System and Methods for Enforcing Software License Compliance with Virtual Machines

US 20090328225A1
Filed: 05/16/2008
Published: 12/31/2009
Est. Priority Date: 05/16/2007
Status: Active Grant

First Claim

Patent Images

1. A method of securely controlling execution of a computer program within a virtual machine, the virtual machine providing an execution environment for a guest operating system, the virtual machine being configured for execution by way of system level virtualization software executing on a current host platform, the current host platform comprising at least one central processing unit having access to mass storage device, said method comprising:

executing a policy enforcer outside of the virtual machine, the policy enforcer accessing policies stored by the mass storage device, the policies identifying one or more hardware platforms for which the virtual machine is authorized to execute, the policy enforcer determining whether the current host platform matches one of the hardware platforms identified by the policies;

prohibiting the virtual machine from executing on the current host platform when the policies do not indicate that the virtual machine is permitted to execute on the current host platform; and

permitting the virtual machine to execute on the current host platform when the policies indicate that the virtual machine is permitted to execute on the current host platform.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A virtualization system supports secure, controlled execution of application programs within virtual machines. The virtual machine encapsulates a virtual hardware platform and guest operating system executable with respect to the virtual hardware platform to provide a program execution space within the virtual machine. An application program, requiring license control data to enable execution of the application program, is provided within the program execution space for execution within the virtual machine. A data store providing storage of encrypted policy control information and the license control data is provided external to the virtual machine. The data store is accessed through a virtualization system including a policy controller that is selectively responsive to a request received from the virtual machine to retrieve the license control data dependent on an evaluation of the encrypted policy control information.

162 Citations

21 Claims

1. A method of securely controlling execution of a computer program within a virtual machine, the virtual machine providing an execution environment for a guest operating system, the virtual machine being configured for execution by way of system level virtualization software executing on a current host platform, the current host platform comprising at least one central processing unit having access to mass storage device, said method comprising:
- executing a policy enforcer outside of the virtual machine, the policy enforcer accessing policies stored by the mass storage device, the policies identifying one or more hardware platforms for which the virtual machine is authorized to execute, the policy enforcer determining whether the current host platform matches one of the hardware platforms identified by the policies;
  
  prohibiting the virtual machine from executing on the current host platform when the policies do not indicate that the virtual machine is permitted to execute on the current host platform; and
  
  permitting the virtual machine to execute on the current host platform when the policies indicate that the virtual machine is permitted to execute on the current host platform.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the policies include a hardware identification number for each hardware platform for which the virtual machine is permitted to execute, and the determining whether the host platform matches one of the hardware platforms comprises comparing the hardware identification numbers with a current hardware identification number derived or obtained from the current host platform.
  - 3. The method of claim 1, further comprising:
    - accessing a license permissions file corresponding to the computer program, the license permissions file containing license file key data;
      
      authenticating the computer program against the license file key data; and
      
      inhibiting execution of the computer program when the authenticating of the computer program fails.
  - 4. The method of claim 3, wherein said computer program is selectively capable of performing a plurality of featured functions and the license permissions file further contains feature information, said method further comprising:
    - providing feature information to the computer program, wherein said computer program is responsive to said feature information for enabling only a subset of said featured functions.
  - 5. The method of claim 1, wherein said virtual machine includes a plurality of virtual hardware components, wherein the each of said plurality of virtual hardware components may be selectively disabled and enabled based on properties defined by the policies.
  - 6. The method of claim 5, wherein the policies limit utilization of said computer program to demonstration use by preventing data input and output except by way of a basic user interface and a virtual disk, the basic user interface comprising keyboard and mouse input and display and sound output.
  - 7. The method of claim 6, further comprising:
    - executing an initialization routine included with the computer program, the initialization routine being in communication with said license module;
      
      causing the license module to determine whether the computer program is executing within an authorized virtual machine environment; and
      
      terminating, execution of said computer program when the license module determines that the computer program is not executing within an authorized virtual machine environment.
  - 8. The method of claim 7, wherein the policies include a set of program properties associated with the computer program, and virtual machine properties associated with the virtual machine, the program properties identifying features of the computer program that are authorized for use, and the virtual machine properties identifying features of the virtual machine that are authorized for use, the method further comprising:
    - the step of operatively constraining modification of said virtual machine properties and said program properties such that the operative utility of said computer program is within the scope of predetermined license rights of said computer program.
  - 9. The method of claim 8, further comprising:
    - modifying at least one of the virtual machine properties and the program properties to reduce or remove limitations imposed by the policies on the use of said computer program, the modifying being performed by applying a patch to one or more files containing the policies.
  - 10. The method of claim 9, wherein the virtual machine properties includes at least one hardware platform identifiers and wherein said determining whether the host platform matches one of the hardware platforms comprises comparing the hardware platform identifiers with a host identifier obtained from one or more properties of the host platform.

