US20120291094A9 - Method and apparatus for lifecycle integrity verification of virtual machines - Google Patents
Method and apparatus for lifecycle integrity verification of virtual machines Download PDFInfo
- Publication number
- US20120291094A9 US20120291094A9 US12/179,303 US17930308A US2012291094A9 US 20120291094 A9 US20120291094 A9 US 20120291094A9 US 17930308 A US17930308 A US 17930308A US 2012291094 A9 US2012291094 A9 US 2012291094A9
- Authority
- US
- United States
- Prior art keywords
- virtual machine
- integrity
- machine images
- images
- verifying
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/12—Applying verification of the received information
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0894—Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
- H04L9/0897—Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage involving additional devices, e.g. trusted platform module [TPM], smartcard or USB
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3236—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1433—Vulnerability analysis
Definitions
- This application pertains to computer virtualization, and more particularly, to determining the integrity of one or more virtual machines and their associated components.
- large batch processing machines used by banks are configured to run large batches of reconciliations. But when a machine is not performing the batches of reconciliations, it may in essence be “wasting” processing power until another batch of reconciliations begins, or until the machine is removed or powered off for maintenance. The wasted processing power results in bloated information technology budgets and an overall increase of costs to the businesses.
- Virtualization of computer resources is changing the face of computing by offering a way to make use of the idling machines to a higher degree.
- Virtualization is a broad term that refers to the abstraction of computer resources. In other words, physical characteristics of computing resources may be hidden from the way in which other systems, applications, or end users interact with those resources.
- the most basic use of virtualization involves reducing the number of servers by increasing the utilization levels of a smaller set of machines. This includes making a single physical resource such as a server or storage device appear to function as one or more logical resources. Additionally, it can make one or more physical resources appear as a single resource. For instance, if a server's average utilization is only 15%, deployment of multiple virtual machines onto that server has the potential to increase the overall utilization by a factor of 5 or more. Thus, not only is the usage of each machine more efficiently managed, but the usability of the system as a whole is also enhanced.
- a virtual machine may be a single instance of a number of discrete identical execution environments on a single computer, each of which runs an operating system (OS). These virtual machines act as individual computing environments and therefore are subject to many of the same operating deficiencies found in standard physical computing environments. The virtual machines can be configured improperly, often by well-intentioned technicians or operators, and then broadly deployed. Operating systems, applications, and configurations can be modified from the expected state, thereby creating a drift between the expected and actual machine configuration.
- OS operating system
- a virtual machine can be provisioned with the same OS, applications, and configurations and placed into physical storage until it is ready to execute. Once copied to a physical machine, it can be executed, perform its monthly cycle functions, and then be shutdown and returned to storage. In this way, virtual machines may be used much like physical servers are today, but may operate less frequently, e.g., running for just hours or minutes at a time rather than months or years, as was often the case with a physical server.
- Another problem that threatens the viability of the virtualization movement is that of access control, security, and data integrity.
- gaining access to a data center most often required interaction with physical servers, buildings, and people, in a virtualized environment, such safe guards are lessened.
- adding a physical server to a data center involved somebody swiping an access card or other security measure to allow access to the data center, carrying a box into the data center under the supervision of other IT professionals or building managers, and installing the physical server into a rack.
- virtualization theoretically a person can sit in a remote location and install a new server into the virtualized environment without ever needing to physically access the data center.
- malicious activity accounts for only about 3-5% of data center issues, most of the data center issues are caused by well-intentioned people who are either inadequately trained or make honest mistakes, thereby leading to system or component failures, which can sometimes be very severe—even catastrophic.
- the present application includes a method and system for verifying the integrity of virtual machines and for verifying the integrity of discrete elements of the virtual machines throughout the lifecycle of the virtual machines.
- the system can include a machine, a virtual machine manager capable of managing one or more virtual machine images installed on the machine, an integrity reference component configured to store a plurality of virtual machine integrity records, and an integrity verification component communicatively coupled to the virtual machine manager and the integrity reference component, the integrity verification component configured to compare a digest of said one or more virtual machine images to a digest of at least one of said plurality of virtual machine integrity records accessible from the integrity reference component.
