Protection of data from virtual machine clones via paravirtualization

US 8,775,715 B2
Filed: 05/30/2012
Issued: 07/08/2014
Est. Priority Date: 05/30/2012
Status: Active Grant

First Claim

Patent Images

1. A method performed by a computer system, wherein the computer system executes a hypervisor, the method comprising:

receiving by the hypervisor, from a guest operating system hosted by a first virtual machine, a message that identifies a memory location for a secure datum;

receiving, by the hypervisor, a direct-copy command to clone the first virtual machine; and

in response to the direct-copy command, creating, by the hypervisor, a second virtual machine via direct copy of the first virtual machine, wherein the second virtual machine is not provided access to the memory location during the creating of the second virtual machine.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for protecting secure data from virtual machine clones are disclosed. In accordance with one embodiment, a hypervisor receives a message from a guest operating system hosted by a first virtual machine, where the message identifies a memory location (e.g., of main memory, of a storage device, etc.) for a secure datum. After the hypervisor receives a direct-copy command to clone the first virtual machine, the hypervisor creates a second virtual machine via direct copy, where the second virtual machine is not provided access to the secure memory location during its creation.

Citations

26 Claims

1. A method performed by a computer system, wherein the computer system executes a hypervisor, the method comprising:
- receiving by the hypervisor, from a guest operating system hosted by a first virtual machine, a message that identifies a memory location for a secure datum;
  
  receiving, by the hypervisor, a direct-copy command to clone the first virtual machine; and
  
  in response to the direct-copy command, creating, by the hypervisor, a second virtual machine via direct copy of the first virtual machine, wherein the second virtual machine is not provided access to the memory location during the creating of the second virtual machine.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1 wherein the message that identifies the memory location is transmitted by the guest operating system prior to storing the secure datum in the memory location.
  - 3. The method of claim 1 wherein the second virtual machine is not provided access to read contents of the memory location.
  - 4. The method of claim 3 wherein the second virtual machine is not provided access to read the contents of the memory location until a write operation of a new datum to the memory location.
  - 5. The method of claim 1 wherein a request by the second virtual machine to read contents of the memory location causes the hypervisor to throw an exception.
  - 6. The method of claim 1 wherein the memory location is a location in one of a random access memory and a storage device.
  - 7. The method of claim 1 wherein a non-secure datum is written instead of the secure datum during the creating of the second virtual machine.
  - 8. The method of claim 7 wherein the non-secure datum is supplied to the hypervisor by the first virtual machine.
  - 9. The method of claim 7 wherein, instead of copying a page that includes the memory location at position N of the page, the creating of the second virtual machine comprises:
    - creating a new page that stores the non-secure datum at position N of the page; and
      
      setting, in a page table for the second virtual machine, an entry to point to the new page.
  - 10. The method of claim 7 wherein, instead of copying a page that includes the memory location, the creating of the second virtual machine comprises setting, in a page table for the second virtual machine, an entry for a non-present page.

11. An apparatus comprising:
- a memory; and
  
  a processor to;
  
  execute a hypervisor,receive via the hypervisor, from a guest operating system of a virtual machine, a message that identifies a memory location of the memory for a secure datum,receive, via the hypervisor, a direct-copy command to clone the virtual machine, andrefuse, via the hypervisor, to execute the direct-copy command.
- View Dependent Claims (12, 13)
- - 12. The apparatus of claim 11 wherein the processor is also to throw, via the hypervisor, an exception in response to the direct-copy command.
  - 13. The apparatus of claim 11 wherein the memory is one of a random access memory and a storage device.

14. A method performed by a computer system, wherein the computer system executes a hypervisor, the method comprising:
- receiving by the hypervisor, from a guest operating system hosted by a virtual machine, a message that identifies a memory location for a secure datum;
  
  receiving, by the hypervisor, a copy-on-write command to clone the virtual machine;
  
  in response to the copy-on-write command, creating, by the hypervisor, a pointer to the virtual machine; and
  
  refusing, by the hypervisor, to execute a request via the pointer to read contents of the memory location.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22)
- - 15. The method of claim 14 wherein the message that identifies the memory location is transmitted by the guest operating system prior to storing the secure datum in the memory location.
  - 16. The method of claim 14 further comprising throwing, by the hypervisor, an exception in response to the request.
  - 17. The method of claim 14 further comprising returning, by the hypervisor, a non-secure datum instead of the secure datum.
  - 18. The method of claim 17 wherein the non-secure datum is supplied to the hypervisor by the virtual machine.
  - 19. The method of claim 14 wherein the guest operating system receives a first request to write a new datum to the memory location, and wherein, in response to the first request, the guest operating system writes the new datum to the memory location, and wherein the guest operating system receives, via the pointer, a second request to read the contents of the memory location, and wherein, in response to the second request, the guest operating system returns the new datum.
  - 20. The method of claim 14 wherein the guest operating system receives a first request to write a new datum to the memory location, and wherein, in response to the first request, the guest operating system writes the new datum to the memory location, and wherein the guest operating system receives, via the pointer, a second request to read the contents of the memory location, and wherein the hypervisor refuses to execute the second request.
  - 21. The method of claim 14 further comprising, in response to the copy-on-write command:
    - setting, in a page table associated with the pointer, an entry to point to a page with only non-secure data instead of a page that includes the memory location.
  - 22. The method of claim 14 further comprising, in response to the copy-on-write command:
    - setting, in a page table associated with the pointer, an entry for a non-present page instead of a page that includes the memory location.

23. A non-transitory computer readable storage medium, having instructions stored therein, which when executed, cause a computer system to perform a method, wherein the computer system executes a hypervisor, and wherein the method comprises:
- receiving by the hypervisor, from a guest operating system hosted by a virtual machine, a message that identifies a memory location for a secure datum;
  
  receiving, by the hypervisor, a copy-on-write command to clone the virtual machine; and
  
  refusing, by the hypervisor, to execute the copy-on-write command.
- View Dependent Claims (24, 25, 26)
- - 24. The non-transitory computer readable storage medium of claim 23, wherein the message that identifies the memory location is transmitted by the guest operating system prior to storing the secure datum in the memory location.
  - 25. The non-transitory computer readable storage medium of claim 23, wherein the method further comprises throwing, by the hypervisor, an exception in response to the copy-on-write command.
  - 26. The non-transitory computer readable storage medium of claim 23, wherein the memory location is a location in one of a random access memory and a storage device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Red Hat Israel Ltd. (International Business Machines Corporation)
Original Assignee
Red Hat Israel Ltd. (International Business Machines Corporation)
Inventors
Tsirkin, Michael, Laor, Dor
Primary Examiner(s)
Gu, Shawn X

Application Number

US13/484,110
Publication Number

US 20130326172A1
Time in Patent Office

769 Days
Field of Search

None
US Class Current

711/6
CPC Class Codes

G06F 2009/45562   Creating, deleting, cloning...

G06F 2009/45587   Isolation or security of vi...

G06F 9/45558   Hypervisor-specific managem...

Protection of data from virtual machine clones via paravirtualization

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Protection of data from virtual machine clones via paravirtualization

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links