Patent Grant
8381284
This disclosure relates in general to the field of security and, more particularly, to enforcing security policies in a virtual environment.
The field of network security has become increasingly important in today's society. In particular, the ability to effectively protect computers and systems presents a significant obstacle for component manufacturers, system designers, and network operators. This obstacle is made even more difficult due to the plethora of new security threats, which seem to evolve daily. Virtualization is a software technology allowing an operating system to run unmodified on an isolated virtual environment (typically referred to as a virtual machine), where a platform's physical characteristics and behaviors are reproduced. More specifically, a virtual machine can represent an isolated, virtual environment (lying on top of a host operating system (OS)) and equipped with virtual hardware (processor, memory, disks, network interfaces, etc.). Commonly, the virtual machine is managed by a virtualization product. A virtual machine monitor (VMM) is the virtualization software layer that manages hardware requests from a guest OS (e.g., simulating answers from real hardware). A hypervisor is computer software/hardware platform virtualization software that allows multiple operating systems to run on a host computer concurrently. Both Xen and Hypervisor represent forms of VMMs and these VMMs can be exploited to better protect computers and systems from emerging security threats.
To provide a more complete understanding of the present disclosure and features and advantages thereof, reference is made to the following description, taken in conjunction with the accompanying figures, wherein like reference numerals represent like parts, in which:
Overview
A method in one example implementation includes intercepting a request associated with an execution of an object (e.g., a kernel module or a binary) in a computer configured to operate in a virtual machine environment. The request for the execution is associated with a privileged domain of the computer that operates logically below one or more operating systems. The method also includes verifying an authorization of the object by computing a checksum for the object and comparing the checksum to a plurality of stored checksums in a memory element. The method further includes denying the execution of the object if it is not authorized. In other embodiments, the method can include evaluating a plurality of entries within the memory element of the computer, wherein the entries include authorized binaries and kernel modules. In other embodiments, the method can include intercepting an attempt from a remote computer to execute code from a previously authorized binary, and evaluating an origination address of a hypercall associated with the code before executing the code.
Example Embodiments
For purposes of illustrating the techniques of system 10, it is important to understand the activities occurring within a given virtual system. The following foundational information may be viewed as a basis from which the present disclosure may be properly explained. Such information is offered earnestly for purposes of explanation only and, accordingly, should not be construed in any way to limit the broad scope of the present disclosure and its potential applications. Virtual machine monitors (e.g., Xen and HyperV) are hypervisors that currently fail to offer an interface to the end user to properly manage virtual machines and guest operating system (OS) instances. As used herein in this Specification, the term ‘virtual machine element’ is meant to include any such hypervisors, or other devices that operate in a virtual environment. It should also be noted that these hypervisor's fail to offer suitable device drivers. Both of the above functionalities are commonly provided by a special privileged domain/partition. Generally, these privileged domains can host device drivers and, further, provide an interface for managing virtual machine monitor 16 and guest OS instances.
Any grant of special privileges to a particular domain poses security risks for other guest OS instances. A compromised privileged domain can readily degrade the security of all guest OS instances running on a computer. In essence, hypervisors and privileged domains can unknowingly engender new attack vectors that are not adequately protected by current security solutions. System 10 offers a viable architecture to thwart these new categories of attacks, as well as other security risks presented to a given computer.
Consider a first example in which some type of malware is attempting to run a kernel module, which is not authorized. A hypercall is a function that is generally used by a kernel module to interact with a virtual machine. For example, a hypercall could be used by the kernel module to access specific areas of a given machine. The hypercall can shut down the virtual machine and, in a worst-case scenario, control all the other virtual machines to which it can communicate. Thus, the ability of certain code (e.g., in the form of a hypercall) to enter a certain space and to improperly manipulate the system is problematic.
The primary attack vectors that can compromise a privileged domain include: 1) execution of an unauthorized user binary (malware/virus)/kernel module; 2) execution of a vulnerable authorized binary; and 3) execution of unauthorized hypercalls. System 10 can be used to enforce security policies in the privileged domain. The present disclosure is directed towards securing privileged domains/partitions. In certain embodiments, the current disclosure works by inserting a security layer in the Domain 0 kernel, which protects: 1) against execution of unauthorized user space binaries/kernel module; and 2) against execution of vulnerable authorized binary.
The system can be configured to take a snapshot of all the valid binaries and kernel modules and store the information in a user space database/inventory. The kernel security layer (in Domain 0) can intercept a kernel module and binary load routine and, subsequently, fetch inventory data from the user space inventory. When a particular request for execution of a kernel module or of a binary occurs, an intercept function is invoked that checks for an authorization of the loaded module or binary. The intercepting function allows execution of only authorized binaries/modules. Note that in computing, an executable (file) causes a computer to perform indicated tasks according to encoded instructions, as opposed to a file that only contains data. Files that contain instructions for an interpreter or virtual machine may be considered ‘executables’ or ‘binaries’ in contrast to program source code. The more generic term ‘object’ (as used herein in this Specification) is meant to include any such executables, binaries, kernel modules, improper hypercalls, etc., which are sought to be invoked, initiated, or otherwise executed.