- FIG. 1 shows a system including a virtual machine environment, an integrity verification component, and an integrity reference component according to an embodiment of the present invention.
- FIG. 2 shows a system including a virtual machine environment, a remotely accessible integrity verification component, and an integrity reference component according to another embodiment of the present invention.
- FIG. 3 shows a system including a virtual machine environment, an integrity verification component, and an integrity reference component operable within a virtual machine image according to another embodiment of the present invention.
- FIG. 4 shows a system including a virtual machine environment, measurement agents in communication with an integrity verification component, and an integrity reference component according to yet another embodiment of the present invention.
- FIG. 5 shows a state diagram of a virtual machine lifecycle including verification actions performed during different states according to some embodiments of the present invention.
- FIG. 6 shows a flow diagram including a method for verifying the integrity of discrete virtual machine elements of a virtual machine image according to some embodiments of the present invention.
- FIG. 7 shows a flow diagram including a method for verifying the integrity of virtual machine images according to some embodiments of the present invention.
- an embodiment of the invention begins by setting forth a method and system for verifying the integrity of virtual machines in a virtual machine environment.
- a basic use of virtualization involves reducing the number of physical machines or servers by increasing the utilization levels of a smaller set of physical machines or servers. Virtualization enables administrators to perform this consolidation by treating each physical machine as one or more virtual machines. As a result, there are fewer physical machines to support, which use less rack space and result in reduced power consumption.
- virtualization provides an opportunity for administrators to homogenize the physical machine hardware platforms while still running disparate operating systems and applications, including legacy operating systems and applications that might not be usable on more current hardware platforms without a virtualization layer. Further, existing physical machine hardware can be repurposed without modifying the underlying hardware platforms. Virtualization also provides for simpler disaster recovery protection of data because enterprise systems required for business continuity can be deployed into any data center built on virtualized resources, regardless of whether the physical machine hardware platforms are identical.
- a virtual machine manager also referred to as a “Hyperviser,” executes above the physical machine hardware and can provide the base functionality for accessing devices and memory of the physical machine.
- the VMM is also responsible for loading and controlling virtual machines, also referred to as virtual machine images.
- the VMM can control the virtual machines' access to system resources, and can schedule execution cycles in the processor.
- the VMM can ensure that each virtual machine is sufficiently isolated so that a failure in any one of the virtual machines will not affect the ability of any other virtual machine to execute and continue operation.
- a virtual machine image normally appears as a single file, or related set of files, on a normal underlying file system.
- the structure of the virtual machine image is such that internally it can represent a full file system for a given platform.
- Each virtual machine image can be dedicated to a particular task such as operating a web interface, a database, or a payment processor, among other possibilities.
- logical functions of a business can be separated into virtual machines and executed separately. For example, consider an e-commerce storefront that serves up many different pages of a catalog and controls a shopping cart that users can add items to. Unless the users were actually to purchase an item, a payment processor virtual machine would remain mostly idle, consuming little to no execution resources.
- the payment processor virtual machine can be given execution cycles by the VMM and can process the transaction.
- Other examples include virtual machines used for bank or financial institution reconciliations, aircraft control system operations, or weather tracking systems, among many other possibilities.
- the lifecycle of a virtual machine image includes various states. For example, a virtual machine image can be created, started, suspended, stopped, migrated, or destroyed.
- One factor of concern in the execution of virtual machines is the quality of the image as it is loaded from storage into the execution environment.
- virtual machine images are loaded from a storage location (such as a hard disk drive, memory, USB peripheral, etc.), and executed directly by the VMM, which has no expectation or understanding of the quality (i.e., trustworthiness or integrity) of the virtual machine image or of its contents.
- the virtual machine image may not be compliant with expected settings and configurations required for proper execution in a given environment.
- the virtual machine image itself could be corrupted or even maliciously augmented (perhaps by an insider).
- a virtual machine image can be stored as a complete execution-capable environment, it is feasible that another user or system could access the virtual machine, execute it, and change its state by adding software or modifying its configuration, and then replace it back in the original storage location. If such actions are preformed by authorized administrators making authorized changes, such changes would be acceptable.
