METHODS AND SYSTEMS FOR SECURING SENSITIVE INFORMATION USING A HYPERVISOR-TRUSTED CLIENT

US 20110141124A1
Filed: 12/14/2010
Published: 06/16/2011
Est. Priority Date: 12/14/2009
Status: Active Grant

First Claim

Patent Images

1. In a computing device executing a hypervisor hosting a control virtual machine and a non-trusted virtual machine, a method for securing sensitive information using a hypervisor-trusted client, comprising:

requesting, by a user of a non-trusted virtual machine executed by a processor of a computing device, to establish a connection to a remote computing device;

launching, by a control virtual machine executed by the processor of the computing device, a client agent, responsive to the request;

assigning, by a graphics manager executed by the processor of the computing device, a secure section of a memory of a graphics processing unit of the computing device to the client agent; and

rendering, by the graphics manager, graphical data generated by the client agent to the secure section of the graphics processing unit memory.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The methods and systems described herein provide for securing sensitive information using a hypervisor-trusted client, in a computing device executing a hypervisor hosting a control virtual machine and a non-trusted virtual machine. A user of a non-trusted virtual machine requests to establish a connection to a remote computing device. Responsive to the request, a control virtual machine launches a client agent. A graphics manager executed by the processor of the computing device assigns a secure section of a memory of a graphics processing unit of the computing device to the client agent. The graphics manager renders graphical data generated by the client agent to the secure section of the graphics processing unit memory.

Citations

16 Claims

1. In a computing device executing a hypervisor hosting a control virtual machine and a non-trusted virtual machine, a method for securing sensitive information using a hypervisor-trusted client, comprising:
- requesting, by a user of a non-trusted virtual machine executed by a processor of a computing device, to establish a connection to a remote computing device;
  
  launching, by a control virtual machine executed by the processor of the computing device, a client agent, responsive to the request;
  
  assigning, by a graphics manager executed by the processor of the computing device, a secure section of a memory of a graphics processing unit of the computing device to the client agent; and
  
  rendering, by the graphics manager, graphical data generated by the client agent to the secure section of the graphics processing unit memory.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising:
    - receiving, by the graphics manager, a request from the non-trusted virtual machine to read graphics rendered from the client agent graphical data and stored in the secure section of the graphics processing unit memory; and
      
      preventing, by the graphics manager, the non-trusted virtual machine from reading the client agent rendered graphics stored in the secure section of the graphics processing unit memory.
  - 3. The method of claim 1, further comprising receiving, by the client agent via a communications channel established between the non-trusted virtual machine and the control virtual machine, network address information to establish the connection to the remote computing device.
  - 4. The method of claim 1, further comprising directing, by a hypervisor of the computing device, input data from the user to the client agent, responsive to a window of the client agent having focus.
  - 5. The method of claim 4, wherein the input data comprises login credentials for the remote computing device.
  - 6. The method of claim 4, further comprising receiving, by the client agent from the non-trusted virtual machine, an identification that the window generated by the client agent is being given focus.
  - 7. The method of claim 4, further comprising preventing, by the hypervisor, the non-trusted virtual machine from accessing the input data while the window of the client agent has focus.
  - 8. The method of claim 4, further comprising directing, by the hypervisor, input data from the user to the non-trusted virtual machine, responsive to the window of the client agent no longer having focus.

9. In a computing device executing a hypervisor hosting a control virtual machine and a non-trusted virtual machine, a system for securing sensitive information using a hypervisor-trusted client, comprising:
- a remote computing device; and
  
  a local computing device comprising;
  
  a graphics processing unit comprising a memory, anda processor executing a graphics manager and a hypervisor hosting a non-trusted virtual machine and a control virtual machine;
  
  wherein the control virtual machine is configured to launch a client agent, responsive to receiving a request by a user of the non-trusted virtual machine to establish a connection to the remote computing device; and
  
  wherein the graphics manager is configured to assign a secure section of the memory of the graphics processing unit to the client agent, and render graphical data generated by the client agent to the secure section of the graphics processing unit memory.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system of claim 9, wherein the graphics manager is further configured to:
    - receive a request from the non-trusted virtual machine to read graphics rendered from the client agent graphical data and stored in the secure section of the graphics processing unit memory, andprevent the non-trusted virtual machine from reading the client agent rendered graphics stored in the secure section of the graphics processing unit memory.
  - 11. The system of claim 9, wherein the client agent is configured to:
    - receive, via a communications channel established between the non-trusted virtual machine and the control virtual machine, network address information to establish the connection to the remote computing device.
  - 12. The system of claim 9, wherein the hypervisor is configured to direct input data from the user to the client agent, responsive to a window of the client agent having focus.
  - 13. The system of claim 12, wherein the input data comprises login credentials for the remote computing device.
  - 14. The system of claim 12, wherein the client agent is configured to receive, from the non-trusted virtual machine, an identification that the window generated by the client agent is being given focus.
  - 15. The system of claim 12, wherein the hypervisor is configured to prevent the non-trusted virtual machine from accessing the input data while the window of the client agent has focus.
  - 16. The system of claim 12, wherein the hypervisor is configured to direct input data from the user to the non-trusted virtual machine, responsive to the window of the client agent no longer having focus.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Halls, David, Van Der Linden, Rob

Granted Patent

US 9,804,866 B2
Time in Patent Office

Days
Field of Search
US Class Current

345/522
CPC Class Codes

G06F 2009/45575   Starting, stopping, suspend...

G06F 2009/45579   I/O management, e.g. provid...

G06F 2009/45587   Isolation or security of vi...

G06F 21/31   User authentication

G06F 21/53   by executing in a restricte...

G06F 21/554   involving event detection a...

G06F 21/556   involving covert channels, ...

G06F 21/57   Certifying or maintaining t...

G06F 21/629   to features or functions of...

G06F 21/79   in semiconductor storage me...

G06F 21/83   input devices, e.g. keyboar...

G06F 21/84   output devices, e.g. displa...

G06F 21/85   interconnection devices, e....

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2107   File encryption

G06F 2221/2115   Third party

G06F 2221/2143   Clearing memory, e.g. to pr...

G06F 2221/2147   Locking files

G06F 2221/2149   Restricted operating enviro...

G06F 9/45533   Hypervisors; Virtual machin...

G06F 9/45558 : Hypervisor-specific managem...

H04L 63/20 : for managing network securi...

View All

METHODS AND SYSTEMS FOR SECURING SENSITIVE INFORMATION USING A HYPERVISOR-TRUSTED CLIENT

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

METHODS AND SYSTEMS FOR SECURING SENSITIVE INFORMATION USING A HYPERVISOR-TRUSTED CLIENT

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links