Systems and methods for securing virtual machine computing environments

US 9,529,998 B2
Filed: 06/24/2015
Issued: 12/27/2016
Est. Priority Date: 08/18/2010
Status: Active Grant

First Claim

Patent Images

1. A method for securing data, the method comprising:

receiving, using a hardware processor, a request for a security operation from a first virtual machine operating in a host operating system of a first device, wherein the security operation is to be performed by one or more of a plurality of security modules including a first security module implemented in a kernel of the host operating system and a second security module;

in response to receiving the request;

determining whether the second security module is available to execute the request;

selecting the first security module implemented in the kernel of the host operating system to execute the security operation in response to determining that the second security module is not available to execute the request; and

executing the security operation at the first security module implemented in the kernel of the host operating system andproviding a result of the security operation to the first virtual machine.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are provided for securing data in virtual machine computing environments. A request is received for a security operation from a first virtual machine operating in a host operating system of a first device. In response to receiving the request, a first security module executes the security operation, the first security module implemented in a kernel of the host operating system. The result of the security operation is provided to the first virtual machine.

Citations

27 Claims

1. A method for securing data, the method comprising:
- receiving, using a hardware processor, a request for a security operation from a first virtual machine operating in a host operating system of a first device, wherein the security operation is to be performed by one or more of a plurality of security modules including a first security module implemented in a kernel of the host operating system and a second security module;
  
  in response to receiving the request;
  
  determining whether the second security module is available to execute the request;
  
  selecting the first security module implemented in the kernel of the host operating system to execute the security operation in response to determining that the second security module is not available to execute the request; and
  
  executing the security operation at the first security module implemented in the kernel of the host operating system andproviding a result of the security operation to the first virtual machine.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein the request from the first virtual machine is a request from an application running in the first virtual machine.
  - 3. The method of claim 2, wherein the request from the application running in the first virtual machine is a request for a security operation to be executed by the first security module.
  - 4. The method of claim 1, wherein executing the security operation at the first security module comprises generating a plurality of shares, wherein each of the plurality of shares contains a distribution of data from a data set.
  - 5. The method of claim 4, wherein executing the security operation at the first security module further comprises encrypting the data set.
  - 6. The method of claim 1, wherein the request for the security operation from the first virtual machine is a request for a security operation to be executed by the second security module.
  - 7. The method of claim 1, wherein executing the security operation at the first security module comprises determining that the second security module is unable to execute the requested security operation.
  - 8. The method of claim 1, wherein executing the security operation at the first security module comprises receiving a request, at the first security module from the second security module, to execute the requested operation.
  - 9. The method of claim 1, wherein executing the security operation at the first security module comprises determining that the first security module is able to execute the requested security operation.
  - 10. The method of claim 1, wherein the request from the first virtual machine is a request to secure a communication between the first virtual and a second virtual machine.
  - 11. The method of claim 10, wherein the second virtual machine is operating in the host operating system of the first device.
  - 12. The method of claim 1, wherein executing this security operation of the first security module comprises calling a hardware accelerator from the kernel of the host operating system.
  - 13. The method of claim 1, wherein the first security module includes a secure parser.
  - 14. The method of claim 1, wherein executing the security operation at the first security module comprises:
    - determining whether one or more programmed conditions are satisfied; and
      
      selecting, based on the determining, the first security module from the plurality of security modules to perform the security operation.

15. A system for securing virtual machines, the system comprising:
- a processor including processor circuitry, the processor being configured to;
  
  execute a host operating system having a kernel;
  
  receive a request for a security operation, from a first virtual machine operating in the host operating system, wherein the security operation is to be performed by one or more of a plurality of security modules including a first security implemented in the kernel of the host operating system and a second security module;
  
  in response to receiving the request;
  
  determine whether the second security module is available to execute the request;
  
  select the first security module implemented in the kernel of the host operating system to execute the security operation in response to determining that the second security module is not available to execute the request; and
  
  execute the security operation at the first security module implemented in the kernel of the host operating system; and
  
  provide a result the security operation to the first virtual machine.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 16. The system of claim 15, wherein the request from the first virtual machine is a request from an application running in the first virtual machine.
  - 17. The system of claim 16, wherein the request from the application running in the first virtual machine is a request for a security operation to be executed by the first security module.
  - 18. The system of claim 15, wherein executing the security operation at the first security module comprises generating a plurality of shares, wherein each of the plurality of shares contains a distribution of data from a data set.
  - 19. The system of claim 18, wherein executing the security operation at the first security module further comprises encrypting the data set.
  - 20. The system of claim 15, wherein the request for the security operation from the first virtual machine is a request for a security operation to be executed by the second security module.
  - 21. The system of claim 15, wherein executing the security operation at the first security module comprises receiving a request, at the first security module from the second security module, to execute the requested operation.
  - 22. The system of claim 15, wherein executing the security operation at the first security module comprises determining that the first security module is able to execute the request security operation.
  - 23. The system of claim 15, wherein the request from the first virtual machine if a request to secure a communication between the first virtual machine and the second virtual machine.
  - 24. The system of claim 23, wherein the second virtual machine is operating in the host operating system.
  - 25. The system of claim 15, wherein executing the security operation at the first security module comprises calling a hardware accelerator from the kernel of the host operating system.
  - 26. The system of claim 15, wherein the security module includes a secure parser.
  - 27. The system of claim 15, wherein the processor is configured to execute the security operation at the first security module by:
    - determining whether one or more programmed conditions are satisfied; and
      
      selecting, based on the determining, the first security module from the plurality of security modules to perform the security operation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Security First Innovations, LLC
Original Assignee
Security First Corp
Inventors
O'Hare, Mark S., Orsini, Rick L., Mumaugh, John R., Staker, Matt
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
BEHESHTI SHIRAZI, SAYED ARESH

Application Number

US14/749,058
Publication Number

US 20150294115A1
Time in Patent Office

552 Days
Field of Search

726/11, 726/23, 713/164, 713/167, 713/168, 713/170, 713/189, 713/193, 380/268, 709/224, 709/313
US Class Current

1/1
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 21/53   by executing in a restricte...

G06F 21/60   Protecting data

G06F 21/6281   at program execution time, ...

G06F 9/45558   Hypervisor-specific managem...

H04L 63/0823   using certificates cryptogr...

Systems and methods for securing virtual machine computing environments

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for securing virtual machine computing environments

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links