In-the-flow security services for guested virtual machines

US 20100100718A1
Filed: 10/20/2008
Published: 04/22/2010
Est. Priority Date: 10/20/2008
Status: Abandoned Application

First Claim

Patent Images

1. In a computing system environment, a method of providing security to a plurality of guest virtual machines configured on a hardware platform, comprising:

configuring a plurality of I/O domains on the hardware platform including configuring one of the I/O domains between each of the plurality of guest virtual machines and a network connected to the hardware platform and configuring another of the I/O domains between said each of the plurality of guest virtual machines and storage available to the hardware platform.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and apparatus provide security to guest virtual machines configured on a hardware platform. A plurality of I/O domains are also configured on the hardware platform and connect between each of the guest virtual machines and a network connected to the hardware platform or remote or local storage available to the hardware platform. In this manner, the I/O domains are configured in the flow of the guest virtual machines as they utilize available resources, for instance, and are able to filter network or block level traffic, respectively. Representatively, one filter analyzes packets exchanged to and from the network, while the other filter analyzes internal traffic and may be a block-tap, stackable driver, virus scanning application, etc. Also, the guested virtual machines communicate with the I/O domains by way of a shared memory transport. Still other features contemplate drivers, operating systems, and computer program products, to name a few.

52 Citations

View as Search Results

30 Claims

1. In a computing system environment, a method of providing security to a plurality of guest virtual machines configured on a hardware platform, comprising:
- configuring a plurality of I/O domains on the hardware platform including configuring one of the I/O domains between each of the plurality of guest virtual machines and a network connected to the hardware platform and configuring another of the I/O domains between said each of the plurality of guest virtual machines and storage available to the hardware platform.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further including configuring a hypervisor of the hardware platform as a layer in which said each of the plurality of guest virtual machines communicate through the plurality of I/O domains.
  - 3. The method of claim 1, further including configuring the one of the I/O domains as packet filter between said each of the plurality of guest virtual machines and the network connected to the hardware platform to analyze packets exchanged to and from the network.
  - 4. The method of claim 1, further including configuring the another of the I/O domains as a filter between said each of the plurality of guest virtual machines and the storage available to the hardware platform, the filter being a block-tap, a stackable driver or a virus scanning application.
  - 5. The method of claim 1, further including configuring each of the plurality of I/O domains with back-end drivers that communicate with physical device drivers of the hardware platform.
  - 6. The method of claim 5, further including configuring said each of the plurality of guest virtual machines with front-end drivers that communicate with the back-end drivers of the each of the plurality of I/O domains.
  - 7. The method of claim 1, wherein the configuring the plurality of I/O domains on the hardware platform further includes configuring the plurality of I/O domains independently of an operating system of said each of the plurality of guest virtual machines.

8. In a computing system environment, a method of providing security to a plurality of guest virtual machines configured on a hardware platform having a hypervisor, comprising:
- configuring a plurality of I/O domains on the hardware platform including configuring one of the I/O domains as a filter between each of the plurality of guest virtual machines and a network connected to the hardware platform and configuring another of the I/O domains as a filter between said each of the plurality of guest virtual machines and storage available to the hardware platform; and
  
  configuring by way of the hypervisor said each of the plurality of guest virtual machines to communicate with the network or storage through the plurality of I/O domains.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The method of claim 8, further including configuring a memory transport of the hypervisor for said communication between said each of the plurality of guest virtual machines and the network or storage.
  - 10. The method of claim 8, further including configuring said one of the I/O domains with all drivers of the network.
  - 11. The method of claim 8, further including configuring said another of the I/O domains with all block device drivers.
  - 12. The method of claim 8, further including configuring the filter between said each of the plurality of guest virtual machines and the network connected to the hardware platform as a packet filter to analyze packets exchanged to and from the network.
  - 13. The method of claim 8, further including configuring the filter between said each of the plurality of guest virtual machines and the storage available to the hardware platform as a block-tap, a stackable driver or a virus scanning application.

