TREA

System and method for enforcing security policies in a virtual environment

Follow

Information

  • Patent Grant
  • 9652607
  • Patent Number
    9,652,607
  • Date Filed
    Friday, October 3, 2014
    10 years ago
  • Date Issued
    Tuesday, May 16, 2017
    7 years ago
Information
Abstract
A method in one example implementation includes intercepting a request associated with an execution of an object (e.g., a kernel module or a binary) in a computer configured to operate in a virtual machine environment. The request is associated with a privileged domain of the computer that operates logically below one or more operating systems. The method also includes verifying an authorization of the object by computing a checksum for the object and comparing the checksum to a plurality of stored checksums in a memory element. The execution of the object is denied if it is not authorized. In other embodiments, the method can include evaluating a plurality of entries within the memory element of the computer, wherein the entries include authorized binaries and kernel modules. In other embodiments, the method can include intercepting an attempt from a remote computer to execute code from a previously authorized binary.
Description
TECHNICAL FIELD

This disclosure relates in general to the field of security and, more particularly, to enforcing security policies in a virtual environment.


BACKGROUND

The field of network security has become increasingly important in today's society. In particular, the ability to effectively protect computers and systems presents a significant obstacle for component manufacturers, system designers, and network operators. This obstacle is made even more difficult due to the plethora of new security threats, which seem to evolve daily. Virtualization is a software technology allowing an operating system to run unmodified on an isolated virtual environment (typically referred to as a virtual machine), where a platform's physical characteristics and behaviors are reproduced. More specifically, a virtual machine can represent an isolated, virtual environment (lying on top of a host operating system (OS)) and equipped with virtual hardware (processor, memory, disks, network interfaces, etc.). Commonly, the virtual machine is managed by a virtualization product. A virtual machine monitor (VMM) is the virtualization software layer that manages hardware requests from a guest OS (e.g., simulating answers from real hardware). A hypervisor is computer software/hardware platform virtualization software that allows multiple operating systems to run on a host computer concurrently. Both Xen and Hypervisor represent forms of VMMs and these VMMs can be exploited to better protect computers and systems from emerging security threats.





BRIEF DESCRIPTION OF THE DRAWINGS

To provide a more complete understanding of the present disclosure and features and advantages thereof, reference is made to the following description, taken in conjunction with the accompanying figures, wherein like reference numerals represent like parts, in which:



FIG. 1 is a simplified block diagram of a system for enforcing security policies in a privileged domain of a virtual environment in accordance with one embodiment;



FIG. 2 is a simplified view of processor privilege level ring usage in accordance with one embodiment;



FIG. 3 is a simplified block diagram of a system for enforcing security policies in a privileged domain of a virtual environment in accordance with another embodiment;



FIG. 4 is a simplified block diagram providing an overview of components and processes in Domain 0 and, further, their interactions with a virtual machine monitor in accordance with another embodiment; and



FIG. 5 is a simplified flowchart illustrating a series of example steps associated with the system in accordance with one embodiment.





DETAILED DESCRIPTION OF EXAMPLE EMBODIMENTS

Overview


A method in one example implementation includes intercepting a request associated with an execution of an object (e.g., a kernel module or a binary) in a computer configured to operate in a virtual machine environment. The request for the execution is associated with a privileged domain of the computer that operates logically below one or more operating systems. The method also includes verifying an authorization of the object by computing a checksum for the object and comparing the checksum to a plurality of stored checksums in a memory element. The method further includes denying the execution of the object if it is not authorized. In other embodiments, the method can include evaluating a plurality of entries within the memory element of the computer, wherein the entries include authorized binaries and kernel modules. In other embodiments, the method can include intercepting an attempt from a remote computer to execute code from a previously authorized binary, and evaluating an origination address of a hypercall associated with the code before executing the code.


EXAMPLE EMBODIMENTS


FIG. 1 is a simplified block diagram of a system 10 for enforcing security policies in a privileged domain of a virtual environment. Such an architecture can provide a secure environment for the execution of operations in the privileged domain, as well as in other guest operating systems. In one example implementation, FIG. 1 includes a user space 12, a kernel space 14, a virtual machine monitor 16, and a kernel module 20, which includes an inventory 24. Virtual machine monitor 16 may include a memory element 18 and a processor 22 in one example implementation. In addition, FIG. 1 may include a system call table 28, a management interface 40, and a control module 34, which includes an inventory 36. A system call 42 is also provided, and this element interfaces with a loading and routines element 30, which interacts with inventory 24. Not shown in FIG. 1 is additional hardware that may be suitably coupled to virtual machine monitor (VMM) 16 (e.g., provided below its logical representation) in the form of memory management units (MMU), symmetric multiprocessing (SMP) elements, physical memory, Ethernet, small computer system interface (SCSI)/integrated drive electronics (IDE) elements, etc.


For purposes of illustrating the techniques of system 10, it is important to understand the activities occurring within a given virtual system. The following foundational information may be viewed as a basis from which the present disclosure may be properly explained. Such information is offered earnestly for purposes of explanation only and, accordingly, should not be construed in any way to limit the broad scope of the present disclosure and its potential applications. Virtual machine monitors (e.g., Xen and HyperV) are hypervisors that currently fail to offer an interface to the end user to properly manage virtual machines and guest operating system (OS) instances. As used herein in this Specification, the term ‘virtual machine element’ is meant to include any such hypervisors, or other devices that operate in a virtual environment. It should also be noted that these hypervisor's fail to offer suitable device drivers. Both of the above functionalities are commonly provided by a special privileged domain/partition. Generally, these privileged domains can host device drivers and, further, provide an interface for managing virtual machine monitor 16 and guest OS instances.


Any grant of special privileges to a particular domain poses security risks for other guest OS instances. A compromised privileged domain can readily degrade the security of all guest OS instances running on a computer. In essence, hypervisors and privileged domains can unknowingly engender new attack vectors that are not adequately protected by current security solutions. System 10 offers a viable architecture to thwart these new categories of attacks, as well as other security risks presented to a given computer.


Consider a first example in which some type of malware is attempting to run a kernel module, which is not authorized. A hypercall is a function that is generally used by a kernel module to interact with a virtual machine. For example, a hypercall could be used by the kernel module to access specific areas of a given machine. The hypercall can shut down the virtual machine and, in a worst-case scenario, control all the other virtual machines to which it can communicate. Thus, the ability of certain code (e.g., in the form of a hypercall) to enter a certain space and to improperly manipulate the system is problematic.


The primary attack vectors that can compromise a privileged domain include: 1) execution of an unauthorized user binary (malware/virus)/kernel module; 2) execution of a vulnerable authorized binary; and 3) execution of unauthorized hypercalls. System 10 can be used to enforce security policies in the privileged domain. The present disclosure is directed towards securing privileged domains/partitions. In certain embodiments, the current disclosure works by inserting a security layer in the Domain 0 kernel, which protects: 1) against execution of unauthorized user space binaries/kernel module; and 2) against execution of vulnerable authorized binary.


