Patent Grant
7159210
The subject matter of the present application may also be related to the following U.S. Patent Applications: “Operation of Trusted State in Computing,” Ser. No. 09/728,827, filed Nov. 28, 2000; “Performance of a Service on a Computing Platform,” Ser. No. 09/920,554, filed Aug. 1, 2001; “Secure E-mail Handling Using a Compartmented Operating System,” Ser. No. 10/075,444, filed Feb. 15, 2002; “Electronic Communication,” Ser. No. 10/080,466, filed Feb. 22, 2002; “Demonstrating Integrity of a Compartment of a Compartmented Operating System,” Ser. No. 10/165,840, filed Jun. 7, 2002; “Multiple Trusted Computing Environments with Verifiable Environment Entities,” Ser. No. 10/175,183, filed Jun. 18, 2002; “Renting a Computing Environment on a Trusted Computing Platform,” Ser. No. 10/175,185, filed Jun. 18, 2002; “Interaction with Electronic Services and Markets,” Ser. No. 10/175,395, filed Jun. 18, 2002; “Multiple Trusted Computing Environments,” Ser. No. 10/175,542, filed Jun. 18, 2002; “Privacy of Data on a Computer Platform,” Ser. No. 10/206,812, filed Jul. 26, 2002; “Trusted Operating System,” Ser. No. 10/240,137, filed Sept. 26, 2002; “Trusted Gateway System,” Ser. No. 10/240,139, filed Sep. 26, 2002; and “Apparatus and Method for Creating a Trusted Environment,” Ser. No. 10/303,690, filed Nov. 21, 2002.
The present invention relates to a method for running a process, and to a computing platform for performing the method.
A computing platform operates under the control of a host operating system. A process runs on the host operating system to perform computing operations. However, the host operating system is vulnerable to subversion by the process, both through a deliberate attack or inadvertently due to errors in the process. The process performs operations, some of which can be trusted to run securely on the host operating system, and some of which are insecure and cannot be trusted.
In practical situations, many processes run on the computing platform simultaneously, such that subversion of the host operating system by one process can potentially affect many others. It is therefore desired to increase security for the computing platform and provide a measure of isolation between the process and the host operating system.
It is known to provide a virtual machine to run on the host operating system. The virtual machine usually includes a guest operating system. The guest operating system commonly is a replica of a second type of operating system such that the computing platform using the host operating system can run processes which are native to the second operating system. The process runs on the guest operating system, and is isolated from the host operating system by the virtual machine. Whilst reasonably secure due to this level of isolation, a virtual machine has a high degree of overhead. In a practical computing environment, it is very inefficient to run a large number of processes on a guest operating system.
An aim of the present invention is to provide a method for running a process performing both secure and insecure operations. One preferred aim is to run a process safely, ideally with a low risk of subversion of a host operating system. Also, a preferred aim is to provide a method that allows a guest operating system to be used efficiently and effectively. Another aim of the present invention is to provide a computing platform for performing the method.
According to a first aspect of the present invention there is provided a method for running a process, comprising the steps of: (a) providing a host operating system; (b) running a process directly on the host operating system; (c) selectively providing a guest operating system when the process attempts a predetermined operation; and (d) running the process on the guest operating system.
Preferably, in the step (b) the process runs within a compartment of the host operating system.
Preferably, in the step (c) operations attempted by the process are divided into a first set which are allowed to run directly on the host operating system and a second set which are not allowed to run directly on the host operating system. Preferably, the step (c) comprises identifying an attempt to perform an operation falling into the second set. Preferably, in the step (c) the guest operating system is provided within a compartment of the host operating system. Preferably, the guest operating system is provided by a virtual machine session.
Optionally, the method comprises the step of closing the guest operating system in response to a condition caused by running the process on the guest operating system. Preferably, the guest operating system is provided within a compartment of the host operating system, and the step (e) comprises closing the compartment.
