Automated provisioning of secure virtual execution environment using virtual machine templates based on requested activity
Abstract
Approaches for executing untrusted software on a client without compromising the client using micro-virtualization to execute untrusted software in isolated contexts. A template for instantiating a virtual machine on a client is identified in response to receiving a request to execute an application. After the template is identified, without human intervention, a virtual machine is instantiated, using the template, in which the application is to be executed. The template may be selected from a plurality of templates based on the nature of the request, as each template describes characteristics of a virtual machine suitable for a different type of activity. When the client determines that the application has ceased to execute, the client ceases execution of the virtual machine without human intervention.
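The flow the abstract describes can be sketched as follows. This is an added illustration, not code from the patent or from any product; the template names, activity and provenance labels, the image name and the `Host` class are all hypothetical, and VM creation is simulated with in-memory objects.

```python
from dataclasses import dataclass
from itertools import count

SHARED_OS_IMAGE = "shared-base-os.img"  # hypothetical name; one image backs every template


@dataclass(frozen=True)
class Template:
    """VM characteristics suited to one type of activity (all fields assumed)."""
    name: str
    network: frozenset      # network resources the VM may reach
    host_files: frozenset   # host data exposed inside the VM
    os_image: str = SHARED_OS_IMAGE


TEMPLATES = {
    "untrusted-web": Template("untrusted-web", frozenset({"internet"}), frozenset()),
    "intranet-web": Template("intranet-web", frozenset({"intranet"}), frozenset()),
    "document": Template("document", frozenset(), frozenset({"requested-file"})),
    "locked-down": Template("locked-down", frozenset(), frozenset()),
}

# Policy rules: (activity type, provenance, template). First match wins;
# a provenance of None matches any origin.
POLICY = [
    ("browse", "internet", "untrusted-web"),
    ("browse", "intranet", "intranet-web"),
    ("open-document", None, "document"),
]
DEFAULT_TEMPLATE = "locked-down"  # unmatched requests get the least privilege


def select_template(activity, provenance):
    """Pick a template from the activity type and the code's provenance."""
    for rule_activity, rule_provenance, name in POLICY:
        if rule_activity == activity and rule_provenance in (None, provenance):
            return TEMPLATES[name]
    return TEMPLATES[DEFAULT_TEMPLATE]


@dataclass
class MicroVM:
    vm_id: int
    template: Template
    app: str


class Host:
    """Simulated client: one VM per request, no user instruction involved."""

    def __init__(self):
        self.running = {}
        self._ids = count(1)

    def handle_request(self, app, activity, provenance):
        template = select_template(activity, provenance)
        vm = MicroVM(next(self._ids), template, app)  # instantiate from template
        self.running[vm.vm_id] = vm                   # app now executes inside it
        return vm

    def on_app_exit(self, vm_id):
        # The VM's lifetime is tied to the application: tear it down on exit.
        self.running.pop(vm_id, None)


def demo():
    host = Host()
    requests = [  # constructed sample requests
        ("browser", "browse", "internet"),
        ("browser", "browse", "intranet"),
        ("pdf-viewer", "open-document", "email"),
        ("setup.exe", "run-installer", "usb"),
    ]
    vms = [host.handle_request(*r) for r in requests]
    chosen = [vm.template.name for vm in vms]
    images = {vm.template.os_image for vm in vms}
    for vm in vms:
        host.on_app_exit(vm.vm_id)
    return chosen, images, len(host.running)


if __name__ == "__main__":
    print(demo())
```

The fallback to the most restrictive template for requests that match no rule is a design choice of this sketch, so that an unanticipated activity type never inherits network or file access by default.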
24 Claims
1. A non-transitory computer readable storage medium storing one or more sequences of instructions, which when executed by one or more processors, causes:
in response to receiving a request to execute an application, instantiating a virtual machine in which the application is to be executed, wherein instantiating said virtual machine is performed without receiving an explicit user instruction to instantiate said virtual machine, and wherein instantiating said virtual machine further comprises; identifying one or more templates for use in instantiating said virtual machine based on a policy that considers a type of activity whose execution is being requested by the request and the provenance of the executable code for said application, wherein the one or more templates describe virtual machine characteristics configured for different types of activity, and wherein the one or more templates each reference a shared operating system image used to instantiate a plurality of operating system instances to each run in virtual machines created using the one or more templates; and after instantiating said virtual machine using said one or more templates, executing said application in said virtual machine.
Dependent claims: 2, 3
4. A non-transitory computer readable storage medium storing one or more sequences of instructions, which when executed by one or more processors, causes:
in response to receiving a request to execute an application, instantiating a virtual machine in which the application is to be executed, wherein instantiating said virtual machine is performed without receiving an explicit user instruction to instantiate said virtual machine, and wherein instantiating said virtual machine further comprises; identifying one or more templates for use in instantiating said virtual machine based on a policy that considers a type of activity whose execution is being requested by the request, wherein the one or more templates describe virtual machine characteristics configured for different types of activity, and wherein the one or more templates each reference a shared operating system image used to instantiate a plurality of operating system instances to each run in virtual machines created using the one or more templates; and after instantiating said virtual machine using said one or more templates, executing said application in said virtual machine, wherein a firewall virtual machine provides said virtual machine access to a particular set of network resources available to said virtual machine, and wherein said firewall virtual machine implements a network access policy for a plurality of virtual machines on a physical device.
5. A non-transitory computer readable storage medium storing one or more sequences of instructions, which when executed by one or more processors, causes:
in response to receiving a request to execute an application, instantiating a virtual machine in which the application is to be executed, wherein instantiating said virtual machine is performed without receiving an explicit user instruction to instantiate said virtual machine, and wherein instantiating said virtual machine further comprises; identifying one or more templates for use in instantiating said virtual machine based on a policy that considers a type of activity whose execution is being requested by the request and user input accompanying the request, wherein the one or more templates describe virtual machine characteristics configured for different types of activity, and wherein the one or more templates each reference a shared operating system image used to instantiate a plurality of operating system instances to each run in virtual machines created using the one or more templates; and after instantiating said virtual machine using said one or more templates, executing said application in said virtual machine.
6. A non-transitory computer readable storage medium storing one or more sequences of instructions, which when executed by one or more processors, causes:
in response to receiving a request to execute an application, instantiating a virtual machine in which the application is to be executed, wherein instantiating said virtual machine is performed without receiving an explicit user instruction to instantiate said virtual machine, and wherein instantiating said virtual machine further comprises; identifying one or more templates for use in instantiating said virtual machine based on a policy that considers a type of activity whose execution is being requested by the request and a reputation of said application, wherein the one or more templates describe virtual machine characteristics configured for different types of activity, and wherein the one or more templates each reference a shared operating system image used to instantiate a plurality of operating system instances to each run in virtual machines created using the one or more templates; and after instantiating said virtual machine using said one or more templates, executing said application in said virtual machine.
7. A non-transitory computer readable storage medium storing one or more sequences of instructions, which when executed by one or more processors, causes:
in response to receiving a request to execute an application, instantiating a virtual machine in which the application is to be executed, wherein instantiating said virtual machine is performed without receiving an explicit user instruction to instantiate said virtual machine, and wherein instantiating said virtual machine further comprises; identifying one or more templates for use in instantiating said virtual machine based on a policy that considers a type of activity whose execution is being requested by the request, wherein the one or more templates describe virtual machine characteristics configured for different types of activity, and wherein the one or more templates each reference a shared operating system image used to instantiate a plurality of operating system instances to each run in virtual machines created using the one or more templates; after instantiating said virtual machine using said one or more templates, executing said application in said virtual machine; monitoring the behavior of said application during execution of said application in said virtual machine; and customizing at least one of the one or more templates based on the behavior of said application during execution of said application in said virtual machine.
8. A non-transitory computer readable storage medium storing one or more sequences of instructions, which when executed by one or more processors, causes:
in response to receiving a request to execute an application, instantiating a virtual machine in which the application is to be executed, wherein instantiating said virtual machine is performed without receiving an explicit user instruction to instantiate said virtual machine, and wherein instantiating said virtual machine further comprises; identifying one or more templates for use in instantiating said virtual machine based on a policy that considers a type of activity whose execution is being requested by the request, wherein the one or more templates describe virtual machine characteristics configured for different types of activity, and wherein the one or more templates each reference a shared operating system image used to instantiate a plurality of operating system instances to each run in virtual machines created using the one or more templates; after instantiating said virtual machine using said one or more templates, executing said application in said virtual machine; monitoring the behavior of said application during execution; and updating the policy based on the behavior of said application during execution of said application.
9. An apparatus, comprising:
one or more processors; and one or more non-transitory computer-readable storage mediums storing one or more sequences of instructions, which when executed, cause; in response to receiving a request to execute an application, instantiating a virtual machine in which the application is to be executed, wherein instantiating said virtual machine is performed without receiving an explicit user instruction to instantiate said virtual machine, and wherein instantiating said virtual machine further comprises; identifying one or more templates for use in instantiating said virtual machine based on a policy that considers a type of activity whose execution is being requested by the request and the provenance of the executable code for said application, wherein the one or more templates describe virtual machine characteristics configured for different types of activity, and wherein the one or more templates each reference a shared operating system image used to instantiate a plurality of operating system instances to each run in virtual machines created using the one or more templates; and after instantiating said virtual machine using said one or more templates, executing said application in said virtual machine.
Dependent claims: 10, 11
12. An apparatus, comprising:
one or more processors; and one or more non-transitory computer-readable storage mediums storing one or more sequences of instructions, which when executed, cause; in response to receiving a request to execute an application, instantiating a virtual machine in which the application is to be executed, wherein instantiating said virtual machine is performed without receiving an explicit user instruction to instantiate said virtual machine, and wherein instantiating said virtual machine further comprises; identifying one or more templates for use in instantiating said virtual machine based on a policy that considers a type of activity whose execution is being requested by the request, wherein the one or more templates describe virtual machine characteristics configured for different types of activity, and wherein the one or more templates each reference a shared operating system image used to instantiate a plurality of operating system instances to each run in virtual machines created using the one or more templates; and after instantiating said virtual machine using said one or more templates, executing said application in said virtual machine, wherein a firewall virtual machine provides said virtual machine access to a particular set of network resources available to said virtual machine, and wherein said firewall virtual machine implements a network access policy for a plurality of virtual machines on a physical device.
13. An apparatus, comprising:
one or more processors; and one or more non-transitory computer-readable storage mediums storing one or more sequences of instructions, which when executed, cause; in response to receiving a request to execute an application, instantiating a virtual machine in which the application is to be executed, wherein instantiating said virtual machine is performed without receiving an explicit user instruction to instantiate said virtual machine, and wherein instantiating said virtual machine further comprises; identifying one or more templates for use in instantiating said virtual machine based on a policy that considers a type of activity whose execution is being requested by the request and user input accompanying the request, wherein the one or more templates describe virtual machine characteristics configured for different types of activity, and wherein the one or more templates each reference a shared operating system image used to instantiate a plurality of operating system instances to each run in virtual machines created using the one or more templates; and after instantiating said virtual machine using said one or more templates, executing said application in said virtual machine.
14. An apparatus, comprising:
one or more processors; and one or more non-transitory computer-readable storage mediums storing one or more sequences of instructions, which when executed, cause; in response to receiving a request to execute an application, instantiating a virtual machine in which the application is to be executed, wherein instantiating said virtual machine is performed without receiving an explicit user instruction to instantiate said virtual machine, and wherein instantiating said virtual machine further comprises; identifying one or more templates for use in instantiating said virtual machine based on a policy that considers a type of activity whose execution is being requested by the request and a reputation of said application, wherein the one or more templates describe virtual machine characteristics configured for different types of activity, and wherein the one or more templates each reference a shared operating system image used to instantiate a plurality of operating system instances to each run in virtual machines created using the one or more templates; and after instantiating said virtual machine using said one or more templates, executing said application in said virtual machine.
15. An apparatus, comprising:
one or more processors; and one or more non-transitory computer-readable storage mediums storing one or more sequences of instructions, which when executed, cause; in response to receiving a request to execute an application, instantiating a virtual machine in which the application is to be executed, wherein instantiating said virtual machine is performed without receiving an explicit user instruction to instantiate said virtual machine, and wherein instantiating said virtual machine further comprises; identifying one or more templates for use in instantiating said virtual machine based on a policy that considers a type of activity whose execution is being requested by the request, wherein the one or more templates describe virtual machine characteristics configured for different types of activity, and wherein the one or more templates each reference a shared operating system image used to instantiate a plurality of operating system instances to each run in virtual machines created using the one or more templates; after instantiating said virtual machine using said one or more templates, executing said application in said virtual machine; monitoring the behavior of said application during execution of said application in said virtual machine; and customizing at least one of the one or more templates based on the behavior of said application during execution of said application in said virtual machine.
16. An apparatus, comprising:
one or more processors; and one or more non-transitory computer-readable storage mediums storing one or more sequences of instructions, which when executed, cause; in response to receiving a request to execute an application, instantiating a virtual machine in which the application is to be executed, wherein instantiating said virtual machine is performed without receiving an explicit user instruction to instantiate said virtual machine, and wherein instantiating said virtual machine further comprises; identifying one or more templates for use in instantiating said virtual machine based on a policy that considers a type of activity whose execution is being requested by the request, wherein the one or more templates describe virtual machine characteristics configured for different types of activity, and wherein the one or more templates each reference a shared operating system image used to instantiate a plurality of operating system instances to each run in virtual machines created using the one or more templates; after instantiating said virtual machine using said one or more templates, executing said application in said virtual machine; monitoring the behavior of said application during execution; and updating the policy based on the behavior of said application during execution of said application.
17. A method, comprising:
in response to receiving a request to execute an application, instantiating a virtual machine in which the application is to be executed, wherein instantiating said virtual machine is performed without receiving an explicit user instruction to instantiate said virtual machine, and wherein instantiating said virtual machine further comprises; identifying one or more templates for use in instantiating said virtual machine based on a policy that considers a type of activity whose execution is being requested by the request and the provenance of the executable code for said application, wherein the one or more templates describe virtual machine characteristics configured for different types of activity, and wherein the one or more templates each reference a shared operating system image used to instantiate a plurality of operating system instances to each run in virtual machines created using the one or more templates; and after instantiating said virtual machine using said one or more templates, executing said application in said virtual machine.
Dependent claims: 18, 19
20. A method, comprising:
in response to receiving a request to execute an application, instantiating a virtual machine in which the application is to be executed, wherein instantiating said virtual machine is performed without receiving an explicit user instruction to instantiate said virtual machine, and wherein instantiating said virtual machine further comprises; identifying one or more templates for use in instantiating said virtual machine based on a policy that considers a type of activity whose execution is being requested by the request, wherein the one or more templates describe virtual machine characteristics configured for different types of activity, and wherein the one or more templates each reference a shared operating system image used to instantiate a plurality of operating system instances to each run in virtual machines created using the one or more templates; and after instantiating said virtual machine using said one or more templates, executing said application in said virtual machine, wherein a firewall virtual machine provides said virtual machine access to a particular set of network resources available to said virtual machine, and wherein said firewall virtual machine implements a network access policy for a plurality of virtual machines on a physical device.
21. A method, comprising:
in response to receiving a request to execute an application, instantiating a virtual machine in which the application is to be executed, wherein instantiating said virtual machine is performed without receiving an explicit user instruction to instantiate said virtual machine, and wherein instantiating said virtual machine further comprises; identifying one or more templates for use in instantiating said virtual machine based on a policy that considers a type of activity whose execution is being requested by the request and user input accompanying the request, wherein the one or more templates describe virtual machine characteristics configured for different types of activity, and wherein the one or more templates each reference a shared operating system image used to instantiate a plurality of operating system instances to each run in virtual machines created using the one or more templates; and after instantiating said virtual machine using said one or more templates, executing said application in said virtual machine.
22. A method, comprising:
in response to receiving a request to execute an application, instantiating a virtual machine in which the application is to be executed, wherein instantiating said virtual machine is performed without receiving an explicit user instruction to instantiate said virtual machine, and wherein instantiating said virtual machine further comprises; identifying one or more templates for use in instantiating said virtual machine based on a policy that considers a type of activity whose execution is being requested by the request and a reputation of said application, wherein the one or more templates describe virtual machine characteristics configured for different types of activity, and wherein the one or more templates each reference a shared operating system image used to instantiate a plurality of operating system instances to each run in virtual machines created using the one or more templates; and after instantiating said virtual machine using said one or more templates, executing said application in said virtual machine.
23. A method, comprising:
in response to receiving a request to execute an application, instantiating a virtual machine in which the application is to be executed, wherein instantiating said virtual machine is performed without receiving an explicit user instruction to instantiate said virtual machine, and wherein instantiating said virtual machine further comprises; identifying one or more templates for use in instantiating said virtual machine based on a policy that considers a type of activity whose execution is being requested by the request, wherein the one or more templates describe virtual machine characteristics configured for different types of activity, and wherein the one or more templates each reference a shared operating system image used to instantiate a plurality of operating system instances to each run in virtual machines created using the one or more templates; after instantiating said virtual machine using said one or more templates, executing said application in said virtual machine; monitoring the behavior of said application during execution of said application in said virtual machine; and customizing at least one of the one or more templates based on the behavior of said application during execution of said application in said virtual machine.
24. A method, comprising:
in response to receiving a request to execute an application, instantiating a virtual machine in which the application is to be executed, wherein instantiating said virtual machine is performed without receiving an explicit user instruction to instantiate said virtual machine, and wherein instantiating said virtual machine further comprises; identifying one or more templates for use in instantiating said virtual machine based on a policy that considers a type of activity whose execution is being requested by the request, wherein the one or more templates describe virtual machine characteristics configured for different types of activity, and wherein the one or more templates each reference a shared operating system image used to instantiate a plurality of operating system instances to each run in virtual machines created using the one or more templates; after instantiating said virtual machine using said one or more templates, executing said application in said virtual machine; monitoring the behavior of said application during execution; and updating the policy based on the behavior of said application during execution of said application.
Specification