The system can be configured to take a snapshot of all the valid binaries and kernel modules and store the information in a user space database/inventory. The kernel security layer (in Domain 0) can intercept a kernel module and binary load routine and, subsequently, fetch inventory data from the user space inventory. When a particular request for execution of a kernel module or of a binary occurs, an intercept function is invoked that checks for an authorization of the loaded module or binary. The intercepting function allows execution of only authorized binaries/modules. Note that in computing, an executable (file) causes a computer to perform indicated tasks according to encoded instructions, as opposed to a file that only contains data. Files that contain instructions for an interpreter or virtual machine may be considered ‘executables’ or ‘binaries’ in contrast to program source code. The more generic term ‘object’ (as used herein in this Specification) is meant to include any such executables, binaries, kernel modules, improper hypercalls, etc., which are sought to be invoked, initiated, or otherwise executed.


The current disclosure also protects against execution of unauthorized hypercalls if a currently running binary is exploited. This is important because an attacker could use hypercalls to take over the entire virtual infrastructure. In such an implementation, the security layer checks for an origination address of hypercalls. The security layer can randomize hypercalls such that only authorized binaries can invoke the appropriate hypercalls.


Note that no security solution exists that effectively protects the privileged domain (Domain 0) as a special entity. Common solutions to the issues detailed herein include security software that would normally run on a commodity operating system. Security of privileged domains is an area of active research; however, there is no solution available that proactively protects the critical domains. System 10, by contrast, can treat the privileged domain as special and protect it against the new attack vectors involved. This is in contrast to more generalized solutions, which do not specifically target protection for Domain 0.


Turning to the infrastructure of FIG. 1, virtual machine monitor 16 can run multiple instances of guest OSs. Logically, this element can be thought of as the hypervisor in certain implementations. Virtual machine monitor 16 can be part of a server, a firewall, an antivirus solution, or more generically, a computer. Kernel space 14 of the virtual machine is the area where a security layer can be inserted. In this particular case, kernel space 14 is associated with Domain 0. An operating system usually segregates virtual memory into kernel space and user space. Kernel space is commonly reserved for running a kernel, the kernel extensions, and certain device drivers. In contrast, user space is the memory area where user mode applications work and this memory can be swapped out (if necessary).


Each user space process normally runs in its own virtual memory space and, unless explicitly requested, does not access the memory of other processes. This is the basis for memory protection in mainstream operating systems, and a building block for privilege separation. In another approach, a single address space for all software is used, where the programming language's virtual machine ensures that arbitrary memory cannot be accessed. Applications simply cannot acquire references to the objects that they are not allowed to access.


Kernel module 20 represents the security layer in the Domain 0 kernel, which provides protection to the domain against unauthorized (and vulnerable authorized) binaries and kernel modules. In some attack scenarios, this can be the source of hypercalls. A hypercall is a software trap from a domain (e.g., Domain 0) to the hypervisor, just as a syscall is a software trap from an application to the kernel. Domains can use hypercalls to request privileged operations like updating page tables. Like a syscall, the hypercall is synchronous, where the return path from the hypervisor to the domain can employ event channels.


In one example implementation, virtual machine monitor 16 is a Xen element, which is a hypervisor that runs on bare hardware and which provides the capability of running multiple instances of OSs simultaneously on the same hardware. A typical Xen setup may involve Xen running beneath multiple OSs, where applications are on top of the OSs, which are associated with a group of virtual machines. The entire configuration may be provided in a server (or some other network appliance). One of the virtual machines can be running an OS associated with Domain 0. This VM (Dom 0) provides the user with the interface to manage this complete setup, and also hosts the device drivers. This management includes the hypervisor configuration, VM configuration, creation, deletion, shutdown, startup, etc. of VMs. This kind of setup can be popular in data centers where servers run Xen, which in turn hosts multiple instances of guest OSs (VMs). Each such server can have one Domain 0. The features discussed herein can effectively secure this Domain 0, as detailed below.


In most virtualization scenarios, one of the virtual elements is referred to as Domain 0, and it has administrative authority to control other virtual machines. This domain represents a privileged area and, therefore, it should be protected. In one example implementation, virtual machine monitor 16 is a Xen element configured to carry out some of the protection operations as outlined herein. Note that this Xen implementation is only representing one possible example to which the present disclosure can apply. Any number of additional hypervisors or virtual elements could similarly benefit from the broad teachings discussed herein.


In one example, a hypervisor can offer tools and applications necessary to support a complete virtualization environment. The hypervisor is the basic abstraction layer of software that sits directly on the hardware below operating systems. It is responsible for central processing unit (CPU) scheduling and memory partitioning of the various virtual machines running on a hardware device. The hypervisor not only abstracts the hardware for the virtual machines, but also controls the execution of virtual machines as they share the common processing environment.


Inventory 24 represents a memory element (e.g., a database) that may be provided in a security layer that keeps information about authorized binaries and kernel modules. System call table 28 is configured to intercept loading of modules and binaries in a given computer. Loading routines module 30 provides functionality for hooked routines, which can perform a check on each kernel module and binary. Control module 34 offers control for the security layer in user space 12. Control module 34 may include inventory 36, which represents user space inventory that gets pushed to the kernel security layer. Both instances of inventory 24 and 36 may be updated, and/or suitably modified based on systematic configurations, or events that trigger a change to either of these inventories. Management interface 40 can be configured to control the behavior of a security agent, which is relegated the task of protecting a computer.


In operation of a simple example, a loadable kernel module (LKM) represents a system commonly used by Linux (as well as some other modern operating systems) to allow the linking of object code into a running kernel without interrupting system traffic. At a fundamental level, an object is compiled to a re-locatable object (.o) file, loaded using ‘insmod’ under Linux, and removed using ‘rmmod’. Linux also supports demand loading of modules using ‘kerneld’ (now kmod).


Once ‘insmod’ is called, the module is linked into the running system kernel and the function init_module ( ) is called. All modules should contain this function, as well as a cleanup_module ( ), which is called at unloading. The purpose of the init_module ( ) is to register the functions contained within the module to handle system events, such as to operate as device drivers or interrupt handlers. The actions performed by insmod are similar to that of ‘Id’, for example, in regards to linkage.


In this example, when a request to run a binary or kernel module is intercepted, it is checked to see whether it is authorized. For example, a security agent (e.g., a piece of software running in Domain 0) can be configured to compute checksums in order to validate whether a given element (i.e., a binary or a kernel module) is authorized for the particular system. This may include look up operations in which stored inventories are compared against a new request for binaries or kernel modules in order to discern whether to allow these elements to be executed. Thus, the comparison is being made against internally stored items.


The interaction in the architecture of FIG. 1 occurs between system call 42 and loading routines module 30, where a checksum is computed and looked up in an associated inventory. If the checksum is found, then the request is authorized (e.g., ‘return original init [initiate] module’), but if the request is not authorized, then an ‘EPERM’ command is sent, which indicates that the operation is not permitted. More detailed operations associated with these activities are provided below with reference to specific example flows.