According to a second aspect of the present invention there is provided a method for running a process, comprising the steps of: (a) providing a host operating system; (b) providing a process which attempts an operation; (c) monitoring attempted operations of the process by comparing against a first set and a second set; (d) where the attempted operation falls into the first set, allowing the attempted operation to execute directly on the host operating system; and (e) where the attempted operation falls into the second set, providing a guest operating system, and allowing the attempted operation to execute on the guest operating system.
According to a third aspect of the present invention there is provided a computing platform for running a process, comprising: a host operating system for running a process; and a guest operating system selectively provided for running the process when the process attempts a predetermined operation.
Preferably, the host operating system provides a compartment for containing the process.
Preferably, operations attempted by the process fall either into a first set allowed to run directly on the host operating system or a second set not allowed to run directly on the host operating system. Preferably, the host operating system identifies an attempt to perform an operation falling into the second set, and in response provides the guest operating system. Preferably, the host operating system provides a compartment for containing the guest operating system. Preferably, the guest operating system is provided by a virtual machine session running on the host operating system.
For a better understanding of the invention, and to show how embodiments of the same may be carried into effect, reference will now be made, by way of example, to the accompanying diagrammatic drawings in which:
In the preferred embodiment the hardware 21 includes a trusted device 213. The trusted device 213 functions to bind the identity of the computing platform 20 to reliably measured data that provides an integrity metric of the platform and especially of the host operating system 22. WO 00/48063 (Hewlett-Packard) discloses an example trusted computing platform suitable for use in preferred embodiments of the present invention.
Referring to
In the preferred embodiment, the process 23 runs within a compartment 24 provided by the host operating system 22. The compartment 24 serves to confine the process 23, by placing strict controls on the resources of the computing platform available to the process, and the type of access that the process 23 has to those resources. Controls implemented by a compartment are very difficult to override or subvert from user space by a user or application responsible for running the process 23.
Compartmented operating systems have been available for several years in a form designed for handling and processing classified (military) information, using a containment mechanism enforced by a kernel of the operating system with mandatory access controls. The operating system attaches labels to the resources and enforces a policy which governs the allowed interaction between these resources based on their label values. Most compartmented operating systems apply a policy based on the Bell-LaPadula model discussed in the paper “Applying Military Grade Security to the Internet” by C I Dalton and J F Griffin published in Computer Networks and ISDN Systems 29 (1997) 1799–1808.
The preferred embodiment of the present invention adopts a simple and convenient form of operating system compartment. Each resource of the computing platform which it is desired to protect is given a label indicating the compartment to which that resource belongs. Mandatory access controls are performed by the kernel of the host operating system to ensure that resources from one compartment cannot interfere with resources from another compartment. Access controls can follow relatively simple rules, such as requiring an exact match of the label. Examples of resources include data structures describing individual processes, shared memory segments, semaphores, message queues, sockets, network packets, network interfaces and routing table entries.
Communication between compartments is provided using narrow kernel level controlled interfaces to a transport mechanism such as TCP/UDP. Access to these communication interfaces is governed by rules specified on a compartment by compartment basis. At appropriate points in the kernel, access control checks are performed such as through the use of hooks to a dynamically loadable security module that consults a table of rules indicating which compartments are allowed to access the resources of another compartment. In the absence of a rule explicitly allowing a cross compartment access to take place, an access attempt is denied by the kernel. The rules enforce mandatory segmentation across individual compartments, except for those compartments that have been explicitly allowed to access another compartment's resources. A communication interface from a compartment to a network resource is provided in a similar manner. In the absence of an explicit rule, access from a compartment to a network resource is denied.
Suitably, each compartment is allocated an individual section of a file system of the computing platform. For example, the section is a chroot of the main file system. Processes running within a particular compartment only have access to that section of the file system. Through kernel controls, the process is restricted to the predetermined section of file system and cannot escape. In particular, access to the root of the file system is denied.
Advantageously, a compartment provides a high level of containment, whilst reducing implementation costs and changes required in order to implement an existing application within the compartment.