The current disclosure also protects against execution of unauthorized hypercalls if a currently running binary is exploited. This is important because an attacker could use hypercalls to take over the entire virtual infrastructure. In such an implementation, the security layer checks for an origination address of hypercalls. The security layer can randomize hypercalls such that only authorized binaries can invoke the appropriate hypercalls.
Note that no security solution exists that effectively protects the privileged domain (Domain 0) as a special entity. Common solutions to the issues detailed herein include security software that would normally run on a commodity operating system. Security of privileged domains is an area of active research; however, there is no solution available that proactively protects the critical domains. System 10, by contrast, can treat the privileged domain as special and protect it against the new attack vectors involved. This is in contrast to more generalized solutions, which do not specifically target protection for Domain 0.
Turning to the infrastructure of
Each user space process normally runs in its own virtual memory space and, unless explicitly requested, does not access the memory of other processes. This is the basis for memory protection in mainstream operating systems, and a building block for privilege separation. In another approach, a single address space for all software is used, where the programming language's virtual machine ensures that arbitrary memory cannot be accessed. Applications simply cannot acquire references to the objects that they are not allowed to access.
Kernel module 20 represents the security layer in the Domain 0 kernel, which provides protection to the domain against unauthorized (and vulnerable authorized) binaries and kernel modules. In some attack scenarios, this can be the source of hypercalls. A hypercall is a software trap from a domain (e.g., Domain 0) to the hypervisor, just as a syscall is a software trap from an application to the kernel. Domains can use hypercalls to request privileged operations like updating page tables. Like a syscall, the hypercall is synchronous, where the return path from the hypervisor to the domain can employ event channels.
In one example implementation, virtual machine monitor 16 is a Xen element, which is a hypervisor that runs on bare hardware and which provides the capability of running multiple instances of OSs simultaneously on the same hardware. A typical Xen setup may involve Xen running beneath multiple OSs, where applications are on top of the OSs, which are associated with a group of virtual machines. The entire configuration may be provided in a server (or some other network appliance). One of the virtual machines can be running an OS associated with Domain 0. This VM (Dom 0) provides the user with the interface to manage this complete setup, and also hosts the device drivers. This management includes the hypervisor configuration, VM configuration, creation, deletion, shutdown, startup, etc. of VMs. This kind of setup can be popular in data centers where servers run Xen, which in turn hosts multiple instances of guest OSs (VMs). Each such server can have one Domain 0. The features discussed herein can effectively secure this Domain 0, as detailed below.
In most virtualization scenarios, one of the virtual elements is referred to as Domain 0, and it has administrative authority to control other virtual machines. This domain represents a privileged area and, therefore, it should be protected. In one example implementation, virtual machine monitor 16 is a Xen element configured to carry out some of the protection operations as outlined herein. Note that this Xen implementation is only representing one possible example to which the present disclosure can apply. Any number of additional hypervisors or virtual elements could similarly benefit from the broad teachings discussed herein.
In one example, a hypervisor can offer tools and applications necessary to support a complete virtualization environment. The hypervisor is the basic abstraction layer of software that sits directly on the hardware below operating systems. It is responsible for central processing unit (CPU) scheduling and memory partitioning of the various virtual machines running on a hardware device. The hypervisor not only abstracts the hardware for the virtual machines, but also controls the execution of virtual machines as they share the common processing environment.
Inventory 24 represents a memory element (e.g., a database) that may be provided in a security layer that keeps information about authorized binaries and kernel modules. System call table 28 is configured to intercept loading of modules and binaries in a given computer. Loading routines module 30 provides functionality for hooked routines, which can perform a check on each kernel module and binary. Control module 34 offers control for the security layer in user space 12. Control module 34 may include inventory 36, which represents user space inventory that gets pushed to the kernel security layer. Both instances of inventory 24 and 36 may be updated, and/or suitably modified based on systematic configurations, or events that trigger a change to either of these inventories. Management interface 40 can be configured to control the behavior of a security agent, which is relegated the task of protecting a computer.
In operation of a simple example, a loadable kernel module (LKM) represents a system commonly used by Linux (as well as some other modern operating systems) to allow the linking of object code into a running kernel without interrupting system traffic. At a fundamental level, an object is compiled to a re-locatable object (.o) file, loaded using ‘insmod’ under Linux, and removed using ‘rmmod’. Linux also supports demand loading of modules using ‘kerneld’ (now kmod).
Once ‘insmod’ is called, the module is linked into the running system kernel and the function init_module ( ) is called. All modules should contain this function, as well as a cleanup_module ( ), which is called at unloading. The purpose of the init_module ( ) is to register the functions contained within the module to handle system events, such as to operate as device drivers or interrupt handlers. The actions performed by insmod are similar to that of ‘Id’, for example, in regards to linkage.