Turning to FIG. 2, FIG. 2 is a simplified schematic diagram illustrating a hierarchy 50 of domains within a given computer. More specifically, FIG. 2 depicts a processor privilege level ring usage (x86) in accordance with one embodiment. This ring usage can be associated with a para virtualized system, where a Xen VMM runs in Ring 0, Domain 0, and other guest OS kernels run in Ring 1 and Domain 0 (and additional guest OS user space applications can run in Ring3). Note that the Rings correspond to specific domains in this illustration such that the most privileged domain is represented By Ring 0 (i.e., Domain 0). This is associated with virtual machine monitor 16, where a guest operating system corresponds to Ring 1, and applications correspond to Ring 2 and/or Ring 3. It should also be noted that hypercalls could easily jump to virtual machine monitor 16, or Ring 0, which is problematic for the reasons discussed herein.


Domain 0, a modified Linux kernel, is a unique virtual machine running on the hypervisor that has special rights to access physical I/O resources, as well as interact with the other virtual machines (Domain U: PV and HVM Guests) running on the system. Domain 0 is the first domain launched when the system is booted, and it can be used to create and configure all other regular guest domains. Domain 0 is also sometimes called Dom0 and, similarly, a regular guest domain is called a DomU or unprivileged domain. Virtualization environments can require Domain 0 to be running before other virtual machines can be started. Two drivers are generally included in Domain 0 to support network and local disk requests from Domain U PV and HVM Guests: the Network Backend Driver and the Block Backend Driver. The Network Backend Driver communicates directly with the local networking hardware to process all virtual machines requests coming from the Domain U guests. The Block Backend Driver communicates with the local storage disk to read and write data from the drive based upon Domain U requests.


Thus, a given hypervisor is not alone in its task of administering the guest domains on the system. A special privileged domain (Domain 0) serves as an administrative interface to Xen. Domain 0 has direct physical access to hardware, and it exports the simplified generic class devices to each DomU. Rather than emulating the actual physical devices exactly, the hypervisor exposes idealized devices. For example, the guest domain views the network card as a generic network class device or the disk as a generic block class device. Domain 0 runs a device driver specific to each actual physical device and then communicates with other guest domains through an asynchronous shared memory transport.


Domain 0 can also delegate responsibility for a particular device to another domain. A driver domain is a DomU that runs a minimal kernel and the backend for a particular device. This has the advantage of moving the complexity and risk of device management out of the Domain 0. Moving device management to driver domains can make the system more stable because hardware drivers are notoriously the most error-prone code in an operating system. A driver domain could be stopped and restarted to recover from an error, while stopping and restarting Domain 0 can disrupt the entire system.


As a general proposition, a smaller and simpler Domain 0 is better for the security and stability of the system. Moving device management into driver domains is just one example of this. Although Domain 0 typically runs a general-purpose operating system, it is wise to use Domain 0 strictly for the administration of virtual machines on the system. All other applications can be run in a guest domain. Overall, a bare-bones Domain 0 is less vulnerable to attack or accidental software fault.



FIG. 3 is a simplified block diagram of an LKM authentication implementation 60 in accordance with one example of the present disclosure. FIG. 3 includes many of the same components as FIG. 1, with the addition of a filename based inventory 52 and a checksum based inventory (LKM) 54. In addition, a logical representation of an inventory entry 56 is depicted. Inventory entry 56 includes various fields including a filename, a checksum, an LKM, etc.


As discussed above, there are several Domain 0 security issues in such a scenario. These include unauthorized binary execution, or the propagation of malware capable of modifying the VM state (e.g., via ioctl). Another security risk is presented by the remote code injection in authorized binary to modify the VM state (e.g., via ioctl). Note that in computing, an ioctl is typically the part of the user-to-kernel interface of an operating system. The acronym is short for “Input/output control,” where ioctls are commonly employed to allow user space code to communicate with hardware devices or kernel components. The other threat in such a scenario involves an unauthorized Linux kernel module (e.g., a hypercall). The architecture of FIG. 3 may operate to protect Domain 0 in the following ways. First, the architecture can prevent any execution of unauthorized binaries. Second, the architecture can prevent an ioctl from a writable memory area (e.g., in the context of a buffer overflow attack). In addition, the architecture can protect the system by allowing only authorized LKMs to load.



FIG. 4 is a simplified block diagram of an exploit prevention implementation 62 in accordance with one example of the present disclosure. FIG. 4 depicts an overview of components and processes in Domain 0 and, further, their interactions with a virtual machine monitor (e.g., a Xen VMM). The architecture of FIG. 4 includes a user space 64, a kernel space 66, and a virtual machine monitor 68. The operations of this particular architecture are akin to those outlined herein in protecting an associated system from unauthorized kernel modules or binaries being run, for example, through malware.


Xend shown in FIG. 4 is a special process (e.g., a daemon) that runs as root in Domain 0. It is a part of the Xen system, where users typically interface with xend via the Xen Management (xm) commands. Xm commands to start, stop, and manage guest domains send requests to the xend daemon first, which are in turn relayed to the Xen hypervisor via a hypercall. Commonly, the xend daemon listens for requests on an open network port. The xm commands typically send requests to the listening xend daemon on the same machine. Xm is in the user interface and xend handles the validation and sequencing of requests from multiple sources. The Xen hypervisor carries out the request in most implementations. In this example, an ioctl system call is intercepted and evaluated. If the EIP address is from a writable region, the system call is failed and not performed.


Software for intercepting unauthorized binaries and kernel modules (as well as inhibiting dangerous code from being executed for already running binaries) can be provided at various locations. In one example implementation, this software is resident in a computer sought to be protected from a security attack (or protected from unwanted, or unauthorized manipulations of a privileged area). In a more detailed configuration, this software is specifically resident in Domain 0. One implementation involves providing in a security layer of a virtual machine monitor, which may include (or otherwise interface with) a kernel space and a user space, as depicted by FIG. 1.


In still other embodiments, software could be received or downloaded from a web server (e.g., in the context of purchasing individual end-user licenses for separate devices, separate virtual machines, hypervisors, servers, etc.) in order to carry out these intercepting and authorizing functions in Domain 0. In other examples, the intercepting and authorizing functions could involve a proprietary element (e.g., as part of an antivirus solution), which could be provided in (or be proximate to) these identified elements, or be provided in any other device, server, network appliance, console, firewall, switch, information technology (IT) device, etc., or be provided as a complementary solution (e.g., in conjunction with a firewall), or provisioned somewhere in the network. As used herein in this Specification, the term ‘computer’ is meant to encompass these possible elements (VMMs, hypervisors, Xen devices, virtual devices, network appliances, routers, switches, gateway, processors, servers, loadbalancers, firewalls, or any other suitable device, component, element, or object) operable to affect or process electronic information in a security environment. Moreover, this computer may include any suitable hardware, software, components, modules, interfaces, or objects that facilitate the operations thereof. This may be inclusive of appropriate algorithms and communication protocols that allow for the effective authorization of kernel modules, binaries, etc. In addition, the intercepting and authorizing functions can be consolidated in any suitable manner. Along similar design alternatives, any of the illustrated modules and components of FIGS. 1, 3, and 4 may be combined in various possible configurations: all of which are clearly within the broad scope of this Specification.


