Usable Execution Isolation in Layered Security Systems

Background: Traditional computing systems have a single environment for all work. This comingles data assets of varying sensitivity. This can lead to malicious software, like ransomware, affecting highly sensitive assets even when the user was engaged in unrelated activity. Organizations may try to manage such risks by greatly restricting computing environments, but this can affect overall user productivity. With multiple, isolated environments, organizations can customize the security permissions for each to enable sensitive operations in tightly controlled spaces while allowing greater user freedom in tool use for less sensitive data assets.

Summary: The invention consists of techniques to facilitate the use of isolated VMs for performing work in a corporate environment. The system extends the base, open-source Qubes operating system to provide user interfaces that help users determine the relevant VM to use when accessing a resource. Additional technologies will facilitate high-speed interactions and the use of server resources to minimize perceived user latency.

Key Features/Benefits


  • Organizations can set tight controls for sensitive assets that may otherwise not be feasible in practice.
  • Organizations can provide users with flexible “free for all” environments to enhance productivity for data and workflows with limited security goals.
  • The approaches we use make it easier for people to understand the appropriate environment for storing assets and understand the risks associated with those assets.

Applications: The technology can be used on end-user machines within organizations. The underlying technology can be used on systems with virtualization acceleration and sufficient RAM (typically 16GB or more).63/245,524

Faculty/PhD/Staff Inventor(s)
Research Category
Cyber Data & Security Science and Engineering
Patent Status
Case Number