Undefeatable transformation for virtual machine I/O operations

US 8,060,877 B1
Filed: 08/20/2007
Issued: 11/15/2011
Est. Priority Date: 04/26/2001
Status: Active Grant

First Claim

Patent Images

1. A non-transitory medium embodying a computer program, the computer program controlling input/output (I/O) operations of a user'"'"'s computer, the user'"'"'s computer being implemented as a virtual machine (VM) in a physical computer system, the physical computer system including at least one device, the computer program comprising:

an interface software component interfacing with the VM and the physical computer system, the interface software component causing a central processing unit (CPU) of the physical computer system to perform the following operations;

sensing a request for an I/O operation between the VM and the device; and

performing a transformation of I/O data passing between the VM and the device, said transformation changing contents of the I/O data and being adjunct to complete servicing of the request, as issued, for the I/O operation;

the transformation of the I/O data thereby being undefeatable by any user action via the VM.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

I/O operations between a virtual machine (VM) and a device external to the VM are monitored by a virtual machine monitor (VMM). Data passing between the VM and the external device is transformed by the VMM, in some cases only when a predetermined filtering or triggering condition is met. Because the VMM, and thus the transformation operation, is transparent to the VM, the transformation cannot be prevented or undone or even affected by any action by a user of the VM. Examples of the non-defeatable transformation of I/O data include generating display overlays such as banners, masking out portions of a display, encryption, compression and network shaping such as bandwidth limiting.

Citations

32 Claims

1. A non-transitory medium embodying a computer program, the computer program controlling input/output (I/O) operations of a user'"'"'s computer, the user'"'"'s computer being implemented as a virtual machine (VM) in a physical computer system, the physical computer system including at least one device, the computer program comprising:
- an interface software component interfacing with the VM and the physical computer system, the interface software component causing a central processing unit (CPU) of the physical computer system to perform the following operations;
  
  sensing a request for an I/O operation between the VM and the device; and
  
  performing a transformation of I/O data passing between the VM and the device, said transformation changing contents of the I/O data and being adjunct to complete servicing of the request, as issued, for the I/O operation;
  
  the transformation of the I/O data thereby being undefeatable by any user action via the VM.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 2. The non-transitory medium of claim 1, in which:
    - the device is a display;
      
      the I/O data is VM display data output from the VM and intended for display; and
      
      the transformation is a replacement of at least a portion of the VM display data with display data stored external to the VM;
      
      wherein the computer program further causes the CPU to display the VM display data with the non-defeatable display data overlaid.
  - 3. The non-transitory medium of claim 1, wherein the interface software component further performs the following steps:
    - filtering the I/O data with respect to at least one predetermined filtering condition; and
      
      performing the transformation of the I/O data only when the filtering condition is met.
  - 4. The non-transitory medium of claim 3, wherein the filtering condition is that the I/O data includes at least one restricted term.
  - 5. The non-transitory medium of claim 3, wherein the filtering condition is that the I/O data is from a restricted source.
  - 6. The non-transitory medium of claim 3, wherein:
    - the I/O data includes image data;
      
      the step of filtering the I/O data comprises detecting the presence of a representation of a target image within the image data; and
      
      the transformation is substitution of a representation of a replacement image in place of the representation of the target image.
  - 7. The non-transitory medium of claim 6, wherein:
    - the I/O data is in a non-character image format;
      
      the target image is a representation of a restricted character string; and
      
      the step of filtering the I/O data comprises applying character recognition to the I/O data.
  - 8. The non-transitory medium of claim 3, wherein the filtering condition is the presence in the I/O data of a copy protection indication.
  - 9. The non-transitory medium of claim 1, wherein the transformation comprises insertion into the I/O data of a source indication associated with the VM.
  - 10. The non-transitory medium of claim 1, wherein the transformation is time-varying.
  - 11. The non-transitory medium of claim 1, wherein the device is a network connection device.
  - 12. The non-transitory medium of claim 11, wherein the transformation is a bandwidth limiting of the I/O data being transferred between the VM and the network connection device.
  - 14. The non-transitory medium of claim 11, wherein:
    - the requested I/O operation is a transfer of the I/O data from the VM to a first destination address via the network connection device;
      
      the transformation is a redirection of the I/O data to a second destination address different from the first.
  - 15. The non-transitory medium of claim 1, wherein:
    - the device is a display;
      
      the display renders data stored in a display map; and
      
      the step of performing the transformation comprises altering a selected portion of the display map.
  - 16. The non-transitory medium of claim 15, wherein the altering of the selected portion of the display data comprises substituting non-defeatable display data for the selected portion.
  - 17. The non-transitory medium of claim 15, wherein the altering of the selected portion of the display data comprises changing all occurrences in the display map of a display color to a replacement color.
  - 18. The tangible medium of claim 1, wherein:
    - the device is a data storage device;
      