In this example, when a request to run a binary or kernel module is intercepted, it is checked to see whether it is authorized. For example, a security agent (e.g., a piece of software running in Domain 0) can be configured to compute checksums in order to validate whether a given element (i.e., a binary or a kernel module) is authorized for the particular system. This may include look up operations in which stored inventories are compared against a new request for binaries or kernel modules in order to discern whether to allow these elements to be executed. Thus, the comparison is being made against internally stored items.
The interaction in the architecture of
Turning to
Domain 0, a modified Linux kernel, is a unique virtual machine running on the hypervisor that has special rights to access physical I/O resources, as well as interact with the other virtual machines (Domain U: PV and HVM Guests) running on the system. Domain 0 is the first domain launched when the system is booted, and it can be used to create and configure all other regular guest domains. Domain 0 is also sometimes called Dom0 and, similarly, a regular guest domain is called a DomU or unprivileged domain. Virtualization environments can require Domain 0 to be running before other virtual machines can be started. Two drivers are generally included in Domain 0 to support network and local disk requests from Domain U PV and HVM Guests: the Network Backend Driver and the Block Backend Driver. The Network Backend Driver communicates directly with the local networking hardware to process all virtual machines requests coming from the Domain U guests. The Block Backend Driver communicates with the local storage disk to read and write data from the drive based upon Domain U requests.
Thus, a given hypervisor is not alone in its task of administering the guest domains on the system. A special privileged domain (Domain 0) serves as an administrative interface to Xen. Domain 0 has direct physical access to hardware, and it exports the simplified generic class devices to each DomU. Rather than emulating the actual physical devices exactly, the hypervisor exposes idealized devices. For example, the guest domain views the network card as a generic network class device or the disk as a generic block class device. Domain 0 runs a device driver specific to each actual physical device and then communicates with other guest domains through an asynchronous shared memory transport.
Domain 0 can also delegate responsibility for a particular device to another domain. A driver domain is a DomU that runs a minimal kernel and the backend for a particular device. This has the advantage of moving the complexity and risk of device management out of the Domain 0. Moving device management to driver domains can make the system more stable because hardware drivers are notoriously the most error-prone code in an operating system. A driver domain could be stopped and restarted to recover from an error, while stopping and restarting Domain 0 can disrupt the entire system.
As a general proposition, a smaller and simpler Domain 0 is better for the security and stability of the system. Moving device management into driver domains is just one example of this. Although Domain 0 typically runs a general-purpose operating system, it is wise to use Domain 0 strictly for the administration of virtual machines on the system. All other applications can be run in a guest domain. Overall, a bare-bones Domain 0 is less vulnerable to attack or accidental software fault.
As discussed above, there are several Domain 0 security issues in such a scenario. These include unauthorized binary execution, or the propagation of malware capable of modifying the VM state (e.g., via ioctl). Another security risk is presented by the remote code injection in authorized binary to modify the VM state (e.g., via ioctl). Note that in computing, an ioctl is typically the part of the user-to-kernel interface of an operating system. The acronym is short for “Input/output control,” where ioctls are commonly employed to allow user space code to communicate with hardware devices or kernel components. The other threat in such a scenario involves an unauthorized Linux kernel module (e.g., a hypercall). The architecture of
Xend shown in
