Configurable access control security for virtualization

US 20090222880A1
Filed: 03/03/2008
Published: 09/03/2009
Est. Priority Date: 03/03/2008
Status: Abandoned Application

First Claim

Patent Images

1. A system to provide security for a computer, comprising:

one or more containers configured to contain one or more virtual machines;

a plurality of virtual machine images;

a configurable security policy that controls access to the one or more containers and controls system resources available to the one or more containers;

a loader that loads a first virtual machine image into a first container based on the access granted by the configurable security policy; and

a user interface configured to receive security configuration information, wherein the configurable security policy is configurable based on the security configuration information.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Provided are systems and methods for applying access controls to separate and contain virtual machines in a flexible, configurable manner. Access can be granted or removed to a variety of system resources—including network cards, shared folders, and external devices. Operations, such as cut and paste, between the virtual machines can be restricted or allowed. Virtual machines are run in containers. This allows more than one virtual machine to share the same access profile. Containers can be configured to allow a user to instantiate a virtual machine at run time. This allows the user to dynamically define which virtual machines run in various containers. An administrator determines which containers (if any) allow dynamic instantiation, and specifies the list of virtual machines the user can choose from. A container, and/or virtual machines within the container, can be restricted to particular users.

121 Citations

25 Claims

1. A system to provide security for a computer, comprising:
- one or more containers configured to contain one or more virtual machines;
  
  a plurality of virtual machine images;
  
  a configurable security policy that controls access to the one or more containers and controls system resources available to the one or more containers;
  
  a loader that loads a first virtual machine image into a first container based on the access granted by the configurable security policy; and
  
  a user interface configured to receive security configuration information, wherein the configurable security policy is configurable based on the security configuration information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The system of claim 1, wherein the access to the system resources granted to the first container is not changed when the first virtual machine image is loaded into the first container.
  - 3. The system of claim 1, wherein the configurable security policy controls which of the one or more virtual machines can be included in the container.
  - 4. The system of claim 1, wherein the configurable security policy comprises a mandatory access control security policy.
  - 5. The system of claim 1, wherein the loader reconfigures the first virtual machine image to correspond to the access granted to the first container by the configurable security policy.
  - 6. The system of claim 1, wherein the first virtual machine image is received from a remote source over a network.
  - 7. The system of claim 1, wherein the configurable security policy controls access to the one or more containers on a per-user basis, such that a first user can access a first set of containers and a second user cannot access the first set of containers.
  - 8. The system of claim 7, wherein the first virtual machine image is retrieved from a remote source over a network based on a user logged into the system.
  - 9. The system of claim 7, wherein the first virtual machine image is retrieved from a local source based on a user logged into the system.
  - 10. The system of claim 1, wherein the loader is configured to load the first virtual machine image into the first container based on the access granted by the configurable security policy and based on a user logged into the system, such that a first user can use the first virtual machine image and a second user cannot use the first virtual machine image.
  - 11. The system of claim 10, wherein the first virtual machine image is received from a remote source over a network.

12. A computer-implemented method to provide security for a computer, comprising:
- receiving security-configuration information via a user interface, wherein the security-configuration information defines one or more containers and a plurality of system resources, and wherein the one or more containers are configured to include one or more virtual machines;
  
  controlling, with a security policy, which system resources that each container is entitled to access, wherein the security policy is configurable based on the security-configuration information; and
  
  loading a first virtual machine image into a first container based on access granted to the first container by the security policy.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The computer-implemented method of claim 12, wherein the loading comprises:
    - loading the first virtual machine image into the first container based on the access granted to the first container by the security policy, wherein the access granted to the first container is not changed when the first virtual machine is loaded into the first container.
  - 14. The computer-implemented method of claim 12, wherein the loading comprises:
    - loading the first virtual machine image into the first container based on the access granted to the first container by the security policy, wherein the security policy controls which of the one or more virtual machines can be included in the first container.
  - 15. The computer-implemented method of claim 12, wherein the loading comprises:
    - loading the first virtual machine image into the first container based on the access granted to the first container by a mandatory access control security policy.
  - 16. The computer-implemented method of claim 12, further comprising:
    - reconfiguring the first virtual machine image to correspond to the access granted to the first container by the security policy.
  - 17. The computer-implemented method of claim 12, further comprising:
    - receiving the first virtual machine image from a remote source over a network.
  - 18. The computer-implemented method of claim 12, further comprising:
    - controlling, with the security policy, access to the one or more containers on a per-user basis, such that a first user can access a first subset of the one or more containers and a second user can access a second subset of the one or more containers.
  - 19. The computer-implemented method of claim 18, further comprising:
    - retrieving the first virtual machine image from a remote source over a network based on a user logged into a computer system.
  - 20. The computer-implemented method of claim 18, further comprising:
    - retrieving the first virtual machine image from a local source based on a user logged into a computer system.
  - 21. The computer-implemented method of claim 12, wherein the loading comprises:
    - loading the first virtual machine image into the first container based on the access granted to the first container by the security policy and based on a user logged into a computer system, such that a first user can use the first virtual machine image and a second user cannot use the first virtual machine image.
  - 22. The computer-implemented method of claim 21, further comprising:
    - receiving the first virtual machine image from a remote source over a network.

23. A computer-implemented method for configuring mandatory access control (MAC) security, comprising:
- (a) receiving security-configuration information that defines a security profile for one or more containers and a plurality of system resources, wherein the one or more containers are configured to include one or more virtual machines; and
  
  (b) implementing a MAC security policy based on the security-configuration information.
- View Dependent Claims (24, 25)
- - 24. The computer-implemented method of claim 23, wherein step (b) comprises:
    - (b1) generating a MAC security installation package based on the security-configuration information; and
      
      (b2) deploying the installation package to a remote machine.
  - 25. The computer-implemented method of claim 23, wherein step (b) comprises:
    - (b1) reconfiguring a MAC security policy of a local machine based on the security-configuration information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Tresys Technology LLC (OWL Cyber Defense Solutions LLC)
Original Assignee
Tresys Technology LLC (OWL Cyber Defense Solutions LLC)
Inventors
Athey, James L., Shimko, Spencer R., Mayer, Frank L., Walker, Kenneth M., Sellers, Charles D.

Application Number

US12/073,252
Publication Number

US 20090222880A1
Time in Patent Office

Days
Field of Search
US Class Current

726/1
CPC Class Codes

G06F 21/604 Tools and structures for ma...

G06F 21/6218 to a system of files or obj...

Configurable access control security for virtualization

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

121 Citations

25 Claims

Specification

Use Cases

Quick Links

Others

Configurable access control security for virtualization

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

121 Citations

25 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others