1. On-demand unprotected mode access

    Publication (announcement) number: US10311122B1

    Publication (announcement) date: 2019-06-04

    Application number: US14466547

    Filing date: 2014-08-22

    Applicant: Bromium, Inc.

    Abstract: Migrating support for a web browsing session between a virtual machine and a host operating system. A web session is supported by a first virtual machine which executes on a computer system. Upon receiving a request for the web session to enter an unprotected mode, support for the web session is migrated from the first virtual machine to a host operating system of the computer system. In unprotected mode, web sessions are supported by the host operating system rather than by a virtual machine. After migrating support for the web session to the host operating system, a visual cue indicating that the unprotected mode is active is displayed. After receiving a request to exit the unprotected mode, support for the web session is migrated from the host operating system to a second virtual machine executing on the computer system and the visual cue is removed.

2. Automating display modes of files within a virtual machine
    Granted patent; status: in force

    Publication (announcement) number: US09384022B1

    Publication (announcement) date: 2016-07-05

    Application number: US13945177

    Filing date: 2013-07-18

    Applicant: Bromium, Inc.

    CPC classification number: G06F9/45533 G06F9/451

    Abstract: Approaches for rendering a file within a display mode. A guest module, executing within a virtual machine, determines that a process executing within the virtual machine is requesting to display a file. The guest module sends a request to display the file to a host module which executes within a host operating system. After the host module receives the request, the host module determines whether a user initiated the display of the file. Upon the host module determining that the file is permitted to be displayed, the host module determines a particular display mode for the file. Thereafter, the host module causes the file to be displayed in the particular display mode. Files may be automatically displayed in a configurable display mode in a secure manner.


3. Transferring files using a virtualized application
    Granted patent; status: in force

    Publication (announcement) number: US09348636B2

    Publication (announcement) date: 2016-05-24

    Application number: US14478889

    Filing date: 2014-09-05

    Applicant: Bromium, Inc.

    CPC classification number: G06F9/45558 G06F17/30233 G06F2009/45595

    Abstract: Approaches for transferring a file using a virtualized application. A virtualized application executes within a virtual machine residing on a physical machine. When the virtualized application is instructed to download a file stored external to the physical machine, the virtualized application displays an interface which enables at least a portion of a file system, maintained by a host OS, to be browsed while preventing files stored within the virtual machine from being browsed. Upon the virtualized application receiving input identifying a target location within the file system, the virtualized application stores the file at the target location. The virtualized application may also upload a file stored on the physical machine using an interface which enables at least a portion of a file system of a host OS to be browsed while preventing files in the virtual machine from being browsed.


4. Transferring Files Using A Virtualized Application
    Patent application; status: under examination, published

    Publication (announcement) number: US20140380315A1

    Publication (announcement) date: 2014-12-25

    Application number: US14478889

    Filing date: 2014-09-05

    Applicant: Bromium, Inc.

    CPC classification number: G06F9/45558 G06F17/30233 G06F2009/45595

    Abstract: Approaches for transferring a file using a virtualized application. A virtualized application executes within a virtual machine residing on a physical machine. When the virtualized application is instructed to download a file stored external to the physical machine, the virtualized application displays an interface which enables at least a portion of a file system, maintained by a host OS, to be browsed while preventing files stored within the virtual machine from being browsed. Upon the virtualized application receiving input identifying a target location within the file system, the virtualized application stores the file at the target location. The virtualized application may also upload a file stored on the physical machine using an interface which enables at least a portion of a file system of a host OS to be browsed while preventing files in the virtual machine from being browsed.

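The abstracts of entries 3 and 4 describe a file dialog that exposes only part of the host file system to a download or upload initiated from inside the VM. The security-relevant part is that the target path the guest supplies has to be confined on the host side, since a compromised guest can send any string. The following is an added example, not Bromium's code; it assumes a fixed list of browseable host roots and a policy that downloads never overwrite existing files, neither of which the abstracts state.

```python
"""Host-side confinement of a guest-requested download target.

Added example, not Bromium's code. Assumptions (not stated in the abstracts):
the host keeps a fixed list of browseable roots, the guest hands it a target
path as text, and every check runs on the host where a compromised guest
cannot tamper with it.
"""
import os
import tempfile
from pathlib import Path


def confine(path, allowed_roots) -> Path:
    """Canonicalise `path` and return it only if it is one of `allowed_roots`
    or lies beneath one; raise PermissionError otherwise.

    resolve() follows symlinks in the existing prefix and normalises '..', so
    neither a traversal sequence nor a symlink planted inside a browseable
    folder can redirect the operation outside the roots.
    """
    candidate = Path(path)
    if not candidate.is_absolute():
        raise PermissionError(f"relative target rejected: {path!r}")
    final = candidate.resolve()
    for root in allowed_roots:
        root = Path(root).resolve()
        if final == root or root in final.parents:
            return final
    raise PermissionError(f"target outside the browseable roots: {path!r}")


def list_browseable(directory, allowed_roots):
    """Names offered to the file dialog: host entries only, under a root only."""
    return sorted(entry.name for entry in confine(directory, allowed_roots).iterdir())


def save_download(content: bytes, target, allowed_roots) -> Path:
    """Write `content` to `target` after confinement.

    O_CREAT|O_EXCL refuses to open an existing path, including a symlink that
    appears between confine() and the write, so that race cannot redirect the
    file either. Never overwriting downloads is a policy assumed here.
    """
    final = confine(target, allowed_roots)
    if final.is_dir():
        raise PermissionError(f"target is a directory: {target!r}")
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_BINARY", 0)
    fd = os.open(final, flags, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    return final


def demo() -> dict:
    """Build a throw-away layout (constructed for this example) and exercise
    the checks; returns a label -> outcome map."""
    base = Path(tempfile.mkdtemp())
    downloads = base / "host" / "Downloads"
    downloads.mkdir(parents=True)
    (base / "host" / "secret.txt").write_bytes(b"host secret")
    roots = [downloads]
    outcomes = {"saved": save_download(b"payload", downloads / "file.bin", roots).name}
    attempts = {
        "traversal": downloads / ".." / "secret.txt",
        "relative": "Downloads/file.bin",
        "directory": downloads,
    }
    try:  # a symlink left in the browseable folder by an earlier download
        (downloads / "escape").symlink_to(base / "host")
        attempts["symlink"] = downloads / "escape" / "secret.txt"
    except OSError:  # symlink creation needs privileges on some hosts
        outcomes["symlink"] = "skipped"
    for label, target in attempts.items():
        try:
            save_download(b"x", target, roots)
            outcomes[label] = "allowed"
        except PermissionError:
            outcomes[label] = "rejected"
    try:
        list_browseable(base / "host", roots)
        outcomes["browse_parent"] = "allowed"
    except PermissionError:
        outcomes["browse_parent"] = "rejected"
    return outcomes
```

Resolving both the roots and the candidate before comparing them is what makes the check hold on hosts where the roots themselves sit behind symlinks; comparing raw strings would let a sibling directory with a shared prefix (Downloads2) pass as well, which the `parents` test avoids.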

6. Sharing and injecting cookies into virtual machines for retrieving requested web pages
    Granted patent; status: in force

    Publication (announcement) number: US09384026B1

    Publication (announcement) date: 2016-07-05

    Application number: US14168672

    Filing date: 2014-01-30

    Applicant: Bromium, Inc.

    Abstract: Approaches for selectively sharing cookies between virtual machines responsible for retrieving web content. A request to display a web page is received. The web page includes top-level content served by a top-level domain and secondary content served by one or more other domains. A determination that at least a portion of the web page should be retrieved from within a virtual machine is made. A policy is consulted to identify a set of cookies to inject into the virtual machine. The policy considers whether the virtual machine is responsible for retrieving one or more of top-level content and secondary content in identifying the set of cookies to inject into the virtual machine. After injecting the set of cookies into the virtual machine, the portion of the web page is retrieved from within the virtual machine.

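The abstract above leaves the policy itself open: it only says that the set of cookies injected depends on whether the VM fetches top-level content, secondary content, or both. The following added example (not Bromium's code) shows one such policy in working form. Its rules are assumptions chosen for illustration: a VM receives only cookies that domain-match a host it will fetch from, Secure cookies go only to hosts reached over https, and a VM that fetches secondary content never receives a cookie that also belongs to the top-level site, even when a subdomain it serves would domain-match it. The jar and page below are constructed sample data.

```python
"""Selecting the cookies injected into a content-fetching VM.

Added example, not Bromium's code; the policy encoded here is an assumption
chosen to illustrate the abstract, and the sample jar is constructed.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Cookie:
    domain: str            # Domain attribute as stored in the jar, e.g. ".bank.example"
    name: str
    value: str
    secure: bool = False   # Secure attribute: only usable over https


def domain_matches(cookie_domain: str, host: str) -> bool:
    """RFC 6265 section 5.1.3 domain matching (leading dot ignored)."""
    d = cookie_domain.lstrip(".").lower()
    h = host.lower()
    return h == d or h.endswith("." + d)


def cookies_to_inject(jar, top_level_url, secondary_urls, role):
    """Return the subset of `jar` to inject into one VM.

    role is "top" (the VM fetches only the top-level document), "secondary"
    (only content served by other domains) or "both".
    """
    top_host = urlsplit(top_level_url).hostname
    targets = {}  # host -> scheme the VM will use for it
    if role in ("top", "both"):
        targets[top_host] = urlsplit(top_level_url).scheme
    if role in ("secondary", "both"):
        for url in secondary_urls:
            parts = urlsplit(url)
            targets[parts.hostname] = parts.scheme
    selected = []
    for cookie in jar:
        if role == "secondary" and domain_matches(cookie.domain, top_host):
            continue  # first-party cookie: keep it out of the third-party VM
        for host, scheme in targets.items():
            if not domain_matches(cookie.domain, host):
                continue
            if cookie.secure and scheme != "https":
                continue
            selected.append(cookie)
            break
    return selected


# Constructed sample jar and page for the example.
SAMPLE_JAR = [
    Cookie(".bank.example", "session", "s1", secure=True),
    Cookie("cdn.bank.example", "cdnpref", "p"),
    Cookie(".ads.example", "tracker", "t"),
    Cookie(".ads.example", "secure_tracker", "st", secure=True),
    Cookie(".other.example", "unrelated", "u"),
]
TOP_LEVEL = "https://www.bank.example/account"
SECONDARY = ["https://cdn.bank.example/app.js", "http://ads.example/pixel"]


def names_for(role):
    """Cookie names the policy would inject for the given VM role."""
    return [c.name for c in cookies_to_inject(SAMPLE_JAR, TOP_LEVEL, SECONDARY, role)]
```

The case worth noticing is `cdn.bank.example`: it is a secondary host, yet the first-party `session` cookie domain-matches it, so a policy that only matched cookies against target hosts would hand the session cookie to the VM that renders third-party content. The explicit top-level exclusion for the "secondary" role is what keeps it out.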

7. Dynamic adjustment of the file format to identify untrusted files
    Granted patent; status: in force

    Publication (announcement) number: US09245108B1

    Publication (announcement) date: 2016-01-26

    Application number: US14326175

    Filing date: 2014-07-08

    Applicant: Bromium, Inc.

    Abstract: Approaches for an operating system to ascertain whether files stored in its file system have been deemed trustworthy. When an operating system receives a request to perform an operation involving a file that is stored within the file system maintained by the operating system, the operating system requests the file from a driver. In turn, the driver consults a set of trust data to identify whether the file has been previously deemed trustworthy. Upon the driver determining that the file has been deemed trustworthy, the driver provides the file to the operating system in a first format. On the other hand, upon the driver determining that the file has not been deemed trustworthy, the driver provides the file to the operating system in a second format that is different from the first format. Advantageously, the file is stored in a single format in the file system.

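The abstract fixes neither what the trust data is keyed on nor what the two formats are. The added example below (not Bromium's code) makes one set of choices to show the mechanism end to end: trust is recorded against the SHA-256 of the file's bytes rather than its path, the first format is the file's own bytes, and the second format is those bytes behind a fixed header that a host-side viewer could recognise. All three are assumptions; the scenario is constructed.

```python
"""A stand-in for the trust-consulting driver of the abstract.

Added example, not Bromium's code. Assumptions: trust data is keyed by the
SHA-256 of the file's content, the "first format" is the file's own bytes and
the "second format" is those bytes behind a fixed header. The abstract fixes
none of these choices.
"""
import hashlib
import tempfile
from pathlib import Path

UNTRUSTED_HEADER = b"X-UNTRUSTED-FILE/1\n"  # hypothetical marker for the second format


class TrustFilter:
    """Trust is bound to content, never to a path, so replacing the bytes of a
    file that was vetted earlier demotes it on the next read."""

    def __init__(self):
        self._trusted_digests = set()

    @staticmethod
    def _digest(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()

    def mark_trusted(self, path):
        """Record the current content of `path` as trusted."""
        self._trusted_digests.add(self._digest(Path(path).read_bytes()))

    def read(self, path):
        """Return (format, data): the bytes themselves if their digest is in the
        trust data, otherwise the wrapped form. The file on disk is never
        rewritten, which is the single-format storage the abstract describes."""
        data = Path(path).read_bytes()
        if self._digest(data) in self._trusted_digests:
            return "native", data
        return "wrapped", UNTRUSTED_HEADER + data


def demo() -> dict:
    """Constructed scenario: a file is vetted, then its bytes are replaced."""
    folder = Path(tempfile.mkdtemp())
    report = folder / "report.docx"
    report.write_bytes(b"clean document")
    flt = TrustFilter()
    flt.mark_trusted(report)
    before = flt.read(report)[0]
    report.write_bytes(b"clean document with macro")  # same path, new content
    after = flt.read(report)[0]
    unknown = folder / "download.docx"
    unknown.write_bytes(b"never vetted")
    return {
        "before": before,
        "after": after,
        "unknown": flt.read(unknown)[0],
        "stored_unchanged": unknown.read_bytes() == b"never vetted",
    }
```

Keying the trust data on content rather than on the path is what makes the demotion in `demo()` happen; a real filter driver would cache the digest against the file's identity and invalidate it on write rather than rehash on every open, but the decision it reaches must be the same.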

8. Automated provisioning of secure virtual execution environment using virtual machine templates based on requested activity
    Granted patent; status: in force

    Publication (announcement) number: US09116733B2

    Publication (announcement) date: 2015-08-25

    Application number: US14610282

    Filing date: 2015-01-30

    Applicant: Bromium, Inc.

    Abstract: Approaches for executing untrusted software on a client without compromising the client, using micro-virtualization to execute the untrusted software in isolated contexts. A template for instantiating a virtual machine on a client is identified in response to receiving a request to execute an application. After the template is identified, without human intervention, a virtual machine is instantiated, using the template, in which the application is to be executed. The template may be selected from a plurality of templates based on the nature of the request, as each template describes the characteristics of a virtual machine suitable for a different type of activity. When the client determines that the application has ceased to execute, the client ceases execution of the virtual machine without human intervention.


9. Automated identification of virtual machines to process or receive untrusted data based on client policies
    Granted patent; status: in force

    Publication (announcement) number: US09110701B1

    Publication (announcement) date: 2015-08-18

    Application number: US14170281

    Filing date: 2014-01-31

    Applicant: Bromium, Inc.

    Abstract: Approaches for transferring data to a client by safely receiving the data in one or more virtual machines. In response to the client determining that digital content is to be received or processed by the client, the client identifies one or more virtual machines, executing or to be executed on the client, into which the digital content is to be stored. In doing so, the client may consult policy data that defines one or more policies for determining into which virtual machine the digital content should be stored. In this way, digital content of unknown trustworthiness, such as executable code or interpreted data, may be safely received by the client without any malicious code it contains being able to cause an undesirable consequence on the client.


10. SECURING AN INTERNET ENDPOINT USING FINE-GRAINED OPERATING SYSTEM VIRTUALIZATION
    Patent application; status: in force

    Publication (announcement) number: US20150143374A1

    Publication (announcement) date: 2015-05-21

    Application number: US14610282

    Filing date: 2015-01-30

    Applicant: Bromium, Inc.

    Abstract: Approaches for executing untrusted software on a client without compromising the client, using micro-virtualization to execute the untrusted software in isolated contexts. A template for instantiating a virtual machine on a client is identified in response to receiving a request to execute an application. After the template is identified, without human intervention, a virtual machine is instantiated, using the template, in which the application is to be executed. The template may be selected from a plurality of templates based on the nature of the request, as each template describes the characteristics of a virtual machine suitable for a different type of activity. When the client determines that the application has ceased to execute, the client ceases execution of the virtual machine without human intervention.

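Entries 8 and 10 describe selecting a VM template from the nature of a request, instantiating the VM without operator action and discarding it when the application exits; entry 9 describes consulting policy data to decide which VM untrusted content lands in. One broker serves all three abstracts, so the following added example (not Bromium's code) implements them together. The template catalogue, the zone names and the rule that content is keyed by (activity, origin) are assumptions chosen for illustration.

```python
"""Template-driven provisioning and policy-based VM assignment.

Added example, not Bromium's code; it covers the abstracts of entries 8, 9
and 10 above. The templates, the zone names and the (activity, origin) key
are assumptions made for illustration.
"""
from dataclasses import dataclass, field
import itertools


@dataclass(frozen=True)
class Template:
    name: str
    network: str          # "internet", "intranet" or "none"
    clipboard_out: bool   # may the VM write to the host clipboard?
    host_writable: tuple  # host folders the VM may write into


TEMPLATES = {
    "web-internet": Template("web-internet", "internet", False, ("Downloads",)),
    "web-intranet": Template("web-intranet", "intranet", True, ("Downloads", "Documents")),
    "document-untrusted": Template("document-untrusted", "none", False, ()),
    "executable-untrusted": Template("executable-untrusted", "none", False, ()),
}


def select_template(activity: str, zone: str) -> Template:
    """Policy (assumption): choose a template from the nature of the request."""
    if activity == "browse":
        return TEMPLATES["web-intranet" if zone == "intranet" else "web-internet"]
    if activity == "open_document":
        return TEMPLATES["document-untrusted"]
    if activity == "run_executable":
        return TEMPLATES["executable-untrusted"]
    raise ValueError(f"no template for activity {activity!r}")


@dataclass
class VM:
    vm_id: int
    template: Template
    key: tuple
    processes: set = field(default_factory=set)


class Broker:
    """Instantiates a VM per (activity, origin) without operator action and
    discards it when the last process inside it exits."""

    def __init__(self):
        self._vms = {}
        self._ids = itertools.count(1)

    def launch(self, activity: str, origin: str, zone: str, pid: int) -> VM:
        key = (activity, origin)
        vm = self._vms.get(key)
        if vm is None:  # policy (assumption): never mix origins in one VM
            vm = VM(next(self._ids), select_template(activity, zone), key)
            self._vms[key] = vm
        vm.processes.add(pid)
        return vm

    def process_exited(self, vm: VM, pid: int) -> bool:
        """Return True when the VM was torn down because it became empty."""
        vm.processes.discard(pid)
        if vm.processes:
            return False
        self._vms.pop(vm.key, None)
        return True

    def live_vm_count(self) -> int:
        return len(self._vms)
```

Keying the VM cache on origin as well as activity is what gives entry 9 its guarantee: content from two different sites never shares a VM, so a compromise inside one cannot read the other, while repeated requests for the same origin reuse the running VM instead of paying for a fresh instantiation.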