Software for intercepting unauthorized binaries and kernel modules (as well as inhibiting dangerous code from being executed for already running binaries) can be provided at various locations. In one example implementation, this software is resident in a computer sought to be protected from a security attack (or protected from unwanted, or unauthorized manipulations of a privileged area). In a more detailed configuration, this software is specifically resident in Domain 0. One implementation involves providing in a security layer of a virtual machine monitor, which may include (or otherwise interface with) a kernel space and a user space, as depicted by
In still other embodiments, software could be received or downloaded from a web server (e.g., in the context of purchasing individual end-user licenses for separate devices, separate virtual machines, hypervisors, servers, etc.) in order to carry out these intercepting and authorizing functions in Domain 0. In other examples, the intercepting and authorizing functions could involve a proprietary element (e.g., as part of an antivirus solution), which could be provided in (or be proximate to) these identified elements, or be provided in any other device, server, network appliance, console, firewall, switch, information technology (IT) device, etc., or be provided as a complementary solution (e.g., in conjunction with a firewall), or provisioned somewhere in the network. As used herein in this Specification, the term ‘computer’ is meant to encompass these possible elements (VMMs, hypervisors, Xen devices, virtual devices, network appliances, routers, switches, gateway, processors, servers, loadbalancers, firewalls, or any other suitable device, component, element, or object) operable to affect or process electronic information in a security environment. Moreover, this computer may include any suitable hardware, software, components, modules, interfaces, or objects that facilitate the operations thereof. This may be inclusive of appropriate algorithms and communication protocols that allow for the effective authorization of kernel modules, binaries, etc. In addition, the intercepting and authorizing functions can be consolidated in any suitable manner. Along similar design alternatives, any of the illustrated modules and components of
In certain example implementations, the intercepting and authorizing functions outlined herein may be implemented by logic encoded in one or more tangible media (e.g., embedded logic provided in an application specific integrated circuit (ASIC), digital signal processor (DSP) instructions, software (potentially inclusive of object code and source code) to be executed by a processor, or other similar machine, etc.). In some of these instances, a memory element (as shown in
Any of these elements (e.g., a computer, a server, a network appliance, a firewall, a virtual machine element, etc.) can include memory elements for storing information to be used in achieving the intercepting and authorizing operations as outlined herein. Additionally, each of these devices may include a processor that can execute software or an algorithm to perform the intercepting and authorizing activities as discussed in this Specification. These devices may further keep information in any suitable memory element (random access memory (RAM), ROM, EPROM, EEPROM, ASIC, etc.), software, hardware, or in any other suitable component, device, element, or object where appropriate and based on particular needs. Any of the memory items discussed herein (e.g., inventory, table(s), user space, kernel space, etc.) should be construed as being encompassed within the broad term ‘memory element.’ Similarly, any of the potential processing elements, modules, and machines described in this Specification should be construed as being encompassed within the broad term ‘processor.’ Each of the computers, network appliances, virtual elements, etc. can also include suitable interfaces for receiving, transmitting, and/or otherwise communicating data or information in a secure environment.
Step 140 represents copying of an unauthorized binary on Domain 0. The security agent is configured to compute checksums in order to validate whether a given element (a binary or kernel module) is authorized for the particular system. These activities may include look up operations in which stored inventories are compared against new requests for binaries or kernel modules in order to discern whether to allow these elements to be executed. Thus, the comparison is being made against stored items.
