Abstract: Securely performing file operations. A method includes determining a licensing characteristic assigned to a file. When the licensing characteristic assigned to the file meets or exceeds a predetermined licensing condition, then the method includes performing a file operation on the file in a host operating system while preventing the file operation from being performed in the guest operating system. When the licensing characteristic assigned to the file does not meet or exceed the predetermined licensing condition, then the method includes performing the file operation on the file in the guest operating system while preventing the file operation from being performed directly in the host operating system.

Abstract: A layered composite boot device, and a corresponding layered composite file system, can be implemented by a boot manager. Requests directed to the layered composite boot device and file system, can be serviced from a primary device and file system that are encapsulated by the layered composite boot device and file system. The primary device and file system can correspond to a virtualized file system within a container environment, thereby enabling changes within the container environment to affect early stages of operating system booting in the container environment. Should such requests not be serviceable from the primary layers, the composite device and file system can comprise secondary layers that can correspond to a container host connection and the host file system, providing fallback to existing data if changes within the container environment were not made, thereby enabling booting to proceed in a traditional manner.

Abstract: Environment type validation can provide a tamper-resistant validation of the computing environment within which the environment type validation is being performed. Such information can then be utilized to perform policy management, which can include omitting verifications in order to facilitate the sharing of policy, such as application licenses, from a host computing environment into a container virtual computing environment. The environment type validation can perform multiple checks, including verification of the encryption infrastructure of the computing environment, verification of code integrity mechanisms of that computing environment, checks for the presence of functionality evidencing a hypervisor, checks for the presence or absence of predetermined system drivers, or other like operating system components or functionality, checks for the activation or deactivation of resource management stacks, and checks for the presence or absence of predetermined values in firmware.

Abstract: Techniques of migrating containerized software packages between source and destination computing devices are disclosed herein. In one embodiment, a method includes receiving, at a destination device, a request to migrate a source container currently executing on the source device to the destination device. The method also includes synchronizing a list of handles utilized by the source container on the source device between the destination device and the source device and instantiating, in the destination device, a destination container using a copy of an image, a memory snapshot, and the synchronized list of handles of the source container on the source device. Upon completion of instantiating the destination container, the destination device can transmit a remote display output of the application to be surfaced on the source device in place of the local display output generated by the source container.

Abstract: Computing systems, devices, and methods of dynamic image composition for container deployment are disclosed herein. One example technique includes receiving a request for accessing a file from a container process. In response to receiving the request, the technique includes querying a mapping table corresponding to the container process to locate an entry corresponding to a file identifier of the requested file. The entry also includes data identifying a file location on the storage device from which the requested file is accessible. The technique further includes retrieving a copy of the requested file according to the file location identified by the data in the located entry in the mapping table and providing the retrieved copy of the requested file to the container process, thereby allowing the container process to access the requested file.

Abstract: Memory is partitioned and isolated in container-based memory enclaves. The container-based memory enclaves have attestable security guarantees. During provisioning of the container-based memory enclaves from a container image, a purported link in the container to a memory address of the enclave is modified to verifiably link to an actual memory address of the host, such as partitioned memory enclave. In some instances, enclave attestation reports can be validated without transmitting corresponding attestation requests to remote attestation services, based on previous attestation of one or more previous container attestation reports from a similar container and without requiring end-to-end attestation between the container and remote attestation service for each new attestation request.

Abstract: A host operating system running on a computing device monitors resource access by an application running in a container that is isolated from the host operating system. In response to detecting resource access by the application, a security event is generated describing malicious activity that occurs from the accessing the resource. This security event is analyzed to determine a threat level of the malicious activity. If the threat level does not satisfy a threat level threshold, the host operating system allows the application to continue accessing resources and continues to monitor resource access. When the threat level satisfies the threat level threshold, the operating system takes corrective action to prevent the malicious activity from spreading beyond the isolated container. Through the use of security events, the host operating system is protected from even kernel-level attacks without using resources required to run anti-virus software in the isolated container.

Abstract: Securely performing file operations. A method includes determining a trust characteristic assigned to a file. When the trust characteristic assigned to the file meets or exceeds a predetermined trust condition, then the method includes performing a file operation on the file in a host operating system while preventing the file operation from being performed in the container operating system. When the trust characteristic assigned to the file does not meet or exceed the predetermined trust condition, then the method includes performing the file operation on the file in the container operating system while preventing the file operation from being performed directly in the host operating system.

Abstract: A host operating system running on a computing device monitors network communications for the computing device to identify network resources that are requested by the computing device. The host operating system compares requested network resources against security policies to determine if the requested network resources are trusted. When an untrusted network resource is identified, the host operating system accesses the untrusted network resource within a container that is isolated from the host operating system kernel using techniques discussed herein. By restricting access to untrusted network resources to isolated containers, the host operating system is protected from even kernel-level attacks or infections that may result from an untrusted network resource.

Abstract: Techniques for memory assignment for guest operating systems are disclosed herein. In one embodiment, a method includes generating a license blob containing data representing a product key copied from a record of license information in the host storage upon receiving a user request to launch an application in the guest operating system. The method also includes storing the generated license blob in a random memory location accessible by the guest operating system. The guest operating system can then query the license blob for permission to launch the application and launching the application in the guest operating system without having a separate product key for the guest operating system.

