On-demand unprotected mode access

    Publication No.: US10311122B1

    Publication date: 2019-06-04

    Application No.: US14466547

    Filing date: 2014-08-22

    Applicant: Bromium, Inc.

    Abstract: Migrating support for a web browsing session between a virtual machine and a host operating system. A web session is supported by a first virtual machine which executes on a computer system. Upon receiving a request for the web session to enter an unprotected mode, support for the web session is migrated from the first virtual machine to a host operating system of the computer system. In unprotected mode, web sessions are supported by the host operating system rather than by a virtual machine. After migrating support for the web session to the host operating system, a visual cue indicating that the unprotected mode is active is displayed. After receiving a request to exit the unprotected mode, support for the web session is migrated from the host operating system to a second virtual machine executing on the computer system and the visual cue is removed.

    Hypervisor to support nested virtualization

    Publication No.: US10275269B1

    Publication date: 2019-04-30

    Application No.: US15167853

    Filing date: 2016-05-27

    Applicant: Bromium, Inc.

    IPC classification: G06F9/455

    Abstract: Approaches for performing nested virtualization using a hypervisor which does not support nested virtualization. A first hypervisor is loaded upon booting a computing device. The first hypervisor instantiates a first virtual machine, exposes an emulated hardware virtualization support interface to the first virtual machine, and executes a second hypervisor, which does not support nested virtualization, within the first virtual machine. The first hypervisor provides nested virtualization support to the second hypervisor to allow the second hypervisor to execute a third hypervisor within a second virtual machine by the first hypervisor abstracting hardware virtualization support to the third hypervisor.

    Seamless management of untrusted data using virtual machines
    Granted invention patent (in force)

    Publication No.: US09148428B1

    Publication date: 2015-09-29

    Application No.: US13419345

    Filing date: 2012-03-13

    IPC classification: H04L29/06 G06F21/00 G06F21/62

    Abstract: Approaches for managing potentially malicious files using one or more virtual machines. In response to receiving a request to perform an action on a file, a client applies a policy to determine whether the action is deemed trustworthy. The client identifies, without human intervention, a virtual machine, executing or to be executed on the client, in which the action is to be performed based on whether the action is deemed trustworthy. In this way, embodiments allow a user to make use of data deemed untrusted in certain cases without allowing the untrusted data to have unfettered access to the resources of the client. If the requested action is performed in a different virtual machine from which the action was requested, embodiments enable the performance of the action to be performed seamlessly to the user.

    Hypervisor Managing Memory Addressed Above Four Gigabytes
    Invention application (under examination, published)

    Publication No.: US20150178198A1

    Publication date: 2015-06-25

    Application No.: US14140438

    Filing date: 2013-12-24

    Applicant: Bromium, Inc.

    IPC classification: G06F12/08 G06F12/02

    Abstract: Approaches for performing memory management by a hypervisor. A host operating system and a hypervisor are executed on a device. The host operating system is not configured to access physical memory addressed above four gigabytes. The hypervisor manages memory for a device, including memory addressed above four gigabytes. When the hypervisor instantiates a virtual machine, the hypervisor may allocate memory pages for the newly instantiated virtual machine by preferentially using any unassigned memory addressed above four gigabytes before using memory allocated from the host (and hence addressed below four gigabytes).

    Ensuring the privacy and integrity of a hypervisor
    Granted invention patent (in force)

    Publication No.: US09021476B1

    Publication date: 2015-04-28

    Application No.: US13526755

    Filing date: 2012-06-19

    Applicant: Ian Pratt

    Inventor: Ian Pratt

    IPC classification: G06F9/455 G06F9/50

    Abstract: Approaches for ensuring the privacy and integrity of a hypervisor. A host operating system manages a set of resources. The host operating system is prevented from accessing a portion of the resources belonging to or allocated by the hypervisor. The host operating system may be prevented from accessing resources belonging to or allocated by the hypervisor by transferring execution of the host operating system into a virtual machine container that does not have sufficient privilege to access any portion of the memory pages in which the hypervisor is executing.

    Automated provisioning of secure virtual execution environment using virtual machine templates based on requested activity
    Granted invention patent (in force)

    Publication No.: US08972980B2

    Publication date: 2015-03-03

    Application No.: US13115354

    Filing date: 2011-05-25

    Abstract: Approaches for executing untrusted software on a client without compromising the client using micro-virtualization to execute untrusted software in isolated contexts. A template for instantiating a virtual machine on a client is identified in response to receiving a request to execute an application. After the template is identified, without human intervention, a virtual machine is instantiated, using the template, in which the application is to be executed. The template may be selected from a plurality of templates based on the nature of the request, as each template describes characteristics of a virtual machine suitable for a different type of activity. Selected resources such as files are displayed to the virtual machines according to user and organization policies and controls. When the client determines that the application has ceased to execute, the client ceases execution of the virtual machine without human intervention.

    Using threat model to monitor host execution in a virtualized environment

    Publication No.: US10430591B1

    Publication date: 2019-10-01

    Application No.: US15714100

    Filing date: 2017-09-25

    Applicant: Bromium, Inc.

    Abstract: Approaches for monitoring a host operating system. A threat model is stored and maintained in an isolated execution environment. The threat model identifies for any process executing on a host operating system how trustworthy the process should be deemed based on a pattern of observed behavior. The execution of the process and those processes in a monitoring circle relationship thereto are monitored. The monitoring circle relationship includes a parent process, any process in communication with a member of monitoring circle relationship, and any process instantiated by a present member of monitoring circle relationship. Observed process behavior is correlated with the threat model. Upon determining that a particular process has behaved in a manner inconsistent with a pattern of allowable behavior identified by the threat model for that process, a responsive action is taken.

    Transferring control of potentially malicious bit sets to secure micro-virtual machine

    Publication No.: US10095530B1

    Publication date: 2018-10-09

    Application No.: US14798228

    Filing date: 2015-07-13

    Applicant: Bromium, Inc.

    Abstract: Approaches for transferring control to a bit set. At a point of ingress, prior to transferring control to the bit set, a determination is made as to whether the bit set is recognized as being included within a set of universally known malicious bit sets. If the bit set is not so recognized, then another determination is made as to whether the bit set is recognized as being included within a set of locally known virtuous bit sets. If the bit set is recognized as being included within a set of locally known virtuous bit sets, then control is not transferred to the bit set. Upon determining that the bit set is not included within the set of locally known virtuous bit sets, then the bit set is copied into a micro-virtual machine and control is transferred to the bit set within the micro-virtual machine.