Generating child virtual machine to execute authorized application with reduced risk of malware attack

US 9,460,270 B2
Filed: 02/21/2012
Issued: 10/04/2016
Est. Priority Date: 04/27/2011
Status: Active Grant

First Claim

Patent Images

1. A virtual machine system comprising:

a processor; and

a hypervisor, executed on the processor, configured to cause the processor to control execution of a plurality of virtual machines, wherein the hypervisor includes;

an execution detection unit configured to detect when a predetermined application program is scheduled to be newly executed on a first virtual machine;

a virtual machine generation unit configured to generate, when the execution detection unit detects that the predetermined application program is scheduled to be newly executed on the first virtual machine, a second virtual machine for executing the predetermined application program, the second virtual machine being based on the first virtual machine; and

an execution control unit, the execution control unit configured to determine whether itself is included in the first virtual machine or the second virtual machine, the execution control unit, when determining that itself is included in the second virtual machine, configured to cause the processor to execute only a specific group of programs that includes the predetermined application program on the second virtual machine, and the execution control unit, when determining that itself is included in the first virtual machine, configured to cause the processor to execute a predetermined dummy program instead of the predetermined application program on the first virtual machine,wherein the predetermined dummy program causes the processor to execute only tasks associated with the predetermined dummy program and no other tasks, and the specific group of programs includes only programs that do not include malware that attacks the predetermined application program,the dummy program includes a repetition of a NOP (No Operation),the first virtual machine and the second virtual machine each have an operating system, and the respective operating systems of the first and second virtual machine run concurrently, andthe operating system of the second virtual machine performs execution and control of the predetermined application program, and the operating system of the first virtual machine performs execution and control of the predetermined dummy program.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

When a predetermined application program becomes the target of execution on a virtual machine that is currently being executed, the virtual machine that is currently being executed is designated as a parent virtual machine, and a child virtual machine to execute the predetermined application program is generated by forking. The generated child virtual machine is configured not to execute any application program other than the predetermined application program. The parent virtual machine executes a dummy application program instead of the predetermined application program.

13 Citations

View as Search Results

13 Claims

1. A virtual machine system comprising:
- a processor; and
  
  a hypervisor, executed on the processor, configured to cause the processor to control execution of a plurality of virtual machines, wherein the hypervisor includes;
  
  an execution detection unit configured to detect when a predetermined application program is scheduled to be newly executed on a first virtual machine;
  
  a virtual machine generation unit configured to generate, when the execution detection unit detects that the predetermined application program is scheduled to be newly executed on the first virtual machine, a second virtual machine for executing the predetermined application program, the second virtual machine being based on the first virtual machine; and
  
