Systems and methods for securing virtual machine computing environments

US 9,165,137 B2
Filed: 08/18/2011
Issued: 10/20/2015
Est. Priority Date: 08/18/2010
Status: Active Grant

First Claim

Patent Images

1. A method for securing data, the method comprising:

receiving, by a hardware processor, a request for a security operation, to be performed by one of a plurality of security modules including a first security module and a second security module, from a first virtual machine operating in a host operating system of a first device;

in response to receiving the request;

determining whether the second security module implemented in a kernel of an operating system of the first virtual machine is available to execute the request;

selecting the first security module, implemented in a kernel of the host operating system, from the plurality of security modules in response to determining that the second security module is not available to execute the request; and

executing the security operation at the first security module; and

providing a result of the security operation to the first virtual machine.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are provided for securing data in virtual machine computing environments. A request is received for a security operation from a first virtual machine operating in a host operating system of a first device. In response to receiving the request, a first security module executes the security operation, the first security module implemented in a kernel of the host operating system. The result of the security operation is provided to the first virtual machine.

Citations

26 Claims

1. A method for securing data, the method comprising:
- receiving, by a hardware processor, a request for a security operation, to be performed by one of a plurality of security modules including a first security module and a second security module, from a first virtual machine operating in a host operating system of a first device;
  
  in response to receiving the request;
  
  determining whether the second security module implemented in a kernel of an operating system of the first virtual machine is available to execute the request;
  
  selecting the first security module, implemented in a kernel of the host operating system, from the plurality of security modules in response to determining that the second security module is not available to execute the request; and
  
  executing the security operation at the first security module; and
  
  providing a result of the security operation to the first virtual machine.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein the request from the first virtual machine is a request from an application running in the first virtual machine.
  - 3. The method of claim 2, wherein the request from the application running in the first virtual machine is a request for a security operation to be executed by the first security module.
  - 4. The method of claim 1, wherein executing the security operation at the first security module comprises generating a plurality of shares, wherein each of the plurality of shares contains a distribution of data from a data set.
  - 5. The method of claim 4, wherein executing the security operation at the first security module further comprises encrypting the data set.
  - 6. The method of claim 1, wherein the request for the security operation from the first virtual machine is a request for a security operation to be executed by the second security module implemented in the kernel of the operating system of the first virtual machine.
  - 7. The method of claim 6, wherein executing the security operation at the first security module comprises determining that the second security module is unable to execute the requested security operation.
  - 8. The method of claim 7, wherein executing the security operation at the first security module comprises receiving a request, at the first security module from the second security module, to execute the requested operation.
  - 9. The method of claim 6, wherein executing the security operation at the first security module comprises determining that the first security module is able to execute the requested security operation.
  - 10. The method of claim 1, wherein the request from the first virtual machine is a request to secure a communication between the first virtual and a second virtual machine.
  - 11. The method of claim 10, wherein the second virtual machine is operating in the host operating system of the first device.
  - 12. The method of claim 1, wherein executing this security operation of the first security module comprises calling a hardware accelerator from the kernel of the host operating system.
  - 13. The method of claim 1, wherein the first security module includes a secure parser.

14. A system for securing virtual machines, the system comprising:
- processing circuitry, including a hardware processor, configured to;
  
  execute a host operating system having a kernel;
  
  receive a request for a security operation, to be performed by one of a plurality of security modules including a first security module and a second security module, from a first virtual machine operating in the host operating system;
  
  in response to receiving the request;
  
  determine whether the second security module implemented in a kernel of an operating system of the first virtual machine is available to execute the request;
  
  select the first security module, implemented in the kernel of the host operating system, from the plurality of security modules in response to determining that the second security module is not available to execute the request; and
  
  execute the security operation at the first security module; and
  
  provide a result of the security operation to the first virtual machine.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 15. The system of claim 14, wherein the request from the first virtual machine is a request from an application running in the first virtual machine.
  - 16. The system of claim 15, wherein the request from the application running in the first virtual machine is a request for a security operation to be executed by the first security module.
  - 17. The system of claim 14, wherein executing the security operation at the first security module comprises generating a plurality of shares, wherein each of the plurality of shares contains a distribution of data from a data set.
  - 18. The system of claim 17, wherein executing the security operation at the first security module further comprises encrypting the data set.
  - 19. The system of claim 14, wherein the request for the security operation from the first virtual machine is a request for a security operation to be executed by the second security module implemented in the kernel of the operating system of the first virtual machine.
  - 20. The system of claim 19, wherein executing the security operation of the first security module comprises determining that the second security module is unable to execute the requested security operation.
  - 21. The system of claim 20, wherein executing the security operation at the first security module comprises receiving a request, at the first security module from the second security module, to execute the requested operation.
  - 22. The system of claim 19, wherein in executing the security operation at the first security module comprises determining that the first security module is able to execute the requested security operation.
  - 23. The system of claim 14, wherein the request from the first virtual machine if a request to secure a communication between the first virtual machine and the second virtual machine.
  - 24. The system of claim 23, wherein the second virtual machine is operating in the host operating system.
  - 25. The system of claim 14, wherein executing the security operation at the first security module comprises calling a hardware accelerator from the kernel of the host operating system.
  - 26. The system of claim 14, wherein the security module includes a secure parser.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Security First Innovations, LLC
Original Assignee
Security First Corp
Inventors
O'Hare, Mark S., Orsini, Rick L., Mumaugh, John Robert, Staker, Matt
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
BEHESHTI SHIRAZI, SAYED ARESH

Application Number

US13/212,360
Publication Number

US 20120179916A1
Time in Patent Office

1,524 Days
Field of Search

713/189, 713/100, 713/167, 713/170, 713/182, 713/193, 380/28, 380/201, 380/268, 380/279, 72/15
US Class Current

1/1
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 21/53   by executing in a restricte...

G06F 21/60   Protecting data

G06F 21/6281   at program execution time, ...

G06F 9/45558   Hypervisor-specific managem...

H04L 63/0823   using certificates cryptogr...

Systems and methods for securing virtual machine computing environments

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for securing virtual machine computing environments

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links