- the opportunity for unauthorized or unexpected changes exists. As previously mentioned, most of the data center issues are caused by well-intentioned people who are either inadequately trained or make honest mistakes, thereby leading to system or component failures. In other words, changes can be made by both legitimate and illegitimate users. Thus, the original virtual machine image might not be in its original or pristine state.
- an integrity verification component can be communicatively coupled to the VMM or integrated within the VMM to perform a one-way cryptographic hashing function over the virtual machine image.
- the resulting hash also referred to herein as a “digest,” can be compared to virtual machine integrity records, which include known good reference values (i.e., known good digests) stored locally in an integrity reference component, or alternatively stored remotely in an integrity reference component accessible over a network.
- known good reference values i.e., known good digests
- FIG. 1 shows a system including a virtual machine environment, an integrity verification component, and an integrity reference component according to an embodiment of the present invention.
- An integrity verification component 105 can be communicatively coupled to a virtual machine manager (VMM)/Hypervisor 110 .
- VMM 110 executes above physical hardware platform/machine 115 .
- Machine 115 can be any desired platform, including among other possibilities a stand-alone computer, a server, a personal digital assistant (PDA), a cellular telephone, and a Smartphone.
- VMM 110 is capable of managing one or more virtual machine images 120 installed on machine 115 , and provides the base functionality for providing virtual machine images 120 with access to devices and memory of machine 115 .
- Integrity verification component 105 can also be communicatively coupled to integrity reference component 125 , which can store virtual machine integrity records 130 having known good digests 135 . Prior to deployment of a virtual machine image 120 , integrity verification component 105 can verify the integrity of virtual machine image 120 and create a hash or digest of virtual machine image 120 while in a known good state so as to facilitate the creation of a trusted library of known good reference values, such as those stored as virtual machine integrity records 130 having digests 135 in the integrity reference component 125 . Integrity verification component 105 can verify the integrity of a software stack used to create virtual machine images 120 prior to creation of virtual machine images 120 . Integrity reference component 125 , including virtual machine integrity records 130 and digests 135 , can also be digitally signed by an integrity reference provider (not shown).
- the integrity verification component 105 can be configured to collect measurements, such as a digest, from one or more of the virtual machine images 120 and compare the digest to a digest 135 of at least one of the virtual machine integrity records 130 accessible from integrity reference component 125 .
- integrity verification component 105 can generate the digest based on measurements collected from virtual machine images 120 , and compare the generated digest to a digest 135 of at least one of the virtual machine integrity records 130 .
- Integrity verification component 105 can then generate a trust score for one or more of the virtual machine images 120 responsive to the comparison. The trust score can further be generated based on an authenticity score authenticating a source of the collected measurements.
- Authenticity is an extension of integrity whereby the contents of the integrity reference component 125 also contains an indicator (not shown) of the source of the information derived from the measurements and stored in the integrity reference component 125 (such as in the form of virtual machine integrity records 130 ), thereby attesting to the origin of the information.
- Integrity reference component 125 can be locally accessible or directly attached to the integrity verification component, as shown in FIG. 1 . As explained below, integrity reference component 125 can also be accessible remotely over a network providing access to virtual machine integrity records 130 .
- FIG. 1 shows a server, a cell phone, and a network component
- FIG. 1 shows a server, a cell phone, and a network component
- FIG. 1 shows a server, a cell phone, and a network component
- virtual machines 120 of FIG. 1 show virtual machines that operate a web interface 140 , database 145 , and a payment processor 150
- virtual machines 120 may perform other 155 operations.
- Integrity verification component 105 can be integrated within VMM 110 .
- integrity verification component 105 can exist as a sub-process having security privileges at least as high as security privileges for VMM 110 .
- integrity verification component 105 can exist as an integrated physical component of the physical hardware platform/machine 115 .
- FIG. 2 shows a system including a virtual machine environment, a remotely accessible integrity verification component, and an integrity reference component according to another embodiment of the present invention.
- integrity reference component 125 can be remotely accessible using networking protocols over network 205 .
- Integrity verification component 105 can perform a comparison of the measurements collected and/or generated from virtual machine images 120 against a global integrity reference component 125 .
- integrity verification component 105 can perform a comparison of the measurements collected and/or generated from virtual machine images 120 against a local integrity reference component 125 .
