基本信息:
- 专利标题: HARDWARE-BASED VIRTUALIZED SECURITY ISOLATION
- 专利标题(中):基于硬件的虚拟化安全隔离
- 申请号:PCT/US2017/034354 申请日:2017-05-25
- 公开(公告)号:WO2017210065A1 公开(公告)日:2017-12-07
- 发明人: PAI, Navin Narayan , JEFFRIES, Charles G. , VISWANATHAN, Giridhar , SCHULTZ, Benjamin M. , SMITH, Frederick J. , REUTHER, Lars , EBERSOL, Michael B. , DIAZ CUELLAR, Gerardo , PASHOV, Ivan Dimitrov , GADDEHOSUR, Poornananda R. , PULAPAKA, Hari R. , RAO, Vikram Mangalore
- 申请人: MICROSOFT TECHNOLOGY LICENSING, LLC
- 申请人地址: One Microsoft Way Redmond, Washington 98052-6399 US
- 专利权人: MICROSOFT TECHNOLOGY LICENSING, LLC
- 当前专利权人: MICROSOFT TECHNOLOGY LICENSING, LLC
- 当前专利权人地址: One Microsoft Way Redmond, Washington 98052-6399 US
- 代理机构: MINHAS, Sandip et al.
- 优先权: US15/171,917 20160602
- 主分类号: G06F21/53
- IPC分类号: G06F21/53
摘要:
A host operating system running on a computing device monitors network communications for the computing device to identify network resources that are requested by the computing device. The host operating system compares requested network resources against security policies to determine if the requested network resources are trusted. When an untrusted network resource is identified, the host operating system accesses the untrusted network resource within a container that is isolated from the host operating system kernel using techniques discussed herein. By restricting access to untrusted network resources to isolated containers, the host operating system is protected from even kernel-level attacks or infections that may result from an untrusted network resource.
摘要(中):
运行在计算设备上的主机操作系统监视计算设备的网络通信,以识别计算设备请求的网络资源。 主机操作系统将请求的网络资源与安全策略进行比较,以确定请求的网络资源是否可信。 当识别不可信网络资源时,主机操作系统使用本文讨论的技术访问与主机操作系统内核隔离的容器内的不可信网络资源。 通过将访问不受信任的网络资源限制在隔离的容器中,主机操作系统即使受到内核级别的攻击或可能由不可信网络资源导致的感染,也能受到保护。
IPC结构图谱:
| G | 物理 |
| --G06 | 计算;推算;计数 |
| ----G06F | 电数字数据处理 |
| ------G06F21/00 | 防止未授权行为的保护计算机或计算机系统的安全装置 |
| --------G06F21/10 | .保护分布式程序或内容,例如版权资料的出售或许可 |
| ----------G06F21/52 | ..在程序执行过程中,例如堆栈完整性、缓冲区溢出或防止不必要的数据擦除 |
| ------------G06F21/53 | ...通过在一个限定环境下执行,例如沙箱或者安全虚拟机 |