CROSS-VM NETWORK FILTERING

US 20130036470A1
Filed: 08/03/2011
Published: 02/07/2013
Est. Priority Date: 08/03/2011
Status: Active Grant

First Claim

Patent Images

1. A method of filtering data traffic in a virtualization environment, said method comprising:

receiving at a privileged virtual machine a data packet from a first virtual machine destined for a second virtual machine, said privileged virtual machine executing upon a virtualization platform on a host computer;

intercepting said data packet by said privileged virtual machine;

sending said data packet to a memory location shared with a security virtual machine executing on said virtualization platform;

receiving at said privileged virtual machine a verdict from said security virtual machine regarding said data packet; and

passing said data packet to said second virtual machine or dropping said data packet based upon said verdict.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security virtual machine inspects all data traffic between other virtual machines on a virtualization platform in order to prevent an inter-VM attack. Data traffic between the machines is intercepted at the privileged domain and directed to the security virtual machine via a hook mechanism and a shared memory location. The traffic is read by the security machine and analyzed for malicious software. After analysis, the security machine sends back a verdict for each data packet to the privileged machine which then drops each data packet or passes each data packet on to its intended destination. The privileged domain keeps a copy of each packet or relies upon the security machine to send back each packet. The security machine also substitutes legitimate or warning data packets into a malicious data package instead of blocking data packets. The shared memory location is a circular buffer for greater performance. Traffic is intercepted on a single host computer or between host computers.

Citations

20 Claims

1. A method of filtering data traffic in a virtualization environment, said method comprising:
- receiving at a privileged virtual machine a data packet from a first virtual machine destined for a second virtual machine, said privileged virtual machine executing upon a virtualization platform on a host computer;
  
  intercepting said data packet by said privileged virtual machine;
  
  sending said data packet to a memory location shared with a security virtual machine executing on said virtualization platform;
  
  receiving at said privileged virtual machine a verdict from said security virtual machine regarding said data packet; and
  
  passing said data packet to said second virtual machine or dropping said data packet based upon said verdict.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method as recited in claim 1 further comprising:
    - intercepting said data packet by using a hooking routine in the operating system of said privileged virtual machine, whereby said data packet is sent to said memory location instead of being sent to said second virtual machine.
  - 3. The method as recited in claim 1 wherein said first and second virtual machines are both executing upon said virtualization platform on said host computer.
  - 4. The method as recited in claim 1 wherein said memory location has been allocated by said security virtual machine in a memory of said host computer.
  - 5. The method as recited in claim 1 wherein said verdict indicates passing said data packet, said method further comprising:
    - receiving said data packet from said security virtual machine along with said verdict.
  - 6. The method as recited in claim 1 wherein said verdict indicates passing said data packet, said method further comprising:
    - holding a copy of said data packet at said privileged virtual machine after said sending, wherein said verdict received from said security virtual machine does not include said data packet.
  - 7. The method as recited in claim 1 wherein said verdict indicates blocking said data packet, said method further comprising:
    - dropping said data packet by said security virtual machine, wherein a copy of said data packet is not retained by said privileged virtual machine after said sending.

8. A method of filtering data traffic in a virtualization environment, said method comprising:
- reading, by a security virtual machine, a plurality of data packets from a memory location shared with a privileged virtual machine, said security virtual machine executing upon a virtualization platform on a host computer;
  
  assembling said data packets into a data package;
  
  analyzing said data package by said security virtual machine to determine if malicious software is present;
  
  determining a pass or a block verdict for one of said data packets based upon said analyzing; and
  
  sending said verdict to said privileged virtual machine along with an indication of said data packet.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The method as recited in claim 8 wherein said verdict is a block verdict for said data packet, and wherein said indication of said data packet is a packet identifier.
  - 10. The method as recited in claim 8 wherein said verdict is a pass verdict for said data packet, said method further comprising:
    - sending said data packet along with said verdict to said privileged virtual machine.
  - 11. The method as recited in claim 8 wherein said verdict is a pass verdict for said data packet, said method further comprising:
    - sending said pass verdict to said privileged virtual machine along with a packet identifier for said data packet without sending said data packet.
  - 12. The method as recited in claim 8 further comprising:
    - modifying at least one of said data packets to eliminate said malicious software; and
      
      sending said at least one of said data packets to said privileged virtual machine.
  - 13. The method as recited in claim 8 wherein said memory location is a buffer allocated for use by said security virtual machine, said method further comprising:
    - granting access by said security virtual machine to said privileged virtual machine to write data packets into said memory location.

14. A method of modifying data traffic in a virtualization environment, said method comprising:
- reading, by a security virtual machine, a plurality of data packets from a memory location shared with a privileged virtual machine, said security virtual machine executing upon a virtualization platform on a host computer;
  
  assembling said data packets into a data package;
  
  detecting malicious software in said data package;
  
  replacing, by said security virtual machine, a subset of said data packets to eliminate said malicious software in said data package; and
  
  returning said modified data package to said privileged virtual machine.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The method as recited in claim 14 wherein said data packets originate with a first virtual machine and are destined for a second virtual machine, said method further comprising:
    - delivering said modified data package to said second virtual machine.
  - 16. The method as recited in claim 14 further comprising:
    - writing said data packets into said memory location by said privileged virtual machine; and
      
      said privileged virtual machine not retaining a copy of said data packets after said writing.
  - 17. The method as recited in claim 14 wherein said data packets originate with a first virtual machine and are destined for a second virtual machine, said method further comprising:
    - not delivering said data package to said second virtual machine before said step of returning.
  - 18. The method as recited in claim 14 further comprising:
    - returning only said subset of said data packets to said privileged domain; and
      
      returning a packet identifier for each data packet in said data package that is not in said subset to said privileged domain.
  - 19. The method as recited in claim 14 further comprising:
    - detecting said malicious software in said data package by a software application executing upon said security virtual machine.
  - 20. The method as recited in claim 14 wherein said data packets originate with a first virtual machine and are destined for a second virtual machine, and wherein said first virtual machine and said second virtual machine are located upon different host computers.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Inc.
Original Assignee
Trend Micro Inc.
Inventors
ZHU, Minghang, QIAN, Gongwei

Granted Patent

US 8,893,274 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/53   by executing in a restricte...

H04L 63/0227   Filtering policies mail mes...

H04L 63/145   the attack involving the pr...

CROSS-VM NETWORK FILTERING

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

CROSS-VM NETWORK FILTERING

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links