In certain example implementations, the intercepting and authorizing functions outlined herein may be implemented by logic encoded in one or more tangible media (e.g., embedded logic provided in an application specific integrated circuit (ASIC), digital signal processor (DSP) instructions, software (potentially inclusive of object code and source code) to be executed by a processor, or other similar machine, etc.). In some of these instances, a memory element (as shown in FIG. 1) can store data used for the operations described herein. This includes the memory element being able to store software, logic, code, or processor instructions that are executed to carry out the activities described in this Specification. A processor can execute any type of instructions associated with the data to achieve the operations detailed herein in this Specification. In one example, the processor (as shown in the FIGURES) could transform an element or an article (e.g., data) from one state or thing to another state or thing. In another example, the activities outlined herein may be implemented with fixed logic or programmable logic (e.g., software/computer instructions executed by a processor) and the elements identified herein could be some type of a programmable processor, programmable digital logic (e.g., a field programmable gate array (FPGA), an erasable programmable read only memory (EPROM), an electrically erasable programmable ROM (EEPROM)) or an ASIC that includes digital logic, software, code, electronic instructions, or any suitable combination thereof.


Any of these elements (e.g., a computer, a server, a network appliance, a firewall, a virtual machine element, etc.) can include memory elements for storing information to be used in achieving the intercepting and authorizing operations as outlined herein. Additionally, each of these devices may include a processor that can execute software or an algorithm to perform the intercepting and authorizing activities as discussed in this Specification. These devices may further keep information in any suitable memory element (random access memory (RAM), ROM, EPROM, EEPROM, ASIC, etc.), software, hardware, or in any other suitable component, device, element, or object where appropriate and based on particular needs. Any of the memory items discussed herein (e.g., inventory, table(s), user space, kernel space, etc.) should be construed as being encompassed within the broad term ‘memory element.’ Similarly, any of the potential processing elements, modules, and machines described in this Specification should be construed as being encompassed within the broad term ‘processor.’ Each of the computers, network appliances, virtual elements, etc. can also include suitable interfaces for receiving, transmitting, and/or otherwise communicating data or information in a secure environment.



FIG. 5 is a flowchart 100 illustrating how security agents can provide security to Domain 0 in accordance with one example embodiment. The flow begins at step 110, where a security agent is installed in Domain 0 of the virtual machine monitor. This initiates the security protection being provided for a given system. At step 120, a system snapshot is performed using the security agent. This could involve evaluating a number of entries in the system's inventory such that authorized elements (binaries, kernel modules, etc.) are identified for future reference. At step 130, the security agent is enabled and this could further involve one or more commands that initiate the protection mechanism.


Step 140 represents copying of an unauthorized binary on Domain 0. The security agent is configured to compute checksums in order to validate whether a given element (a binary or kernel module) is authorized for the particular system. These activities may include look up operations in which stored inventories are compared against new requests for binaries or kernel modules in order to discern whether to allow these elements to be executed. Thus, the comparison is being made against stored items.


At step 150, the query is answered as to whether this particular binary has been authorized. If it has not been authorized, the flow moves to step 160 where execution of the binary is denied. In such a context, an inference can be made that if the lookup reveals that the particular binary is not found, then the request is presumed to be a security risk that should not be executed. If the binary is authorized, then from step 150 the flow moves to step 170, where execution of the binary is allowed.


Note that with the examples provided herein, interaction may be described in terms of two, three, four, or more network elements. However, this has been done for purposes of clarity and example only. In certain cases, it may be easier to describe one or more of the functionalities of a given set of flows by only referencing a limited number of components or network elements. It should be appreciated that system 10 of FIG. 1 (and its teachings) is readily scalable. System 10 can accommodate a large number of components, as well as more complicated or sophisticated arrangements and configurations. Accordingly, the examples provided should not limit the scope or inhibit the broad teachings of system 10 as potentially applied to a myriad of other architectures. In addition, system 10 has been described herein as operating on particular Xen architectures; however, other systems can readily be accommodated by the present solution.


It is also important to note that the steps described with reference to the preceding FIGURES illustrate only some of the possible scenarios that may be executed by, or within, system 10. Some of these steps may be deleted or removed where appropriate, or these steps may be modified or changed considerably without departing from the scope of the discussed concepts. In addition, a number of these operations have been described as being executed concurrently with, or in parallel to, one or more additional operations. However, the timing of these operations may be altered considerably. The preceding operational flows have been offered for purposes of example and discussion. Substantial flexibility is provided by system 10 in that any suitable arrangements, chronologies, configurations, and timing mechanisms may be provided without departing from the teachings of the discussed concepts.