At step 150, the query is answered as to whether this particular binary has been authorized. If it has not been authorized, the flow moves to step 160 where execution of the binary is denied. In such a context, an inference can be made that if the lookup reveals that the particular binary is not found, then the request is presumed to be a security risk that should not be executed. If the binary is authorized, then from step 150 the flow moves to step 170, where execution of the binary is allowed.
Note that with the examples provided herein, interaction may be described in terms of two, three, four, or more network elements. However, this has been done for purposes of clarity and example only. In certain cases, it may be easier to describe one or more of the functionalities of a given set of flows by only referencing a limited number of components or network elements. It should be appreciated that system 10 of
It is also important to note that the steps described with reference to the preceding FIGURES illustrate only some of the possible scenarios that may be executed by, or within, system 10. Some of these steps may be deleted or removed where appropriate, or these steps may be modified or changed considerably without departing from the scope of the discussed concepts. In addition, a number of these operations have been described as being executed concurrently with, or in parallel to, one or more additional operations. However, the timing of these operations may be altered considerably. The preceding operational flows have been offered for purposes of example and discussion. Substantial flexibility is provided by system 10 in that any suitable arrangements, chronologies, configurations, and timing mechanisms may be provided without departing from the teachings of the discussed concepts.
| Number | Name | Date | Kind |
|---|---|---|---|
| 4688169 | Joshi | Aug 1987 | A |
| 4982430 | Frezza et al. | Jan 1991 | A |
| 5155847 | Kirouac et al. | Oct 1992 | A |
| 5222134 | Waite et al. | Jun 1993 | A |
| 5390314 | Swanson | Feb 1995 | A |
| 5521849 | Adelson et al. | May 1996 | A |
| 5560008 | Johnson et al. | Sep 1996 | A |
| 5699513 | Feigen et al. | Dec 1997 | A |
| 5778349 | Okonogi | Jul 1998 | A |
| 5787427 | Benantar et al. | Jul 1998 | A |
| 5842017 | Hookway et al. | Nov 1998 | A |
| 5907709 | Cantey et al. | May 1999 | A |
| 5974149 | Leppek | Oct 1999 | A |
| 5987610 | Franczek et al. | Nov 1999 | A |
| 5987611 | Freund | Nov 1999 | A |
| 5991881 | Conklin et al. | Nov 1999 | A |
| 6073142 | Geiger et al. | Jun 2000 | A |
| 6141698 | Krishnan et al. | Oct 2000 | A |
| 6192401 | Modiri et al. | Feb 2001 | B1 |
| 6192475 | Wallace | Feb 2001 | B1 |
| 6256773 | Bowman-Amuah | Jul 2001 | B1 |
| 6275938 | Bond et al. | Aug 2001 | B1 |
| 6338149 | Ciccone, Jr. et al. | Jan 2002 | B1 |
| 6356957 | Sanchez, II et al. | Mar 2002 | B2 |
| 6393465 | Leeds | May 2002 | B2 |
| 6442686 | McArdle et al. | Aug 2002 | B1 |
| 6449040 | Fujita | Sep 2002 | B1 |
| 6453468 | D'Souza | Sep 2002 | B1 |
| 6460050 | Pace et al. | Oct 2002 | B1 |
| 6587877 | Douglis et al. | Jul 2003 | B1 |
| 6662219 | Nishanov et al. | Dec 2003 | B1 |
| 6748534 | Gryaznov et al. | Jun 2004 | B1 |
| 6769008 | Kumar et al. | Jul 2004 | B1 |
| 6769115 | Oldman | Jul 2004 | B1 |
| 6795966 | Lim et al. | Sep 2004 | B1 |
| 6832227 | Seki et al. | Dec 2004 | B2 |
| 6834301 | Hanchett | Dec 2004 | B1 |
| 6847993 | Novaes et al. | Jan 2005 | B1 |
| 6907600 | Neiger et al. | Jun 2005 | B2 |
| 6918110 | Hundt et al. | Jul 2005 | B2 |
| 6930985 | Rathi et al. | Aug 2005 | B1 |
| 6934755 | Saulpaugh et al. | Aug 2005 | B1 |
| 6988101 | Ham et al. | Jan 2006 | B2 |
| 6988124 | Douceur et al. | Jan 2006 | B2 |
| 7010796 | Strom et al. | Mar 2006 | B1 |
| 7024548 | O'Toole, Jr. | Apr 2006 | B1 |
| 7039949 | Cartmell et al. | May 2006 | B2 |
| 7065767 | Kambhammettu et al. | Jun 2006 | B2 |
| 7069330 | McArdle et al. | Jun 2006 | B1 |
| 7082456 | Mani-Meitav et al. | Jul 2006 | B2 |
| 7093239 | van der Made | Aug 2006 | B1 |
| 7124409 | Davis et al. | Oct 2006 | B2 |
| 7139916 | Billingsley et al. | Nov 2006 | B2 |
| 7152148 | Williams et al. | Dec 2006 | B2 |
| 7159036 | Hinchliffe et al. | Jan 2007 | B2 |
| 7177267 | Oliver et al. | Feb 2007 | B2 |
| 7203864 | Goin et al. | Apr 2007 | B2 |