14. A computing server, comprising:
- a hardware platform including a processor, memory, the hardware platform able to be connected to a computing network and having access to remote or local storage;
  
  a hypervisor layer on the hardware platform;
  
  a plurality of guest virtual machines each operating as an independent guest computing device on the processor and memory by way of scheduling control from the hypervisor layer; and
  
  a plurality of I/O domains wherein one of the I/O domains serves as a filter between each of the plurality of guest virtual machines and the computing network and another of the I/O domains serves as a second filter between said each of the plurality of guest virtual machines and the remote or local storage.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The computing server of claim 14, wherein the hypervisor layer further includes a shared memory transport that connects said each of the plurality of guest virtual machines to each of the plurality of I/O domains.
  - 16. The computing server of claim 14, wherein the plurality of I/O domains include back-end drivers that communicate with physical device drivers of the hardware platform.
  - 17. The computing server of claim 16, wherein said each of the plurality of guest virtual machines include front-end drivers that communicate with the back-end drivers.
  - 18. The computing server of claim 14, wherein the filter is a packet filter to analyze packets exchanged to and from the network.
  - 19. The computing server of claim 14, wherein the second filter is a block-tap, a stackable driver or a virus scanning application.

20. A computing server, comprising:
- a hardware platform including a processor, memory, the hardware platform able to be connected to a computing network and having access to remote or local storage;
  
  a hypervisor layer on the hardware platform;
  
  a plurality of guest virtual machines each operating as an independent guest computing device on the processor and memory by way of scheduling control from the hypervisor layer;
  
  one I/O domain connected between each of the plurality of guest virtual machines and the computing network; and
  
  another I/O domain connected between said each of the plurality of guest virtual machines and the remote or local storage.
- View Dependent Claims (21, 22, 23, 24)
- - 21. The computing server of claim 20, wherein said each of the plurality of guest virtual machines has an operating system that is a same or different operating system than other of the plurality of guest virtual machines.
  - 22. The computing server of claim 20, wherein the one I/O domain or the another I/O domain includes a minimalist Linux operating system.
  - 23. The computing server of claim 20, wherein the hypervisor layer is a Xen hypervisor including a shared memory transport.
  - 24. The computing server of claim 23, wherein the shared memory transport said connects the one I/O domain and said each of the plurality of guest virtual machines and said connects the another I/O domain and said each of the plurality of guest virtual machines.

25. A computing server, comprising:
- a hardware platform including a processor, memory, the hardware platform able to be connected to a computing network and having access to remote or local storage;
  
  a hypervisor layer on the hardware platform;
  
  a plurality of guest virtual machines each operating as an independent guest computing device on the processor and memory by way of scheduling control from the hypervisor layer;
  
  a plurality of I/O domains wherein one of the I/O domains filters traffic between each of the plurality of guest virtual machines and the computing network and another of the I/O domains filters traffic between said each of the plurality of guest virtual machines and the remote or local storage; and
  
  a common I/O path between the plurality of I/O domains and said each of the plurality of guest virtual machines.
- View Dependent Claims (26)
- - 26. The computing server of claim 25, wherein the common I/O path is in the hypervisor layer.

27. A computer program product available as a download or on a computer readable medium for loading on a computing server in a computing system environment to provide security to a plurality of guest virtual machines configured on the computing server, the computer program product having executable instructions to enable configuring a plurality of I/O domains on the computing server including configuring one of the I/O domains between each of the plurality of guest virtual machines and a network connectable to the computing server and configuring another of the I/O domains between said each of the plurality of guest virtual machines and storage available to the computing server.
- View Dependent Claims (28, 29, 30)
- - 28. The computer program product of claim 27, further including executable instructions to configure the one of the I/O domains with a packet filter between said each of the plurality of guest virtual machines and the network to analyze packets exchanged to and from the network during use.
  - 29. The computer program product of claim 27, further including executable instructions to configure the another of the I/O domains with a filter between said each of the plurality of guest virtual machines and the storage, the filter being a block-tap, a stackable driver or a virus scanning application.
  - 30. The computer program product of claim 27, further including executable instructions to configure an I/O path of a hypervisor of the computing server as a common path between said each of the plurality of guest virtual machines and the plurality of I/O domains.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Novell Incorporated (Open Text Corporation)
Inventors
Srinivasan, Kattiganehalli Y.

Application Number

US12/288,433
Publication Number

US 20100100718A1
Time in Patent Office

Days
Field of Search
US Class Current

713/1
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/606   by securing the transmissio...

G06F 2221/2149   Restricted operating enviro...

G06F 9/5077   Logical partitioning of res...

H04L 63/145   the attack involving the pr...

In-the-flow security services for guested virtual machines

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

52 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

In-the-flow security services for guested virtual machines

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

52 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links