, and so forth.

Initializing the Secure Desktop/Workspace

FIGS. 3A-B comprise a single high-level flowchart illustrating a method 300 for creating a secure desktop/workspace in accordance with the present invention. At step 301 the secure workspace manager 227 (cpsws.exe) is launched with the following parameters:

/url=<main_page_url>: after the secured desktop starts, this URL is displayed in the default browser.

/cookie=<server;cookiename=cookievalue>: a secured cookie that will be embedded in each HTTP(S) request to the specified server.

/shell=<shell_id>

At step 302 the policy file (cpsws.xml) is loaded. At step 303 the secure workspace manager (cpsws.exe) creates a pipe server that listens for and serves requests from injected applications. The pipe server uses secure cookies to authenticate client connections, so only processes that were started with the SWS's DLL can use this pipe. At step 304 the hooks engine 225 (cpsws.dll) is loaded into the SWS manager itself; this is known as 'self-injection'. The hooks engine (cpsws.dll) hooks all required APIs (for Windows: ntdll.dll, kernel32.dll, user32.dll and the like) and injects itself into any child process created from an already-injected process, as illustrated in step 305.

As shown in step 306, the method proceeds to create a virtual user profile (according to the policy). At step 307 the method creates a virtual desktop, e.g. via the Windows CreateDesktop() API function. At step 308 the method creates and initializes an empty Discretionary Access Control List (DACL) in a security descriptor and assigns it to the new desktop; this prevents any other application from installing or starting input hooks on the secure desktop. As indicated in step 309, any additional initialization can be done (e.g. getting the current wallpaper). At step 310 the machine's shell (e.g. explorer.exe) is started on the newly created virtual desktop, with the hooks engine (cpsws.dll) injected into the shell, so that the system of the invention can control the applications running on the virtual desktop. If all previous operations were successful, the method 300 switches the machine to the newly created desktop.

API Hooks

(a) API Hooks Initialization (dll)

During processing of the Windows DllMain function (i.e. the optional entry point of a Windows dynamic link library (DLL)), the hooks engine cpsws.dll hooks a list of functions of ntdll.dll, kernel32.dll and ole32.dll (i.e. the operating system application programming interface (API) executable files). It then waits for the parent process to write a secure cookie into its memory (e.g. using the WriteMemory API). This allows the present invention to distinguish pipe clients within the SWS.

(b) API Hooks Processing (dll)

API hook processing proceeds as follows. Each thread created by the secured application is moved to the secure desktop; the desktop handle is retrieved by the hooks engine (cpsws.dll) using the Windows DLL thread-attach logic (i.e. the DLL_THREAD_ATTACH notification in DllMain). The hooked 'process creation' function injects cpsws.dll whenever a new process starts. Once a new process has been created, the hooks engine (cpsws.dll) writes a secure token into its memory, which the child process uses to build its authorization password for the pipe server.

File functions are intercepted to enable virtualization and encryption of the file system, as follows. When an application asks the system to create a file, the hooks engine (cpsws.dll) checks the file path to determine whether the operation is permitted by the policy. If the request is granted, the secure workspace manager (cpsws.exe) generates a random string corresponding to the requested file name, and the file is physically created under that secure file name.
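A policy-driven path check of the kind described above stands or falls on path normalization: a request naming C:\Windows\System32\..\..\Users\alice\SecureWorkspace\x.txt, c:\USERS\alice\..., or the \\?\ device-path form has to be decided on the canonical path, not on the string the application handed over, or the rule it should hit is never consulted. The following is an added example, not the patent's code: the XML rule schema is invented for the example (the page does not describe the real cpsws.xml layout), the most-specific-rule-wins semantics are an assumption, and the profile path and requests are constructed.

```python
import ntpath
import xml.etree.ElementTree as ET

# Invented policy schema (the real cpsws.xml layout is not described on the page).
# A path ending in "\**" covers a whole subtree; the most specific matching rule
# wins; "default" applies when no rule matches.
SAMPLE_POLICY = """\
<policy>
  <secure_profile root="C:\\Users\\alice\\SecureWorkspace"/>
  <paths default="deny">
    <rule action="allow" path="C:\\Users\\alice\\SecureWorkspace\\**" rights="read,write,list"/>
    <rule action="allow" path="C:\\Windows\\**" rights="read,list"/>
    <rule action="deny"  path="C:\\Windows\\Temp\\**"/>
  </paths>
</policy>
"""


def canonical(path):
    """Canonical, case-folded NT path: strip the \\\\?\\ device prefix, collapse
    '.' and '..' components and mixed separators. Decisions are made on this
    form, never on the raw string the application passed in."""
    if path.startswith("\\\\?\\"):
        path = path[4:]
    return ntpath.normpath(path).casefold()


class PathPolicy:
    def __init__(self, xml_text):
        paths = ET.fromstring(xml_text).find("paths")
        self.default_allow = paths.get("default", "deny") == "allow"
        self.rules = []
        for rule in paths.findall("rule"):
            pattern = canonical(rule.get("path"))
            subtree = pattern.endswith("\\**")
            prefix = pattern[:-3] if subtree else pattern
            rights = {r for r in rule.get("rights", "").split(",") if r}
            self.rules.append((prefix, subtree, rule.get("action") == "allow", rights))

    def is_allowed(self, path, right):
        """True if the canonical path may be accessed with the given right."""
        p = canonical(path)
        best = None
        for prefix, subtree, allow, rights in self.rules:
            if p == prefix or (subtree and p.startswith(prefix + "\\")):
                if best is None or len(prefix) > len(best[0]):
                    best = (prefix, allow, rights)      # longest prefix is most specific
        if best is None:
            return self.default_allow
        _, allow, rights = best
        return allow and right in rights


if __name__ == "__main__":
    policy = PathPolicy(SAMPLE_POLICY)
    for req in [("C:\\Users\\alice\\SecureWorkspace\\report.docx", "write"),
                ("C:\\Windows\\System32\\..\\..\\Users\\alice\\SecureWorkspace\\a.txt", "list"),
                ("c:/USERS/alice/SecureWorkspace/../secret.txt", "read"),
                ("\\\\?\\C:\\Windows\\Temp\\x.tmp", "read"),
                ("C:\\Windows\\notepad.exe", "write")]:
        print(req, "->", "allow" if policy.is_allowed(*req) else "deny")
```

Two details carry the security weight: the deny rule for C:\Windows\Temp wins over the broader allow for C:\Windows because it is more specific, not because of its position in the file, and a relative path such as Reports\..\..\secret.txt never canonicalizes to anything under an allowed prefix, so it falls through to the default.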

On a write operation, the hooks engine (cpsws.dll) checks whether the user has the right to modify files in the target directory according to the policy file. If sufficient rights are present, the SWS encrypts the supplied data and writes it to the secure file. The file is also saved with additional housekeeping information, such as the encryption algorithm ID and the file size (recorded for encryption algorithms that operate on blocks of constant length). This additional data is used internally by the hooks engine (cpsws.dll) and is not visible to the application.

On a read operation, the hooks engine (cpsws.dll) reads the information from the file header and then reads the corresponding portion of data from the file (which can sometimes be larger than the requested portion due to block encryption). The file data is then decrypted and returned to the requester in decrypted form. A 'files listing' request is handled similarly: the hooks engine (cpsws.dll) verifies that the user has the right to list the directory; if so, the SWS reads the appropriate information from the file headers and returns each file's actual name and size (recall that these were written in a field within the file header).

When an application creates a memory-mapped section of a file, the SWS creates a corresponding in-memory section and keeps track of the file's size. The system decrypts the contents of the file into this section and gives the caller (the application) a handle to it. An application may specify a section name; the hooks engine (cpsws.dll) can modify that name so that separate sections are created on the secure and default desktops, with the desired behavior specified in the policy file (cpsws.xml). The SWS services memory-mapped file I/O through its usual ReadFile and WriteFile handling. When the application requests that the section be closed, the data stored in the section is flushed to the appropriate file.

De-Initialization of the Secure Desktop/Workspace

The SWS of this invention can be shut down when properly requested. It queries all active applications to terminate, then deletes all secure data from local storage, preventing information leaks. Detailed de-initialization steps are described below.

Security Analysis

The prevention and detection of information leaks by the SWS is addressed next.

System Swap File

The OS may save the memory pages of secure desktop applications to a global swap file. The currently preferred embodiment of the SWS does not address this problem, but it could be solved by other measures: the swap file may be covered by OS-supported volume encryption, such as Microsoft Windows Vista full-volume encryption; in deployments that have large amounts of physical memory (RAM), the data paged to disk by the virtual memory manager (VMM) may be insignificant; or the SWS could replace the OS's native swap file with an encrypted one, as those skilled in the art will appreciate.

Registry Keys

In the preferred embodiment, the SWS does not encrypt registry entries created by secure desktop applications; these entries are deleted after the session ends. It is possible, however, that sensitive data may be left in the current user's registry hive file (ntuser.dat) after an unexpected session termination. This issue can be solved by encrypting registry items in the same way as files.

Analyzing Secure User Profiles

The content and names of files created on the secure desktop are encrypted on the host system. However, the corresponding encryption/decryption key is held in memory (and is therefore subject to swapping via the swap file), and the directory structure is potentially visible outside the secure desktop. A further weakness of electronic codebook (ECB) mode is that identical plaintext blocks are encrypted to identical ciphertext blocks, so this mode does not hide data patterns. This issue can be solved by using cipher block chaining (CBC) mode, in which each block of plaintext is XORed with the previous ciphertext block before it is encrypted, so that each ciphertext block depends on all plaintext blocks that precede it. Additional protection is provided by using a fully virtual file system that does not correlate with the host computer's real file system.
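The secure-file layout from the "File functions" paragraphs (random on-disk name, a header carrying the algorithm ID, plaintext size and real name, a block-encrypted body, and reads that pull more from disk than was asked for) and the ECB versus CBC point made here are shown together in the following added example. It is not the patent's or the SWS's code: the 128-bit block cipher is a constructed four-round Feistel network over HMAC-SHA256, a stand-in for whatever cipher the SWS uses (the page does not name one), the header format and algorithm ID are invented for the example, and an in-memory dictionary stands in for the host file system. distinct_blocks makes the ECB leak visible: a file of repeated blocks yields repeated ciphertext blocks under ECB but not under CBC.

```python
import hashlib
import hmac
import os
import struct

BLOCK = 16
ALG_CBC = 1   # invented "encryption algorithm ID" recorded in the file header


# --- Constructed 128-bit block cipher: 4-round Feistel over HMAC-SHA256 ---
# A stand-in for the unnamed cipher used by the SWS; it is an invertible block
# permutation, which is all the mode-of-operation logic below relies on.
def _f(key, rnd, half):
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key, blk):
    left, right = blk[:8], blk[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right


def block_decrypt(key, blk):
    left, right = blk[:8], blk[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right


def _pad(data):                       # PKCS#7 padding to a whole number of blocks
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def ecb_encrypt(key, data):           # each block encrypted independently
    data = _pad(data)
    return b"".join(block_encrypt(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))


def cbc_encrypt(key, iv, data):       # each block XORed with the previous ciphertext block
    data, prev, out = _pad(data), iv, []
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def distinct_blocks(ct):
    return len({ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)})


# Invented header: magic, algorithm id, plaintext size, real-name length,
# followed by the real name and the CBC IV; then the encrypted body.
HDR = struct.Struct("<4sIQH")


class SecureStore:
    def __init__(self, key):
        self.key = key
        self.disk = {}   # secure name -> bytes; stands in for the host file system

    def create(self, name, data):
        iv, nm = os.urandom(BLOCK), name.encode("utf-8")
        secure_name = os.urandom(8).hex()   # random on-disk name; real name lives in the header
        self.disk[secure_name] = (HDR.pack(b"SWS1", ALG_CBC, len(data), len(nm)) + nm + iv
                                  + cbc_encrypt(self.key, iv, data))
        return secure_name

    def _parse(self, secure_name):
        raw = self.disk[secure_name]
        magic, alg, size, nlen = HDR.unpack_from(raw)
        if magic != b"SWS1" or alg != ALG_CBC:
            raise ValueError("unrecognised header")
        pos = HDR.size
        name = raw[pos:pos + nlen].decode("utf-8")
        iv = raw[pos + nlen:pos + nlen + BLOCK]
        return name, size, iv, raw[pos + nlen + BLOCK:]

    def read(self, secure_name, offset, length):
        _, size, iv, body = self._parse(secure_name)
        end = min(offset + length, size)
        if offset >= end:
            return b""
        first, last = offset // BLOCK, (end - 1) // BLOCK
        # CBC needs the previous ciphertext block (or the IV) to undo the chaining,
        # so the slice pulled from disk is larger than what the caller asked for.
        prev = iv if first == 0 else body[(first - 1) * BLOCK:first * BLOCK]
        plain = b""
        for i in range(first, last + 1):
            c = body[i * BLOCK:(i + 1) * BLOCK]
            plain += _xor(block_decrypt(self.key, c), prev)
            prev = c
        return plain[offset - first * BLOCK:end - first * BLOCK]

    def listing(self):
        """Real names and sizes from the headers; the directory itself shows only random names."""
        return {self._parse(s)[0]: self._parse(s)[1] for s in self.disk}
```

The read path is where the "larger than requested" remark from the read-operation paragraph comes from: to return bytes 700 to 768 the store must fetch whole blocks 43 to 47 plus block 42 as the chaining input, decrypt them all, and slice. The same store with ECB would need only the blocks covering the range, which is exactly the convenience that makes ECB leak the repeated-block pattern.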

Leaks through Non-Controlled APIs

Applications running on the secure desktop can send sensitive data via non-controlled APIs to non-secured applications on the default desktop (e.g. non-hooked out-of-process COM servers started by the main system SVCHOST.EXE). This problem can be solved by hooking all API calls that can exchange sensitive data, and by preventing applications that could leak information from being started on the secure desktop.

Detailed Internal Operation

The following description presents method steps/program logic that may be implemented using processor-executable instructions for directing the operation of a device under processor control. The processor-executable instructions may be stored on a computer-readable medium such as a CD, DVD or flash memory. The processor-executable instructions may also be stored as a set of downloadable instructions that can be downloaded and installed from an Internet location (e.g. a Web server).

Additional DLL Loader

The present invention provides an additional DLL loader that allows a new process to be started with an additional file forcibly loaded into its address space. This is accomplished by creating a new suspended process, allocating a small region in its memory space, and writing to it code that loads the required DLL and then jumps to the start of the process's original execution code. The context of the created thread is then changed so that the instruction pointer register of the processor (e.g. the Intel x86 Extended Instruction Pointer (EIP) register) points at the newly written code, and the thread is resumed. The process's thread now executes the code that loads the DLL into the process (space), and then continues normal processing of the executable's code. This can be done in the following manner (e.g. as illustrated by these pseudocode snippets):

typedef struct DLL_LOADER
{
    unsigned char LoaderCode[LOADER_CODE_SIZE];   // stub: push / call / jmp
    char DllPathName[MAX_PATH];                   // argument for LoadLibrary
} DLL_LOADER, *PDLL_LOADER;

void
AddAsmInstruction
(PBYTE &pTemp, int InstructionId, int InstructionOperand)
{
    // copy the opcode bytes for the instruction, then its 32-bit operand
    memcpy(pTemp, asm_instruction_code_table[InstructionId],
        asm_instruction_code_size[InstructionId]);
    pTemp += asm_instruction_code_size[InstructionId];
    memcpy(pTemp, &InstructionOperand, sizeof(int));
    pTemp += sizeof(int);
}

void
StartProcessWithDll
(LPTCSTR pszProcessImage, LPTCSTR pszDllPathName)
{
    STARTUPINFO si;
    PROCESS_INFORMATION pi;
    CreateProcess(pszProcessImage, pszProcessImage, NULL, NULL,
        FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi);
    CONTEXT context;
    GetThreadContext(pi.hThread, &context);
    PVOID pDllLoaderRemote = VirtualAllocEx(pi.hProcess, NULL,
        sizeof(DLL_LOADER), NEW_CODE,
        PAGE_EXECUTE_READWRITE);
    DLL_LOADER DllLoaderLocal;
    strcpy(DllLoaderLocal.DllPathName, pszDllPathName);
    PBYTE pTemp = (PBYTE)&DllLoaderLocal;
    AddAsmInstruction(pTemp, ASM_PUSH, pDllLoaderRemote +
        LOADER_CODE_SIZE);   // push pointer to DllPathName to stack
    AddAsmInstruction(pTemp, ASM_CALL, &LoadLibrary);   // call
                                                        // LoadLibrary with pushed parameter
    AddAsmInstruction(pTemp, ASM_JMP, context.eip);   // jmp to original
                                                      // process code
    WriteProcessMemory(pi.hProcess, pDllLoaderRemote,
        &DllLoaderLocal, sizeof(DllLoaderLocal), NULL);
    context.eip = pDllLoaderRemote;
    ResumeThread(pi.hThread);
}
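From the defender's side, the loader above leaves a recognisable sequence in any API or ETW-style trace: one process creates another with CREATE_SUSPENDED (0x4), allocates executable memory in the child, writes to it, replaces the thread context, and only then resumes the thread. The following is an added example and not part of the patent; it reconstructs that sequence from constructed trace lines in an invented time pid api key=value format and reports the (creator, child) pairs that complete it, while ignoring a suspended start that is never written to and an allocation made by an unrelated process.

```python
import re

CREATE_SUSPENDED = 0x00000004

# Constructed trace lines in an invented format: time, calling pid, API name,
# then key=value arguments (paths chosen without spaces for simplicity).
SAMPLE_TRACE = """\
10:00:01.001 4120 CreateProcessW image=C:\\Apps\\browser.exe flags=0x4 newpid=5004
10:00:01.002 4120 GetThreadContext pid=5004 tid=5005
10:00:01.003 4120 VirtualAllocEx pid=5004 size=0x400 protect=PAGE_EXECUTE_READWRITE
10:00:01.004 4120 WriteProcessMemory pid=5004 size=0x2a0
10:00:01.005 4120 SetThreadContext pid=5004 tid=5005
10:00:01.006 4120 ResumeThread pid=5004 tid=5005
10:00:02.000 4120 CreateProcessW image=C:\\Windows\\notepad.exe flags=0x0 newpid=5010
10:00:02.100 7000 VirtualAllocEx pid=5010 size=0x1000 protect=PAGE_READWRITE
10:00:03.000 3001 CreateProcessW image=C:\\Windows\\system32\\calc.exe flags=0x4 newpid=5020
10:00:03.500 3001 ResumeThread pid=5020 tid=5021
"""

LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<pid>\d+)\s+(?P<api>\w+)(?P<args>.*)$")
REQUIRED = {"alloc_exec", "write", "set_context"}


def parse_line(line):
    """Split one trace line into (pid, api, {key: value}); None if malformed."""
    m = LINE.match(line)
    if not m:
        return None
    args = dict(tok.split("=", 1) for tok in m["args"].split() if "=" in tok)
    return int(m["pid"]), m["api"], args


def find_suspended_injections(lines):
    """Return (creator_pid, child_pid) pairs where the creator started the child
    suspended, allocated executable memory in it, wrote to it, set the thread
    context and then resumed the thread."""
    pending = {}   # (creator, child) -> stages seen so far
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        pid, api, args = parsed
        if api in ("CreateProcessW", "CreateProcessA"):
            if int(args.get("flags", "0"), 16) & CREATE_SUSPENDED:
                pending[(pid, int(args["newpid"]))] = set()
            continue
        key = (pid, int(args.get("pid", "-1")))
        if key not in pending:
            continue                       # not the creator, or not a suspended child
        stages = pending[key]
        if api == "VirtualAllocEx" and "EXECUTE" in args.get("protect", ""):
            stages.add("alloc_exec")
        elif api == "WriteProcessMemory":
            stages.add("write")
        elif api == "SetThreadContext":
            stages.add("set_context")
        elif api == "ResumeThread":
            if REQUIRED <= stages:
                hits.append(key)
            del pending[key]               # the child is running now; stop tracking
    return hits


if __name__ == "__main__":
    for creator, child in find_suspended_injections(SAMPLE_TRACE.splitlines()):
        print(f"pid {creator} started pid {child} suspended and injected code before resuming it")
```

The pseudocode above updates context.eip without showing the SetThreadContext call that commits it, so the trace includes that call explicitly; a detector keyed only on CreateProcess with CREATE_SUSPENDED would fire on debuggers and installers, which is why all three intermediate stages are required before ResumeThread is treated as completing the pattern.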
