Hardware-based virtualized security isolation techniques

Abstract

A host operating system running on a computing device monitors the device's network communications to identify the network resources it requests. The host operating system compares each requested network resource against a security policy to determine whether the resource is trusted. When an untrusted network resource is identified, the host operating system accesses that resource inside a container that is isolated from the host operating system kernel, using the techniques discussed herein. By confining access to untrusted network resources to isolated containers, the host operating system is protected from kernel-level attacks or infections that can result from untrusted network resources.