Claims
  • 1. A method, comprising: inserting a security layer in a privileged domain of a computer configured to perform virtualization, wherein: the security layer is in a kernel of a privileged domain of a computer configured to operate in a virtual machine environment; andthe privileged domain of the computer manages a virtual machine monitor (VMM) that operates at a higher priority than one or more operating systems;storing an indication of authorized objects, the authorized objects in a user space of the privileged domain;intercepting, by the security layer, a request for an execution of an object in the computer from the user space of the privileged domain;verifying the request for execution of the object by evaluating the indication of authorized objects; andallowing or denying the execution of the object based upon the verification of the request.
  • 2. The method of claim 1, wherein evaluating the indication of authorized objects includes evaluating authorized binaries and kernel modules.
  • 3. The method of claim 1, further comprising: intercepting an attempt to execute code from a previously authorized binary; andevaluating an origination address of a hypercall associated with the code before executing the code.
  • 4. The method of claim 1, wherein evaluating the indication of authorized objects includes comparing the object to an inventory of authorized objects stored in a user space of the computer.
  • 5. The method of claim 4, further comprising populating a log based on a determination that the execution of the object is not authorized.
  • 6. The method of claim 1, wherein: the attempted execution of the object is an attempted execution of a kernel module to perform a hypercall to access a privileged domain area within the computer; andevaluating the indication of authorized objects includes evaluating whether the hypercall to access a privileged domain area within the computer is authorized.
  • 7. The method of claim 1, wherein: the attempted execution of the object is an attempted modification of a virtual machine state; andevaluating the indication of authorized objects includes evaluating whether the attempted modification of the virtual machine state is authorized.
  • 8. A logic encoded in one or more tangible non-transitory media that includes code for execution and when executed by a processor is operable to: insert a security layer in a privileged domain of a computer, wherein: the security layer is in a kernel of a privileged domain of a computer configured to operate in a virtual machine environment; andthe privileged domain is configured to manage a virtual machine monitor (VMM) that operates at a higher priority than one or more operating systems;store an indication of authorized objects in a user space of the privileged domain;intercept, by the security layer, a request for an execution of an object in the computer from the user space of the privileged domain;verify the request for execution of the object by evaluating the indication of authorized objects; andallow or deny the execution of the object based upon the verification of the request.
  • 9. The logic encoded in tangible non-transitory media of claim 8, wherein the processor is further operable to evaluate the indication of authorized objects by evaluating whether the object is included in authorized binaries and kernel modules.
  • 10. The logic encoded in tangible non-transitory media of claim 8, wherein the processor is further operable to: intercept, by the security layer, an attempt to execute code from a previously authorized binary; andevaluate an origination address of a hypercall associated with the code before executing the code.
  • 11. The logic encoded in tangible non-transitory media of claim 8, wherein the processor is further operable to evaluate the indication of authorized objects by comparing the object to an inventory of authorized objects stored in a user space of the computer.
  • 12. The logic encoded in tangible non-transitory media of claim 11, wherein the processor is further operable to populate a log based on a determination that the execution of the object is not authorized.
  • 13. The logic encoded in tangible non-transitory media of claim 8, wherein: the attempted execution of the object is an attempted execution of a kernel module to perform a hypercall to access a privileged domain area within the computer; andthe processor is further operable to evaluate the indication of authorized objects by evaluating whether the hypercall to access a privileged domain area within the computer is authorized.
  • 14. The logic encoded in tangible non-transitory media of claim 8, wherein: the attempted execution of the object is an attempted modification of a virtual machine state; andthe processor is further configured to evaluate the indication of authorized objects by evaluating whether the attempted modification of the virtual machine state is authorized.
  • 15. An apparatus, comprising: a virtual machine element comprising instructions in a memory; anda processor operable to execute the instructions in the memory to operate the virtual machine element;wherein the virtual machine element is configured to:insert a security layer in a privileged domain of the apparatus, wherein: the security layer is in a kernel of a privileged domain of a computer configured to operate in a virtual machine environment; andthe privileged domain of the apparatus manages a virtual machine monitor (VMM) that operates at a higher priority than one or more operating systems; andstore an indication of authorized objects in a user space of the privileged domain;wherein the security layer is configured to intercept a request for an execution of an object in the computer from the user space of the privileged domain; andwherein the virtual machine element is further configured to:verify the request for execution of the object by evaluating the indication of authorized objects;allow or deny the execution of the object based upon the verification of the request.
  • 16. The apparatus of claim 15, wherein: the security layer is further configured to intercept an attempt to execute code from a previously authorized binary; andthe virtual machine element is further configured to evaluate an origination address of a hypercall associated with the code before executing the code.
  • 17. The apparatus of claim 15, wherein the virtual machine element is further configured to evaluate the indication of authorized objects by comparing the object to an inventory of authorized objects stored in a user space of the computer.
  • 18. The apparatus of claim 17, wherein the virtual machine element is further configured to populate a log based on a determination that the execution of the object is not authorized.
  • 19. The apparatus of claim 15, wherein: the attempted execution of the object is an attempted execution of a kernel module to perform a hypercall to access a privileged domain area within the computer; andwherein the virtual machine element is further configured to evaluate the indication of authorized objects by evaluating whether the hypercall to access a privileged domain area within the computer is authorized.
  • 20. The apparatus of claim 15, wherein: the attempted execution of the object is an attempted modification of a virtual machine state; andwherein the virtual machine element is further configured to evaluate the indication of authorized objects by evaluating whether the attempted modification of the virtual machine state is authorized.
RELATED APPLICATIONS

This Application is a continuation of U.S. application Ser. No. 13/723,445, filed Dec. 21, 2012, which is a continuation application (and claims the benefit of priority under 35 U.S.C. §120) of U.S. application Ser. No. 12/545,609, filed Aug. 21, 2009 The disclosure of the prior applications are considered part of (and are incorporated by reference in) the disclosure of this application.

