Virtual machine system, system for forcing policy, method for forcing policy, and virtual machine control program
First Claim
1. A virtual machine system that builds one or more virtual machines on a real machine, comprising a hypervisor that realizes access to virtualized hardware by a guest OS that is an operating system running on said virtual machines or an application running on said guest OS by means of a physical device that said real machine has, said hypervisor including:
- a setting item information holding unit that holds setting item information in which a security policy to be applied to said virtual machine system is indicated as a setting value of a setting item corresponding to a type of said guest OS or a type of said application;
- a setting detecting unit that monitors an instruction executed by said guest OS and an output of said physical device, and detects a candidate value, which corresponds to a setting item in the setting item information, and which is used by the instruction of the guest OS or is the output of said physical device that said real machine, on which the guest OS runs, has; and
- a setting applying unit that, when the candidate value detected by said setting detecting unit and the setting value corresponding to the same setting item, in said setting item information, as the candidate value differ from each other, applies not the candidate value but the setting value to said guest OS or said application that is a setting target of said setting item, using hardware access from said guest OS or said application.
Abstract
A virtual machine system that builds one or more virtual machines on a real machine has a hypervisor for realizing access to virtualized hardware by a guest OS that is an operating system running on the virtual machines or an application running on the guest OS by means of a physical device that the real machine has. The hypervisor includes a setting item information holding unit that holds setting item information in which a security policy is indicated by the setting value of a setting item; a setting detecting unit that monitors an instruction executed by the guest OS and the output of the physical device to detect the setting value that is set in the setting item of the setting item information holding unit or a setting value that is about to be changed therein; and a setting applying unit that, when the detected setting value and the setting value indicated by the setting item information differ from each other, applies the setting value indicated by the setting item information to the guest OS or application that is the setting target of the setting item.
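The detect, compare and apply cycle from the abstract, modeled as an added C example that is not taken from the patent. The guest types, locations and setting values are constructed; a real hypervisor would obtain each event from a trapped instruction or a device completion rather than from a struct.

```c
#include <stddef.h>
#include <stdio.h>

/* Every type, location and value here is constructed for illustration. */
enum guest_type { GUEST_OS_A, GUEST_OS_B };
enum source { SRC_GUEST_INSTRUCTION, SRC_DEVICE_OUTPUT };

/* Setting item information: one row per (guest type, setting item). */
struct setting_item {
    enum guest_type type;
    unsigned location;  /* where this guest type keeps the item */
    unsigned value;     /* setting value required by the security policy */
};
static const struct setting_item policy[] = {
    { GUEST_OS_A, 0x10, 300 },  /* e.g. screen-lock timeout, seconds */
    { GUEST_OS_A, 0x14, 0 },    /* e.g. removable storage disabled */
    { GUEST_OS_B, 0x80, 300 },  /* same item, different guest layout */
};

/* One intercepted hardware access carrying a candidate value. Both
 * sources are checked the same way; src only records the origin. */
struct event {
    enum guest_type type;
    enum source src;
    unsigned location;
    unsigned candidate;
};

/* Setting detecting unit: does this access touch a policy-covered item? */
static const struct setting_item *detect(const struct event *ev) {
    for (size_t i = 0; i < sizeof policy / sizeof policy[0]; i++)
        if (policy[i].type == ev->type && policy[i].location == ev->location)
            return &policy[i];
    return NULL;
}

/* Setting applying unit: returns the value that completes the access.
 * *overridden is set to 1 when the candidate was replaced. */
unsigned apply(const struct event *ev, int *overridden) {
    const struct setting_item *it = detect(ev);
    *overridden = it != NULL && it->value != ev->candidate;
    return *overridden ? it->value : ev->candidate;
}

int main(void) {
    struct event w = { GUEST_OS_A, SRC_GUEST_INSTRUCTION, 0x10, 3600 };
    int ov;
    unsigned v = apply(&w, &ov);
    printf("guest wrote 3600, hypervisor applied %u (overridden=%d)\n", v, ov);
    return 0;
}
```

Accesses that match no row for the guest's type pass through unchanged, which is why the table is keyed on guest type as well as location.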
12 Claims
1. A virtual machine system that builds one or more virtual machines on a real machine, comprising a hypervisor that realizes access to virtualized hardware by a guest OS that is an operating system running on said virtual machines or an application running on said guest OS by means of a physical device that said real machine has, said hypervisor including:
- a setting item information holding unit that holds setting item information in which a security policy to be applied to said virtual machine system is indicated as a setting value of a setting item corresponding to a type of said guest OS or a type of said application;
- a setting detecting unit that monitors an instruction executed by said guest OS and an output of said physical device, and detects a candidate value, which corresponds to a setting item in the setting item information, and which is used by the instruction of the guest OS or is the output of said physical device that said real machine, on which the guest OS runs, has; and
- a setting applying unit that, when the candidate value detected by said setting detecting unit and the setting value corresponding to the same setting item, in said setting item information, as the candidate value differ from each other, applies not the candidate value but the setting value to said guest OS or said application that is a setting target of said setting item, using hardware access from said guest OS or said application.
9. A policy forcing system that forces a security policy on a virtual machine system that builds one or more virtual machines on a real machine, comprising:
- said virtual machine system; and
- a management system that manages said security policy to be applied to said virtual machine system,
said virtual machine system including a hypervisor that realizes access to virtualized hardware by a guest OS that is an operating system running on said virtual machines or an application running on said guest OS by means of a physical device that said real machine has, said hypervisor including:
  - a setting item information holding unit that holds setting item information in which said security policy to be applied to said virtual machine system is indicated as a setting value of a setting item corresponding to a type of said guest OS or a type of said application;
  - a setting detecting unit that monitors an instruction executed by said guest OS and an output of said physical device, and detects a candidate value, which corresponds to a setting item in the setting item information, and which is used by the instruction of the guest OS or is the output of said physical device that said real machine, on which the guest OS runs, has; and
  - a setting applying unit that, when the candidate value detected by said setting detecting unit and the setting value corresponding to the same setting item, in said setting item information, as the candidate value differ from each other, applies not the candidate value but the setting value to said guest OS or said application that is a setting target of said setting item, using hardware access from said guest OS or said application.
11. A policy forcing method for forcing a security policy on a virtual machine system that builds one or more virtual machines on a real machine,
said virtual machine system including a hypervisor that realizes access to virtualized hardware by a guest OS that is an operating system running on said virtual machines or an application running on said guest OS by means of a physical device that said real machine has, said policy forcing method, which is performed by said hypervisor, comprising:
- holding setting item information in which said security policy to be applied to said virtual machine system is indicated as a setting value of a setting item corresponding to a type of said guest OS or a type of said application;
- monitoring an instruction executed by said guest OS and an output of said physical device;
- detecting a candidate value, which corresponds to a setting item in the setting item information, and which is used by the instruction of the guest OS or is the output of said physical device that said real machine, on which the guest OS runs, has; and
- when the candidate value detected by said setting detecting unit and the setting value corresponding to the same setting item, in said setting item information, as the candidate value differ from each other, applying not the candidate value but the setting value to said guest OS or said application that is a setting target of said setting item, using hardware access from said guest OS or said application.
Specification