The process 23 performs a wide variety of different operations most of which pose no threat to the security of the computing platform 20 and can be safely performed directly on the host operating system 22, preferably using the constraints of a compartment 24. However, some predetermined operations can potentially affect the security of the host operating system 22, such as loading a kernel module or using system privileges. If the process 23 is allowed to perform one of these predetermined operations, compromise of the security of the platform 20 can result.
Referring to
Preferably, the guest operating system is provided only when the process 23 attempts to perform one of the predetermined operations that can affect the security of the host operating system 22. That is, whilst the process 23 performs operations falling within a first set the process is allowed to operate directly on the host operating system as shown in
Advantageously, the guest operating system 25 is provided only when required to protect the security of the host operating system 22, thereby minimising overhead associated with the guest operating system 22 such that the process 23 runs more efficiently. Should problems occur the host operating system 22 can safely shut down the offending guest operating system 25. In the preferred embodiment the host operating system shuts down the compartment 24 containing the guest operating system 25.
The guest operating system 25 is suitably provided as a virtual machine session. A virtual machine session is an application which provides an image of the computing platform 20, or appropriate parts thereof. The virtual machine session provides a virtual guest operating system, such that, as far as the process 23 is concerned, the process 23 runs on the guest operating system 25 equivalent to running on the host operating system 22. For the purposes of the present invention, the guest operating system is preferably a replica of the host operating system, or at least necessary parts thereof.
An example virtual machine application is sold under the trade mark VMware by VMware, Inc. of Palo Alto, Calif., USA.
A preferred method for running a process will now be described with reference to
In step 301 a host operating system is provided. Suitably, this is the host operating system 22.
In step 302 a process 23 runs on the host operating system 22 and attempts to perform a first operation. Preferably, the host operating system 22 provides a compartment 24, and the process 23 is contained by the compartment 24.
At step 303 operations attempted by the process are monitored. Preferably, the operation attempted by the process is compared with a list of operations falling into a first set and a second set.
If the attempted operation falls within the first set then the process is determined as one which will not affect security of the host operating system. At step 304 execution of the operation is allowed directly on the host operating system 22. This can be termed a trusted or secure operation. The method returns to step 302 and the next operation is attempted by the process. Processes which consist entirely of operations which fall within the first set are allowed to run entirely direct on the host operating system 22 giving a significant speed advantage.
If the attempted operation falls into the predetermined second set representing operations which can potentially affect security of the host operating system 22, the method proceeds to step 305.
In step 305 a guest operating system 25 is provided. Preferably, the guest operating system 25 is provided within a compartment 24 for confining the guest operating system. Preferably the guest operating system is provided through a virtual machine session. The compartment 24 confines the virtual machine session, and therefore also confines the process 23.
In step 306 the process runs on the guest operating system 25. The attempted operation is executed by the guest operating system 25. The attempted operation, which was previously disallowed because it fell into the predetermined second set, is now allowed because the process is running on the guest operating system 25. The process 23 can only affect the guest operating system, and cannot affect the host operating system 22. The process will now remain running on the guest operating system 25.
Although the guest operating system 25 involves significant additional overhead, the guest operating system is invoked only when the process 23 attempts to perform predetermined operations, which in practice is relatively rarely. Migration of the process 23 from the host operating system to the guest operating system can be performed in any suitable manner and will be familiar to the skilled person.
Optionally, in step 307 the guest operating system 25 is closed by the host operating system 22. Suitably, the guest operating system 25 is closed in response to a condition arising as a result of executing the attempted operation on the quest operating system. That is, where the process attempts an untrusted or insecure operation and a dangerous condition arises, then the guest operating system 25 is closed down. Preferably, the host operating system 22 simply closes the relevant compartment 24 containing the guest operating system 25.
