Enabling platform network stack control in a virtualization platform

US 20060070066A1
Filed: 09/30/2004
Published: 03/30/2006
Est. Priority Date: 09/30/2004
Status: Abandoned Application

First Claim

Patent Images

1. A system, comprising:

a virtualization platform capable of running a virtual machine monitor and a plurality of virtual machines, the virtual machine monitor to capture packets of information to be sent over a network by a process running in a virtual machine on the platform;

an encoder residing in a virtual machine to encode packets of information, the packets of information to be sent to a network interface card (NIC) via a network stack, wherein the encoder is communicatively coupled to a virtual network stack in the virtual machine running on the virtualization platform; and

a decoder to decode and verify the encoded packets of information, the decoder communicatively coupled to the NIC, wherein the NIC sends only verified decoded information packets and drops unverified information packets.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In some embodiments, the invention involves protecting network communications in a virtualized platform. An embodiment of the present invention is a system and method relating to protecting network communication flow using packet encoding/certification and the network stack. One embodiment uses a specialized engine or driver in the network stack to encode packets before being sent to physical network controller. The network controller may use a specialized driver to decode the packets, or have a hardware implementation of a decoder. If the decoded packet is certified, the packet is transmitted. Otherwise, the packet is dropped. An embodiment of the present invention utilizes virtualization architecture to implement the network communication paths. Other embodiments are described and claimed.

308 Citations

34 Claims

1. A system, comprising:
- a virtualization platform capable of running a virtual machine monitor and a plurality of virtual machines, the virtual machine monitor to capture packets of information to be sent over a network by a process running in a virtual machine on the platform;
  
  an encoder residing in a virtual machine to encode packets of information, the packets of information to be sent to a network interface card (NIC) via a network stack, wherein the encoder is communicatively coupled to a virtual network stack in the virtual machine running on the virtualization platform; and
  
  a decoder to decode and verify the encoded packets of information, the decoder communicatively coupled to the NIC, wherein the NIC sends only verified decoded information packets and drops unverified information packets.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system as recited in claim 1, wherein the encoder is a software agent coupled to the virtual network stack and the decoder is a software agent coupled to the network stack of the NIC.
  - 3. The system as recited in claim 1, wherein the encoder is a software agent coupled to the virtual network stack and the decoder is embodied in one of a decoder circuit on the NIC and firmware operatively coupled to the NIC.
  - 4. The system as recited in claim 3, wherein the decoder circuit decodes a received encoded packet of information and determines whether the decoded packet of information is verified before allowing the NIC to send the decoded information packet over the network.
  - 5. The system as recited in claim 1, further comprising at least one management partition running in a virtual machine on the platform, wherein the virtual network stack resides in the at least one management partition.
  - 6. The system as recited in claim 1, wherein the virtualization platform conforms to a virtualization architecture selected from a group of architectures consisting of host-based virtual machine monitor architecture, hypervisor architecture and hybrid hypervisor architecture.
  - 7. The system as recited in claim 1, wherein the virtualization platform comprises a host-based virtual machine monitor architecture, wherein at least one management partition runs in a virtual machine, the at least one management partition constructed to perform at least one management service, and wherein the virtualization platform further comprises at least one capability partition, each of the at least one capability partition to be run in a virtual machine, wherein the capability partition does not have direct access to the NIC.
  - 8. The system as recited in claim 7, wherein the at least one management service is selected from a group of services consisting of security patching, proxy services, intrusion detection, virtual private networking, firewall services, network address translation, network communication, and virtual device driver services.
  - 9. The system as recited in claim 1, wherein the decoder is constructed to accommodate at least one encoding format, wherein the encoder encodes the information packet using the at least one encoding format selected from a group of formats consisting of encryption, digital signature and digital encoding.
  - 10. The system as recited in claim 1, wherein the NIC is constructed to selectively accommodate one of a decoding mode and a pass-through mode.

11. A method for sending packets in a virtualization platform, comprising:
- sending a packet of information by an application running on the platform, the packet of information to be sent over a network, wherein the packet is sent to a first virtual network interface;
  
  capturing the packet of information by a management partition running in a first virtual machine on the platform;
  
  encoding a packet of information by an encoder residing in the management partition, the encoder communicatively coupled to a virtual network stack; and
  
