VIRTUAL MACHINE SYSTEM, SYSTEM FOR FORCING POLICY, METHOD FOR FORCING POLICY, AND VIRTUAL MACHINE CONTROL PROGRAM

US 20110154325A1
Filed: 12/10/2008
Published: 06/23/2011
Est. Priority Date: 12/26/2007
Status: Active Grant

First Claim

Patent Images

1-14. -14. (canceled)

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A virtual machine system that builds one or more virtual machines on a real machine has a hypervisor for realizing access to virtualized hardware by a guest OS that is an operating system running on the virtual machines or an application running on the guest OS by means of a physical device that the real machine has. The hypervisor includes a setting item information holding unit that holds setting item information in which a security policy is indicated by the setting value of a setting item; a setting detecting unit that monitors an instruction executed by the guest OS and the output of the physical device to detect the setting value that is set in the setting item of the setting item information holding unit or a setting value that is about to be changed therein; and a setting applying unit that, when the detected setting value and the setting value indicated by the setting item information differ from each other, applies the setting value indicated by the setting item information to the guest OS or application that is the setting target of the setting item.

38 Citations

View as Search Results

26 Claims

1-14. -14. (canceled)

15. A virtual machine system that builds one or more virtual machines on a real machine, comprisinga hypervisor that realizes access to virtualized hardware by a guest OS that is an operating system running on said virtual machines or an application running on said guest OS by means of a physical device that said real machine has,said hypervisor including:
- a setting item information holding unit that holds setting item information in which a security policy to be applied to said virtual machine system is indicated as a setting value of a setting item corresponding to a type of said guest OS or a type of said application;
  
  a setting detecting unit that monitors an instruction executed by said guest OS and an output of said physical device, based on said setting item information, and detects the setting value that is set in said setting item of said setting item information holding unit or a setting value that is about to be changed; and
  
  a setting applying unit that, when the setting value detected by said setting detecting unit and the setting value indicated by said setting item information differ from each other, applies the setting value indicated by said setting item information to said guest OS or said application that is a setting target of said setting item, using hardware access from said guest OS or said application.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22)
- - 16. The virtual machine system as claimed in claim 15, wherein said hypervisor includes:
    - an association information holding unit that holds association information indicating associations between an item defined by said security policy, and setting items of the respective types of said guest OS corresponding to the item and said application; and
      
      a setting item information generating unit that generates setting item information by receiving information about said security policy to be applied to said virtual machine system from a management system that manages said security policy, and developing setting contents of said item of said received security policy into one or more setting values of setting items corresponding to the type of said guest OS and the type of said application, based on said held association information.
  - 17. The virtual machine system as claimed in claim 15, whereinsaid setting applying unit rewrites a response to a hardware access instruction related to reference to or updating of the setting item from which said difference is detected, and thereby applies the setting value to said guest OS or said application that is the target of said setting item.
  - 18. The virtual machine system as claimed in claim 15, whereinsaid setting applying unit makes a notification with the use of a function of said guest OS or said application that is the target of the setting item from which said difference is detected, and thereby applies the setting value to said guest OS or said application that is the target of said setting item.
  - 19. The virtual machine system as claimed in claim 15, whereinsaid setting applying unit performs writing in a physical device holding the setting value of the setting item from which said difference is detected, and thereby applies the setting value to said guest OS or said application that is the target of said setting item.
  - 20. The virtual machine system as claimed in claim 15, whereinsaid setting applying unit generates an interrupt to be received by said guest OS or said application, as a notification made with the use of a function of said guest OS or said application that is the target of the setting item from which said difference is detected.
  - 21. The virtual machine system as claimed in claim 20, whereinsaid setting applying unit generates said interrupt via said guest OS on which said application is running.
  - 22. The virtual machine system as claimed in claim 15, wherein,when performing writing in said physical device, said setting applying unit performs the writing in a corresponding hardware region allotted as a hardware resource to said guest OS or said application that is the target of the corresponding target item.

