Method and apparatus to protect policy state information during the life-time of virtual machines

US 20070239979A1
Filed: 03/29/2006
Published: 10/11/2007
Est. Priority Date: 03/29/2006
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method for protecting policy state information during the lifetime of a virtual machine, the computer implemented method comprising:

creating a source policy;

creating a mapping policy; and

creating a binary policy, wherein the source, the mapping and the binary policies are different representations of a security policy.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A scheme for protecting policy state information during the lifetime of a virtual machine is presented. In order to protect and preserve the policy state information of the virtual machine, a process creates a source policy, a mapping policy, and a binary policy. These polices are all different representations of a security policy. The different policy representations are chained together via cryptographic hashes.

63 Citations

View as Search Results

20 Claims

1. A computer implemented method for protecting policy state information during the lifetime of a virtual machine, the computer implemented method comprising:
- creating a source policy;
  
  creating a mapping policy; and
  
  creating a binary policy, wherein the source, the mapping and the binary policies are different representations of a security policy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The computer implemented method of claim 1, further comprising:
    - deriving the mapping policy from the source policy.
  - 3. The computer implemented method of claim 1, further comprising:
    - deriving the binary policy from the mapping policy,
  - 4. The computer implemented method of claim 1, further comprising:
    - deriving the binary policy from the source policy.
  - 5. The computer implemented method of claim 1, further comprising:
    - chaining the source, the mapping, and the binary polices together via cryptographic hashes.
  - 6. The computer implemented method of claim 5, further comprising:
    - performing a cryptographic hash on the source policy to form a source hash.
  - 7. The computer implemented method of claim 6, wherein a user defined extension is combined with the source policy before the cryptographic hash is performed.
  - 8. The computer implemented method of claim 6, further comprising:
    - performing a cryptographic hash on the mapping policy combined with the source hash to form a mapping hash.
  - 9. The computer implemented method of claim 8, wherein a user defined extension is combined with the mapping policy and the source hash before the cryptographic hash is performed.
  - 10. The computer implemented method of claim 8, wherein the binary policy comprises policy encoding combined with the mapping hash.

11. A computer implemented method for verifying policy state information of a virtual machine, the computer implemented method comprising:
- receiving a mapping policy file and binary policy file of a source process;
  
  determining if a cryptographic hash of a binary policy file of a target process matches a cryptographic hash of the binary policy file of the source process; and
  
  in response to a determination that the cryptographic hash of the binary policy file of a target process matches the cryptographic hash of the binary policy file of the source process, declaring that security policies are compatible.
- View Dependent Claims (12, 13)
- - 12. The computer implemented method of claim 11, further comprising:
    - in response to a determination that the cryptographic hash of the binary policy file of a target process does not match the cryptographic hash of the binary policy file of the source process, determining if a cryptographic hash of a mapping policy embedded in the received binary policy file matches a cryptographic hash of the received mapping policy file;
      
      in response to the cryptographic hash of the mapping policy embedded in the received binary policy file matching the cryptographic hash of the received mapping policy file, retrieving a source policy name and cryptographic hash from the received mapping policy file;
      
      in response to retrieving the source policy name, locating a source policy file;
      
      in response to locating the source policy file, determining if a cryptographic hash of a source policy embedded in the received mapping policy file matches a cryptographic hash of the source policy file of the source process;
      
      in response to the cryptographic hash of the source policy embedded in the received mapping policy file matching the cryptographic hash of the source policy of the source process, mapping security identifiers in the received binary policy file to symbolic names of the security identifiers;
      
      in response to mapping the security identifiers in the received binary policy file to symbolic names of the security identifiers, translating source policy identifiers of the source process into source policy identifiers of the target process;
      
      in response to translating the source policy identifiers of the source process into the source policy identifiers of the target process, determining if the source policy identifiers of the source process exist in the source policy identifiers of the target process; and
      
      in response to the source policy identifiers of the source process existing in the source policy identifiers of the target process, declaring that security policies are compatible.
  - 13. The computer implemented method of claim 11, further comprising:
    - synchronizing results by the source process and the target process.

14. A computer program product comprising a computer usable medium including computer usable program code for protecting policy state information during the lifetime of a virtual machine, the computer program product comprising:
- computer usable program code for creating a source policy;
  
  computer usable program code for creating a mapping policy; and
  
  computer usable program code for creating a binary policy, wherein the source, the mapping and the binary policies are different representations of a security policy.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The computer program product of claim 14, further comprising:
    - computer usable program code for chaining the source, the mapping, and the binary polices together via cryptographic hashes.
  - 16. The computer program product of claim 15, further comprising:
    - computer usable program code for performing a cryptographic hash on the source policy to form a source hash.
  - 17. The computer program product of claim 16, wherein a user defined extension is combined with the source policy before the cryptographic hash is performed.
  - 18. The computer program product of claim 16, further comprising:
    - computer usable program code for performing a cryptographic hash on the mapping policy combined with the source hash to form a mapping hash.
  - 19. The computer program product of claim 18, wherein a user defined extension is combined with the mapping policy and the source hash before the cryptographic hash is performed.

20. A data processing system for protecting policy state information during the lifetime of a virtual machine, said data processing system comprising:
- a storage device for storing computer usable program code; and
  
  a processor for executing the computer usable program code for creating a source policy;
  
  creating a mapping policy; and
  
  creating a binary policy, wherein the source, the mapping and the binary policies are different representations of a security policy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Wrp IP Management, LLC
Original Assignee
International Business Machines Corporation
Inventors
Berger, Stefan, Sailer, Reiner, Perez, Ronald, Valdez, Enriquillo, Jaeger, Trent

Granted Patent

US 7,856,653 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/150
CPC Class Codes

H04L 63/102 Entity profiles

H04L 63/12 Applying verification of th...

Method and apparatus to protect policy state information during the life-time of virtual machines

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

63 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus to protect policy state information during the life-time of virtual machines

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

63 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links