| 7251655 | Kaler et al. | Jul 2007 | B2 |
| 7290266 | Gladstone et al. | Oct 2007 | B2 |
| 7302558 | Campbell et al. | Nov 2007 | B2 |
| 7330849 | Gerasoulis et al. | Feb 2008 | B2 |
| 7346781 | Cowle et al. | Mar 2008 | B2 |
| 7350204 | Lambert et al. | Mar 2008 | B2 |
| 7353501 | Tang et al. | Apr 2008 | B2 |
| 7363022 | Whelan et al. | Apr 2008 | B2 |
| 7370360 | van der Made | May 2008 | B2 |
| 7406517 | Hunt et al. | Jul 2008 | B2 |
| 7441265 | Staamann et al. | Oct 2008 | B2 |
| 7464408 | Shah et al. | Dec 2008 | B1 |
| 7506155 | Stewart et al. | Mar 2009 | B1 |
| 7506170 | Finnegan | Mar 2009 | B2 |
| 7546333 | Alon et al. | Jun 2009 | B2 |
| 7607170 | Chesla | Oct 2009 | B2 |
| 7657599 | Smith | Feb 2010 | B2 |
| 7685635 | Vega et al. | Mar 2010 | B2 |
| 7698744 | Fanton et al. | Apr 2010 | B2 |
| 7757269 | Roy-Chowdhury et al. | Jul 2010 | B1 |
| 7809704 | Surendran et al. | Oct 2010 | B2 |
| 7836504 | Ray et al. | Nov 2010 | B2 |
| 7908653 | Brickell et al. | Mar 2011 | B2 |
| 7937455 | Saha et al. | May 2011 | B2 |
| 8015563 | Araujo et al. | Sep 2011 | B2 |
| 20020069367 | Tindal et al. | Jun 2002 | A1 |
| 20020083175 | Afek et al. | Jun 2002 | A1 |
| 20020099671 | Mastin Crosbie et al. | Jul 2002 | A1 |
| 20030014667 | Kolichtchak | Jan 2003 | A1 |
| 20030023736 | Abkemeier | Jan 2003 | A1 |
| 20030033510 | Dice | Feb 2003 | A1 |
| 20030073894 | Chiang et al. | Apr 2003 | A1 |
| 20030074552 | Olkin et al. | Apr 2003 | A1 |
| 20030120601 | Ouye et al. | Jun 2003 | A1 |
| 20030120811 | Hanson et al. | Jun 2003 | A1 |
| 20030120935 | Teal et al. | Jun 2003 | A1 |
| 20030145232 | Poletto et al. | Jul 2003 | A1 |
| 20030163718 | Johnson et al. | Aug 2003 | A1 |
| 20030167399 | Audebert et al. | Sep 2003 | A1 |
| 20040003258 | Billingsley et al. | Jan 2004 | A1 |
| 20040015554 | Wilson | Jan 2004 | A1 |
| 20040051736 | Daniell | Mar 2004 | A1 |
| 20040054928 | Hall | Mar 2004 | A1 |
| 20040143749 | Tajalli et al. | Jul 2004 | A1 |
| 20040167906 | Smith et al. | Aug 2004 | A1 |
| 20040230963 | Rothman et al. | Nov 2004 | A1 |
| 20040243678 | Smith et al. | Dec 2004 | A1 |
| 20040255161 | Cavanaugh | Dec 2004 | A1 |
| 20050018651 | Yan et al. | Jan 2005 | A1 |
| 20050108516 | Balzer et al. | May 2005 | A1 |
| 20050108562 | Khazan et al. | May 2005 | A1 |
| 20050114672 | Duncan et al. | May 2005 | A1 |
| 20050228990 | Kato et al. | Oct 2005 | A1 |
| 20050235360 | Pearson | Oct 2005 | A1 |
| 20050257207 | Blumfield et al. | Nov 2005 | A1 |
| 20050260996 | Groenendaal | Nov 2005 | A1 |
| 20050262558 | Usov | Nov 2005 | A1 |
| 20050273858 | Zadok et al. | Dec 2005 | A1 |
| 20050283823 | Okajo et al. | Dec 2005 | A1 |
| 20060004875 | Baron et al. | Jan 2006 | A1 |
| 20060015501 | Sanamrad et al. | Jan 2006 | A1 |
| 20060037016 | Saha et al. | Feb 2006 | A1 |
| 20060080656 | Cain et al. | Apr 2006 | A1 |
| 20060085785 | Garrett | Apr 2006 | A1 |
| 20060101277 | Meenan et al. | May 2006 | A1 |
| 20060133223 | Nakamura et al. | Jun 2006 | A1 |
| 20060136910 | Brickell et al. | Jun 2006 | A1 |
| 20060136911 | Robinson et al. | Jun 2006 | A1 |
| 20060195906 | Jin et al. | Aug 2006 | A1 |
| 20060236398 | Trakic et al. | Oct 2006 | A1 |
| 20070011746 | Malpani et al. | Jan 2007 | A1 |
| 20070039049 | Kupferman et al. | Feb 2007 | A1 |
| 20070050764 | Traut | Mar 2007 | A1 |
| 20070074199 | Schoenberg | Mar 2007 | A1 |
| 20070083522 | Nord et al. | Apr 2007 | A1 |
| 20070101435 | Konanka et al. | May 2007 | A1 |
| 20070136579 | Levy et al. | Jun 2007 | A1 |
| 20070169079 | Keller et al. | Jul 2007 | A1 |
| 20070192329 | Croft et al. | Aug 2007 | A1 |
| 20070220061 | Tirosh et al. | Sep 2007 | A1 |
| 20070253430 | Minami et al. | Nov 2007 | A1 |
| 20070271561 | Winner et al. | Nov 2007 | A1 |
| 20080005737 | Saha et al. | Jan 2008 | A1 |
| 20080005798 | Ross | Jan 2008 | A1 |
| 20080010304 | Vempala et al. | Jan 2008 | A1 |
| 20080034416 | Kumar et al. | Feb 2008 | A1 |
| 20080052468 | Speirs et al. | Feb 2008 | A1 |
| 20080082977 | Araujo et al. | Apr 2008 | A1 |
| 20080120499 | Zimmer et al. | May 2008 | A1 |
| 20080163207 | Reumann et al. | Jul 2008 | A1 |
| 20080163210 | Bowman et al. | Jul 2008 | A1 |
| 20080184373 | Traut et al. | Jul 2008 | A1 |
| 20080294703 | Craft et al. | Nov 2008 | A1 |
| 20080301770 | Kinder | Dec 2008 | A1 |
| 20090038017 | Durham et al. | Feb 2009 | A1 |
| 20090043993 | Ford et al. | Feb 2009 | A1 |
