Hypervisor-driven protection of data from virtual machine clones
Abstract
A system and method for protecting secure data from virtual machine clones are disclosed. In accordance with one embodiment, a hypervisor transmits a message to a guest operating system hosted by a first virtual machine, where the message identifies a memory location for a secure datum. After the transmission of the message, when the hypervisor receives a direct-copy command to clone the first virtual machine, the hypervisor creates a second virtual machine via direct copy, where the second virtual machine is not provided access to the secure memory location during its creation.
26 Claims
1. A method comprising:
transmitting to a guest operating system of a first virtual machine, by a hypervisor executed by a processing device, a message that identifies a memory location for storing secure data;
receiving by the hypervisor, after the transmitting of the message, a direct-copy command to clone the first virtual machine; and
in response to the direct-copy command, creating, by the hypervisor, a second virtual machine via direct copy of the first virtual machine, wherein the second virtual machine is not provided access to the memory location during the creating of the second virtual machine.
(Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10)
11. An apparatus comprising:
a memory; and
a processing device, coupled to the memory, to:
execute a hypervisor,
transmit to a guest operating system of a virtual machine, via the hypervisor, a message that identifies a memory location for storing secure data,
receive via the hypervisor, after the transmitting of the message, a direct-copy command to clone the virtual machine, and
refuse, via the hypervisor, to execute the direct-copy command.
(Dependent claims: 12, 13)
14. A method comprising:
transmitting to a guest operating system of a virtual machine, by a hypervisor executed by a processing device, a message that identifies a memory location for storing secure data;
receiving by the hypervisor, after the transmitting of the message, a copy-on-write command to clone the virtual machine;
in response to the copy-on-write command, creating, by the hypervisor, a pointer to the virtual machine;
receiving, via the pointer, a request to read contents of the memory location; and
refusing, by the hypervisor, to execute the request.
(Dependent claims: 15, 16, 17, 18, 19, 20, 21, 22)
23. A non-transitory computer readable storage medium, having instructions stored therein, which when executed, cause a processing device to perform operations comprising:
transmitting to a guest operating system of a virtual machine, by a hypervisor executed by the processing device, a message that identifies a memory location for storing secure data;
receiving by the hypervisor, after the transmitting of the message, a copy-on-write command to clone the virtual machine; and
refusing, by the hypervisor, to execute the copy-on-write command.
(Dependent claims: 24, 25, 26)
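Added illustration, not part of the patent text: a toy Python model of the four behaviours recited in independent claims 1, 11, 14 and 23. The class and method names (Hypervisor, VM, announce_secure_location, direct_copy, cow_clone) and the page-dictionary memory model are assumptions made for this sketch.

```python
class CloneRefused(Exception):
    """Raised when the hypervisor refuses a clone command (claims 11 and 23)."""

class VM:
    def __init__(self, pages, parent=None):
        self.pages = dict(pages)   # page number -> bytes (constructed toy memory)
        self.secure = set()        # page numbers the hypervisor announced as secure
        self.parent = parent       # the "pointer" held by a copy-on-write clone

class Hypervisor:
    def __init__(self, refuse_secured_clones=False):
        # Policy switch: exclude secure pages from clones, or refuse cloning outright.
        self.refuse_secured_clones = refuse_secured_clones

    def announce_secure_location(self, vm, page):
        # Models the message telling the guest where secure data should be stored.
        vm.secure.add(page)
        return page

    def write(self, vm, page, data):
        vm.pages[page] = data      # writes always land in the VM's own pages

    def direct_copy(self, vm):
        if self.refuse_secured_clones and vm.secure:
            raise CloneRefused("direct-copy refused")           # claim 11
        # Claim 1: copy every page except the announced secure locations.
        return VM({n: b for n, b in vm.pages.items() if n not in vm.secure})

    def cow_clone(self, vm):
        if self.refuse_secured_clones and vm.secure:
            raise CloneRefused("copy-on-write refused")         # claim 23
        return VM({}, parent=vm)   # claim 14: clone starts as a pointer to the source

    def read(self, vm, page):
        if page in vm.pages:
            return vm.pages[page]  # the VM's own (or already-copied) page
        if vm.parent is not None:
            if page in vm.parent.secure:
                # Claim 14: a read arriving via the pointer is refused.
                raise PermissionError(f"page {page} is secure in the source VM")
            return self.read(vm.parent, page)
        raise KeyError(page)

if __name__ == "__main__":
    hv, vm = Hypervisor(), VM({0: b"kernel"})
    hv.write(vm, hv.announce_secure_location(vm, 1), b"host-key")
    print(sorted(hv.direct_copy(vm).pages))   # secure page 1 is absent from the clone
```

The source virtual machine can still read its own secure page; only clones are denied, either by omission at copy time or by refusal at read time.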
Specification