Method and apparatus to protect policy state information during the life-time of virtual machines

US 7,856,653 B2
Filed: 03/29/2006
Issued: 12/21/2010
Est. Priority Date: 03/29/2006
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method for protecting policy state information during the lifetime of a virtual machine, the computer implemented method comprising:

creating by a processing unit of a data processing system a source policy in combination with a first extension;

creating by the processing unit a mapping policy, wherein the mapping policy maps between the source policy and a binary policy; and

contains a second extension and a hash of the source policy and the first extension;

creating by the processing unit the binary policy, wherein the binary policy contains a hash of the mapping policy and the second extension; and

wherein the source policy, the mapping policy, and the binary policy form a chain of different representations of a security policy, wherein the first extension and the second extension are user defined and are used to customize the security policy to a particular environment; and

determining compatibility of the security policy with another security policy using the binary policy.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A scheme for protecting policy state information during the lifetime of a virtual machine is presented. In order to protect and preserve the policy state information of the virtual machine, a process creates a source policy, a mapping policy, and a binary policy. These policies are all different representations of a security policy. The different policy representations are chained together via cryptographic hashes.

Citations

20 Claims

1. A computer implemented method for protecting policy state information during the lifetime of a virtual machine, the computer implemented method comprising:
- creating by a processing unit of a data processing system a source policy in combination with a first extension;
  
  creating by the processing unit a mapping policy, wherein the mapping policy maps between the source policy and a binary policy; and
  
  contains a second extension and a hash of the source policy and the first extension;
  
  creating by the processing unit the binary policy, wherein the binary policy contains a hash of the mapping policy and the second extension; and
  
  wherein the source policy, the mapping policy, and the binary policy form a chain of different representations of a security policy, wherein the first extension and the second extension are user defined and are used to customize the security policy to a particular environment; and
  
  determining compatibility of the security policy with another security policy using the binary policy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The computer implemented method of claim 1, further comprising:
    - deriving the mapping policy from the source policy.
  - 3. The computer implemented method of claim 1, further comprising:
    - deriving the binary policy from the mapping policy.
  - 4. The computer implemented method of claim 1, further comprising:
    - deriving the binary policy from the source policy.
  - 5. The computer implemented method of claim 1, further comprising:
    - chaining the source policy, the mapping policy, and the binary policy together via cryptographic hashes.
  - 6. The computer implemented method of claim 5, further comprising:
    - performing a cryptographic hash on the source policy to form a source hash.
  - 7. The computer implemented method of claim 6, wherein the first extension comprising a user defined extension is combined with the source policy before the cryptographic hash is performed.
  - 8. The computer implemented method of claim 6, further comprising:
    - performing a cryptographic hash on the mapping policy combined with the source hash to form a mapping hash.
  - 9. The computer implemented method of claim 8, wherein the second extension comprising a user defined extension is combined with the mapping policy and the source hash before the cryptographic hash is performed.
  - 10. The computer implemented method of claim 8, wherein the binary policy comprises policy encoding combined with the mapping hash.

11. A non-transitory computer usable medium having computer usable program code stored thereon for protecting policy state information during the lifetime of a virtual machine, the computer usable program code comprising:
- computer usable program code for creating a source policy in combination with a first extension;
  
  computer usable program code for creating a mapping policy, wherein the mapping policy maps between the source policy and a binary policy; and
  
  contains a second extension and a hash of the source policy and the first extension; and
  
  computer usable program code for creating the binary policy, wherein the binary policy contains a hash of the mapping policy and the second extension; and
  
  wherein the source policy, the mapping policy; and
  
  the binary policy form a chain of different representations of a security policy, wherein the first extension and the second extension are user defined and are used to customize the security policy to a particular environment; and
  
  determining compatibility of the security policy with another security policy using the binary policy.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The non-transitory computer usable medium of claim 11, further comprising:
    - computer usable program code for chaining the source policy, the mapping policy, and the binary policy together via cryptographic hashes.
  - 13. The non-transitory computer usable medium of claim 12, further comprising:
    - computer usable program code for performing a cryptographic hash on the source policy to form a source hash.
  - 14. The non-transitory computer usable medium of claim 13, wherein the first extension comprising a user defined extension is combined with the source policy before the cryptographic hash is performed.
  - 15. The non-transitory computer usable medium of claim 13, further comprising:
    - computer usable program code for performing a cryptographic hash on the mapping policy and the second extension combined with the source hash to form a mapping hash.
  - 16. The non-transitory computer usable medium of claim 15, wherein the second extension comprising a user defined extension is combined with the mapping policy and the source hash before the cryptographic hash is performed.

17. A data processing system for protecting policy state information during the lifetime of a virtual machine, said data processing system comprising:
- a storage device for storing computer usable program code; and
  
  a processor for executing the computer usable program code for creating a source policy in combination with a first extension;
  
  creating a mapping policy, wherein the mapping policy maps between the source policy and a binary policy; and
  
  contains a second extension and a hash of the source policy and the first extension;
  
  creating the binary policy, wherein the binary policy contains a hash of the mapping policy and the second extension; and
  
  wherein the source policy, the mapping policy, and the binary policy form a chain of different representations of a security policy, wherein the first extension and the second extension are user defined and are used to customize the security policy to a particular environment; and
  
  determining compatibility of the security policy with another security policy using the binary policy.
- View Dependent Claims (18, 19, 20)
- - 18. The data processing system of claim 17, wherein the processor further executes the computer usable program code for chaining the source policy, the mapping policy, and the binary policy together via cryptographic hashes.
  - 19. The data processing system of claim 17, wherein the processor further executes the computer usable program code for performing a cryptographic hash on the source policy to form a source hash and wherein the first extension comprising a user defined extension is combined with the source policy before the cryptographic hash is performed.
  - 20. The data processing system of claim 17, wherein the processor further executes the computer usable program code for performing a cryptographic hash on the mapping policy combined with the source hash to form a mapping hash and wherein the second extension comprising a user defined extension is combined with the mapping policy and the source hash before the cryptographic hash is performed.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Wrp IP Management, LLC
Original Assignee
International Business Machines Corporation
Inventors
Valdez, Enriquillo, Jaeger, Trent Ray, Berger, Stefan, Sailer, Reiner, Perez, Ronald
Primary Examiner(s)
Moazzami; Nasser
Assistant Examiner(s)
ABEDIN, SHANTO

Application Number

US11/392,349
Publication Number

US 20070239979A1
Time in Patent Office

1,728 Days
Field of Search

726/1, 726/2, 726/26, 726/27, 726/30, 713/150, 713/155, 713/156, 713/157, 713/165, 713/166, 713/167, 713/170, 709/225, 718/1, 718/100
US Class Current

726/1
CPC Class Codes

H04L 63/102 Entity profiles

H04L 63/12 Applying verification of th...

Method and apparatus to protect policy state information during the life-time of virtual machines

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus to protect policy state information during the life-time of virtual machines

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links