  an execution control unit, the execution control unit configured to determine whether itself is included in the first virtual machine or the second virtual machine, the execution control unit, when determining that itself is included in the second virtual machine, configured to cause the processor to execute only a specific group of programs that includes the predetermined application program on the second virtual machine, and the execution control unit, when determining that itself is included in the first virtual machine, configured to cause the processor to execute a predetermined dummy program instead of the predetermined application program on the first virtual machine,wherein the predetermined dummy program causes the processor to execute only tasks associated with the predetermined dummy program and no other tasks, and the specific group of programs includes only programs that do not include malware that attacks the predetermined application program,the dummy program includes a repetition of a NOP (No Operation),the first virtual machine and the second virtual machine each have an operating system, and the respective operating systems of the first and second virtual machine run concurrently, andthe operating system of the second virtual machine performs execution and control of the predetermined application program, and the operating system of the first virtual machine performs execution and control of the predetermined dummy program.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The virtual machine system of claim 1, wherein when generating the new second virtual machine based on the first virtual machine, the virtual machine generation unit allocates a memory area to the second virtual machine by forking based on a memory area allocated to the first virtual machine.
  - 3. The virtual machine system of claim 2, wherein the hypervisor further includes a virtual machine scheduling unit configured to switch a target of execution by the processor from the first virtual machine to the second virtual machine when execution of the predetermined dummy program starts on the first virtual machine, which is being executed by the processor.
  - 4. The virtual machine system of claim 3, wherein the virtual machine scheduling unit switches the target of execution by the processor from the second virtual machine to the first virtual machine when execution of the predetermined application program on the second virtual machine, which is being executed by the processor, terminates.
  - 5. The virtual machine system of claim 4, wherein the hypervisor further includes a virtual machine deletion unit configured to delete the second virtual machine after the virtual machine scheduling unit switches the target of execution by the processor from the second virtual machine to the first virtual machine when execution of the predetermined application program on the second virtual machine, which is being executed by the processor, terminates.
  - 6. The virtual machine system of claim 5, wherein the execution control unit of each virtual machine includes a multitask execution control unit configured to cause the processor to control execution of a program with a multitask execution control method using a time slice, the multitask execution control unit of the first virtual machine allocates, to the predetermined dummy program, a time slice that is the same as a time slice allocated to the predetermined application program when the execution control unit of the first virtual machine, which is being executed by the processor causes the processor to execute the predetermined dummy program instead of the predetermined application program, andthe virtual machine scheduling unit switches the target of execution by the processor from the second virtual machine to the first virtual machine when the second virtual machine is being executed after the time slice allocated to the predetermined dummy program elapses from when the execution of the predetermined dummy program starts on the first virtual machine.
  - 7. The virtual machine system of claim 6, wherein the hypervisor further includes a child virtual machine notification unit configured to notifythe execution control unit of the second virtual machine, when the virtual machine generation unit executed by the processor generates the second virtual machine, that the second virtual machine is a child virtual machine, and the execution control unit of the second virtual machine includes an execution start unit configured to cause the processor to start up the predetermined application program on the second virtual machine upon receipt of notification from the child virtual machine notification unit that the second virtual machine is a child virtual machine.
  - 8. The virtual machine system of claim 7, wherein each of the plurality of virtual machines whose execution is controlled by the processor includes a notification unit, the notification unit of the first virtual machine configured to detect when the predetermined application program is scheduled to be newly executed on the first virtual machine and to notify the execution detection unit that the predetermined application program is scheduled to be newly executed on the first virtual machine, andthe execution detection unit detects that the predetermined application program is scheduled to be newly executed on the first virtual machine when the notification unit of the firstvirtual machine notifies the execution detection unit that the predetermined application program is scheduled to be newly executed on the first virtual machine.
  - 9. The virtual machine system of claim 7, wherein each of the plurality of virtual machines whose execution is controlled by the processor includes a dummy program execution start notification unit, the dummy program execution start notification unit of the first virtual machine configured to notify the virtual machine scheduling unit that the processor has started execution of the predetermined dummy program on the first virtual machine when the processor starts execution of the predetermined dummy program on the first virtual machine, andthe virtual machine scheduling unit detects that execution of the predetermined dummy program has started on the first virtual machine when the dummy program execution start notification unit of the first virtual machine notifies the virtual machine scheduling unit that the processor has started execution of the predetermined dummy program on the first virtual machine.
  - 10. The virtual machine system of claim 7, wherein each of the plurality of virtual machines whose execution is controlled by the processor includes an execution termination notification unit, the execution termination notification unit of the second virtual machine configured to notify the virtual machine scheduling unit that execution of the predetermined application program on the second virtual machine has terminated when execution of the predetermined application program on the second virtual machine terminates, andthe virtual machine scheduling unit detects that execution of the predetermined application program has terminated on the second virtual machine when the execution termination notification unit of the second virtual machine notifies the virtual machine scheduling unit that execution of the predetermined application program on the second virtual machine has terminated.

11. A virtual machine control method for controlling a virtual machine system comprising a processor and a hypervisor, executed on the processor, configured to cause the processor to control execution of a plurality of virtual machines, the virtual machine control method comprising the steps of:
- detecting, by the hypervisor, when a predetermined application program is scheduled to be newly executed on a first virtual machine;
  
  generating, by the hypervisor, when the execution detection step detects that the predetermined application program is scheduled to be newly executed on the first virtual machine, a second virtual machine based on the first virtual machine, the second virtual machine being for executing the predetermined application program; and
  
  performing execution control using a control unit, the control unit being configured to determine whether itself is included in the first virtual machine or the second virtual machine, the execution control by the control unit, when determining that itself is included in the second virtual machine, causing the processor to execute only a specific group of programs that includes the predetermined application program on the second virtual machine, and the execution control by the control unit, when determining itself is included in the first virtual machine, causing the processor to execute a predetermined dummy program instead of the predetermined application program on the first virtual machine,wherein the predetermined dummy program causes the processor to execute only tasks associated with the predetermined dummy program and no other tasks, and the specific group of programs includes only programs that do not include malware that attacks the predetermined application program,the dummy program includes a repetition of a NOP (No Operation),the first virtual machine and the second virtual machine each have an operating system, and the respective operating systems of the first and second virtual machine run concurrently, and the operating system of the second virtual machine performs execution and control of the predetermined application program, and the operating system of the first virtual machine performs execution and control of the predetermined dummy program.

