This invention relates to creating one or more highly secure application security environments in computing systems. An Application Security Environment is an environment in which a user or a group of users can run one or more tasks or one or more processes or one or more applications and in which the privileges of the tasks or processes or applications run by a user or a user group can be more constrained than the privileges of the user or the user group. An application could consist of one or more tasks or processes. A process could consist of one or more threads.
Current technologies provide protection using operating system software alone, so a malicious program or user who gains access as a privileged user, on whom few access restrictions are placed, can run programs on behalf of other users, read confidential user data, or corrupt user data. Hardware support is required to provide complete protection of user data from malicious programs.
There are different methods for access control; for example, non-privileged users in UNIX or Windows operating systems cannot execute privileged instructions or access all parts of volatile or non-volatile memory (storage). But a malicious program or user can sometimes exploit security weaknesses in an operating system to get access as a privileged user. This allows malicious users to impersonate privileged users and gain access to critical data belonging to other users or corrupt users' data. The security systems in UNIX and Windows operating systems do not allow the privileges assigned to a privileged user to be limited.
A high level of application protection is provided by Application Security Environments such as Solaris containers and HPUX Security Containers. Each container ideally has only a subset of the privileges and compromising the security of most of the containers poses only a limited risk. However, when either the operating system security is compromised or when the security of a container that is used to create other containers is compromised, it will result in significant risk to both the computer users' identity and data.
There is a serious risk to users' data and users' identity when their laptops are stolen or when someone gains access to a user's computer in the user's absence.
There is a serious risk to users' data and users' identity when a privileged user is malicious. The privileged user may create containers that compromise both users' identity and users' data.
There are many methods for protecting computer users and user data which do not require manual action for enabling and disabling protection; such protections can be compromised by malicious privileged users or by malicious programs that emulate the required software behavior.
U.S. Pat. No. 6,330,648 illustrates a method of adding protection against malicious programs by using manually controlled hardware with two states. By default the protection is enabled, and there is a mechanism to manually switch the protection off. That invention cannot provide protection for the portions of storage belonging to each Application Security Environment, as is possible using our invention. In addition, a manual action can enable only one piece of hardware. So for a system administrator who wants to install a software update on a large number of machines in a data center, the solution provided by that invention is very cumbersome and requires the system administrator to manually disable protection on each computer the administrator needs to update. Another drawback of that invention is that the solution cannot be used with mass memories which have already been manufactured.
US Patent Application 20060117156 illustrates a method of adding protection for non-volatile memories against malicious programs by using manually controlled hardware with two or more states, of which only two states are used for protection: one state has protection enabled and the other state has protection disabled. That invention cannot provide protection for the portions of storage belonging to each Application Security Environment, as is possible using our invention. In addition, a manual action can enable only one piece of hardware. So for a system administrator who wants to install a software update on a large number of machines in a data center, the solution provided by that invention is very cumbersome and requires the system administrator to manually disable protection on each computer the administrator needs to update.
U.S. patent application Ser. Nos. 11/514,807, 11/515,619 and 11/519,178 illustrate different manually controlled hardware solutions that protect data on mass memories for each user. These patent applications propose dividing mass memories into different areas and protecting these areas against malicious access. But these solutions cannot provide fine-grained protection for each Application Security Environment. The privileges are enabled at the user level, so if any program run by a user is malicious while the protection state corresponding to that user is set to low protection, it can pose a serious risk to the user's data and the user's identity.
FIG. 1 shows an example of a computer 01001 with multiple users and multiple Application Security Environments, each containing multiple processes. There are three Application Security Environments in the computer. Application Security Environment P 01002 contains two processes, A 01005 and D 01006. Application Security Environment Q 01003 contains two processes, C 01007 and E 01008. Application Security Environment R 01004 contains two processes, B 01009 and F 01010. Application Security Environments P 01002 and Q 01003 are owned by User Y 01011. Application Security Environment R 01004 is owned by User Group X 01012.
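The following is an added illustration, not code from the patent, modelling the FIG. 1 layout together with the constraint stated at the start of this section: a process in an Application Security Environment is limited to the environment's privileges, and the environment's privileges may not exceed those of its owning user or user group. Privilege names and the assignment of privileges to users, environments and processes are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Principal:
    """A user (Y) or a user group (X) and the privileges it holds."""
    name: str
    privileges: frozenset

@dataclass
class Process:
    name: str
    requested: frozenset  # privileges the process asks for

@dataclass
class ASE:
    """An Application Security Environment owned by one principal."""
    name: str
    owner: Principal
    privileges: frozenset  # must be a subset of owner.privileges
    processes: list = field(default_factory=list)

def effective_privileges(ase: ASE, proc: Process) -> frozenset:
    """A process never gets more than its ASE allows, and the ASE never
    more than its owner holds: requested ∩ ASE ∩ owner."""
    return proc.requested & ase.privileges & ase.owner.privileges

def validate(ases) -> list:
    """Names of ASEs that claim a privilege their owner does not hold."""
    return [a.name for a in ases if not a.privileges <= a.owner.privileges]

# Constructed sample matching FIG. 1; privilege names are hypothetical.
user_y = Principal("Y", frozenset({"read_home", "write_home", "network"}))
group_x = Principal("X", frozenset({"read_shared", "network"}))
ase_p = ASE("P", user_y, frozenset({"read_home", "write_home"}))
ase_q = ASE("Q", user_y, frozenset({"read_home", "network"}))
ase_r = ASE("R", group_x, frozenset({"read_shared"}))
ase_p.processes += [Process("A", frozenset({"read_home", "network"})),
                    Process("D", frozenset({"write_home"}))]
ase_q.processes += [Process("C", frozenset({"network"})),
                    Process("E", frozenset({"read_home", "write_home"}))]
ase_r.processes += [Process("B", frozenset({"read_shared", "network"})),
                    Process("F", frozenset({"read_shared"}))]

if __name__ == "__main__":
    for ase in (ase_p, ase_q, ase_r):
        for proc in ase.processes:
            print(ase.name, proc.name, sorted(effective_privileges(ase, proc)))
    print("misconfigured:", validate([ase_p, ase_q, ase_r]))
```

Process A asks for "network", which User Y holds, yet receives only "read_home" because environment P does not grant it; this is the per-environment narrowing the section describes.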