Security domain in virtual environment
First Claim
Patent Images
1. A computer-implemented method of generating a security domain, the method comprising:
- defining the security domain representing a bounded area of a Virtual Machine for storing protected objects of the Virtual Machine and to enable signing of code using a Trusted Platform Module (TPM),the security domain including kernel-space and user-space objects, and having a flag indicating the validity of the security domain;
allocating a memory space to the security domain and defining a root of trust area, such that the root of trust is guaranteed to be secure upon initialization of the security domain;
initializing the security domain using the root of trust;
loading executable code into the memory space;
allowing the executable code in the security domain access to physical resources of a computer and to the memory space; and
after an access attempt to the memory space from outside the memory space, setting the validity flag to indicate invalidity and invalidating the security domain,otherwise treating the security domain as uncompromised.
3 Assignments
0 Petitions
Accused Products
Abstract
A system, method and computer program product for an isolated security domain which is a bounded area of the VM for protected objects. The objects include executable code and/or data, hardware units (e.g., ports) or a combination thereof. The secure units in this area are accessible using secure rules used to ensure that objects are not malware. Authentication for connections to security domain is required and certain areas of the domain are made to be read only.
-
Citations
21 Claims
-
1. A computer-implemented method of generating a security domain, the method comprising:
-
defining the security domain representing a bounded area of a Virtual Machine for storing protected objects of the Virtual Machine and to enable signing of code using a Trusted Platform Module (TPM), the security domain including kernel-space and user-space objects, and having a flag indicating the validity of the security domain; allocating a memory space to the security domain and defining a root of trust area, such that the root of trust is guaranteed to be secure upon initialization of the security domain; initializing the security domain using the root of trust; loading executable code into the memory space; allowing the executable code in the security domain access to physical resources of a computer and to the memory space; and after an access attempt to the memory space from outside the memory space, setting the validity flag to indicate invalidity and invalidating the security domain, otherwise treating the security domain as uncompromised. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
-
-
21. A system for generating a security domain on a computer having a processor and a memory, the system comprising:
-
a security domain representing a bounded area of a Virtual Machine for storing protected objects of the Virtual Machine and to enable signing of code using a Trusted Platform Module (TPM), the security domain including kernel-space and user space-objects, and having a flag indicating the validity of the security domain; a memory space in the memory allocated to the security domain, a root of trust area associated with the security domain, such that the root of trust is guaranteed to be secure upon initialization of the security domain; executable code loaded into the memory space, such that the executable code in the security domain is permitted access to physical resources; and after an access attempt to the memory space from outside the memory space, the validity flag is set to indicate invalidity and the security domain is invalidated, otherwise the security domain is treated as uncompromised.
-
Specification