- the integrity reference component 125 whether local or global, can periodically be updated with known-good virtual machine integrity records 130 .
- a protected and secured version of integrity reference component 125 can be used as a known good manifest of acceptable measurements (not shown).
- the manifest can be stored locally to the enterprise (for example, on some other physical machine accessible from machine 115 via network 205 ), or on machine 115 itself. This manifest can be updated from the integrity reference component 125 as needed, when the integrity reference component is updated with additional virtual machine integrity records 130 and digests 135 .
- FIG. 3 shows a system including a virtual machine environment, an integrity verification component, and an integrity reference component operable within a virtual machine image according to another embodiment of the present invention.
- integrity reference component 305 can be provided as a virtual machine image 120 itself. Rather than accessible as a separate database distinct from machine 115 , integrity reference component 305 can be made available as a service installed on machine 115 . Integrity reference component 305 can be periodically updated from a global integrity reference component accessible over a network (not shown). The description above with reference to capabilities of integrity reference component 125 can also apply to integrity reference component 305 , and therefore such description will be omitted for the sake of brevity.
- FIG. 4 shows a system including a virtual machine environment, measurement agents in communication with an integrity verification component, and an integrity reference component according to yet another embodiment of the present invention.
- Individual measurement agents 405 can collect measurements 410 of discrete virtual machine image elements 415 of virtual machine images 120 .
- discrete virtual machine image elements 415 can include operating system files, application files, or configuration files, among other possibilities.
- measurement agents 405 can execute in each of the virtual machine images 120 .
- measurement agents 405 are operable within each of the virtual machine images 120 and configured to collect measurements 410 of the discrete virtual machine image elements 415 corresponding to the virtual machine images 120 .
- measurement agents 405 can exist as integrated physical components of the physical hardware platform/machine 115 .
- Collected measurements 410 can include digests of discrete virtual machine image elements 415 .
- Measurement agents 405 can be configured to transfer collected measurements 410 to integrity verification component 105 .
- Measurement agents 405 can be configured to collect measurements for only important discrete virtual machine image elements 415 , however “important” is defined.
- the important discrete virtual machine image elements 415 can include expected-to-be-static elements of virtual machine image 120 (on the premise that if the static elements change, the virtual machine has potentially been compromised), or the expected-to-be-dynamic elements of virtual machine image 120 (on the premise that the changing elements are the ones that might compromise the virtual machine).
- Integrity verification component 105 can compare collected measurements 410 to at least one of the virtual machine integrity records 130 of integrity reference component 125 . As previously discussed above, integrity verification component 105 can generate a trust score for one or more virtual machine images 120 responsive to a comparison of a hash or digest of a virtual machine image 120 itself to a digest 135 of a virtual machine integrity record 130 stored in the integrity reference component 125 . Furthermore, integrity verification component 105 can generate a trust score for at least one of the discrete virtual machine image elements 415 of virtual machine images 120 . The trust score can also be generated based on both the comparison of the digest of virtual machine image 120 itself, and on the comparison of digests of discrete virtual machine image elements 415 of virtual machine images 120 that can be collected using measurement agents 405 . In both cases, integrity verification component 105 can generate the trust score using an authenticity score authenticating a source of collected measurements 410 , as previously described above.
- Integrity reference component 125 can also include metadata 160 to establish relationships between discrete virtual machine image elements 415 .
- metadata 160 can include version or vendor information of discrete virtual machine image elements 415 , or other information indicating how the discrete virtual machine image elements relate to one another.
- Collected measurements 410 can also include metadata such as version or vendor information so that the collected measurements 410 can be compared to metadata 160 stored in integrity reference component 125 , and can be used together with the digests 135 in determining the trust score for the virtual machine images 120 .
- metadata 160 can include a location of each virtual machine image 120 within the underlying file system of physical hardware platform/machine 115 , or some other machine. If a virtual machine image 120 is expected to be located at a certain file path of the underlying file system, or at a certain location on a network drive, for example, metadata 160 can include such location information. Collected measurements 410 can also include metadata such as the location information so that the collected measurements 410 can be compared to metadata 160 stored in integrity reference component 125 , and can be used together with the digests 135 in determining the trust score for the virtual machine images 120 .
