System and method for security and privacy aware virtual machine checkpointing

US 9,552,495 B2
Filed: 06/29/2015
Issued: 01/24/2017
Est. Priority Date: 10/01/2012
Status: Active Grant

First Claim

Patent Images

1. A method of preventing restoration of private information from a checkpoint creation within a virtual machine, comprising:

(a) identifying all memory occupied by data from at least one application executing under control of a hypervisor of the virtual machine in a memory space of a computer, with a guest process;

(b) determining inter-process dependencies with the guest process;

(c) identifying kernel state memory pages which represent an internal kernel state of a kernel;

(d) upon initiation of checkpoint creation, requesting from the guest process the identified physical identifying memory addresses of the memory pages that belong to the at least one of;

memory pages that belong to the at least one application, by the guest process,memory pages the belong to processes that depend on the at least one application based on the determined inter-process dependencies, by the guest process, andkernel state memory pages, and providing the requested identified physical memory addresses of the memory pages that belong to the at least one application to the hypervisor;

(e) at least one of obscuring and segregating at least a portion of information in the memory pages corresponding to the received identification of the memory addresses;

(f) persistently storing a checkpoint file representing a state of the hypervisor with the at least a portion of the memory pages corresponding to the received identification of the memory addresses at least one of obscured and segregated; and

(g) restoring a prior state of the hypervisor from the persistently stored checkpoint file, wherein the restored prior state of the hypervisor is sufficient to resume operation of the virtual machine, other than the at least one application and the processes that depend on the at least one application.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A checkpointing method for creating a file representing a restorable state of a virtual machine in a computing system, comprising identifying processes executing within the virtual machine that may store confidential data, and marking memory pages and files that potentially contain data stored by the identified processes; or providing an application programming interface for marking memory regions and files within the virtual machine that contain confidential data stored by processes; and creating a checkpoint file, by capturing memory pages and files representing a current state of the computing system, which excludes information from all of the marked memory pages and files.

1760 Citations

20 Claims

1. A method of preventing restoration of private information from a checkpoint creation within a virtual machine, comprising:
- (a) identifying all memory occupied by data from at least one application executing under control of a hypervisor of the virtual machine in a memory space of a computer, with a guest process;
  
  (b) determining inter-process dependencies with the guest process;
  
  (c) identifying kernel state memory pages which represent an internal kernel state of a kernel;
  
  (d) upon initiation of checkpoint creation, requesting from the guest process the identified physical identifying memory addresses of the memory pages that belong to the at least one of;
  
  memory pages that belong to the at least one application, by the guest process,memory pages the belong to processes that depend on the at least one application based on the determined inter-process dependencies, by the guest process, andkernel state memory pages, and providing the requested identified physical memory addresses of the memory pages that belong to the at least one application to the hypervisor;
  
  (e) at least one of obscuring and segregating at least a portion of information in the memory pages corresponding to the received identification of the memory addresses;
  
  (f) persistently storing a checkpoint file representing a state of the hypervisor with the at least a portion of the memory pages corresponding to the received identification of the memory addresses at least one of obscured and segregated; and
  
  (g) restoring a prior state of the hypervisor from the persistently stored checkpoint file, wherein the restored prior state of the hypervisor is sufficient to resume operation of the virtual machine, other than the at least one application and the processes that depend on the at least one application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method according to claim 1, wherein the virtual machine has a user space which supports user processes and a kernel space which supports kernel processes, and wherein all user space processes within the virtual machine are frozen, except the guest process, between the initiation of the checkpoint creation and said persistently storing the checkpoint file.
  - 3. The method according to claim 1, wherein the inter-process dependencies comprise information in teletype (TTY) buffers, socket buffers, pipe buffers, and first-in first-out (FIFO) buffers.
  - 4. The method according to claim 1, wherein a process container is provided to encapsulate all memory pages and files associated with the at least one application, wherein the memory pages within the process container are excluded from the checkpoint file.
  - 5. The method according to claim 1, wherein a process container is provided to encapsulate all memory pages and files associated with a respective at least one application, wherein the memory pages and files within the process container are separately stored within a respective checkpoint file.
  - 6. The method according to claim 1, wherein the checkpoint file is encrypted.
  - 7. The method according to claim 1, further comprising determining the inter-process dependencies for the at least one application executing within the virtual machine by a static analysis.
  - 8. The method according to claim 1, further comprising determining the inter-process dependencies for a plurality of applications executing within the virtual machine by static analysis and dynamic analysis.
  - 9. The method according to claim 1, further comprising determining a status of a communication of the at least one application, and deferring initiation of checkpoint creation with respect to the at least one application until completion of the communication.
  - 10. The method according to claim 1, further comprising:
    - communicating a message to the at least one application prior to initiation of checkpoint creation;
      
      assuming a safe state by the at least one application, in which confidential information is removed from the memory pages within the persistently stored checkpoint file; and
      
      wherein said restoring a prior state of the hypervisor comprises reverting the at least one application to a normal operation state absent the removed confidential information.
  - 11. The method according to claim 10, further comprising:
    - after restoring the prior state of the virtual machine from the persistently stored checkpoint file informing the at least one application that the virtual machine is restored.
  - 12. The method according to claim 1, further comprising, before persistently storing the checkpoint file:
    - initiating a checkpointing process;
      
      sanitizing kernel space memory by pausing system calls and I/O requests from the at least one application by the kernel;
      
      completing or flushing any pending I/O operations of the at least one application; and
      
      removing data from all I/O buffers after the completion of the I/O operations.
  - 13. The method according to claim 1, further comprising:
    - (a) monitoring an input-output data stream communication from non-program memory sources during a computing session, and storing a series of states representing activities of the at least one application with respect to respective associated input-output data stream communications;
      
      (b) an least one of searching and cross correlating the checkpoint file with data from the monitored input-output data stream communication;
      
      (c) tagging instances of data within the checkpoint file based on a match or cross correlation of portions of the checkpoint file with data from the monitored input-output data stream communication; and
      
      (d) restoring the virtual machine to substantially resume operation, based on the persistently stored checkpoint file, wherein a state of the at least one application is rolled back to a state prior to a respective monitored input-output data stream communication.