A method and computer platform have been described for running a process selectively either directly on the host operating system or on the guest operating system, depending on operations performed by the process. A good efficiency is achieved whilst maintaining a high level of security.
| Number | Date | Country | Kind |
|---|---|---|---|
| 0114882.4 | Jun 2001 | GB | national |
| Number | Name | Date | Kind |
|---|---|---|---|
| 4799156 | Shavit et al. | Jan 1989 | A |
| 4926476 | Covey | May 1990 | A |
| 5029206 | Marino et al. | Jul 1991 | A |
| 5032979 | Hecht et al. | Jul 1991 | A |
| 5038281 | Peters | Aug 1991 | A |
| 5144660 | Rose | Sep 1992 | A |
| 5359659 | Rosenthal | Oct 1994 | A |
| 5361359 | Tajalli et al. | Nov 1994 | A |
| 5404532 | Allen et al. | Apr 1995 | A |
| 5421006 | Jablon et al. | May 1995 | A |
| 5440723 | Arnold et al. | Aug 1995 | A |
| 5444850 | Chang | Aug 1995 | A |
| 5473692 | Davis | Dec 1995 | A |
| 5504814 | Miyahara | Apr 1996 | A |
| 5530758 | Marino et al. | Jun 1996 | A |
| 5572590 | Chess | Nov 1996 | A |
| 5619571 | Sandstrom et al. | Apr 1997 | A |
| 5680547 | Chang | Oct 1997 | A |
| 5692124 | Holden et al. | Nov 1997 | A |
| 5694590 | Thuraisingham et al. | Dec 1997 | A |
| 5787175 | Carter | Jul 1998 | A |
| 5809145 | Slik et al. | Sep 1998 | A |
| 5815665 | Teper et al. | Sep 1998 | A |
| 5841869 | Merkling et al. | Nov 1998 | A |
| 5844986 | Davis | Dec 1998 | A |
| 5845068 | Winiger | Dec 1998 | A |
| 5867646 | Benson et al. | Feb 1999 | A |
| 5889989 | Robertazzi et al. | Mar 1999 | A |
| 5903732 | Reed et al. | May 1999 | A |
| 5917360 | Yasutake | Jun 1999 | A |
| 5922074 | Richard et al. | Jul 1999 | A |
| 5933498 | Schneck et al. | Aug 1999 | A |
| 5960177 | Tanno | Sep 1999 | A |
| 5987608 | Roskind | Nov 1999 | A |
| 6006332 | Rabne et al. | Dec 1999 | A |
| 6012080 | Ozden et al. | Jan 2000 | A |
| 6023765 | Kuhn | Feb 2000 | A |
| 6067559 | Allard et al. | May 2000 | A |
| 6078948 | Podgorny et al. | Jun 2000 | A |
| 6081830 | Schindler | Jun 2000 | A |
| 6081894 | Mann | Jun 2000 | A |
| 6100738 | Illegems | Aug 2000 | A |
| 6125114 | Blanc et al. | Sep 2000 | A |
| 6138239 | Veil | Oct 2000 | A |
| 6211583 | Humphreys | Apr 2001 | B1 |
| 6272631 | Thomlinson et al. | Aug 2001 | B1 |
| 6275848 | Arnold | Aug 2001 | B1 |
| 6289462 | McNabb et al. | Sep 2001 | B1 |
| 6292900 | Ngo et al. | Sep 2001 | B1 |
| 6327652 | England et al. | Dec 2001 | B1 |
| 6330670 | England et al. | Dec 2001 | B1 |
| 6334118 | Benson | Dec 2001 | B1 |
| 6367012 | Atkinson et al. | Apr 2002 | B1 |
| 6393412 | Deep | May 2002 | B1 |
| 6477702 | Yellin et al. | Nov 2002 | B1 |
| 6505300 | Chan et al. | Jan 2003 | B1 |
| 6513156 | Bak et al. | Jan 2003 | B1 |