- Metadata 160 can include information regarding VMM 110 itself, such as whether VMM 110 comes from a pre-approved vendor list (not shown), and can be stored in integrity reference component 125 or included in collected measurements 410 .
- the pre-approved vendor list can be created or maintained by a user or customer, or alternatively, the pre-approved vendor list can be created or maintained by a third party. In either case, the pre-approved vendor list can be stored in the integrity reference component 125 and used to help generate the trust score for the virtual machine images 120 .
- the trust score is generated based on the important discrete virtual machine image elements 415 (e.g., the expected-to-be-static elements of virtual machine image 120 ), then the trust score likely remains the same during the lifecycle of virtual machine image 120 as it transitions from one state to another. However, if the important discrete virtual machine image elements 415 happen to change, then the trust score can be affected and might vary depending on the magnitude of the changes.
- the important discrete virtual machine image elements 415 e.g., the expected-to-be-static elements of virtual machine image 120
- FIG. 5 shows a state diagram of a virtual machine lifecycle including verification actions performed during different states according to some embodiments of the present invention.
- the virtual machine image might contain dynamic information or the stored virtual machine image that is loaded for execution by VMM 110 (of FIG. 1 ) can continually change or be expected to change. Or the virtual machine image can be loaded and executed for extended periods of time and eventually be migrated from one physical hardware platform to another. In other words, the virtual machine image can be in a different state each time it is retrieved from storage, and so the cryptographic hash or digest of the virtual machine image as stored can change over time.
- embodiments of the present invention provide integrity measurement and verification to guarantee the authenticity of the virtual machine image as it transitions through its lifecycle.
- the software stack used to create the virtual machine image can be verified as shown at state 505 .
- the virtual machine image can then be created at state 510 , and its integrity can be verified, as further discussed below.
- the virtual machine image can be created from a set of existing software such as an operating system or an application. Once the virtual machine image is created, it can be stored to await execution at a future time, or it can go directly into production where it is started at state 515 .
- the virtual machine image can execute for some period of time such as minutes, days, or years before it transitions to one of three states: a stop state 520 , a suspend state 525 , or a migrate state 530 .
- the virtual machine image is stopped, no longer receiving cycles for execution, and is unloaded from memory.
- the virtual machine image is temporarily suspended from execution and will no longer receive execution cycles until re-stared, but may remain in memory. Alternatively, the suspended virtual machine may be stored to disk (indefinitely) until it is restarted.
- the migrate state 530 the virtual machine image can be migrated from on physical hardware platform to another. While this can be performed on a suspended virtual machine image, the migration can also occur with an active or started virtual machine image, thus resulting in a “hot” migration. The virtual machine image can also be destroyed, thereby removing its existence from execution and storage.
- virtual machine images can be created from sets of software such as an operating system, an application, or a configuration file. Since the virtual machine images can be instantiated (created) at any time, on any number of platforms, the integrity of the software stack can be verified prior to the creation of the virtual machine images, as shown at state 505 . The virtual machine image can then be created at the create state 510 responsive to verifying the integrity of the software stack.
- a digest of the virtual machine can be stored after creation, to support verification of the virtual machine at a later time, such as when the virtual machine is started (by comparing the digest with a digest of the virtual machine taken before it is started).
- the virtual machine image can be loaded from a previously stored virtual machine image, or it can be a re-start of a previously suspended in-memory virtual machine image.
- the integrity of the virtual machine image can be verified when starting the virtual machine image.
- the virtual machine image can be started responsive to verifying its integrity, thereby ensuring that the virtual machine image has not been altered from its expected configuration.
- the virtual machine image can be verified, thereby ensuring that the virtual machine image has not been mis-configured before, during, or after a transfer or migration. Therefore, any doubt about the state of the virtual machine image can be removed.
- the virtual machine image is unloaded from execution and memory.
- the integrity of the virtual machine image can be verified when stopping the virtual machine image to determine whether it is still has a trustworthy configuration.