14. A method of preserving privacy of information during a checkpoint restoration process of a virtual machine, comprising:
- (a) monitoring an input-output data stream communication from non-program memory sources during a computing session prior to creation of a checkpoint file, and storing data representing a series of states representing activities of at least one application executing on the virtual machine with respect to their associated input-output data stream communications;
  
  (b) at least one of searching and cross correlating a created checkpoint file with the data from the monitored input-output data stream communication;
  
  (c) tagging instances of data within the created checkpoint file based on at least one of a match and a cross correlation of portions of the created checkpoint file with the data from the monitored input-output data stream communication; and
  
  (d) restoring the virtual machine to substantially resume operation, based on the created checkpoint file, wherein a state of the at least one application is rolled back to a state prior to a respective monitored input-output data stream communication based on at least the tagged instances of data.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The method according to claim 14, wherein a process container is provided to encapsulate all memory pages and files associated with the at least one application, wherein the memory pages within the process container are at least one of excluded from and obscured within, the checkpoint file.
  - 16. The method according to claim 14, further comprising:
    - determining inter-process dependencies for the at least one application executing within the virtual machine by static analysis and dynamic analysis; and
      
      tagging at least a portion of instances of data within the created checkpoint file dependent on the inert-process dependencies.
  - 17. The method according to claim 14, further comprising determining a status of a communication of the at least one application, and deferring a creation of the checkpoint file with respect to the at least one application until completion of the communication.
  - 18. The method according to claim 14, further comprising:
    - prior to creation of the checkpoint file;
      
      communicating a message to the at least one application;
      
      assuming a safe state by the at least one application, in which private information is removed from the memory pages which are to be captured within the created checkpoint file;
      
      sanitizing kernel space memory by pausing system calls and I/O requests from the at least one application by the kernel;
      
      at least one of completing and flushing any pending I/O operations of the at least one application; and
      
      removing data from all I/O buffers after the completion of the I/O operations;
      
      creating the checkpoint file; and
      
      after creating the checkpoint file;
      
      reverting the at least one application to a normal operation state;
      
      restoring an operation state of the virtual machine from the checkpoint file; and
      
      informing the at least one application that the virtual machine is restored from a checkpoint file.

19. A method of checkpoint creation by a hypervisor of a virtual machine having at least one transaction processing application executing in the virtual machine under control of the hypervisor, comprising:
- (a) identifying memory pages occupied by;
  
  (i) data from the at least one application, by a guest process;
  
  (ii) data from processes having inter-process dependencies with the at least one application, by the guest process; and
  
  (iii) data which represents an internal kernel state of a kernel;
  
  (b) at least one of obscuring and segregating at least a portion of information in the identified memory pages representing data associated with particular user sessions of use of the at least one application;
  
  (c) persistently storing a checkpoint file representing a state of the virtual machine with the at least a portion of the memory pages corresponding to the received identification of the memory pages at least one of obscured and segregated; and
  
  (d) restoring a prior state of the virtual machine from the persistently stored checkpoint file, wherein the restored prior state of the hypervisor is sufficient to resume operation of the virtual machine, other than the particular user sessions of use of the at least one application.
- View Dependent Claims (20)
- - 20. The method according to claim 19, further comprising, prior to identifying the memory pages:
    - assuming a safe state by the at least one application, in which data associated with user sessions of use of the at least one application is removed from the memory pages;
      
      sanitizing kernel space pages by pausing system calls and I/O requests from the at least one application by the kernel;
      
      at least one of completing and flushing any pending I/O operations of the at least one application; and
      
      removing data from all I/O buffers after the completion of the I/O operations.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
The Research Foundation for The State University of New York (State University of New York)
Original Assignee
The Research Foundation for The State University of New York (State University of New York)
Inventors
Yang, Ping, Gopalan, Kartik
Primary Examiner(s)
SUN, SCOTT C

Application Number

US14/753,800
Publication Number

US 20150317491A1
Time in Patent Office

575 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 11/1407   Checkpointing the instructi...

G06F 11/1451   by selection of backup cont...

G06F 16/128   Details of file system snap...

G06F 16/13   File access structures, e.g...

G06F 2009/45583   Memory management, e.g. acc...

G06F 2009/45587   Isolation or security of vi...

G06F 21/53   by executing in a restricte...

G06F 21/6245   Protecting personal data, e...

G06F 21/79   in semiconductor storage me...

G06F 2201/84   Using snapshots, i.e. a log...

G06F 3/0619   in relation to data integri...

G06F 3/065   Replication mechanisms

G06F 3/067   Distributed or networked st...

G06F 9/45558   Hypervisor-specific managem...

System and method for security and privacy aware virtual machine checkpointing

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

1760 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for security and privacy aware virtual machine checkpointing

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

1760 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links