SECURE VIRTUAL MACHINE MEMORY

US 20110246767A1
Filed: 03/30/2010
Published: 10/06/2011
Est. Priority Date: 03/30/2010
Status: Active Grant

First Claim

Patent Images

1. An apparatus, comprising:

a first node including encrypted memory locations that have been allocated to store encrypted information; and

a storage supervision processor executing a single hypervisor and communicatively coupled to the first node to permit access to a designated number of the encrypted memory locations to a single application executed by an associated virtual machine (VM) subject to the hypervisor, and to deny access to the designated number of the encrypted memory locations to any other application executed by the associated VM, or any other VM, the information to be encrypted and decrypted using the single hypervisor.

View all claims

16 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Apparatus, systems, and methods may operate to allocating encrypted memory locations to store encrypted information, the information to be encrypted and decrypted using a single hypervisor. Further activity may include permitting access to a designated number of the encrypted memory locations to a single application executed by an associated virtual machine (VM) subject to the hypervisor, and denying access to the designated number of the encrypted memory locations to any other application executed by the associated VM, or any other VM. In some embodiments, the operational state of the associated VM may be restored using the encrypted information. Additional apparatus, systems, and methods are disclosed.

Citations

20 Claims

1. An apparatus, comprising:
- a first node including encrypted memory locations that have been allocated to store encrypted information; and
  
  a storage supervision processor executing a single hypervisor and communicatively coupled to the first node to permit access to a designated number of the encrypted memory locations to a single application executed by an associated virtual machine (VM) subject to the hypervisor, and to deny access to the designated number of the encrypted memory locations to any other application executed by the associated VM, or any other VM, the information to be encrypted and decrypted using the single hypervisor.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The apparatus of claim 1, further comprising:
    - a second node to execute the single application, and to request storage and recall of the information using a memory configuration associated with the encrypted memory locations.
  - 3. The apparatus of claim 1, further comprising:
    - a second node to execute the single application, and to request storage and recall of the information without having a memory configuration associated with the encrypted memory locations.
  - 4. The apparatus of claim 1, further comprising:
    - a second node to house the storage supervision processor.
  - 5. The apparatus of claim 1, wherein the encrypted memory locations comprise non-volatile memory.
  - 6. The apparatus of claim 1, further comprising:
    - a key generation module to generate one of a static encryption key or a dynamic encryption key to be made accessible to the single hypervisor, the static encryption key created once for a lifetime of the associated VM, and the dynamic encryption key created for some number of times approximately equal to a number of snapshots taken of the associated VM.

7. A processor-implemented method to execute on one or more processors that perform the method, comprising:
- allocating encrypted memory locations to store encrypted information, the information to be encrypted and decrypted using a single hypervisor;
  
  permitting access to a designated number of the encrypted memory locations to a single application executed by an associated virtual machine (VM) subject to the hypervisor; and
  
  denying access to the designated number of the encrypted memory locations to any other application executed by the associated VM, or any other VM.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. The method of claim 7, wherein the permitting access comprises:
    - permitting access when the single application requests access using a secure memory request designated by the associated VM.
  - 9. The method of claim 7, wherein the single application comprises one of a word processing application, a presentation application, a spreadsheet application, an email application, a database application, or a browser application.
  - 10. The method of claim 7, further comprising:
    - presenting the encrypted memory locations by the hypervisor to the associated VM as a secure disk file memory configuration, wherein the associated VM is to manage storage operations associated with secure disk file memory.
  - 11. The method of claim 10, further comprising:
    - mounting a secure disk containing the secure disk file by the associated VM;
      
      mapping memory in the secure disk file to the designated number of the encrypted memory locations; and
      
      granting access to the secure disk file to the single application by the associated VM.
  - 12. The method of claim 7, further comprising:
    - storing the encrypted information in the encrypted memory locations comprising non-volatile memory locations; and
      
      one of transmitting the encrypted information and at least one shared key to a new hypervisor or transmitting a decrypted version of the encrypted information to the new hypervisor over a secure network connection.
  - 13. The method of claim 7, further comprising:
    - decrypting the encrypted information to provide the information;
      
      assembling a memory file comprising content of regular memory associated with the single application and the information; and
      
      migrating the memory file to a physical machine to permit unencrypted access to the information by the physical machine.

14. A processor-implemented method to execute on one or more processors that perform the method, comprising:
- restoring an operational state of an associated virtual machine (VM), using encrypted information stored in encrypted memory locations, the information to be encrypted and decrypted using a single hypervisor; and
  
  permitting access to a designated number of the encrypted memory locations only to a single application executed by the associated VM subject to the hypervisor, wherein the access is denied to any other application executed by the associated VM, or any other VM.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The method of claim 14, further comprising:
    - granting access by the hypervisor to an operating system (OS) associated with the associated VM, to a designated number of the encrypted memory locations, without transmitting a configuration of the encrypted memory locations to the associated VM.
  - 16. The method of claim 14, further comprising:
    - receiving a request to access the encrypted memory locations from an unknown application that is not the single application, or an unknown VM that is not associated with the single application; and
      
      denying access to the unknown application by the associated VM.
  - 17. The method of claim 14, further comprising:
    - receiving a request to restore the operational state of the associated VM after one of a pause operation or a suspend operation;
      
      decrypting, by the hypervisor, the encrypted information to provide the information; and
      
      transmitting the information to be used to restore the operating state of the associated VM.
  - 18. The method of claim 14, wherein the information is to be shared between the single application and another application, further comprising:
    - requesting recall of the information by the single application;
      
      decrypting of the encrypted information by the hypervisor to provide the information; and
      
      transmitting the information from the hypervisor to the single application.
  - 19. The method of claim 14, further comprising:
    - requesting storage of the information by the single application;
      
      encrypting the information by the hypervisor to provide the encrypted information; and
      
      storing the encrypted information in the encrypted memory locations by the hypervisor.
  - 20. The method of claim 14, further comprising:
    - creating, by the hypervisor, a decryption key associated with the information once for a lifetime of the VM, or for some number of times approximately equal to a number of snapshots taken of the VM.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Micro Focus Software, Inc. (Open Text Corporation)
Original Assignee
Novell Incorporated (Open Text Corporation)
Inventors
Chaturvedi, Pradeep Kumar, Sudhakar, Gosukonda Naga Venkata Satya

Granted Patent

US 8,627,112 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/164
CPC Class Codes

G06F 12/1408   by using cryptography for d...

G06F 21/53   by executing in a restricte...

G06F 9/45558   Hypervisor-specific managem...

SECURE VIRTUAL MACHINE MEMORY

First Claim

16 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SECURE VIRTUAL MACHINE MEMORY

First Claim

16 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links