Generating child virtual machine to execute authorized application with reduced risk of malware attack
Abstract
When a predetermined application program becomes the target of execution on a virtual machine that is currently being executed, the virtual machine that is currently being executed is designated as a parent virtual machine, and a child virtual machine to execute the predetermined application program is generated by forking. The generated child virtual machine is configured not to execute any application program other than the predetermined application program. The parent virtual machine executes a dummy application program instead of the predetermined application program.
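The fork-and-isolate control flow summarised in the abstract, as an added toy model in Python (example code, not the patent's or any product's implementation): the detection unit fires when the protected application is scheduled, the generation unit forks a child from the parent's current state, and the execution control unit first checks which VM it is running in before either allowlisting the child's run queue or substituting the NOP dummy in the parent. Class and program names (`Hypervisor`, `VirtualMachine`, `payment_app`, `untrusted_tool`) are assumptions chosen for illustration.

```python
import copy
from dataclasses import dataclass, field

NOP_DUMMY = "nop_dummy"  # assumed name for the "repetition of a NOP" dummy program


@dataclass
class VirtualMachine:
    run_queue: list                  # programs the guest OS has scheduled, in order
    is_child: bool = False           # the marker the execution control unit inspects
    executed: list = field(default_factory=list)


class Hypervisor:
    def __init__(self, protected_app, allowed_group):
        self.protected_app = protected_app
        # the "specific group of programs": an allowlist that contains the app itself
        self.allowed_group = set(allowed_group) | {protected_app}

    def generate_child(self, parent):
        # VM generation unit: fork a child carrying the parent's current state
        child = copy.deepcopy(parent)
        child.is_child = True
        return child

    def schedule(self, vm, program):
        # execution detection unit: fires when the protected app is newly scheduled
        vm.run_queue.append(program)
        if program == self.protected_app and not vm.is_child:
            return self.generate_child(vm)
        return None

    def execution_control(self, vm):
        # execution control unit: first decides which VM it is running in
        if vm.is_child:
            # child: execute only the allowlisted group, drop everything else
            queue = [p for p in vm.run_queue if p in self.allowed_group]
        else:
            # parent: the protected app is replaced by the NOP dummy
            queue = [NOP_DUMMY if p == self.protected_app else p for p in vm.run_queue]
        vm.executed.extend(queue)
        vm.run_queue.clear()
        return list(vm.executed)


def run_scenario():
    # constructed scenario: a parent VM that already hosts an untrusted tool
    hv = Hypervisor("payment_app", allowed_group={"libc_loader"})
    parent = VirtualMachine(run_queue=["browser", "untrusted_tool", "libc_loader"])
    child = hv.schedule(parent, "payment_app")   # the fork happens here
    return hv.execution_control(parent), hv.execution_control(child)
```

Because the child is forked after the protected application is queued, the untrusted tool that was already resident in the parent never reaches the child's run queue, while the parent only ever sees the dummy.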
13 Claims
1. A virtual machine system comprising:
a processor; and
a hypervisor, executed on the processor, configured to cause the processor to control execution of a plurality of virtual machines, wherein the hypervisor includes:
an execution detection unit configured to detect when a predetermined application program is scheduled to be newly executed on a first virtual machine;
a virtual machine generation unit configured to generate, when the execution detection unit detects that the predetermined application program is scheduled to be newly executed on the first virtual machine, a second virtual machine for executing the predetermined application program, the second virtual machine being based on the first virtual machine; and
an execution control unit, the execution control unit configured to determine whether itself is included in the first virtual machine or the second virtual machine, the execution control unit, when determining that itself is included in the second virtual machine, configured to cause the processor to execute only a specific group of programs that includes the predetermined application program on the second virtual machine, and the execution control unit, when determining that itself is included in the first virtual machine, configured to cause the processor to execute a predetermined dummy program instead of the predetermined application program on the first virtual machine,
wherein the predetermined dummy program causes the processor to execute only tasks associated with the predetermined dummy program and no other tasks, and the specific group of programs includes only programs that do not include malware that attacks the predetermined application program, the dummy program includes a repetition of a NOP (No Operation), the first virtual machine and the second virtual machine each have an operating system, and the respective operating systems of the first and second virtual machine run concurrently, and the operating system of the second virtual machine performs execution and control of the predetermined application program, and the operating system of the first virtual machine performs execution and control of the predetermined dummy program.
(Dependent claims 2 to 10 are not reproduced here.)
11. A virtual machine control method for controlling a virtual machine system comprising a processor and a hypervisor, executed on the processor, configured to cause the processor to control execution of a plurality of virtual machines, the virtual machine control method comprising the steps of:
detecting, by the hypervisor, when a predetermined application program is scheduled to be newly executed on a first virtual machine;
generating, by the hypervisor, when the execution detection step detects that the predetermined application program is scheduled to be newly executed on the first virtual machine, a second virtual machine based on the first virtual machine, the second virtual machine being for executing the predetermined application program; and
performing execution control using a control unit, the control unit being configured to determine whether itself is included in the first virtual machine or the second virtual machine, the execution control by the control unit, when determining that itself is included in the second virtual machine, causing the processor to execute only a specific group of programs that includes the predetermined application program on the second virtual machine, and the execution control by the control unit, when determining itself is included in the first virtual machine, causing the processor to execute a predetermined dummy program instead of the predetermined application program on the first virtual machine,
wherein the predetermined dummy program causes the processor to execute only tasks associated with the predetermined dummy program and no other tasks, and the specific group of programs includes only programs that do not include malware that attacks the predetermined application program, the dummy program includes a repetition of a NOP (No Operation), the first virtual machine and the second virtual machine each have an operating system, and the respective operating systems of the first and second virtual machine run concurrently, and the operating system of the second virtual machine performs execution and control of the predetermined application program, and the operating system of the first virtual machine performs execution and control of the predetermined dummy program.
12. A non-transitory computer-readable recording medium storing a virtual machine control program for controlling a virtual machine system comprising a processor and a hypervisor, executed on the processor, configured to cause the processor to control execution of a plurality of virtual machines, the virtual machine control program causing a computer to perform steps comprising:
detecting, by the hypervisor, when a predetermined application program is scheduled to be newly executed on a first virtual machine;
generating, by the hypervisor, when the execution detection step detects that the predetermined application program is scheduled to be newly executed on the first virtual machine, a second virtual machine based on the first virtual machine, the second virtual machine being for executing the predetermined application program; and
performing execution control using a control unit, the control unit being configured to determine whether itself is included in the first virtual machine or the second virtual machine, the execution control by the control unit, when determining that itself is included in the second virtual machine, causing the processor to execute only a specific group of programs that includes the predetermined application program on the second virtual machine, and the execution control by the control unit, when determining itself is included in the first virtual machine, causing the processor to execute a predetermined dummy program instead of the predetermined application program on the first virtual machine,
wherein the predetermined dummy program causes the processor to execute only tasks associated with the predetermined dummy program and no other tasks, and the specific group of programs includes only programs that do not include malware that attacks the predetermined application program, the dummy program includes a repetition of a NOP (No Operation), the first virtual machine and the second virtual machine each have an operating system, and the respective operating systems of the first and second virtual machine run concurrently, and the operating system of the second virtual machine performs execution and control of the predetermined application program, and the operating system of the first virtual machine performs execution and control of the predetermined dummy program.
13. A semiconductor integrated circuit comprising:
a processor; and
a hypervisor, executed on the processor, configured to cause the processor to control execution of a plurality of virtual machines, wherein the hypervisor includes:
an execution detection unit configured to detect when a predetermined application program is scheduled to be newly executed on a first virtual machine;
a virtual machine generation unit configured to generate, when the execution detection unit detects that the predetermined application program is scheduled to be newly executed on the first virtual machine, a second virtual machine based on the first virtual machine, the second virtual machine being for executing the predetermined application program; and
an execution control unit, the execution control unit configured to determine whether itself is included in the first virtual machine or the second virtual machine, the execution control unit, when determining that itself is included in the second virtual machine, configured to cause the processor to execute only a specific group of programs that includes the predetermined application program on the second virtual machine, and the execution control unit, when determining that itself is included in the first virtual machine, configured to cause the processor to execute a predetermined dummy program instead of the predetermined application program on the first virtual machine,
wherein the predetermined dummy program causes the processor to execute only tasks associated with the predetermined dummy program and no other tasks, and the specific group of programs includes only programs that do not include malware that attacks the predetermined application program, the dummy program includes a repetition of a NOP (No Operation), the first virtual machine and the second virtual machine each have an operating system, and the respective operating systems of the first and second virtual machine run concurrently, and the operating system of the second virtual machine performs execution and control of the predetermined application program, and the operating system of the first virtual machine performs execution and control of the predetermined dummy program.
Specification