System and method for logging operations of virtual machines

US 8,448,165 B1
Filed: 09/15/2009
Issued: 05/21/2013
Est. Priority Date: 09/15/2009
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

redirecting a reference from a first address to a second address, whereinthe reference initially refers to the first address,the first address is an address of a function to be executed by a virtual machine, andthe second address is an address of a second memory location in a memory page within the virtual machine;

installing an execution event at the second memory location;

in response to a request to load a software module in the virtual machine, triggering the execution event, whereinthe execution event, when triggered, is configured to cause an indication to be sent to a hypervisor;

in response to the triggering of the execution event, sending the indication to the hypervisor that the software module is loaded in the virtual machine;

in response to the sending, accessing a first memory location in the virtual machine, whereinthe accessing is performed using the hypervisor,a value is stored in the first memory location, andthe value identifies the software module; and

returning the value to the hypervisor.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for logging operations of guest virtual machines are provided. An execution event is triggered, in response to a request to load a software module in a virtual machine. A processor sends an indication to a hypervisor that the software module is loaded in the virtual machine, in response to the triggering of the execution event. A security appliance accesses, using the hypervisor, a first memory location in the virtual machine, in response to the indication. A value is stored in the first memory location. The value identifies the software module. The security appliance returns the value to the hypervisor.

Citations

20 Claims

1. A method, comprising:
- redirecting a reference from a first address to a second address, whereinthe reference initially refers to the first address,the first address is an address of a function to be executed by a virtual machine, andthe second address is an address of a second memory location in a memory page within the virtual machine;
  
  installing an execution event at the second memory location;
  
  in response to a request to load a software module in the virtual machine, triggering the execution event, whereinthe execution event, when triggered, is configured to cause an indication to be sent to a hypervisor;
  
  in response to the triggering of the execution event, sending the indication to the hypervisor that the software module is loaded in the virtual machine;
  
  in response to the sending, accessing a first memory location in the virtual machine, whereinthe accessing is performed using the hypervisor,a value is stored in the first memory location, andthe value identifies the software module; and
  
  returning the value to the hypervisor.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, whereinthe function is a debug service function,the indication is a message, andthe message indicates that the software module is loaded in the virtual machine.
  - 3. The method of claim 2, further comprising:
    - saving an original association between the reference and the first address.
  - 4. The method of claim 2, whereinthe request to load the software module in the virtual machine results in the second memory location being accessed.
  - 5. The method of claim 4, further comprising:
    - in response to triggering the execution event, retrieving the original association; and
      
      executing the debug service function at the first address.
  - 6. The method of claim 2, whereinthe memory page is a non-pageable memory page, andthe memory page is located in a kernel memory of the virtual machine.
  - 7. The method of claim 2, wherein the message is sent by a processor executing the debug service function.

8. A computer system comprising:
- at least one processor;
  
  a computer-readable storage medium coupled to the at least one processor; and
  
  computer code, encoded in the computer-readable storage medium, configured to cause the at least one processor toredirect a reference from a first address to a second address, whereinthe reference initially refers to the first address,the first address is an address of a function to be executed by a virtual machine, andthe second address is an address of a second memory location in a memory page within the virtual machine,install an execution event at the second memory location,trigger the execution event, in response to a request to load a software module in the virtual machine, whereinthe execution event, when triggered, is configured to cause an indication to be sent to a hypervisor,send the indication to the hypervisor that the software module is loaded in the virtual machine, in response to the triggering of the execution event,access a first memory location in the virtual machine, in response to the indication, whereinthe accessing is performed using the hypervisor,a value is stored in the first memory location, andthe value identifies the software module, andreturn the value to the hypervisor.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer system of claim 8, whereinthe function is a debug service function,the indication is a message, andthe message indicates that the software module is loaded in the virtual machine.
  - 10. The computer system of claim 9, wherein the computer code is further configured to cause the processor to:
    - save an original association between the reference and the first address.
  - 11. The computer system of claim 9, whereinthe request to load the software module in the virtual machine results in the second memory location being accessed.
  - 12. The computer system of claim 11, wherein the computer code is further configured to cause the processor to:
    - retrieve the original association, in response to triggering the execution event; and
      
      execute the debug service function at the first address.
  - 13. The computer system of claim 9, whereinthe memory page is a non-pageable memory page, andthe memory page is located in a kernel memory of the virtual machine.
  - 14. The computer system of claim 9, wherein the message is sent by a processor executing the debug service function.

15. A non-transitory computer-readable storage medium comprising computer code, when executed, the computer code is configured to cause a processor to:
- redirect a reference from a first address to a second address, whereinthe reference initially refers to the first address,the first address is an address of a function to be executed by a virtual machine, andthe second address is an address of a second memory location in a memory page within the virtual machine;
  
  install an execution event at the second memory location;
  
  trigger an execution event, in response to a request to load a software module in the virtual machine, whereinthe execution event, when triggered, is configured to cause an indication to be sent to a hypervisor;
  
  send the indication to the hypervisor that the software module is loaded in the virtual machine, in response to the triggering of the execution event;
  
  access a first memory location in the virtual machine, in response to the sending whereinthe accessing is performed using the hypervisor,a value is stored in the first memory location, andthe value identifies the software module; and
  
  return the value to the hypervisor.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The non-transitory computer-readable storage medium of claim 15, whereinthe function is a debug service function,the indication is a message, andthe message indicates that the software module is loaded in the virtual machine.
  - 17. The non-transitory computer-readable storage medium of claim 16, wherein the computer code, when executed, is further configured to cause the processor to:
    - save an original association between the reference and the first address.
  - 18. The non-transitory computer-readable storage medium of claim 16, whereinthe request to load the software module in the virtual machine results in the second memory location being accessed.
  - 19. The non-transitory computer-readable storage medium of claim 18, wherein the computer code, when executed, is further configured to cause the processor to:
    - retrieve the original association, in response to triggering the execution event; and
      
      execute the debug service function at the first address.
  - 20. The non-transitory computer-readable storage medium of claim 16, whereinthe memory page is a non-pageable memory page, andthe memory page is located in a kernel memory of the virtual machine.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Conover, Matthew
Primary Examiner(s)
WANG, RONGFA PHILIP

Application Number

US12/559,990
Time in Patent Office

1,344 Days
Field of Search

None
US Class Current

717/174
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 2009/45591   Monitoring or debugging sup...

G06F 9/4411   Configuring for operating w...

G06F 9/45558   Hypervisor-specific managem...

System and method for logging operations of virtual machines

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for logging operations of virtual machines

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links