US Referenced Citations (301)
Number Name Date Kind
4688169 Joshi Aug 1987 A
4982430 Frezza et al. Jan 1991 A
5155847 Kirouac et al. Oct 1992 A
5222134 Waite et al. Jun 1993 A
5390314 Swanson Feb 1995 A
5521849 Adelson et al. May 1996 A
5560008 Johnson et al. Sep 1996 A
5699513 Feigen et al. Dec 1997 A
5778226 Adams et al. Jul 1998 A
5778349 Okonogi Jul 1998 A
5787427 Benantar et al. Jul 1998 A
5842017 Hookway et al. Nov 1998 A
5907709 Cantey et al. May 1999 A
5907860 Garibay et al. May 1999 A
5926832 Wing et al. Jul 1999 A
5944839 Isenberg Aug 1999 A
5974149 Leppek Oct 1999 A
5987610 Franczek et al. Nov 1999 A
5987611 Freund Nov 1999 A
5991881 Conklin et al. Nov 1999 A
6064815 Hohensee et al. May 2000 A
6073142 Geiger et al. Jun 2000 A
6141698 Krishnan et al. Oct 2000 A
6192401 Modiri et al. Feb 2001 B1
6192475 Wallace Feb 2001 B1
6256773 Bowman-Amuah Jul 2001 B1
6275938 Bond et al. Aug 2001 B1
6321267 Donaldson Nov 2001 B1
6338149 Ciccone, Jr. et al. Jan 2002 B1
6356957 Sanchez, II et al. Mar 2002 B2
6393465 Leeds May 2002 B2
6442686 McArdle et al. Aug 2002 B1
6449040 Fujita Sep 2002 B1
6453468 D'Souza Sep 2002 B1
6460050 Pace et al. Oct 2002 B1
6496477 Perkins et al. Dec 2002 B1
6587877 Douglis et al. Jul 2003 B1
6611925 Spear Aug 2003 B1
6662219 Nishanov et al. Dec 2003 B1
6748534 Gryaznov et al. Jun 2004 B1
6769008 Kumar et al. Jul 2004 B1
6769115 Oldman Jul 2004 B1
6795966 Lim et al. Sep 2004 B1
6832227 Seki et al. Dec 2004 B2
6834301 Hanchett Dec 2004 B1
6847993 Novaes et al. Jan 2005 B1
6907600 Neiger et al. Jun 2005 B2
6918110 Hundt et al. Jul 2005 B2
6930985 Rathi et al. Aug 2005 B1
6934755 Saulpaugh et al. Aug 2005 B1
6988101 Ham et al. Jan 2006 B2
6988124 Douceur et al. Jan 2006 B2
7007302 Jagger et al. Feb 2006 B1
7010796 Strom et al. Mar 2006 B1
7024548 O'Toole, Jr. Apr 2006 B1
7039949 Cartmell et al. May 2006 B2
7054930 Cheriton May 2006 B1
7065767 Kambhammettu et al. Jun 2006 B2
7069330 McArdle et al. Jun 2006 B1
7082456 Mani-Meitav et al. Jul 2006 B2
7093239 van der Made Aug 2006 B1
7124409 Davis et al. Oct 2006 B2
7139916 Billingsley et al. Nov 2006 B2
7152148 Williams et al. Dec 2006 B2
7159036 Hinchliffe et al. Jan 2007 B2
7177267 Oliver et al. Feb 2007 B2
7203864 Goin et al. Apr 2007 B2
7251655 Kaler et al. Jul 2007 B2
7290266 Gladstone et al. Oct 2007 B2
7302558 Campbell et al. Nov 2007 B2
7330849 Gerasoulis et al. Feb 2008 B2
7346781 Cowie et al. Mar 2008 B2
7349931 Horne Mar 2008 B2
7350204 Lambert et al. Mar 2008 B2
7353501 Tang et al. Apr 2008 B2
7363022 Whelan et al. Apr 2008 B2
7370360 van der Made May 2008 B2
7406517 Hunt et al. Jul 2008 B2
7441265 Staamann et al. Oct 2008 B2
7464408 Shah et al. Dec 2008 B1
7506155 Stewart et al. Mar 2009 B1
7506170 Finnegan Mar 2009 B2
7506364 Vayman Mar 2009 B2
7546333 Alon et al. Jun 2009 B2
7546594 McGuire et al. Jun 2009 B2
7552479 Conover et al. Jun 2009 B1
7577995 Chebolu et al. Aug 2009 B2
7603552 Sebes et al. Oct 2009 B1
7607170 Chesla Oct 2009 B2
7657599 Smith Feb 2010 B2
7669195 Qumei Feb 2010 B1
7685635 Vega et al. Mar 2010 B2
7698744 Fanton et al. Apr 2010 B2
7703090 Napier et al. Apr 2010 B2
7739497 Fink et al. Jun 2010 B1
7757269 Roy-Chowdhury et al. Jul 2010 B1
7765538 Zweifel et al. Jul 2010 B2
7783735 Sebes et al. Aug 2010 B1
7809704 Surendran et al. Oct 2010 B2
7818377 Whitney et al. Oct 2010 B2
7823148 Deshpande et al. Oct 2010 B2
7836504 Ray et al. Nov 2010 B2
7840968 Sharma et al. Nov 2010 B1
7849507 Bloch et al. Dec 2010 B1
7856661 Sebes et al. Dec 2010 B1
7865931 Stone et al. Jan 2011 B1
7870387 Bhargava et al. Jan 2011 B1
7873955 Sebes Jan 2011 B1
7895573 Bhargava et al. Feb 2011 B1
7908653 Brickell et al. Mar 2011 B2
7937455 Saha et al. May 2011 B2
7966659 Wilkinson et al. Jun 2011 B1
7996836 McCorkendale et al. Aug 2011 B1
8015388 Rihan et al. Sep 2011 B1
8015563 Araujo et al. Sep 2011 B2
8028340 Sebes et al. Sep 2011 B2
8195931 Sharma et al. Jun 2012 B1
8234713 Roy-Chowdhury et al. Jul 2012 B2
8307437 Sebes et al. Nov 2012 B2
8321932 Bhargava et al. Nov 2012 B2
8332929 Bhargava et al. Dec 2012 B1
8352930 Sebes et al. Jan 2013 B1
8381284 Dang et al. Feb 2013 B2
8515075 Saraf et al. Aug 2013 B1
8539063 Sharma et al. Sep 2013 B1
8544003 Sawhney et al. Sep 2013 B1
8549003 Bhargava et al. Oct 2013 B1
8555404 Sebes et al. Oct 2013 B1
8561082 Sharma et al. Oct 2013 B2
8615502 Saraf et al. Dec 2013 B2
8701189 Saraf et al. Apr 2014 B2
8739272 Cooper et al. May 2014 B1
8762928 Sharma et al. Jun 2014 B2
20020056076 Made May 2002 A1
20020069367 Tindal et al. Jun 2002 A1
20020083175 Afek et al. Jun 2002 A1
20020099671 Mastin Crosbie et al. Jul 2002 A1
20020114319 Liu et al. Aug 2002 A1
20030014667 Kolichtchak Jan 2003 A1
20030023736 Abkemeier Jan 2003 A1
20030033510 Dice Feb 2003 A1
20030065945 Lingafelt et al. Apr 2003 A1
20030073894 Chiang et al. Apr 2003 A1
20030074552 Olkin et al. Apr 2003 A1
20030115222 Oashi et al. Jun 2003 A1
20030120601 Ouye et al. Jun 2003 A1
20030120811 Hanson et al. Jun 2003 A1
20030120935 Teal et al. Jun 2003 A1
20030145232 Poletto et al. Jul 2003 A1
20030163718 Johnson et al. Aug 2003 A1
20030167292 Ross Sep 2003 A1
20030167399 Audebert et al. Sep 2003 A1
20030200332 Gupta et al. Oct 2003 A1
20030212902 van der Made Nov 2003 A1
20030220944 Lyman Schottland et al. Nov 2003 A1
20030221190 Deshpande et al. Nov 2003 A1
20040003258 Billingsley et al. Jan 2004 A1
20040015554 Wilson Jan 2004 A1
20040051736 Daniell Mar 2004 A1
20040054928 Hall Mar 2004 A1
20040143749 Tajalli et al. Jul 2004 A1
20040167906 Smith et al. Aug 2004 A1
20040172551 Fielding et al. Sep 2004 A1
20040230794 England et al. Nov 2004 A1
20040230963 Rothman et al. Nov 2004 A1
20040243678 Smith Dec 2004 A1
20040255161 Cavanaugh Dec 2004 A1
20040268149 Aaron Dec 2004 A1