- the virtual machine image can be stopped responsive to verifying its integrity, thereby ensuring that the virtual machine image has not been altered from its expected configuration. If it is determined that the virtual machine image is not trustworthy, the virtual machine image can be flagged, which can provide an indication of its untrustworthiness when the virtual machine image is later restarted.
- a digest of the stopped virtual machine can also be recorded, for later use in verifying the virtual machine (e.g., when the virtual machine is restarted).
- the integrity of the virtual machine image can be verified prior to leaving the physical hardware platform, thereby creating a verifiable audit record of execution and movement.
- the suspended virtual machine image can be analyzed to determine whether it is still has a trustworthy configuration.
- the virtual machine image can be suspended responsive to verifying its integrity, or suspended before verifying its integrity. In the case where the virtual machine image is suspended in order to perform a migration, the virtual machine image can be taken out of use or the migration aborted if the virtual machine image is determined to be untrustworthy.
- the migrate state 530 can comprise suspend, move, and start operations.
- the integrity verification component 105 is configured to analyze the virtual machine image when migrating the virtual machine image from one physical hardware platform to another.
- the virtual machine image is stopped or suspended on one physical hardware platform, and started on a different physical hardware platform, each of which can include a verification of the integrity of the virtual machine image.
- the contents and any existing state information can be erased from both execution and storage.
- it can be important to capture the integrity state of the virtual machine image at the time of destruction and create an auditable record of its existence or non-existence as it relates to time. Since the virtual machine image is destroyed, and the virtual machine image lifecycles can vary widely, the creation of an integrity record at the time of destruction can be a valuable record of the state of existence of the virtual machine image during the end of its lifecycle. Thus, the virtual machine image can be destroyed responsive to verifying the integrity of the virtual machine image.
- Such commands can be issued from the VMM 110 (of FIG. 1 ) or other management interface.
- Such commands can include: Create_Trusted_VM, Start_Trusted_VM, Migrate_Trusted_VM, Stop_Trusted_VM, Suspend_Trusted_VM, or Destroy_Trusted_VM, among other possibilities.
- FIG. 6 shows a flow diagram including a method for verifying the integrity of discrete virtual machine elements of a virtual machine image according to some embodiments of the present invention.
- the virtual machine integrity records ( 130 of FIG. 4 ) can be stored in an integrity reference component ( 125 of FIG. 4 ).
- the virtual machine integrity records can include known good digests ( 135 of FIG. 4 ) of previously collected and previously verified virtual machine images and discrete virtual machine image elements.
- measurements 410 of FIG. 4
- measurements can be collected including digests of discrete virtual machine image elements ( 415 of FIG. 4 ) that have been deployed for general use.
- the collected measurements ( 410 of FIG. 4 ) can include digests of at least one of the discrete virtual machine image elements ( 415 of FIG. 4 ).
- the measurement agents ( 405 of FIG. 4 ) can generate the digests of the discrete virtual machine image elements ( 415 of FIG. 4 ).
- the integrity verification component ( 105 of FIG. 4 ) can generate the digests based on the collected measurements ( 410 of FIG. 4 ).
- the digests of the discrete virtual machine image elements ( 415 of FIG. 4 ) stored in at least one of the virtual machine images ( 120 of FIG. 4 ) can be compared to digests stored in at least one of the virtual machine integrity records ( 130 of FIG. 4 ) stored in the integrity reference component ( 125 of FIG. 4 ).
- the integrity verification component ( 105 of FIG. 4 ) can generate a trust score for one or more of the virtual machine images ( 120 of FIG. 4 ) responsive to comparing the digests of one or more discrete virtual machine image elements ( 415 of FIG. 4 ) to digests ( 135 of FIG. 4 ) of at least one of the virtual machine integrity records ( 130 of FIG. 4 ).
- the environment can be a virtualized environment. If it is determined that a given virtual machine image ( 120 of FIG. 4 ) is authorized for the environment, then access to the environment can be granted to the virtual machine image responsive to the determination at 630 . Conversely, if it is determined that the given virtual machine image ( 120 of FIG. 4 ) is not authorized for the environment, then access to the environment can be denied to the virtual machine image ( 120 of FIG. 4 ) responsive to the determination at 635 .