  sending the encoded packet of information to a physical network interface, the physical network interface being capable of decoding and authenticating the encoded packet, the physical network interface being capable of sending authenticated packets and dropping unauthenticated packets.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 27, 28)
- - 12. The method as recited in claim 11, wherein the application runs in one of a second virtual machine and a host operating system partition.
  - 13. The method as recited in claim 11, wherein the virtualization platform comprises a virtualization architecture selected from a group of architectures consisting of host-based virtual machine monitor architecture, hypervisor architecture and hybrid hypervisor architecture.
  - 14. The method as recited in claim 11, wherein the management partition comprises a virtual machine monitor.
  - 15. The method as recited in claim 11, wherein the virtualization platform comprises a host-based virtual machine monitor architecture, wherein the management partition running in the first virtual machine is constructed to perform at least one management service, and wherein the virtualization platform further comprises at least one additional virtual machine, each of the at least one additional virtual machine, wherein an additional application runs in the additional virtual machine, wherein the applications running in respective virtual machines do not have direct access to the physical network interface.
  - 16. The method as recited in claim 15, wherein the at least one management service is selected from a group of services consisting of security patching, proxy services, intrusion detection, virtual private networking, firewall services, network address translation, network communication, and virtual device driver services.
  - 17. The method as recited in claim 11, wherein the decoding performed by the physical network interface accommodates at least one encoding format, wherein the encoding comprises encoding the information packet using the at least one encoding format selected from a group of formats consisting of encryption, digital signature and digital encoding.
  - 18. The method as recited in claim 11, wherein the decoding and authenticating of the encoded packet is performed by a software agent communicatively coupled to a network stack corresponding to the physical network interface.
  - 19. The method as recited in claim 11, wherein the decoding and authenticating of the encoded packet is performed by a circuit communicatively coupled to the physical network interface.
  - 20. The method as recited in claim 11, wherein the decoding and authenticating of the encoded packet is performed by firmware communicatively coupled to the physical network interface.
  - 21. The method as recited in claim 11, wherein encoding the information packet performs at least one encoding task selected from a group of encoding tasks consisting of encrypting, digitally signing and digitally encoding, wherein the physical network interface is constructed to decode the encoded information packet.
  - 22. The method as recited in claim 11, wherein the physical network interface is constructed to selectively accommodate one of a decoding mode and a pass-through mode.
  - 27. The machine accessible medium as recited in claim 11, wherein the virtualization platform comprises a host-based virtual machine monitor architecture, wherein the management partition running in the first virtual machine is constructed to perform at least one management service, and wherein the virtualization platform further comprises at least one additional virtual machine, each of the at least one additional virtual machine, wherein an additional application runs in the additional virtual machine, wherein the applications running in respective virtual machines do not have direct access to the physical network interface.
  - 28. The machine accessible medium as recited in claim 27, wherein the at least one management service is selected from a group of services consisting of security patching, proxy services, intrusion detection, virtual private networking, firewall services, network address translation, network communication, and virtual device driver services.

23. A machine accessible medium having instructions for sending packets in a virtualization platform, the instructions when accessed cause the machine to:
- send a packet of information by an application running on the platform, the packet of information to be sent over a network, wherein the packet is sent to a first virtual network interface;
  
  capture the packet of information by a management partition running in a first virtual machine on the platform;
  
  encode a packet of information by an encoder residing in the management partition, the encoder communicatively coupled to a virtual network stack; and
  
  send the encoded packet of information to a physical network interface, the physical network interface being capable of decoding and authenticating the encoded packet, the physical network interface being capable of sending authenticated packets and dropping unauthenticated packets.
- View Dependent Claims (24, 25, 26, 29, 30, 31, 32, 33, 34)
- - 24. The machine accessible medium as recited in claim 23, wherein the application runs in one of a second virtual machine and a host operating system partition.
  - 25. The machine accessible medium as recited in claim 23, wherein the virtualization platform comprises a virtualization architecture selected from a group of architectures consisting of host-based virtual machine monitor architecture, hypervisor architecture and hybrid hypervisor architecture.
  - 26. The machine accessible medium as recited in claim 23, wherein the management partition comprises a virtual machine monitor.
  - 29. The machine accessible medium as recited in claim 23, wherein the decoding performed by the physical network interface accommodates at least one encoding format, wherein the encoding comprises encoding the information packet using the at least one encoding format selected from a group of formats consisting of encryption, digital signature and digital encoding.
  - 30. The machine accessible medium as recited in claim 23, wherein the decoding and authenticating of the encoded packet is performed by a software agent communicatively coupled to a network stack corresponding to the physical network interface.
  - 31. The machine accessible medium as recited in claim 23, wherein the decoding and authenticating of the encoded packet is performed by a circuit communicatively coupled to the physical network interface.
  - 32. The machine accessible medium as recited in claim 23, wherein the decoding and authenticating of the encoded packet is performed by firmware communicatively coupled to the physical network interface.
  - 33. The machine accessible medium as recited in claim 23, wherein encoding the information packet performs at least one encoding task selected from a group of encoding tasks consisting of encrypting, digitally signing and digitally encoding, wherein the physical network interface is constructed to decode the encoded information packet.
  - 34. The machine accessible medium as recited in claim 23, wherein the physical network interface is constructed to selectively accommodate one of a decoding mode and a pass-through mode.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Grobman, Steven L.

Application Number

US10/954,905
Publication Number

US 20060070066A1
Time in Patent Office

Days
Field of Search
US Class Current

718/1
CPC Class Codes

H04L 63/12 Applying verification of th...

H04L 63/1441 Countermeasures against mal...

Enabling platform network stack control in a virtualization platform

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

308 Citations

34 Claims

Specification

Use Cases

Quick Links

Others

Enabling platform network stack control in a virtualization platform

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

308 Citations

34 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others