| 20090144300 | Chatley et al. | Jun 2009 | A1 |
| 20090150639 | Ohata | Jun 2009 | A1 |
| 20100071035 | Budko et al. | Mar 2010 | A1 |
| 20100100970 | Chowdhury et al. | Apr 2010 | A1 |
| 20100114825 | Siddegowda | May 2010 | A1 |
| 20100281133 | Brendel | Nov 2010 | A1 |
| 20100293225 | Sebes et al. | Nov 2010 | A1 |
| 20110035423 | Kobayashi et al. | Feb 2011 | A1 |
| 20110077948 | Sharma et al. | Mar 2011 | A1 |
| 20110093842 | Sebes | Apr 2011 | A1 |
| 20110093950 | Bhargava et al. | Apr 2011 | A1 |
| 20110119760 | Sebes et al. | May 2011 | A1 |
| 20110138461 | Bhargava et al. | Jun 2011 | A1 |
| 20120030731 | Bhargava et al. | Feb 2012 | A1 |
| 20120030750 | Bhargava et al. | Feb 2012 | A1 |
| Number | Date | Country |
|---|---|---|
| 1 482 394 | Dec 2004 | EP |
| 2 037 657 | Mar 2009 | EP |
| WO 9844404 | Oct 1998 | WO |
| WO 0184285 | Nov 2001 | WO |
| WO 2006012197 | Feb 2006 | WO |
| WO 2006124832 | Nov 2006 | WO |
| WO 2008054997 | May 2008 | WO |
| WO 2011059877 | May 2011 | WO |
| WO 2012015485 | Feb 2012 | WO |
| WO 2012015489 | Feb 2012 | WO |
| Entry |
|---|
| Espacenet search, Espacent Result List, Jan. 2012. |
| U.S. Appl. No. 12/615,521, entitled “System and Method for Preventing Data Loss Using Virtual Machine Wrapped Applications,” filed Nov. 10, 2009, Inventor(s): Sonali Agarwal, et al. |
| Desktop Management and Control, Website: http://www.vmware.com/solutions/desktop/, printed Oct. 12, 2009, 1 page. |
| Secure Mobile Computing, Website: http://www.vmware.com/solutions/desktop/mobile.html, printed Oct. 12, 2009, 2 pages. |
| U.S. Appl. No. 12/636,414, entitled “System and Method for Managing Virtual Machine Configurations,” filed Dec. 11, 2009, Inventor(s): Harvinder Singh Sawhney, et al. |
| Eli M. Dow, et al., “The Xen Hypervisor,” INFORMIT, dated Apr. 10, 2008, http://www.informit.com/articles/printerfriendly.aspx?p=1187966, printed Aug. 11, 2009 (13 pages). |
| “Xen Architecture Overview,” Xen, dated Feb. 13, 2008, Version 1.2, http://wiki.xensource.com/xenwiki/XenArchitecture?action=AttachFile&do=get&target=Xen+Architecture—Q1+2008.pdf, printed Aug. 18, 2009 (9 pages). |
| Kurt Gutzmann, “Access Control and Session Management in the HTTP Environment,” Jan./Feb. 2001, pp. 26-35, IEEE Internet Computing. |
| U.S. Appl. No. 11/379,953, entitled “Software Modification by Group to Minimize Breakage,” filed Apr. 24, 2006, Inventor(s): E. John Sebes et al. |
| U.S. Appl. No. 11/277,596, entitled “Execution Environment File Inventory,” filed Mar. 27, 2006, Inventor(s): Rishi Bhargava et al. |
| U.S. Appl. No. 10/651,591, entitled “Method and System for Containment of Networked Application Client Software by Explicit Human Input,” filed Aug. 29, 2003, Inventor(s): Rosen Sharma et al. |
| U.S. Appl. No. 10/806,578, entitled Containment of Network communication, filed Mar. 22, 2004, Inventor(s): E. John Sebes et al. |
| U.S. Appl. No. 10/739,230, entitled “Method and System for Containment of Usage of Lanugage Interfaces,” filed Dec. 17, 2003, Inventor(s): Rosen Sharma et al. |
| U.S. Appl. No. 10/935,772, entitled “Solidifying the Executable Software Set of a Computer,” filed Sep. 7, 2004, Inventor(s): E. John Sebes et al. |
| U.S. Appl. No. 11/060,683, entitled “Distribution and Installation of Solidified Software on a Computer,” filed Feb. 16, 2005, Inventor(s): Bakul Shah et al. |
| U.S. Appl. No. 11/122,872, entitled “Piracy Prevention Using Unique Module Translation,” filed May 4, 2005, Inventor(s): E. John Sebes et al. |
| U.S. Appl. No. 11/346,741, entitled “Enforcing Alignment of Approved Changes and Deployed Changes in the Software Change Life-Cycle,” filed Feb. 2, 2006, Inventor(s): Rahul Roy-Chowdhury et al. |
| U.S. Appl. No. 11/182,320, entitled “Classification of Software on Networked Systems,” filed Jul. 14, 2005, Inventor(s): E. John Sebes et al. |
| U.S. Appl. No. 11/400,085, entitled “Program-Based Authorization,” filed Apr. 7, 2006, Inventor(s): Rishi Bhargava et al. |
| U.S. Appl. No. 11/437,317, entitled “Connectivity-Based Authorization,” filed May 18, 2006, Inventor(s): E. John Sebes et al. |
| U.S. Appl. No. 12/290,380, entitled “Application Change Control,” filed Oct. 29, 2008, Inventor(s): Rosen Sharma et al. |
| U.S. Appl. No. 12/008,274, entitled Method and Apparatus for Process Enforced Configuration Management, filed Jan. 9, 2008, Inventor(s): Rishi Bhargava et al. |
