Protection of data from virtual machine clones via paravirtualization
Abstract
A system and method for protecting secure data from virtual machine clones are disclosed. In accordance with one embodiment, a hypervisor receives a message from a guest operating system hosted by a first virtual machine, where the message identifies a memory location (e.g., of main memory, of a storage device, etc.) for a secure datum. After the hypervisor receives a direct-copy command to clone the first virtual machine, the hypervisor creates a second virtual machine via direct copy, where the second virtual machine is not provided access to the secure memory location during its creation.
26 Claims
1. A method performed by a computer system, wherein the computer system executes a hypervisor, the method comprising:
- receiving by the hypervisor, from a guest operating system hosted by a first virtual machine, a message that identifies a memory location for a secure datum;
- receiving, by the hypervisor, a direct-copy command to clone the first virtual machine; and
- in response to the direct-copy command, creating, by the hypervisor, a second virtual machine via direct copy of the first virtual machine, wherein the second virtual machine is not provided access to the memory location during the creating of the second virtual machine.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.

11. An apparatus comprising:
- a memory; and
- a processor to:
  - execute a hypervisor,
  - receive via the hypervisor, from a guest operating system of a virtual machine, a message that identifies a memory location of the memory for a secure datum,
  - receive, via the hypervisor, a direct-copy command to clone the virtual machine, and
  - refuse, via the hypervisor, to execute the direct-copy command.
Dependent claims: 12, 13.

14. A method performed by a computer system, wherein the computer system executes a hypervisor, the method comprising:
- receiving by the hypervisor, from a guest operating system hosted by a virtual machine, a message that identifies a memory location for a secure datum;
- receiving, by the hypervisor, a copy-on-write command to clone the virtual machine;
- in response to the copy-on-write command, creating, by the hypervisor, a pointer to the virtual machine; and
- refusing, by the hypervisor, to execute a request via the pointer to read contents of the memory location.
Dependent claims: 15, 16, 17, 18, 19, 20, 21, 22.

23. A non-transitory computer readable storage medium, having instructions stored therein, which when executed, cause a computer system to perform a method, wherein the computer system executes a hypervisor, and wherein the method comprises:
- receiving by the hypervisor, from a guest operating system hosted by a virtual machine, a message that identifies a memory location for a secure datum;
- receiving, by the hypervisor, a copy-on-write command to clone the virtual machine; and
- refusing, by the hypervisor, to execute the copy-on-write command.
Dependent claims: 24, 25, 26.

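A toy model of the behaviour recited in claims 1 and 14, added here as an illustration; it is not code from the patent or its assignee. The page-granular marking, the `vm_t` layout and every `hv_*` name are assumptions: a direct-copy clone leaves marked pages zeroed, and a read through a copy-on-write pointer that touches a marked page is refused.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PAGE_SIZE 16 /* assumption: tiny pages keep the model readable */
#define NPAGES 4

typedef struct {
    uint8_t mem[NPAGES][PAGE_SIZE];
    uint8_t secure[NPAGES]; /* set by the guest's message (hypothetical layout) */
} vm_t;
typedef struct { const vm_t *parent; } cow_clone_t; /* pointer to the VM */

/* Return 0 if [off, off+len) lies inside guest memory, else -1. */
static int in_range(size_t off, size_t len) {
    size_t total = (size_t)NPAGES * PAGE_SIZE;
    return (len == 0 || off >= total || len > total - off) ? -1 : 0;
}

/* Guest -> hypervisor message: pages touching [off, off+len) hold a secure datum. */
int hv_mark_secure(vm_t *vm, size_t off, size_t len) {
    if (in_range(off, len)) return -1;
    for (size_t p = off / PAGE_SIZE; p <= (off + len - 1) / PAGE_SIZE; p++)
        vm->secure[p] = 1;
    return 0;
}

/* Direct-copy clone: marked pages are never copied and stay zeroed in the clone. */
void hv_direct_copy(const vm_t *src, vm_t *dst) {
    memset(dst, 0, sizeof *dst);
    for (size_t p = 0; p < NPAGES; p++)
        if (!src->secure[p]) memcpy(dst->mem[p], src->mem[p], PAGE_SIZE);
}

/* Copy-on-write clone: only a pointer to the parent VM is created. */
cow_clone_t hv_cow_clone(const vm_t *src) { return (cow_clone_t){ src }; }

/* Read via the COW pointer; refused (-1) if any touched page is marked. */
int hv_cow_read(const cow_clone_t *c, size_t off, void *buf, size_t len) {
    if (in_range(off, len)) return -1;
    for (size_t p = off / PAGE_SIZE; p <= (off + len - 1) / PAGE_SIZE; p++)
        if (c->parent->secure[p]) return -1;
    memcpy(buf, (const uint8_t *)c->parent->mem + off, len);
    return 0;
}
```

Because marking is per page in this model, non-secret bytes that share a page with the secure datum are withheld from the clone as well.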