PROTECTING MEMORY OF A VIRTUAL GUEST

US 20130097354A1
Filed: 10/13/2011
Published: 04/18/2013
Est. Priority Date: 10/13/2011
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

initializing a virtual guest on a host computing system, the host computing system comprising a virtual machine manager, the virtual machine manager managing operation of the virtual guest, the virtual guest comprising a distinct operating environment executing in a virtual operation platform provided by the virtual machine manager;

receiving an allocation of run-time memory for the virtual guest, the allocation of run-time memory comprising a portion of run-time memory of the host computing system; and

setting, by the virtual guest, at least a portion of the allocation of run-time memory to be inaccessible by the virtual machine manager.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The method for protecting memory of a virtual guest includes initializing a virtual guest on a host computing system. The host computing system includes a virtual machine manager that manages operation of the virtual guest. The virtual guest includes a distinct operating environment executing in a virtual operation platform provided by the virtual machine manager. The method includes receiving an allocation of run-time memory for the virtual guest, the allocation of run-time memory comprising a portion of run-time memory of the host computing system. The method includes setting, by the virtual guest, at least a portion of the allocation of run-time memory to be inaccessible by the virtual machine manager.

31 Citations

View as Search Results

25 Claims

1. A method comprising:
- initializing a virtual guest on a host computing system, the host computing system comprising a virtual machine manager, the virtual machine manager managing operation of the virtual guest, the virtual guest comprising a distinct operating environment executing in a virtual operation platform provided by the virtual machine manager;
  
  receiving an allocation of run-time memory for the virtual guest, the allocation of run-time memory comprising a portion of run-time memory of the host computing system; and
  
  setting, by the virtual guest, at least a portion of the allocation of run-time memory to be inaccessible by the virtual machine manager.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, further comprising establishing a shared memory portion for access by the virtual machine manager, the shared memory portion comprising a portion of the allocation of run-time memory of the virtual guest.
  - 3. The method of claim 2, wherein access to the allocation of run-time memory is determined by the virtual guest.
  - 4. The method of claim 1, further comprising verifying that the virtual guest is in direct communication with a processor of the host computing system independent of the virtual machine manager.
  - 5. The method of claim 4, wherein verifying that the virtual guest is in direct communication with the processor further comprises verifying that the virtual guest is in direct communication with the processor based on metrics from a Trusted Platform Module (“
    - TPM”
      
      ) in communication with the host computing system.
  - 6. The method of claim 1, wherein setting, by the virtual guest, at least the portion of the allocation of run-time memory to be inaccessible by the virtual machine manager further comprises communicating, by the virtual guest, directly with the processor, independent of the virtual machine manager, to set access permissions for the allocation of run-time memory of the virtual guest.
  - 7. The method of claim 1, wherein setting, by the virtual guest, at least the portion of the allocation of run-time memory to be inaccessible by the virtual machine manager further comprises associating one or more virtual guest identifiers with a particular run-time memory page of the allocation of run-time memory, at least one of the virtual guest identifiers identifying the virtual guest, wherein the processor denies an access request to the particular run-time memory page from a requester in response to the requester lacking a corresponding virtual guest identifier for the particular run-time memory page.
  - 8. The method of claim 1, further comprising sending a request, from the virtual machine manager, to the virtual guest to access at least a portion of the inaccessible run-time memory.
  - 9. The method of claim 1, further comprising:
    - receiving a request, from the virtual machine manager, to access at least a portion of the inaccessible run-time memory;
      
      determining that the request meets one or more predetermined criteria; and
      
      granting access of the at least a portion of the inaccessible run-time memory to the virtual machine manager in response to determining that the request meets the one or more predetermined criteria.
  - 10. The method of claim 9, wherein the one or more predetermined criteria comprises one or more of a request for memory dump data and a request for a virtual guest migration.
  - 11. The method of claim 9, further comprising encrypting particular data of the inaccessible run-time memory prior to granting access of the at least a portion of the inaccessible run-time memory to the virtual machine manager.
  - 12. The method of claim 1, further comprising calling a predetermined command to destroy the allocation of run-time memory for the virtual guest without the virtual machine manager accessing the allocation of run-time memory, the host computing system destroying the allocation of run-time memory in response to calling the predetermined command.
  - 13. The method of claim 12, further comprising detecting that the virtual guest is unresponsive, wherein calling the predetermined command further comprises calling the predetermined command in response to detecting that the virtual guest is unresponsive.

14-22. -22. (canceled)

23. A computer program product comprising a computer readable storage medium having computer readable program code embodied therewith, the computer readable program code for:
- initializing a virtual guest on a host computing system, the host computing system comprising a virtual machine manager, the virtual machine manager managing operation of the virtual guest, the virtual guest comprising a distinct operating environment executing in a virtual operation platform provided by the virtual machine manager;
  
  receiving an allocation of run-time memory for the virtual guest, the allocation of run-time memory comprising a portion of run-time memory of the host computing system; and
  
  setting, by the virtual guest, at least a portion of the allocation of run-time memory to be inaccessible by the virtual machine manager.
- View Dependent Claims (24)
- - 24. The computer program product of claim 23, further comprising establishing a shared memory portion for access by the virtual machine manager, the shared memory portion comprising a portion of the allocation of run-time memory of the virtual guest.

25. A method comprising:
- deploying a virtual guest security apparatus onto a host computing system, the virtual guest security apparatus capable of;
  
  initializing a virtual guest on the host computing system, the host computing system comprising a virtual machine manager, the virtual machine manager managing operation of the virtual guest, the virtual guest comprising a distinct operating environment executing in a virtual operation platform provided by the virtual machine manager;
  
  receiving an allocation of run-time memory for the virtual guest, the allocation of run-time memory comprising a portion of run-time memory of the host computing system; and
  
  setting, by the virtual guest, at least a portion of the allocation of run-time memory to be inaccessible by the virtual machine manager.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Finjan Blue, Inc. (SoftBank Group Corp.)
Original Assignee
International Business Machines Corporation
Inventors
Arges, Christopher J., Fontenot, Nathan D., Grimm, Ryan P., Schopp, Joel H., Strosaker, Michael T.

Granted Patent

US 8,782,351 B2
Time in Patent Office

Days
Field of Search
US Class Current

711/6
CPC Class Codes

G06F 12/14   Protection against unauthor...

G06F 12/1458   by checking the subject acc...

G06F 12/1491   in a hierarchical protectio...

G06F 2009/45583   Memory management, e.g. acc...

G06F 2009/45587   Isolation or security of vi...

G06F 21/53   by executing in a restricte...

G06F 21/62   Protecting access to data v...

G06F 21/6209   to a single file or object,...

G06F 21/6281   at program execution time, ...

G06F 2212/151   Emulated environment, e.g. ...

G06F 9/45533   Hypervisors; Virtual machin...

G06F 9/45558   Hypervisor-specific managem...

G06F 9/468   Specific access rights for ...

PROTECTING MEMORY OF A VIRTUAL GUEST

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

31 Citations

25 Claims

Specification

Use Cases

Quick Links

Others

PROTECTING MEMORY OF A VIRTUAL GUEST

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

31 Citations

25 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others