PER PROCESS VIRTUAL MACHINES

US 20100223613A1
Filed: 02/27/2009
Published: 09/02/2010
Est. Priority Date: 02/27/2009
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method comprising:

loading, at a computing device, a process into a virtual machine operating under the control of a hypervisor communicatively interfaced with an operating system kernel;

exposing, at the computing device, a subset of an Application Programming Interface (API) to the virtual machine, wherein the process to interface with the operating system kernel via the subset of the API; and

executing the process in the virtual machine.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for isolating processes executing within a computing device. A process is loaded into a virtual machine operating under the control of a hypervisor communicatively interfaced with an operating system kernel. A subset of an application programming interface (API) is exposed to the virtual machine enabling the process to interface with the operating system kernel via the subset of the API. The process is then executed in the virtual machine.

Citations

26 Claims

1. A computer-implemented method comprising:
- loading, at a computing device, a process into a virtual machine operating under the control of a hypervisor communicatively interfaced with an operating system kernel;
  
  exposing, at the computing device, a subset of an Application Programming Interface (API) to the virtual machine, wherein the process to interface with the operating system kernel via the subset of the API; and
  
  executing the process in the virtual machine.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The computer-implemented method of claim 1, further comprising:
    - exposing, at the computing device, a copy-on-write memory image associated with the operating system kernel to the virtual machine.
  - 3. The computer-implemented method of claim 2, further comprising:
    - exposing, at the computing device, a read-only memory image of the operating system kernel to the virtual machine.
  - 4. The computer-implemented method of claim 1, further comprising:
    - receiving, at the hypervisor, a request from the process to write to the copy-on-write memory image;
      
      allocating a private copy portion of the copy-on-write memory image to the process executing in the virtual machine; and
      
      writing to the private copy portion of the copy-on-write memory image based on the request from the process.
  - 5. The computer-implemented method of claim 1, wherein the hypervisor controls a plurality of virtual machines, each of which comprises a read-only view of the operating system kernel in memory, and wherein:
    - each virtual machine contains a single executing process;
      
      the hypervisor exposes a subset of the API to each virtual machine; and
      
      whereinthe hypervisor exposes the copy-on-write memory image associated with the operating system kernel to each virtual machine.
  - 6. The computer-implemented method of claim 1, wherein the process executing in the virtual machine executes as a guest operating system under the control of the hypervisor.
  - 7. The computer-implemented method of claim 1, wherein exposing the subset of the API to the virtual machine comprises:
    - exposing non-restricted operations of the operating system kernel accessible via the API to the virtual machine; and
      
      hiding restricted operations accessible of the operating system kernel accessible via the API from the virtual machine.
  - 8. The computer-implemented method of claim 1, wherein:
    - the API comprises interfaces to restricted operations of the operating system kernel and interfaces to non-restricted operations of the operating system kernel;
      
      the subset of the API exposed to the virtual machine comprises the interfaces to the non-restricted operations; and
      
      whereinthe interfaces to the restricted operations are not exposed to the virtual machine.
  - 9. The computer-implemented method of claim 1, wherein the restricted operations are selected from the group comprising:
    - requests to load executable code after an initial process load associated with the computer application;
      
      requests to access memory locations which are not allocated to the computer application;
      
      requests to make executable memory locations writable;
      
      requests to make writable memory locations executable;
      
      requests to commit modifications to dynamic shared objects; and
      
      requests to self-modify the executing computer application.
  - 10. The computer-implemented method of claim 1, further comprising:
    - marking an executable image associated with the process as read-only in the copy-on-write memory image; and
      
      disabling interfaces in the subset of the API to mark all or a portion of the executable image associated with the process as writable in the copy-on-write memory image.
  - 11. The computer-implemented method of claim 1, further comprising:
    - loading a second process into a second virtual machine operating under the control of the hypervisor;
      
      exposing the copy-on-write memory image associated with the operating system kernel to the virtual machine; and
      
      exposing the read-only memory image of the operating system kernel to the virtual machine.
  - 12. The computer-implemented method of claim 11, wherein the first process of the first virtual machine is hidden from the second process of the second virtual machine via the hypervisor, and wherein the second process of the second virtual machine is hidden from the first process of the first virtual machine via the hypervisor.
  - 13. The computer-implemented method of claim 1, further comprising:
    - removing the virtual machine when the process terminates; and
      
      removing the virtual machine from a plurality of virtual machines operating under the control of the hypervisor.
  - 14. The computer-implemented method of claim 1, wherein executing the process in the virtual machine comprises executing the process in recording mode to generate an operations profile.
  - 15. The computer-implemented method of claim 14, wherein executing the process in recording mode comprises:
    - executing the process in the virtual machine;
      
      recording all requests made to the API from the executing process; and
      
      storing the recorded requests in the operations profile.
  - 16. The computer-implemented method of claim 15, wherein the subset of the API exposed to the virtual machine is based on the operations profile.
  - 17. The computer-implemented method of claim 16, wherein the subset of the API exposed to the virtual machine is based further on a restricted operations profile.