20050005006 Chauffour et al. Jan 2005 A1
20050018651 Yan et al. Jan 2005 A1
20050086047 Uchimoto et al. Apr 2005 A1
20050091321 Daniell et al. Apr 2005 A1
20050108516 Balzer et al. May 2005 A1
20050108562 Khazan et al. May 2005 A1
20050114672 Duncan et al. May 2005 A1
20050132346 Tsantilis Jun 2005 A1
20050228990 Kato et al. Oct 2005 A1
20050235360 Pearson Oct 2005 A1
20050257207 Blumfield et al. Nov 2005 A1
20050257265 Cook et al. Nov 2005 A1
20050260996 Groenendaal Nov 2005 A1
20050262558 Usov Nov 2005 A1
20050273858 Zadok et al. Dec 2005 A1
20050283823 Okajo et al. Dec 2005 A1
20050289538 Black-Ziegelbein et al. Dec 2005 A1
20060004875 Baron et al. Jan 2006 A1
20060015501 Sanamrad et al. Jan 2006 A1
20060037016 Saha et al. Feb 2006 A1
20060072451 Ross Apr 2006 A1
20060075478 Hyndman et al. Apr 2006 A1
20060080656 Cain et al. Apr 2006 A1
20060085785 Garrett Apr 2006 A1
20060101277 Meenan et al. May 2006 A1
20060104295 Worley et al. May 2006 A1
20060123416 Cibrario Bertolotti et al. Jun 2006 A1
20060133223 Nakamura et al. Jun 2006 A1
20060136910 Brickell et al. Jun 2006 A1
20060136911 Robinson et al. Jun 2006 A1
20060143713 Challener et al. Jun 2006 A1
20060195906 Jin et al. Aug 2006 A1
20060200863 Ray et al. Sep 2006 A1
20060230314 Sanjar et al. Oct 2006 A1
20060236094 Leung et al. Oct 2006 A1
20060236398 Trakic et al. Oct 2006 A1
20060259734 Sheu et al. Nov 2006 A1
20060277603 Kelso et al. Dec 2006 A1
20070011746 Malpani et al. Jan 2007 A1
20070028303 Brennan Feb 2007 A1
20070033645 Jones Feb 2007 A1
20070039049 Kupferman et al. Feb 2007 A1
20070050579 Hall et al. Mar 2007 A1
20070050764 Traut Mar 2007 A1
20070074199 Schoenberg Mar 2007 A1
20070083522 Nord et al. Apr 2007 A1
20070101435 Konanka et al. May 2007 A1
20070136579 Levy et al. Jun 2007 A1
20070143851 Nicodemus et al. Jun 2007 A1
20070157303 Pankratov Jul 2007 A1
20070169079 Keller et al. Jul 2007 A1
20070192329 Croft et al. Aug 2007 A1
20070220061 Tirosh et al. Sep 2007 A1
20070220507 Back et al. Sep 2007 A1
20070253430 Minami et al. Nov 2007 A1
20070256138 Gadea et al. Nov 2007 A1
20070271561 Winner et al. Nov 2007 A1
20070300215 Bardsley Dec 2007 A1
20080005737 Saha et al. Jan 2008 A1
20080005798 Ross Jan 2008 A1
20080010304 Vempala et al. Jan 2008 A1
20080022384 Yee et al. Jan 2008 A1
20080034416 Kumar et al. Feb 2008 A1
20080034418 Venkatraman et al. Feb 2008 A1
20080052468 Speirs et al. Feb 2008 A1
20080082977 Araujo et al. Apr 2008 A1
20080091891 Shiota et al. Apr 2008 A1
20080120499 Zimmer et al. May 2008 A1
20080141371 Bradicich et al. Jun 2008 A1
20080163207 Reumann et al. Jul 2008 A1
20080163210 Bowman et al. Jul 2008 A1
20080165952 Smith et al. Jul 2008 A1
20080184373 Traut et al. Jul 2008 A1
20080235534 Schunter et al. Sep 2008 A1
20080244206 Heo et al. Oct 2008 A1
20080263676 Mo et al. Oct 2008 A1
20080270825 Goodson et al. Oct 2008 A1
20080282080 Hyndman et al. Nov 2008 A1
20080294703 Craft et al. Nov 2008 A1
20080301770 Kinder Dec 2008 A1
20090007100 Field et al. Jan 2009 A1
20090038017 Durham et al. Feb 2009 A1
20090043993 Ford et al. Feb 2009 A1
20090049220 Conti et al. Feb 2009 A1
20090055693 Budko et al. Feb 2009 A1
20090063665 Bagepalli et al. Mar 2009 A1
20090089790 Manczak et al. Apr 2009 A1
20090113110 Chen et al. Apr 2009 A1
20090125902 Ghosh et al. May 2009 A1
20090144300 Chatley et al. Jun 2009 A1
20090150639 Ohata Jun 2009 A1
20090157936 Goss et al. Jun 2009 A1
20090249053 Zimmer et al. Oct 2009 A1
20090249438 Litvin et al. Oct 2009 A1
20090328185 Berg et al. Dec 2009 A1
20100049973 Chen Feb 2010 A1
20100071035 Budko et al. Mar 2010 A1
20100114825 Siddegowda May 2010 A1
20100188976 Rahman et al. Jul 2010 A1
20100250895 Adams et al. Sep 2010 A1
20100281133 Brendel Nov 2010 A1
20100281273 Lee et al. Nov 2010 A1
20100293225 Sebes et al. Nov 2010 A1
20100332910 Ali et al. Dec 2010 A1
20110029772 Fanton et al. Feb 2011 A1
20110035423 Kobayashi et al. Feb 2011 A1
20110047543 Mohinder Feb 2011 A1
20110077948 Sharma et al. Mar 2011 A1
20110078550 Nabutovsky Mar 2011 A1
20110093842 Sebes Apr 2011 A1
20110113467 Agarwal et al. May 2011 A1
20110119760 Sebes et al. May 2011 A1
20110138461 Bhargava et al. Jun 2011 A1
20110302647 Bhattacharya et al. Dec 2011 A1
20120030731 Bhargava et al. Feb 2012 A1
20120030750 Bhargava et al. Feb 2012 A1
20120216271 Cooper et al. Aug 2012 A1
20120278853 Roy-Chowdhury et al. Nov 2012 A1
20120290827 Bhargava et al. Nov 2012 A1
20120290828 Bhargava et al. Nov 2012 A1
20120297176 Bhargava et al. Nov 2012 A1
20130024934 Sebes et al. Jan 2013 A1
20130091318 Bhattacharjee et al. Apr 2013 A1
20130097355 Dang et al. Apr 2013 A1
20130097356 Dang et al. Apr 2013 A1
20130097658 Cooper et al. Apr 2013 A1
20130097692 Cooper et al. Apr 2013 A1
20130117823 Dang et al. May 2013 A1
20130246423 Bhargava et al. Sep 2013 A1
20130247027 Shah et al. Sep 2013 A1
20130247032 Bhargava et al. Sep 2013 A1
20130247192 Krasser et al. Sep 2013 A1
20140189859 Ramanan et al. Jul 2014 A1
Foreign Referenced Citations (17)
Number Date Country
1383295 Dec 2002 CN
1 482 394 Dec 2004 EP
2 037 657 Mar 2009 EP
2 599 026 Jun 2013 EP
2 599 276 Jun 2013 EP
2004-524598 Aug 2004 JP
9844404 Oct 1998 WO
0184285 Nov 2001 WO
2006012197 Feb 2006 WO
2006124832 Nov 2006 WO
2008054997 May 2008 WO
2011059877 May 2011 WO
2012015485 Feb 2012 WO
2012015489 Feb 2012 WO
2012116098 Aug 2012 WO
2013058940 Apr 2013 WO
2013058944 Apr 2013 WO
Non-Patent Literature Citations (45)
Entry
“Desktop Management and Control”, printed Oct. 12, 2009, 1 page. Website: http://www.vmware.com/solutions/desktop/.
“Secure Mobile Computing”, printed Oct. 12, 2009, 2 pages. Website: http://www.vmware.com/solutions/desktop/mobile.html.
Final Office Action received for U.S. Appl. No. 12/545,609, mailed on Jul. 27, 2012, 22 pages.
