The present invention is generally directed to implementing a security solution using a layering system. A layering system is a tool that enables an operating system, user applications, and user data to be layered on the user's computing device. When using a layering system, layered applications and data are executed natively on the user's computing device without the use of a virtual machine or other sandboxed execution environment. This native execution will therefore cause the layered applications to appear, both to the user and to other applications, as if they were being executed in a “normal” manner. This is in contrast to many types of virtualization techniques such as terminal services and application virtualization where it is typically clear that the applications are executed in a separate environment.
U.S. patent application Ser. Nos. 14/719,248 and 14/719,256 are both directed to a layering system and provide a background for the present invention. The content of these applications is therefore incorporated by reference. It is noted that both of these applications are commonly owned and would not constitute prior art to the present invention. Therefore, this background should not be construed as admitting prior art, but should be construed as describing various features on which the present invention is based and that may even form part of the present invention.
As is described in the '248 and '256 applications, a layer is a collection of data or resources which enables the collection to be isolated or set apart from the data or resources in another layer. To summarize this layering, FIG. 1 provides simplified examples of a user data layer 101 and an application layer 102. It is noted that a layer containing an operating system may also exist. Each layer can be stored in a manner that allows the layer to be separately mounted for access. For example, each layer may comprise a separate partition of a disk (including of a virtual disk). The ability to separately mount a layer allows the layering system to selectively provide access to particular layers. It will be assumed that the layering system determines that user data layer 101 and application layer 102 should be mounted in response to the user logging in to a computing device on which the layering system executes or which the layering system otherwise controls.
As shown in FIG. 1 and for simplicity, application layer 102 includes a single application, WINWORD.EXE, which is the executable for Microsoft Word. Word also requires a number of registry settings to execute properly, and therefore, application layer 102 also includes such registry settings. It is noted that these registry settings, which would normally be stored within the registry of the operating system, could be stored within application layer 102 in a registry hive. Of course, a typical installation of Word would require a number of other files and/or settings which are not depicted. Application layer 102 also includes layer metadata which describes the content of application layer 102 (e.g., which describes that the layer includes WINWORD.EXE and whatever structure is used to store the Word registry settings). This layer metadata is critical because it allows the layering system to quickly determine what exists on the layer.
User data layer 101 is structured in a similar way. However, as a user data layer, it stores the user's files which in this case constitute two Word documents: Report.docx and Summary.docx. As with application layer 102, user data layer 101 may also store a number of other files including configuration files that may be particular to this user (e.g., a template file for Word). User data layer 101 also includes layer metadata which defines the content of the layer. Again, this layer metadata is critical because it allows the layering system to quickly determine what exists on the layer.
As mentioned above, a layer can be a separately mountable portion of a storage device (whether physical or virtual) such as a partition. Accordingly, when the user logs on to a computing device, the layering system can mount layers 101 and 102 so that the user will have access to MS Word and his documents which are included in these layers. However, if a different user were to log in to the same computing device, the layering system could instead mount an application layer and user data layer pertaining to the different user so that the different user can only access the applications and user data defined in those layers.
The process by which the user accesses the data and resources included on each layer is provided in the '248 and '256 applications and will not be described in detail in this specification. By way of an overview, the layering system includes a file system filter driver and a registry filter driver which can function to intercept and redirect file system and registry operations as appropriate. In particular, these filters can be registered with the OS so that they will receive all file system and registry operations respectively. If a file system or registry operation pertains to content of a layer rather than to content of the file system or registry directly provided by the OS, the filters can redirect the operation to the corresponding layer. The '248 and '256 applications provide a number of examples of this type of redirection.
The result of this redirection is that, from the user perspective, the files of the layers do not appear to be stored in a different manner than any other file would typically be stored by the OS. For example, if the user data layer 101 were assigned a partition of E:, the layering system could cause the files to appear as if they were stored in the typical C: partition. In other words, the fact that multiple partitions may be loaded is abstracted (and even hidden) from the user perspective. It is again reiterated that the use of layer metadata to define what is stored on each layer allows this process to be carried out efficiently as is described in the '248 and '256 applications.
FIGS. 2A and 2B each illustrate an example of how the layering system can function. Each of these examples involves the layering file system filter driver (or LFFD) 201 and its role in determining whether to redirect a file open request. It is noted that a similar process would be carried out by the layering registry filter driver (or LRFD) if the operation pertained to the registry.
As shown in FIGS. 2A and 2B, it will be assumed that the operating system provides a file system 200 for handling I/O to the various mounted partitions. It will also be assumed that the operating system has mounted a C: partition and that the layering system has mounted an E: partition that corresponds to user data layer 101. In the following description, the E: partition and user data layer 101 (or simply layer) will be used interchangeably. However, it is noted that a partition is not the only structure that can be employed for a layer. It is also important to note that because the E: partition was mounted by the layering system, it will not appear in the same manner as the C: partition. In particular, the user will not be able to see the separate E: partition. Instead, the layering system may cause the contents of the E: partition to appear as if they were stored on the C: partition.
Accordingly, if the user selects to open the Report.docx file that is stored on the E: partition, a file open request 210 of C:\Docs\Report.docx may be generated. As is described in the '248 and '256 applications, LFFD 201 is registered as a filter driver for file system 200 and therefore will receive the opportunity to evaluate file open request 210. LFFD 201 can evaluate the target of file open request 210 against the layer metadata of the E: partition (and possibly against layer metadata of any other mounted layer) to determine if the request pertains to the layer. In this case, it will be assumed that the layer metadata indicates that the E: partition includes the path \Docs and that the Report.docx file is stored in the path. As a result, LFFD 201 can modify file open request 210 to create modified file open request 210a of E:\Docs\Report.docx. Modified file open request 210a is then passed to file system 200 which will open Report.docx from the appropriate location on the E: partition. LFFD 201 can perform this type of rerouting for any I/O that pertains to content stored on the E: partition. The determination of whether I/O pertains to content on a particular layer is based on the layer metadata for that particular layer.
FIG. 2B illustrates the case where LFFD 201 determines that a file open request 220 does not pertain to a layer (or at least does not pertain to a layer separate from the layer that includes the operating system). In this example, file open request 220 is directed to File.txt which is stored in a Downloads folder that is assumed to exist on the C: partition. Upon receiving file open request 220, LFFD 201 will evaluate the request against the layer metadata for the E: partition and determine that the E: partition does not include a path of \Downloads. Accordingly, LFFD 201 can allow file open request 220 to pass to file system 200 without modification since the request already includes the correct path to File.txt.
To summarize, LFFD 201 selectively modifies I/O requests so that they are directed to the appropriate layer. In the case of registry access, the LRFD would perform similar functionality to ensure that the registry access is directed to the appropriate layer. It is again reiterated that this rerouting is necessary because the layering system causes the layers to be hidden from the user's perspective while still being visible to the operating system.
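The redirection decision of FIGS. 2A and 2B, modelled as an added Python example; this is not code from the '248/'256 applications or from the present specification, and the dictionary layout used for the layer metadata of user data layer 101 is a constructed assumption. The request path is normalised before the metadata lookup so that case differences or a relative component such as `..` cannot cause a path that the file system would resolve outside the layer to be matched against the layer's directory list.

```python
import ntpath

# Constructed layer metadata for user data layer 101, mounted by the
# layering system as E:.  Directory path on the layer -> file names stored
# there (lower-cased, since NTFS path lookups are case-insensitive).
USER_DATA_LAYER = {
    "drive": "E:",
    "contents": {
        "\\docs": {"report.docx", "summary.docx"},
    },
}


def redirect_open_request(request, layers, visible_drive="C:"):
    """Model of the LFFD 201 decision for a file open request.

    Returns the path that should be passed on to file system 200: the
    request rewritten onto the owning layer's drive (FIG. 2A) or the
    original request unmodified (FIG. 2B)."""
    drive, path = ntpath.splitdrive(request)
    if drive.lower() != visible_drive.lower():
        return request  # not a path the layering system presents as C:

    # Collapse '.' and '..' first: the lookup must be done on the path the
    # file system would actually resolve, not on the raw request string.
    path = ntpath.normpath(path)
    directory, filename = ntpath.split(path)
    key_dir, key_file = directory.lower(), filename.lower()

    for layer in layers:
        files = layer["contents"].get(key_dir)
        if files is not None and key_file in files:
            # FIG. 2A: the layer metadata says the file lives on this layer,
            # so the request is rerouted to the layer's own drive.
            return layer["drive"] + path

    # FIG. 2B: no mounted layer claims the path; pass it through unmodified.
    return request


if __name__ == "__main__":
    for req in ("C:\\Docs\\Report.docx", "C:\\Downloads\\File.txt"):
        print(req, "->", redirect_open_request(req, [USER_DATA_LAYER]))
```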