TRUSTED VIRTUAL COMPUTING SYSTEM

US 20150244717A1
Filed: 07/09/2013
Published: 08/27/2015
Est. Priority Date: 07/09/2013
Status: Abandoned Application

First Claim

Patent Images

1. A trusted computing system, comprising:

one or more hardware components;

a hypervisor configured to execute on at least one of the hardware components; and

a privileged domain comprising;

a security module configured to;

authorize access to the hypervisor, andmanage one or more virtual machines that are grouped with one or more additional virtual machines disposed on other network nodes to form one or more respective trusted logic virtual domains based on one or more predetermined criteria, one or more trusted platform modules (TPMs), each of which corresponds to each of the one or more respective trusted logic virtual domains, each of which is configured to generate a system security state for each of the respective one or more trusted logic virtual domains, anda synchronization module configured to synchronize the system security state between at least one of the one or more virtual machines and the one or more additional virtual machines in a same one of the one or more trusted logic virtual domains.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In a computing environment that includes multiple virtual machines performing computing tasks for a same entity, the integrity of each of the virtual machines may be synchronized between different virtual machines to create a trusted logic virtual domain for a user.

25 Citations

View as Search Results

21 Claims

1. A trusted computing system, comprising:
- one or more hardware components;
  
  a hypervisor configured to execute on at least one of the hardware components; and
  
  a privileged domain comprising;
  
  a security module configured to;
  
  authorize access to the hypervisor, andmanage one or more virtual machines that are grouped with one or more additional virtual machines disposed on other network nodes to form one or more respective trusted logic virtual domains based on one or more predetermined criteria, one or more trusted platform modules (TPMs), each of which corresponds to each of the one or more respective trusted logic virtual domains, each of which is configured to generate a system security state for each of the respective one or more trusted logic virtual domains, anda synchronization module configured to synchronize the system security state between at least one of the one or more virtual machines and the one or more additional virtual machines in a same one of the one or more trusted logic virtual domains.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The trusted computing system of claim 1, wherein the system security state includes one or more security levels.
  - 3. The trusted computing system of claim 1, wherein the privileged domain further comprises a TPM management module configured to receive security information from the one or more virtual machines and to update the system security state of each of the one or more virtual machines.
  - 4. The trusted computing system of claim 1,wherein each of the one or more virtual machines is allocated with a portion of physical memory of the network node to store the system security state;
    - andwherein the synchronization module is authorized to access the portions of physical memory allocated to each of the one or more virtual machines.
  - 5. The trusted computing system of claim 1, wherein the one or more predetermined criteria at least include identity of a user, organization that the user belongs to, or geographical information.
  - 6. The trusted computing system of claim 1, wherein the one or more TPMs are configured to respond to one or more verification requests to verify the system security state of at least one of the one or more trusted logic virtual domains.

7. (canceled)

8. A method, comprising:
- managing one or more virtual machines on a physical node;
  
  forming a trusted logic virtual domain by grouping each of the one or more virtual machines with one or more other virtual machines on other physical nodes;
  
  generating a system security state for each of the trusted logic virtual domain;
  
  identifying one or more events that change the system security state of one of the one or more virtual machines in the trusted logic virtual domain;
  
  changing the system security state of one of the one or more virtual machines in the trusted logic virtual domain; and
  
  synchronizing the system security states of other virtual machines in the trusted logic virtual domain.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method of claim 8, wherein the forming includes grouping each of the one or more virtual machines with one or more other virtual machines on other physical nodes based on one or more predetermined criteria that includes at least one of an identity of a user of one of the virtual machines, an identity of an entity to which the user belongs, or a location of the user or entity.
  - 10. The method of claim 8, wherein the system security state includes one or more security levels.
  - 11. The method of claim 8, wherein the synchronizing includes retrieving the system security state from a portion of physical memory allocated to one or the one or more virtual machines.
  - 12. The method of claim 8, further comprising responding to one or more verification requests, from one or more requestors, to verify the system security state of the trusted logic virtual domain.
  - 13. The method of claim 10, further comprising denying one or more requests to transfer confidential information when the system security state reaches a predetermined one of the one or more security levels.
  - 14. The method of claim 12, wherein the responding comprises:
    - receiving a random number included in one of the one or more verification requests;
      
      signing, with a secret private key, a packet that includes a hash value of the system security state and the random number; and
      
      returning the packet to one of the one or more requestors.

15. A computer-readable medium that stores executable-instructions that, when executed, cause one or more processors to perform operations comprising:
- activating a privileged domain to manage one or more virtual machines, each of which is grouped with other virtual machines on at least one physical nodes to form a trusted logic virtual domain that is assigned a system security state;
  
  allocating a portion of physical memory to each of the one or more virtual machines to store the system security state;
  
  transmitting the system security state of one of the one or more trusted logic virtual domains to a corresponding trusted platform module in the privileged domain; and
  
  authorizing a synchronization module in the privileged domain to update the system security state to other virtual machines hosted on the plurality of physical nodes.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The computer-readable medium of claim 15, wherein the one or more trusted logic virtual domains are formed based on one or more predetermined criteria that at least include identity of a user of at least one of the virtual machines, an identity of an entity to which the user belongs, or location information of the user or organization.
  - 17. The computer-readable medium of claim 15, wherein the system security state includes one or more security levels.
  - 18. The computer-readable medium of claim 15, wherein the transmitting includes retrieving the system security state from the portion of physical memory and writing the system security state to another portion of physical memory that is accessible to the corresponding trusted platform module.
  - 19. The computer-readable medium of claim 15, wherein the operations further comprise allowing the privileged domain to respond to one or more verification requests, from one or more requestors, by verifying the system security state of at least one of the one or more trusted logic virtual domains.
  - 20. The computer-readable medium of claim 17, wherein the operations further comprise denying one or more requests to transfer confidential information when the system security state reaches a predetermined one of the one or more security levels.
  - 21. The computer-readable medium of claim 17, further comprising denying one or more requests to access one or more hardware components when the system security level reaches the predetermined one of the one or more security levels.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Huazhong University of Science & Technology
Original Assignee
Huazhong University of Science & Technology
Inventors
Jin, Hai, Zou, Deqing, Dai, Weiqi, Jiang, Changqing

Application Number

US14/422,823
Publication Number

US 20150244717A1
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/71   to assure secure computing ...

G06F 9/5077   Logical partitioning of res...

H04L 63/0853   using an additional device,...

TRUSTED VIRTUAL COMPUTING SYSTEM

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

25 Citations

21 Claims

Specification

Use Cases

Quick Links

Others

TRUSTED VIRTUAL COMPUTING SYSTEM

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

25 Citations

21 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others