Non-Final Office Action received for U.S. Appl. No. 12/545,609, mailed on Feb. 1, 2012, 17 pages.
Notice of Allowance received for U.S. Appl. No. 12/545,609, mailed on Nov. 9, 2012, 15 pages.
Notice of Allowance received for U.S. Appl. No. 13/723,445, mailed on Jun. 19, 2014, 14 pages.
Non-Final Office Action received for U.S. Appl. No. 13/723,445, mailed on Jan. 13, 2014, 35 pages.
Barrantes, et al., “Randomized Instruction Set Emulation to Dispurt Binary Code Injection Attacks”, Oct. 27-31, 2003, ACM, pp. 281-289.
Bhatkar, et al., “Efficient Techniques for Comprehensive Protection from Memory Error Exploits”, USENIX Association, 14th USE NIX Security Symposium, Aug. 1-5, 2005, Baltimore, MD, 16 pages.
Check Point Software Technologies, “Zone Alarm Security Software User Guide Version 9”, Aug. 24, 2009, XP002634548, 259 pages.
Dewan, et al., “A Hypervisor-Based System for Protecting Software Runtime Memory and Persistent Storage”, Spring Simulation Multiconference 2008, Apr. 14-17, 2008, Ottawa, Canada, 8 pages.
E. Rescorla, et al., “Datagram Transport Layer Security Request for Comments 4347”, Stanford University, Apr. 2006, retrieved and printed on Oct. 17, 2011, 26 pages.
Eli M. Dow, et al., “The Xen Hypervisor”, INFORMIT, dated Apr. 10, 2008, 13 pages.
F. Baker, “Requirements for IP Version 4 Routers Request for Comments 1812”, Cisco Systems, Jun. 1995, 175 pages.
FIPS, “Secure Hash Standard (SHS)”, Federal Information Processing Standards Publication, FIPS PUB 180-4, Mar. 2012, 35 pages.
FIPS, “The Keyed—Hash Message Authentication Code (HMAC)”, FIPS PUB 198, Issued Mar. 6, 2002, Federal Information Processing Standards Publication, 20 pages.
G. Pruett, et al., “BladeCenter Systems Management Software”, vol. 49 Issue 6, Nov. 2005, pp. 963-975.
Gaurav, et al., “Countering Code-Injection Attacks with Instruction-Set Randomization”, ACM, Oct. 27-31, 2003, pp. 272-280.
Hinden, R. et al., “Unique Local IPv6 Unicast Addresses”, Request for Comments: 4193, Oct. 2005, 16 pages.
Intel, “IA-32 Intel Architecture Software Developer's Manual”, vol. 3B; Jun. 2006; pp. 13, 15, 22 and 145-146.
J. Postel, “Internet Control Message Protocol”, Request for Comments 792, ISI, Sep. 1981, 19 pages.
Kurt Gutzmann, “Access Control and Session Management in the HTTP Environment”, IEEE Internet Computing, Jan./Feb. 2001, pp. 26-35.
Mathew J. Schwartz, “Palo Alto Introduces Security for Cloud, Mobile Users”, retrieved Feb. 9, 2011 from http://www.informationweek.com/news/security/perimeter/showArticle.jhtml?articleID—22, 4 pages.
McAfee, “McAfee Management for Optimized Virtual Environments”, copyright 2012, 2 pages.
McAfee, “What's New: McAfee VirusScan Enterprise, 8.8”, copyright 2010, 4 pages.
Myung-Sup Kim, et al., “A Load Cluster Management System Using SNMP and Web”, vol. 12, Issue 6, pages , May 2002, pp. 367-378.
International Search Report and Written Opinion received for PCT Patent Application No. PCT/US2010/055520, mailed on Mar. 2, 2011, 8 pages.
International Preliminary Report on Patentability and Written Opinion Received for PCT Patent Application No. PCT/US2010/055520, mailed on May 24, 2012, 5 pages.
International Preliminary Report on Patentability and Written Opinion Received for PCT Patent Application No. PCT/US2011/020677, mailed on Jan. 29, 2013, 9 pages.
International Search Report and Written Opinion received for PCT Patent Application No. PCT/US2011/020677, mailed on Jul. 22, 2011, 17 pages.
International Preliminary Report on Patentability and Written Opinion Received for PCT Patent Application No. PCT/US2011/024869, mailed on Jan. 29, 2013, 6 pages.
International Search Report and Written Opinion received for PCT Patent Application No. PCT/US2011/024869, mailed on Jul. 14, 2011, 10 pages.
International Search Report and Written Opinion received for PCT Patent Application No. PCT/US2012/026169, mailed on Jun. 18, 2012, 11 pages.
International Search Report and Written Opinion received for PCT Patent Application No. PCT/US2012/055674, mailed on Dec. 14, 2012, 9 pages.
International Search Report and Written Opinion received for PCT Patent Application No. PCT/US2012/057153, mailed on Dec. 26, 2012, 8 pages.
International Search Report and Written Opinion received for PCT Patent Application No. PCT/US2012/057312, mailed on Jan. 31, 2013, 10 pages.
Philip M. Papadopoulos, et al., “NPACI Rocks: Tools and Techniques for Easily Deploying Manageable Linux Clusters”, Aug. 2002, pp. 707-725.
R. Rivest, “The MD5 Message-Digest Algorithm”, Request for Comments: 1321, Apr. 1992, 19 pages.
Sailer, et al., “sHype: Secure Hypervisor Approach to Trusted Virtualized Systems”, IBM research Report, Feb. 2, 2005, 13 pages.
Shacham, et al., “On the Effectiveness of Address-Space Randomization”, CCS'04, Oct. 25-29, 2004, Washington, D.C., Copyright 2004, 10 pages.
Symantec Corporation, “An Analysis of Address Space Layout Randomization on Windows Vistan”, Symantec Advanced Threat Research, copyright 2007, 19 pages.
Tal Garfinkel, “Terra: A Virtual Machine-Based Platform for Trusted Computing”, XP-002340992, SOSP'03, Oct. 19-22, 2003, 14 pages.
Thomas Staub, et al., “Secure Remote Management and Software Distribution for Wireless Mesh Networks”, Sep. 2007, pp. 1-8.
Xen, “Xen Architecture Overview”, Version 1.2, Feb. 13, 2008, 9 pages.
Zhen Chen, et al., “Application Level Network Access Control System Based on TNC Architecture for Enterprise Network”, In: Wireless communications Networking and Information Security (WCNIS), 2010 IEEE International Conference, Jun. 25-27, 2010, 5 pages.
Related Publications (1)
Number Date Country
20150026762 A1 Jan 2015 US
Continuations (2)
Number Date Country
Parent 13723445 Dec 2012 US
Child 14506326 US
Parent 12545609 Aug 2009 US
Child 13723445 US