- generating the trust score for the virtual machine images ( 120 of FIG. 4 ) can include using an authenticity score authenticating a source of the collected measurements ( 410 of FIG. 4 ).
- the discrete virtual machine image elements ( 415 of FIG. 4 ) can include an operating system file, an application file, or a configuration file, among other possibilities.
- the operation 610 of collecting measurements ( 410 of FIG. 4 ) can include generating digests of the operating system file, the application file, or the configuration file, among other possibilities.
- the collected measurements ( 410 of FIG. 4 ) can be transferred between the measurement agents ( 405 of FIG. 4 ) and the integrity verification component ( 105 of FIG. 4 ), and then compared to at least one of the virtual machine integrity records ( 130 of FIG. 4 ) of the integrity reference component ( 125 of FIG. 4 ).
- the integrity reference component ( 125 of FIG. 4 ) can be remotely accessed over a network.
- FIG. 7 shows a flow diagram including a method for verifying the integrity of virtual machine images according to some embodiments of the present invention.
- the virtual machine integrity records ( 130 of FIG. 1 ) can be stored in an integrity reference component ( 125 of FIG. 1 ).
- the virtual machine integrity records can include known good digests ( 135 of FIG. 1 ) of previously collected and previously verified virtual machine images and discrete virtual machine image elements.
- Measurements ( 410 of FIG. 4 ) can be collected including digests of at least one virtual machine image ( 120 of FIG. 1 ) that have been deployed for general use.
- the integrity verification component ( 105 of FIG. 1 ) can generate the digests based on the collected measurements ( 410 of FIG. 4 ).
- the measurement agents ( 405 of FIG. 4 ) can generate the digests of the virtual machine images ( 120 of FIG. 1 )
- the digests of the virtual machine images ( 120 of FIG. 1 ) can be compared to digests stored in at least one of the virtual machine integrity records ( 130 of FIG. 1 ) stored in the integrity reference component ( 125 of FIG. 1 ).
- the integrity verification component (I 05 of FIG. 1 ) can generate a trust score for one or more of the virtual machine images ( 120 of FIG. 1 ) responsive to comparing the digests of one or more virtual machine images ( 120 of FIG. 1 ) to digests ( 135 of FIG. 1 ) of at least one of the virtual machine integrity records ( 130 of FIG. 1 ).
- the trust score can also be generated based on both a comparison of the digests of the virtual machine images ( 120 of FIG.
- the environment can be a virtualized environment. If it is determined that a given virtual machine image ( 120 of FIG. 1 ) is authorized for the environment, then access to the environment can be granted to the virtual machine image responsive to the determination at 725 . Conversely, if it is determined that the given virtual machine image ( 120 of FIG. 1 ) is not authorized for the environment, then access to the environment can be denied to the virtual machine image ( 120 of FIG. 1 ) responsive to the determination at 730 .
- the machine includes a system bus to which is attached processors, memory, e.g., random access memory (RAM), read-only memory (ROM), or other state preserving medium, storage devices, a video interface, and input/output interface ports.
- processors e.g., random access memory (RAM), read-only memory (ROM), or other state preserving medium
- RAM random access memory
- ROM read-only memory
- machine is intended to broadly encompass a single machine, a virtual machine, or a system of communicatively coupled machines, virtual machines, or devices operating together.
- exemplary machines include computing devices such as personal computers, workstations, servers, portable computers, handheld devices, telephones, tablets, etc., as well as transportation devices, such as private or public transportation, e.g., automobiles, trains, cabs, etc.
- the machine can include embedded controllers, such as programmable or non-programmable logic devices or arrays, Application Specific Integrated Circuits, embedded computers, smart cards, and the like.
- the machine can utilize one or more connections to one or more remote machines, such as through a network interface, modem, or other communicative coupling.
- Machines can be interconnected by way of a physical and/or logical network, such as an intranet, the Internet, local area networks, wide area networks, etc.
- network communication can utilize various wired and/or wireless short range or long range carriers and protocols, including radio frequency (RF), satellite, microwave, Institute of Electrical and Electronics Engineers (IEEE) 545.11, Bluetooth, optical, infrared, cable, laser, etc.