11. A machine readable medium embodying instructions for causing a computer system to securely control execution of a computer program within a virtual machine, the virtual machine providing an execution environment for a guest operating system, the virtual machine being configured for execution by way of system level virtualization software on a current host platform, the current host platform comprising at least one central processing unit having access to mass storage device, the instructions including:
- instructions causing the virtualization software to identify a policy associated with the virtual machine, the policy including properties indicating whether one or more of a plurality of virtual input/output devices are to be disabled for the virtual machine;
  
  instructions disabling each virtual input/output device of the virtual machine that corresponds to input/output devices identified in the policy.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The machine readable medium of claim 11, wherein the policy implicitly indicates which of the plurality of input/output devices are to be disabled.
  - 13. The machine readable medium of claim 12, wherein the policy indicates that the virtual machine should operate in a demonstration mode, the demonstration mode being a virtual machine mode implicitly identifying all input/output devices except the virtual disk, and basic user interface input/output devices as devices that are to be disabled.
  - 14. The machine readable medium of claim 11, wherein:
    - the policy is stored in an encrypted format accessible by a policy enforcer, which executes outside of the virtual machine and controls operation of the virtual devices associated with the virtual machine;
      
      the instructions causing the virtualization software to identify a policy associated with the virtual machine includes the policy enforcer.
  - 15. The machine readable medium of claim 14, wherein the policy identifies one or more hardware platforms for which the virtual machine is authorized to execute, the policy enforcer:
    - determines whether the current host platform matches one of the hardware platforms identified by the policy;
      
      prohibits the virtual machine from executing on the current host platform when the policy does not indicate that the virtual machine is permitted to execute on the current host platform; and
      
      permits the virtual machine to execute on the current host platform when the policy indicates that the virtual machine is permitted to execute on the current host platform.

16. A method of securely controlling the execution of a software program within a virtual machine as executed on a host computer system, said method comprising the steps of:
- securely restricting execution of a virtual machine to an authoritatively identified host computer system; and
  
  securely restricting execution of a software program within said virtual machine to an authoritatively identified instance of said virtual machine, said software program being executable on a virtual host computer system encapsulated within said virtual machine;
  
  wherein;
  
  said securely restricting execution of the virtual machine selectively provides for the termination of execution of said virtual machine on non-authoritatively identified host computer systems, andsaid securely restricting execution of the software program selectively provides for the termination of execution of said software program within non-authoritatively identified virtual machines.
- View Dependent Claims (17, 18, 19, 20, 21)
- - 17. The method of claim 16, wherein:
    - said securely restricting execution of the virtual machine includes;
      
      determining a unique host computer system identifier; and
      
      authenticating said unique host computer system identifier against securely stored first policy control information; and
      
      wherein said securely restricting execution of the software program includes;
      
      determining a unique virtual host computer system identifier; and
      
      authenticating said unique virtual host computer system identifier against second policy control information.
  - 18. The method of claim 17, wherein said virtual host computer system includes a plurality of virtual peripherals having respective sets of operational capabilities determined by said first policy control information, and wherein said method further comprises:
    - defining said first and second policy control information to securely control the combined operational utility of said virtual machine and said software program, wherein the defining of the first and second policy control information provides for a first state wherein said first policy control information restricts said respective sets of operation capabilities to limit said software program to demonstration use only and a second state wherein said first and second policy control information includes non-generic identifier values for use in said second and fourth steps of authentication.
  - 19. The method of claim 18, further comprising:
    - maintaining said first and second policy control information within a secure store accessible through a policy controller, the operation of said policy controller being determined by said first and second policy control information.
  - 20. The method of claim 19, further comprising the step of enabling replication of said virtual machine as a virtual machine package, wherein said step of enabling replication provides for the storage of a predetermined number of non-generic identifier values in said first policy control information for use in said second step of authentication.
  - 21. The method of claim 20, further comprising replicating said virtual machine as said virtual machine package, wherein said replicating includes storing a target host identifier value to said first policy control information prior to creation of said virtual machine package provided said predetermined number of non-generic identifier values in said first policy control information is not exceeded.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Vmware LLC (Broadcom, Inc.)
Original Assignee
VMware, Inc. (Broadcom, Inc.)
Inventors
Chambers, Benjamin A., Ginzton, Matthew D.

Granted Patent

US 8,875,266 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/26
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 21/10   Protecting distributed prog...

G06F 21/121   Restricting unauthorised ex...

G06F 21/44   Program or device authentic...

G06F 9/45533   Hypervisors; Virtual machin...

G06F 9/45558   Hypervisor-specific managem...

System and Methods for Enforcing Software License Compliance with Virtual Machines

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

162 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

System and Methods for Enforcing Software License Compliance with Virtual Machines

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

162 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links