Cross-VM network filtering
Abstract
A security virtual machine inspects all data traffic between other virtual machines on a virtualization platform in order to prevent an inter-VM attack. Data traffic between the machines is intercepted at the privileged domain and directed to the security virtual machine via a hook mechanism and a shared memory location. The traffic is read by the security machine and analyzed for malicious software. After analysis, the security machine sends back a verdict for each data packet to the privileged machine, which then drops each data packet or passes it on to its intended destination. The privileged domain either keeps a copy of each packet or relies upon the security machine to send each packet back. Instead of blocking data packets, the security machine may also substitute legitimate or warning data packets into a malicious data package. The shared memory location is a circular buffer for greater performance. Traffic is intercepted on a single host computer or between host computers.
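As an added illustration of the data path the abstract describes (this is not code from the patent), the following Python simulation models the privileged domain and the security VM as two functions that hand packets over through a fixed-size circular buffer rather than the virtual network and enforce a per-packet pass, block or replace verdict. The Packet type, the "EVIL" signature and the warning payload are constructed placeholders standing in for a real packet format and scanner.

```python
from dataclasses import dataclass

MALICIOUS_MARKER = b"EVIL"  # constructed stand-in for a real malware signature
WARNING_PAYLOAD = b"BLOCKED-BY-SECURITY-VM"  # substituted for malicious content

@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes

class SharedRing:
    """Fixed-size circular buffer standing in for the shared memory location."""
    def __init__(self, slots):
        self.slots = [None] * slots
        self.head = self.tail = self.count = 0  # producer index, consumer index, fill level
    def put(self, pkt):
        if self.count == len(self.slots):
            return False  # full: the privileged domain must wait, not bypass inspection
        self.slots[self.head] = pkt
        self.head = (self.head + 1) % len(self.slots)
        self.count += 1
        return True
    def get(self):
        if self.count == 0:
            return None
        pkt = self.slots[self.tail]
        self.tail = (self.tail + 1) % len(self.slots)
        self.count -= 1
        return pkt

def security_vm_verdict(pkt, substitute=False):
    """Security domain: scan one packet and return (verdict, packet_to_forward)."""
    if MALICIOUS_MARKER not in pkt.payload:
        return "pass", pkt
    if substitute:  # replace rather than block, as the abstract allows
        return "replace", Packet(pkt.src, pkt.dst, WARNING_PAYLOAD)
    return "block", None

def privileged_domain_filter(packets, ring, substitute=False):
    """Privileged domain: intercept, hand over via shared memory, enforce verdict."""
    delivered = {}  # destination VM -> payloads actually forwarded
    for pkt in packets:
        if not ring.put(pkt):  # hook point: the packet never touches the virtual network
            raise RuntimeError("shared ring full")  # fail closed, never fail open
        verdict, out = security_vm_verdict(ring.get(), substitute)
        if verdict in ("pass", "replace"):
            delivered.setdefault(out.dst, []).append(out.payload)
    return delivered
```

The ring returns False when full so that a saturated buffer stalls delivery instead of letting uninspected traffic through; a real implementation would also need the security VM to run concurrently rather than being called inline.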
Claims (26)
1. A method of filtering data traffic in a virtualization environment, said method comprising:
receiving, at a privileged virtual machine executing a privileged domain responsible for managing communication between virtual machines, a data packet from a first virtual machine destined for a second virtual machine, said privileged virtual machine executing upon a virtualization platform on a host computer, wherein data packets of said virtualization environment pass through said privileged virtual machine;
intercepting said data packet by said privileged virtual machine;
sending said data packet from said privileged virtual machine to a memory location in said host computer shared between said privileged virtual machine and a security virtual machine executing a security domain on said virtualization platform, said sending not utilizing a virtual network of said virtualization environment, said security virtual machine being a different virtual machine than said privileged virtual machine;
receiving at said privileged virtual machine a verdict from said security virtual machine regarding said data packet; and
passing said data packet to said second virtual machine or dropping said data packet based upon said verdict.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 12.
11. A method of filtering data traffic in a virtualization environment, said method comprising:
reading, by a security virtual machine executing a security domain, a plurality of data packets from a memory location in a host computer shared between said security virtual machine and a privileged virtual machine executing a privileged domain responsible for managing communication between virtual machines, said security virtual machine executing upon a virtualization platform on said host computer, wherein data packets of said virtualization environment pass through said privileged virtual machine, and wherein said reading not utilizing a virtual network of said virtualization environment, said security virtual machine being a different virtual machine than said privileged virtual machine;
assembling said data packets into a data package;
analyzing said data package by said security virtual machine to determine if malicious software is present;
determining a pass or a block verdict for one of said data packets based upon said analyzing; and
sending said verdict to said privileged virtual machine along with an indication of said data packet.
Dependent claims: 13, 14, 15, 16, 17.
18. A method of modifying data traffic in a virtualization environment, said method comprising:
reading, by a security virtual machine executing a security domain, a plurality of data packets from a memory location in a host computer shared between said security virtual machine and a privileged virtual machine executing a privileged domain responsible for managing communication between virtual machines, said security virtual machine executing upon a virtualization platform on said host computer, wherein data packets of said virtualization environment pass through said privileged virtual machine, and wherein said reading not utilizing a virtual network of said virtualization environment, said security virtual machine being a different virtual machine than said privileged virtual machine;
assembling said data packets into a data package;
detecting malicious software in said data package;
replacing, by said security virtual machine, a subset of said data packets to eliminate said malicious software in said data package; and
returning said modified data package to said privileged virtual machine.
Dependent claims: 19, 20, 21, 22, 23, 24, 25, 26.