23. A policy forcing system that forces a security policy on a virtual machine system that builds one or more virtual machines on a real machine, comprising:
- said virtual machine system; and
  
  a management system that manages said security policy to be applied to said virtual machine system,said virtual machine system including a hypervisor that realizes access to virtualized hardware by a guest OS that is an operating system running on said virtual machines or an application running on said guest OS by means of a physical device that said real machine has,said hypervisor including;
  
  a setting item information holding unit that holds setting item information in which said security policy to be applied to said virtual machine system is indicated as a setting value of a setting item corresponding to a type of said guest OS or a type of said application;
  
  a setting detecting unit that monitors an instruction executed by said guest OS and an output of said physical device, based on said setting item information, and detects the setting value that is set in said setting item of said setting item information holding unit or a setting value that is about to be changed; and
  
  a setting applying unit that, when the setting value detected by said setting detecting unit and the setting value indicated by said setting item information differ from each other, applies the setting value indicated by said setting item information to said guest OS or said application that is a setting target of said setting item, using hardware access from said guest OS or said application.
- View Dependent Claims (24)
- - 24. The policy forcing system as claimed in claim 23, wherein said hypervisor includes:
    - an association information holding unit that holds association information indicating associations between an item defined by said security policy and setting items of the respective types of said guest OS corresponding to the item and said application; and
      
      a setting item information generating unit that generates setting item information by receiving information about said security policy to be applied to said virtual machine system from said management system that manages said security policy, and developing setting contents of said item of said received security policy into one or more setting values of setting items corresponding to the type of said guest OS and the type of said application, based on said held association information.

25. A policy forcing method for forcing a security policy on a virtual machine system that builds one or more virtual machines on a real machine,said virtual machine system including a hypervisor that realizes access to virtualized hardware by a guest OS that is an operating system running on said virtual machines or an application running on said guest OS by means of a physical device that said real machine has,said policy forcing method comprising:
- holding setting item information in which said security policy to be applied to said virtual machine system is indicated as a setting value of a setting item corresponding to a type of said guest OS or a type of said application, said holding the setting item information being performed by said hypervisor;
  
  monitoring an instruction executed by said guest OS and an output of said physical device, based on said setting item information, to detect the setting value that is set in said setting item of said setting item information holding unit or a setting value that is about to be changed, said monitoring the instruction and the output being performed by said hypervisor; and
  
  when the setting value detected by said setting detecting unit and the setting value indicated by said setting item information differ from each other, applying the setting value indicated by said setting item information to said guest OS or said application that is a setting target of said setting item, using hardware access from said guest OS or said application, said applying the setting value being performed by said hypervisor.
- View Dependent Claims (26)
- - 26. The policy forcing method as claimed in claim 25, further comprising:
    - holding association information indicating associations between an item defined by said security policy and setting items of the respective types of said guest OS corresponding to the item and said application, said holding the association information being performed by said hypervisor; and
      
      generating setting item information by receiving information about said security policy to be applied to said virtual machine system from a management system that manages said security policy, and developing setting contents of said item of said received security policy into one or more setting values of setting items corresponding to the type of said guest OS and the type of said application, based on said held association information, said generating the setting item information being performed by said hypervisor.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NEC Corporation
Original Assignee
NEC Corporation
Inventors
Terasaki, Hiroshi

Granted Patent

US 8,468,522 B2
Time in Patent Office

Days
Field of Search
US Class Current

718/1
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2149   Restricted operating enviro...

G06F 9/455   Emulation; Interpretation; ...

H04L 63/102   Entity profiles

VIRTUAL MACHINE SYSTEM, SYSTEM FOR FORCING POLICY, METHOD FOR FORCING POLICY, AND VIRTUAL MACHINE CONTROL PROGRAM

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

38 Citations

26 Claims

Specification

Use Cases

Quick Links

Others

VIRTUAL MACHINE SYSTEM, SYSTEM FOR FORCING POLICY, METHOD FOR FORCING POLICY, AND VIRTUAL MACHINE CONTROL PROGRAM

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

38 Citations

26 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others