      the requested I/O operation is a transfer of data between the VM and the storage device; and
      
      the transformation comprises changing at least a portion of the data during the transfer between the VM and the storage device.
  - 19. The non-transitory medium of claim 18, wherein the transformation comprises encrypting data written by the VM to the data storage device and decrypting data read from the data storage device by the VM.
  - 20. The non-transitory medium of claim 18, wherein the transformation of the I/O data comprises compressing data written by the VM to the data storage device and decompressing data read from the data storage device by the VM.
  - 21. The non-transitory medium of claim 1, wherein:
    - the device is a network connection device;
      
      the requested I/O operation is a transfer of data between the VM and the network connection device; and
      
      the transformation comprises changing at least a portion of the I/O data during the transfer between the VM and the network connection device.
  - 22. The non-transitory medium of claim 21, wherein the transformation of the I/O data comprises encrypting data written by the VM to the network connection device and decrypting data read from the network connection device by the VM.
  - 23. The non-transitory medium of claim 21, wherein the transformation of the I/O data comprises compressing data written by the VM to the network connection device and decompressing data read from the network connection device by the VM.
  - 24. The non-transitory medium of claim 1, wherein the transformation of the I/O data comprises cryptographic transformation of the I/O data.
  - 25. The non-transitory medium of claim 1, wherein:
    - the VM supports a plurality of I/O modes;
      
      the interface software component further performs a step of filtering the I/O data with respect to at least one predetermined filtering condition, the interface software component performing the transformation of the I/O data only when the filtering condition is met;
      
      the step of filtering is performed on I/O data corresponding to a first one of the plurality of I/O modes; and
      
      the predetermined transformation is applied to I/O data in a second one of the I/O modes when the I/O data in the first I/O mode satisfies a transformation-triggering criterion.
  - 26. The non-transitory medium of claim 25, wherein the I/O modes include a video mode and an audio mode.

13. The non-transitory medium of 11, wherein:
- the requested I/O operation is a transfer of the I/O data between the VM and the network connection device; and
  
  the transformation is a time delay of the transfer.

27. A non-transitory medium embodying a computer program, the computer program controlling input/output (I/O) of a user'"'"'s computer, the user'"'"'s computer being implemented as a virtual machine (VM) in a physical computer system, the physical computer system including at least one device that carries out an I/O operation on the basis of device control data, the computer program causing a central processing unit (CPU) of a physical computer system to perform the following steps:
- loading an interface software component that interfaces with the VM and the physical computer system;
  
  storing the device control data associated with the VM in a buffer; and
  
  upon sensing a transformation command from an administrative system external to the VM, causing the interface software component to change contents of the device control data by entering replacement data into at least a portion of the buffer, said replacement data being entered as a processing step that is adjunct to completion of the I/O operation, the entry of the replacement data thereby being undefeatable by any action initiated via the VM.
- View Dependent Claims (28, 29, 30, 31, 32)
- - 28. The non-transitory medium of claim 27, in which the device is a display and the device control data is VM display data.
  - 29. The non-transitory medium of claim 28, further comprising:
    - the buffer is a display buffer for storing the VM display data that is output from the VM and is intended for display; and
      
      the replacement data comprises arbitrary data written to the display buffer;
      
      in which the display is provided for displaying the contents of the display buffer.
  - 30. The non-transitory medium of claim 27, wherein:
    - the device is a data storage device;
      
      the I/O operation is a transfer of data between the VM and the storage device; and
      
      the replacement data comprises a cryptographic transformation of data written by the VM to the data storage device and of data read from the data storage device by the VM.
  - 31. The non-transitory medium of claim 27, wherein:
    - the device is a data storage device;
      
      the I/O operation is a transfer of data between the VM and the storage device; and
      
      the replacement data comprises a compression of data written by the VM to the data storage device and an expansion of data read from the data storage device by the VM.
  - 32. The non-transitory medium of claim 27, in which the device is a network connection device;
    - the I/O operation is a transfer of data between the VM and the network connection device; and
      
      the replacement data comprises a cryptographic transformation of data written by the VM to the network connection device and of data read from the data storage device by the VM.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
VMware, Inc. (Broadcom, Inc.)
Original Assignee
VMware, Inc. (Broadcom, Inc.)
Inventors
Bugnion, Edouard, Waldspurger, Carl A.
Primary Examiner(s)
TO, JENNIFER N

Application Number

US11/841,622
Time in Patent Office

1,548 Days
Field of Search

718/1
US Class Current

718/1
CPC Class Codes

G06F 2009/45579   I/O management, e.g. provid...

G06F 9/45558   Hypervisor-specific managem...

G06F 9/545   where tasks reside in diffe...

Undefeatable transformation for virtual machine I/O operations

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

Undefeatable transformation for virtual machine I/O operations

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links