| U.S. Appl. No. 12/291,232, entitled “Method of and System for Computer System State Checks,” filed Nov. 7, 2008, inventor(s): Rishi Bhargava et al. |
| U.S. Appl. No. 12/322,220, entitled “Method of and System for Malicious Software Detection Using Critical Address Space Protection,” filed Jan. 29, 2009, Inventor(s): Suman Saraf et al. |
| U.S. Appl. No. 12/322,321, entitled “Method of and System for Computer System Denial-of-Service Protection,” filed Jan. 29, 2009, Inventor(s): Suman Saraf et al. |
| U.S. Appl. No. 12/426,859, entitled “Method of and System for Reverse Mapping Vnode Pointers,” filed Apr. 20, 2009, Inventor(s): Suman Saraf et al. |
| U.S. Appl. No. 12/545,745, entitled “System and Method for Providing Address Protection in a Virtual Environment,” filed Aug. 21, 2009, Inventor(s): Preet Mohinder. |
| U.S. Appl. No. 12/551,673, entitled “Piracy Prevention Using Unique Module Translation,” filed Sep. 1, 2009, Inventor(s): E. John Sebes et al. |
| Barrantes et al., “Randomized Instruction Set Emulation to Dispurt Binary Code Injection Attacks,” Oct. 27-31, 2003, ACM, pp. 281-289. |
| Check Point Software Technologies Ltd.: “ZoneAlarm Security Software User Guide Version 9”, Aug. 24, 2009, XP002634548, 259 pages, retrieved from Internet: URL:http://download.zonealarm.com/bin/media/pdf/zaclient91—user—manual.pdf. |
| Gaurav et al., “Countering Code-Injection Attacks with Instruction-Set Randomization,” Oct. 27-31, 2003, ACM, pp. 272-280. |
| IA-32 Intel® Architecture Software Developer's Manual, vol. 3B; Jun. 2006; pp. 13, 15, 22 and 145-146. |
| Notification of Transmittal of the International Search Report and the Written Opinion of the International Searching Authority (1 page), International Search Report (4 pages), and Written Opinion (3 pages), mailed Mar. 2, 2011, International Application No. PCT/US2010/055520. |
| Notification of Transmittal of the International Search Report and the Written Opinion of the International Searching Authority, or the Declaration (1 page), International Search Report (6 pages), and Written Opinion of the International Searching Authority (10 pages) for International Application No. PCT/US2011/020677 mailed Jul. 22, 2011. |
| Notification of Transmittal of the International Search Report and Written Opinion of the International Searching Authority, or the Declaration (1 page), International Search Report (3 pages), and Written Opinion of the International Search Authority (6 pages) for International Application No. PCT/US2011/024869 mailed Jul. 14, 2011. |
| Tal Garfinkel, et al., “Terra: A Virtual Machine-Based Platform for Trusted Computing,” XP-002340992, SOSP'03, Oct. 19-22, 2003, 14 pages. |
| U.S. Appl. No. 12/880,125, entitled “System and Method for Clustering Host Inventories,” filed Sep. 12, 2010, Inventor(s) Rishi Bhargava, et al. |
| U.S. Appl. No. 12/903,993, entitled “Method and System for Containment of Usage of Language Interfaces,” filed Oct. 13, 2010, Inventor(s) Rosen Sharma, et al. |
| U.S. Appl. No. 12/946,344, entitled “Method and System for Containment of Usage of Language Interfaces,” filed Nov. 15, 2010, Inventor(s) Rosen Sharma, et al. |
| U.S. Appl. No. 13/012,138, entitled “System and Method for Selectively Grouping and Managing Program Files,” filed Jan. 24, 2011, Inventor(s) Rishi Bhargava, et al. |
| U.S. Appl. No. 13/037,988, entitled “System and Method for Botnet Detection by Comprehensive Email Behavioral Analysis,” filed Mar. 1, 2011, Inventor(s) Sven Krasser, et al. |
| Notification of International Preliminary Report on Patentability and Written Opinion mailed May 24, 2012 for International Application No. PCT/US2010/055520, 5 pages. |
| Sailer et al., sHype: Secure Hypervisor Approach to Trusted Virtualized Systems, IBM research Report, Feb. 2, 2005, 13 pages. |
| U.S. Appl. No. 13/558,181, entitled “Method and Apparatus for Process Enforced Configuration Management,” filed Jul. 25, 2012, Inventor(s) Rishi Bhargava et al. |
| U.S. Appl. No. 13/558,227, entitled “Method and Apparatus for Process Enforced Configuration Management,” filed Jul. 25, 2012, Inventor(s) Rishi Bhargava et al. |
| U.S. Appl. No. 13/558,277, entitled “Method and Apparatus for Process Enforced Configuration Management,” filed Jul. 25, 2012, Inventor(s) Rishi Bhargava et al. |
| Number | Date | Country | |
|---|---|---|---|
| 20110047542 A1 | Feb 2011 | US |