18. A computer-readable medium, having instructions stored thereon that, when executed by a processor, perform a method comprising:
- loading a process into a virtual machine operating under the control of a hypervisor communicatively interfaced with an operating system kernel;
  
  exposing a subset of an Application Programming Interface (API) to the virtual machine, wherein the process to interface with the operating system kernel via the subset of the API; and
  
  executing the process in the virtual machine.
- View Dependent Claims (19, 20)
- - 19. The computer-readable medium of claim 18, wherein the method to be performed further comprises:
    - exposing a copy-on-write memory image associated with the operating system kernel to the virtual machine.
  - 20. The computer-readable medium of claim 19, wherein the method to be performed further comprises:
    - exposing at least a portion of a read-only memory image of the operating system kernel to the virtual machine, wherein the portion of the read-only memory image comprises one or more modular components of the operating system in the read-only memory image.

21. A computing device comprising:
- a memory; and
  
  a processor, coupled to the memory, to execute a hypervisor communicatively interfaced with an operating system kernel via an Application Programming Interface (API), the hypervisor to load a process into a virtual machine operating under the control of the hypervisor, and to expose a subset of the API to the virtual machine, wherein the process to interface with the operating system kernel via the subset of the API, andwherein the processor is to execute the process in the virtual machine.
- View Dependent Claims (22, 23)
- - 22. The computing device of claim 21, further comprising:
    - an operations recorder, coupled with the memory and the processor, to record all API requests initiated by the executing process, regardless of whether the API requests are supported by the subset of the API exposed to the virtual machine; and
      
      whereinthe operations recorder to further store the recorded API requests in an operations profile.
  - 23. The computing device of claim 21, further comprising:
    - a copy-on-write memory controller, coupled with the memory, to manage a copy-on-write memory image stored in the memory and associated with the operating system kernel, and whereinthe copy-on-write memory controller to further;
      
      expose the read-only memory image of the operating system kernel to the virtual machine via the hypervisor,receiving from the hypervisor, a request to write to the copy-on-write memory image on behalf of the process,allocate a private copy portion of the copy-on-write memory image to the process executing in the virtual machine, andwrite to the private copy portion of the copy-on-write memory image based on the request from the hypervisor.

24. A computer-implemented method comprising:
- loading, at a computing device, a process within a virtual machine under the control of a hypervisor, the hypervisor being communicatively interfaced with an operating system kernel via an Application Programming Interface (API);
  
  exposing a subset of the API to the virtual machine, wherein the subset of the API comprises a plurality of non-restricted operations of the operating system kernel to the process loaded within the virtual machine; and
  
  initiating execution of the process in the virtual machine.
- View Dependent Claims (25, 26)
- - 25. The computer-implemented method of claim 24, further comprising:
    - receiving a request from the process executing in the virtual machine to perform an operation; and
      
      transacting the operation requested by the process to the operating system kernel when the operation is exposed to the virtual machine via the subset of the API.
  - 26. The computer-implemented method of claim 24, wherein a portion of the API unexposed to the virtual machine via the subset of the API comprises one or more restricted operations selected from the group comprising:
    - requests to load executable code after an initial process load associated with the computer application;
      
      requests to access memory locations which are not allocated to the computer application;
      
      requests to make executable memory locations writable;
      
      requests to make writable memory locations executable;
      
      requests to commit modifications to dynamic shared objects; and
      
      requests to self-modify the executing computer application.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Red Hat, Inc. (International Business Machines Corporation)
Original Assignee
Red Hat, Inc. (International Business Machines Corporation)
Inventors
Schneider, James P.

Granted Patent

US 8,464,252 B2
Time in Patent Office

Days
Field of Search
US Class Current

718/1
CPC Class Codes

G06F 2009/45587 Isolation or security of vi...

G06F 9/45558 Hypervisor-specific managem...

PER PROCESS VIRTUAL MACHINES

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

PER PROCESS VIRTUAL MACHINES

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links