12. A non-transitory computer-readable recording medium storing a virtual machine control program for controlling a virtual machine system comprising a processor and a hypervisor, executed on the processor, configured to cause the processor to control execution of a plurality of virtual machines, the virtual machine control program causing a computer to perform steps comprising:
- detecting, by the hypervisor, when a predetermined application program is scheduled to be newly executed on a first virtual machine;
  
  generating, by the hypervisor, when the execution detection step detects that the predetermined application program is scheduled to be newly executed on the first virtual machine, a second virtual machine based on the first virtual machine, the second virtual machine being for executing the predetermined application program; and
  
  performing execution control using a control unit, the control unit being configured to determine whether itself is included in the first virtual machine or the second virtual machine, the execution control by the control unit, when determining that itself is included in the second virtual machine, causing the processor to execute only a specific group of programs that includes the predetermined application program on the second virtual machine, and the execution control by the control unit, when determining itself is included in the first virtual machine, causing the processor to execute a predetermined dummy program instead of the predetermined application program on the first virtual machine,wherein the predetermined dummy program causes the processor to execute only tasks associated with the predetermined dummy program and no other tasks, and the specific group of programs includes only programs that do not include malware that attacks the predetermined application program,the dummy program includes a repetition of a NOP (No Operation),the first virtual machine and the second virtual machine each have an operating system, and the respective operating systems of the first and second virtual machine run concurrently, andthe operating system of the second virtual machine performs execution and control of the predetermined application program, and the operating system of the first virtual machine performs execution and control of the predetermined dummy program.

13. A semiconductor integrated circuit comprising:
- a processor; and
  
  a hypervisor, executed on the processor, configured to cause the processor to control execution of a plurality of virtual machines, wherein the hypervisor includes;
  
  an execution detection unit configured to detect when a predetermined application program is scheduled to be newly executed on a first virtual machine;
  
  a virtual machine generation unit configured to generate, when the execution detection unit detects that the predetermined application program is scheduled to be newly executed on the first virtual machine, a second virtual machine based on the first virtual machine, the second virtual machine being for executing the predetermined application program; and
  
  an execution control unit, the execution control unit configured to determine whether itself is included in the first virtual machine or the second virtual machine, the execution control unit, when determining that itself is included in the second virtual machine, configured to cause the processor to execute only a specific group of programs that includes the predetermined application program on the second virtual machine, and the execution control unit, when determining that itself is included in the first virtual machine, configured to cause the processor to execute a predetermined dummy program instead of the predetermined application program on the first virtual machine,wherein the predetermined dummy program causes the processor to execute only tasks associated with the predetermined dummy program and no other tasks, and the specific group of programs includes only programs that do not include malware that attacks the predetermined application program,the dummy program includes a repetition of a NOP (No Operation),the first virtual machine and the second virtual machine each have an operating system, and the respective operating systems of the first and second virtual machine run concurrently, andthe operating system of the second virtual machine performs execution and control of the predetermined application program, and the operating system of the first virtual machine performs execution and control of the predetermined dummy program.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sun Patent Trust
Original Assignee
Panasonic Intellectual Property Corporation of America (Panasonic Holdings Corporation)
Inventors
Amano, Katsushige, Saito, Masahiko
Primary Examiner(s)
An, Meng
Assistant Examiner(s)
TEETS, BRADLEY A

Application Number

US13/807,202
Publication Number

US 20130097603A1
Time in Patent Office

1,687 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 21/00   Security arrangements for p...

G06F 21/53   by executing in a restricte...

G06F 21/566   Dynamic detection, i.e. det...

G06F 9/45533   Hypervisors; Virtual machin...

G06F 9/4843   by program, e.g. task dispa...

Generating child virtual machine to execute authorized application with reduced risk of malware attack

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

13 Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Generating child virtual machine to execute authorized application with reduced risk of malware attack

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

13 Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links