Abstract: Techniques of deferred container deployment are disclosed herein. In one embodiment, a method includes receiving, at a computing device, a container image corresponding to the container. The container image includes a first set of files identified by symbolic links individually directed to a file in the host filesystem on the computing device and a second set of files identified by hard links. The method also includes in response to receiving the container image, at the computing device, storing the received container image in a folder of the host filesystem on the computing device without resolving the symbolic links of the first set of the files until runtime of the requested container.

Abstract: Techniques of migrating containerized software packages between source and destination computing devices are disclosed herein. In one embodiment, a method includes receiving, at a destination device, a request to migrate a source container currently executing on the source device to the destination device. The method also includes synchronizing a list of handles utilized by the source container on the source device between the destination device and the source device and instantiating, in the destination device, a destination container using a copy of an image, a memory snapshot, and the synchronized list of handles of the source container on the source device. Upon completion of instantiating the destination container, the destination device can transmit a remote display output of the application to be surfaced on the source device in place of the local display output generated by the source container.

Abstract: Providing access control by a first operating system. A method includes receiving at the first operating system, from the second operating system, a request for a bounding reference to a set having at least one resource. A bounding reference for the set is obtained. The bounding reference comprises a reference created from a first operating system resolvable reference to the set. The method further includes providing the obtained bounding reference for the obtained provided bounding reference to the second operating system. A request, including the obtained bounding reference and an identifier identifying the second operating system for the set, is received from the second operating system. The obtained bounding reference and the identifier identifying the second operating system are evaluated. As a result of evaluating the obtained bounding reference and the identifier identifying the second operating system, a resource control action is performed.

Abstract: Facilities are provided to secure guest runtime environments (GREs). Security policy specifications may be associated with GREs. A GRE's security policy may be specific to the GRE and may also include security policy inherited from higher levels such as a host operating environment. The security policy of a GRE specifies restrictions and/or permissions for activities that may be performed within the scope of execution of the GRE. A GRE's security policy may limit what the GRE's guest software may do within the GRE. Restrictions/permissions may be applied to objects such as files, configuration data, and the like. Security specifications may be applied to execution initiated within a GRE. A GRE's security specification may restrict/permit executable objects from loading and executing within the GRE. The executability or accessibility of objects may be conditioned on factors such as the health/integrity of the GRE, the host system, requested files, and others.

Abstract: Deploying containers constrained by power profiles on a host system. A method includes identifying a container template, a set of reusable stored characteristics, to be used for deploying a container instance. The method further includes obtaining a power profile, defining at least one power consumption threshold, for the container instance based on at least one of the set of reusable stored characteristics of the container template or other information about the container instance. The method further includes deploying the container instance on the host system by applying the set of reusable stored characteristics and the power profile by applying one or more configuration layers which causes power to the container instance to be at least one of regulated or monitored based on information in the power profile.

Abstract: Different containers are used for different usage sessions, a container referring to a virtualization layer for a computing device and used for isolation as well as hardware resource partitioning. A usage session refers to the time span beginning when one or more users begin to use the computing device, and ending when the one or more users cease using the computing device. During a particular usage session that uses a container, all interaction with the computing device is maintained in the container. The container is deleted when the usage session ends, leaving no data from the usage session behind after the usage session ends. Additionally, some usage sessions need not be run in containers, so data generated during such usage sessions is maintained after usage session ends. The host operating system automatically determines which usage sessions to run in containers and which usage sessions to run separate from any containers.

Abstract: Techniques for secure sharing of data in computing systems are disclosed herein. In one embodiment, a method includes when exchanging data between the host operating system and the guest operating system, encrypting, at a trusted platform module (TPM) of the host, data to be exchanged with a first key to generate encrypted data. The method also includes transmitting the encrypted data from the host operating system to the guest operating system and decrypting, at the guest operating system, the transmitted encrypted data using a second key previously exchanged between the TPM of the host and a virtual TPM of the guest operating system.

Abstract: Techniques for memory assignment for guest operating systems are disclosed herein. In one embodiment, a method includes generating a license blob containing data representing a product key copied from a record of license information in the host storage upon receiving a user request to launch an application in the guest operating system. The method also includes storing the generated license blob in a random memory location accessible by the guest operating system. The guest operating system can then query the license blob for permission to launch the application and launching the application in the guest operating system without having a separate product key for the guest operating system.

Abstract: Securely storing, installing, or launching applications. A method includes determining a trust characteristic or a license characteristic assigned to an application. When the trust characteristic or the license characteristic meets or exceeds a predetermined trust condition or a predetermined license condition, then the method includes at least one of storing, installing or launching the application in a first, more secure operating system while preventing the application from, being at least one of stored, installed or launched in a second, less secure operating system. When the trust characteristic or the license characteristic does not meet or exceed the predetermined trust condition or the predetermined license condition, then the method includes at least one of storing, installing or launching the application in the second less secure operating system while preventing the application from being at least one of stored, installed or launched in the first, more secure operating system.

Abstract: A second operating system accessing resources from an external service. A method includes sending an anonymized request, for an anonymized user corresponding to an authorized user, for resources, through a broker. A request for proof indicating that the anonymized user is authorized to obtain the resources is received from the broker. As a result, a request is send to a first operating system for the proof that the anonymized user is authorized to obtain the resources. Proof is received from the first operating system, based on the anonymized user being associated with the authorized user, that the anonymized user is authorized to obtain the resources. The proof is provided to the broker. As a result, the resources are obtained by the second operating system from the service.