| 6609248 | Srivastava et al. | Aug 2003 | B1 |
| 6671716 | Diedrechsen et al. | Dec 2003 | B1 |
| 6681304 | Vogt et al. | Jan 2004 | B1 |
| 6732276 | Cofler et al. | May 2004 | B1 |
| 6751680 | Langerman et al. | Jun 2004 | B1 |
| 6757824 | England | Jun 2004 | B1 |
| 6757830 | Tarbotton et al. | Jun 2004 | B1 |
| 6775779 | England et al. | Aug 2004 | B1 |
| 6892307 | Wood et al. | May 2005 | B1 |
| 6931545 | Ta et al. | Aug 2005 | B1 |
| 6948069 | Teppler | Sep 2005 | B1 |
| 6965816 | Walker | Nov 2005 | B1 |
| 20010037450 | Metlitski et al. | Nov 2001 | A1 |
| 20020012432 | England et al. | Jan 2002 | A1 |
| 20020023212 | Proudler | Feb 2002 | A1 |
| 20020042874 | Arora | Apr 2002 | A1 |
| 20020069354 | Fallon et al. | Jun 2002 | A1 |
| 20020184486 | Kerschenbaum et al. | Dec 2002 | A1 |
| 20020184520 | Bush et al. | Dec 2002 | A1 |
| 20030009685 | Choo et al. | Jan 2003 | A1 |
| 20030014466 | Berger et al. | Jan 2003 | A1 |
| 20040045019 | Bracha et al. | Mar 2004 | A1 |
| 20040073617 | Milliken et al. | Apr 2004 | A1 |
| 20040148514 | Fee et al. | Jul 2004 | A1 |
| 20050256799 | Warsaw et al. | Nov 2005 | A1 |
| Number | Date | Country |
|---|---|---|
| 2 187 855 | Jun 1997 | CA |
| 0 421 409 | Apr 1991 | EP |
| 0 510 244 | Oct 1992 | EP |
| 0 580 350 | Jan 1994 | EP |
| 0 825 511 | Feb 1998 | EP |
| 0 849 657 | Jun 1998 | EP |
| 0 849 680 | Jun 1998 | EP |
| 0 465 016 | Dec 1998 | EP |
| 0 893 751 | Jan 1999 | EP |
| 0 895 148 | Feb 1999 | EP |
| 0 926 605 | Jun 1999 | EP |
| 0 992 958 | Apr 2000 | EP |
| 1 030 237 | Aug 2000 | EP |
| 1 049 036 | Nov 2000 | EP |
| 1 055 990 | Nov 2000 | EP |
| 1 056 010 | Nov 2000 | EP |
| 1 076 279 | Feb 2001 | EP |
| 1 107 137 | Jun 2001 | EP |
| 2 317 476 | Mar 1998 | GB |
| 2 336 918 | Nov 1999 | GB |
| 0020441.2 | Aug 2000 | GB |
| 2 353 885 | Mar 2001 | GB |
| 2 361 153 | Oct 2001 | GB |
| 9325024 | Dec 1993 | WO |
| 9411967 | May 1994 | WO |
| 9524696 | Sep 1995 | WO |
| 9527249 | Oct 1995 | WO |
| 9729416 | Aug 1997 | WO |
| 9815082 | Apr 1998 | WO |
| 9826529 | Jun 1998 | WO |
| 9836517 | Aug 1998 | WO |
| 9840809 | Sep 1998 | WO |
| 9844402 | Oct 1998 | WO |
| 9845778 | Oct 1998 | WO |
| 0019324 | Apr 2000 | WO |
| 0031644 | Jun 2000 | WO |
| 0048062 | Aug 2000 | WO |
| 0048063 | Aug 2000 | WO |
| 0052900 | Sep 2000 | WO |
| 0054125 | Sep 2000 | WO |
| 0054126 | Sep 2000 | WO |
| 0058859 | Oct 2000 | WO |
| 0073880 | Dec 2000 | WO |
| 0073904 | Dec 2000 | WO |
| 0073913 | Dec 2000 | WO |
| 0109781 | Feb 2001 | WO |
| 0113198 | Feb 2001 | WO |
| 0123980 | Apr 2001 | WO |
| 0127722 | Apr 2001 | WO |
| 0165334 | Sep 2001 | WO |
| 0165366 | Sep 2001 | WO |
| Number | Date | Country | |
|---|---|---|---|
| 20020194241 A1 | Dec 2002 | US |
