System and method for security and privacy aware virtual machine checkpointing
Abstract
A checkpointing method for creating a file representing a restorable state of a virtual machine in a computing system, comprising identifying processes executing within the virtual machine that may store confidential data, and marking memory pages and files that potentially contain data stored by the identified processes; or providing an application programming interface for marking memory regions and files within the virtual machine that contain confidential data stored by processes; and creating a checkpoint file, by capturing memory pages and files representing a current state of the computing system, which excludes information from all of the marked memory pages and files.
20 Claims
1. A method of performing a checkpointing process within a virtual machine, comprising:
(a) identifying a set of memory pages comprising user space memory pages and kernel space memory pages occupied by at least one application executing under control of a hypervisor of the virtual machine;
(b) distinguishing a first subset of the set of memory pages comprising private user space memory pages and private kernel space memory pages occupied by the at least one application which represent private information from a second subset of the set of memory pages comprising the user space memory pages, and the kernel space memory pages occupied by the at least one application which do not represent the private information to the hypervisor; and
(c) persistently storing a checkpoint file representing a state of the hypervisor comprising the identifications of the second subset of the set of memory pages, substantially without the first subset of the set of memory pages.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11
12. A method for checkpointing a virtual machine, comprising performing, by a checkpointing process executing on the virtual machine under control of a hypervisor:
(a) pausing system calls and I/O requests from at least one application, complete or flush pending I/O operations, and zeroing out all I/O buffers after the completion of the I/O operations;
(b) identifying user space memory pages and kernel space memory locations of the at least one application, which contain private information and user space memory pages and kernel space memory locations of the at least one application that exclude private information;
(c) creating a checkpoint file comprising at least the user space memory pages and kernel space memory locations of the at least one application that exclude the private information, and which does not comprise the user space memory pages and kernel space memory locations which contain private information; and
(d) recommencing system calls and I/O requests from the at least one application.
Dependent claims: 13, 14, 15, 16, 17, 18, 19
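The order of operations in claim 12, as an added example rather than code from the patent: a toy C model in which `struct toy_vm`, `struct ckpt`, the page sizes and the sample secret are all constructed here. It shows why the I/O buffers are zeroed before saving: the secret sits both in a marked page and in a device buffer, and only scrubbing the buffer and skipping the page keeps it out of the checkpoint image.

```c
#include <stdint.h>
#include <string.h>
#define PAGE_SIZE 16            /* toy sizes, constructed for the example */
#define NPAGES    6
static const char SECRET[] = "pw=hunter2";   /* constructed sample secret */
struct toy_vm {                 /* hypothetical model, not a real hypervisor API */
    uint8_t pages[NPAGES][PAGE_SIZE];
    uint8_t is_private[NPAGES]; /* result of the marking / identification step */
    uint8_t io_buf[PAGE_SIZE];  /* device buffer; may hold a copy of private data */
    int     paused;
};
struct ckpt {                   /* what gets persisted */
    uint8_t  io_buf[PAGE_SIZE];
    uint32_t n, page_no[NPAGES];
    uint8_t  data[NPAGES][PAGE_SIZE];
};
static struct ckpt demo_ckpt;   /* filled by demo() */

/* Quiesce, scrub I/O buffers, save only non-private pages, resume. */
int checkpoint(struct toy_vm *vm, struct ckpt *c) {
    memset(c, 0, sizeof *c);
    vm->paused = 1;                            /* (a) pause syscalls and I/O     */
    memset(vm->io_buf, 0, sizeof vm->io_buf);  /* toy has no I/O in flight, so   */
    memcpy(c->io_buf, vm->io_buf, sizeof c->io_buf); /* flush is a no-op; zero   */
    for (uint32_t p = 0; p < NPAGES; p++) {
        if (vm->is_private[p]) continue;       /* (b),(c) private page: omit     */
        c->page_no[c->n] = p;                  /* keep the page identification   */
        memcpy(c->data[c->n++], vm->pages[p], PAGE_SIZE);
    }
    vm->paused = 0;                            /* (d) resume                     */
    return (int)c->n;
}

/* Byte search over the whole checkpoint image; 1 if the secret appears. */
int leaks_secret(const struct ckpt *c) {
    const uint8_t *b = (const uint8_t *)c;
    size_t len = sizeof SECRET - 1;
    for (size_t i = 0; i + len <= sizeof *c; i++)
        if (memcmp(b + i, SECRET, len) == 0) return 1;
    return 0;
}

/* Constructed scenario: the secret is in page 2 and in the I/O buffer. */
int demo(void) {
    struct toy_vm vm = { .is_private = { [2] = 1 } };
    memcpy(vm.pages[0], "public-config", 13);
    memcpy(vm.pages[2], SECRET, sizeof SECRET - 1);
    memcpy(vm.io_buf,   SECRET, sizeof SECRET - 1);
    return checkpoint(&vm, &demo_ckpt);
}
```

Removing the `memset` on `vm->io_buf` makes `leaks_secret` return 1 even though page 2 is still skipped, which is the leak path step (a) closes.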
20. A system for performing a checkpointing process within a virtual machine, comprising:
a memory configured to store memory pages of a virtual machine controlled having a hypervisor controlling execution of at least one application;
the hypervisor controlling execution of a set of checkpointing processes, comprising;
(a) a process to identify a set of memory pages comprising user space memory pages and kernel space memory pages occupied by at least one application executing under control of a hypervisor of the virtual machine;
(b) a process to distinguish a first subset of the set of memory pages comprising private user space memory pages and private kernel space memory pages occupied by the at least one application which represent private information from a second subset of the set of memory pages comprising the user space memory pages, and the kernel space memory pages occupied by the at least one application which do not represent the private information to the hypervisor;
(c) a process to persistently store a checkpoint file representing a state of the hypervisor comprising the identifications of the second subset of the set of memory pages, substantially without the first subset of the set of memory pages.