- RF radio frequency
- IEEE Institute of Electrical and Electronics Engineers
- Associated data can be stored in, for example, the volatile and/or non-volatile memory, e.g., RAM, ROM, etc., or in other storage devices and their associated storage media, including hard-drives, floppy-disks, optical storage, tapes, flash memory, memory sticks, digital video disks, biological storage, etc.
- Associated data can be delivered over transmission environments, including the physical and/or logical network, in the form of packets, serial data, parallel data, propagated signals, etc., and can be used in a compressed or encrypted format.
- Associated data can be used in a distributed environment, and stored locally and/or remotely for machine access.
Abstract
Description
- This application claims the benefit of commonly-assigned U.S. Provisional Patent Application Ser. No. 60/953,314, titled “ARCHITECTURE, METHOD AND APPARATUS FOR THE LIFECYCLE INTEGRITY VERIFICATION OF VIRTUAL MACHINES, THEIR SPECIFIED CONFIGURATIONS, AND THEIR DISCRETE ELEMENTS”, filed Aug. 1, 2007, which is hereby incorporated by reference.
- This application is a continuation-in-part of commonly-assigned U.S. patent application Ser. No. 11/608,742, titled “METHOD TO VERIFY THE INTEGRITY OF COMPONENTS ON A TRUSTED PLATFORM USING INTEGRITY DATABASE SERVICES”, filed Dec. 8, 2006, which claims the benefit of commonly-assigned U.S. Provisional Patent Application Ser. No. 60/749,368, titled “METHOD TO VERIFY THE INTEGRITY OF COMPONENTS ON A TRUSTED PLATFORM USING INTEGRITY DATABASE SERVICES”, filed Dec. 9, 2005, and commonly-assigned U.S. Provisional Patent Application Ser. No. 60/759,742, titled “METHOD AND APPARATUS FOR IP NETWORK ACCESS CONTROL BASED ON PLATFORM COMPONENT SIGNATURES AND TRUST SCORES,” filed Jan. 17, 2006, which are hereby incorporated by reference.
- This application is related to commonly-assigned U.S. patent application Ser. No. 11/288,820, titled “METHOD TO CONTROL ACCESS BETWEEN NETWORK ENDPOINTS BASED ON TRUST SCORES CALCULATED FROM INFORMATION SYSTEM COMPONENT ANALYSIS”, filed Nov. 28, 2005, now U.S. Pat. No. 7,272,719, which claims the benefit of commonly-assigned U.S. Provisional Patent Application Ser. No. 60/631,449, titled “METHOD TO HARVEST, SUBMIT, PERSIST, AND VALIDATE DATA MEASUREMENTS EMPLOYING WEB SERVICES”, filed Nov. 29, 2004, commonly-assigned U.S. Provisional Patent Application Ser. No. 60/631,450, titled “METHOD TO VERIFY SYSTEM STATE AND VALIDATE INFORMATION SYSTEM COMPONENTS BY MEANS OF WEB SERVICES USING A DATABASE OF CRYPTOGRAPHIC HASH VALUES”, filed Nov. 29, 2004, and commonly-assigned U.S. Provisional Patent Application Ser. No. 60/637,066, titled “METHOD TO CONTROL ACCESS BETWEEN NETWORK ENDPOINTS BASED ON TRUST SCORES CALCULATED FROM INFORMATION SYSTEM COMPONENTS”, filed Dec. 17, 2004, which are hereby incorporated by reference.
- This application is related to commonly-assigned U.S. patent application Ser. No. 11/422,146, titled “SYSTEM AND METHOD TO REGISTER A DOCUMENT WITH A VERSION MANAGEMENT SYSTEM”, filed Jun. 5, 2006, which claims the benefit of commonly-assigned U.S. Provisional Patent Application Ser. No. 60/688,035, titled “METHOD TO CERTIFY AND REGISTER INSTANCES OF AN ELECTRONIC DOCUMENT WITH A CENTRALIZED DATABASE ENABLING TRACKING AND ATTESTATION TO THE AUTHENTICITY AND ACCURACY OF COPIES OF THE REGISTERED DOCUMENT”, filed Jun. 7, 2005, and commonly-assigned U.S. patent application Ser. No. 11/624,001, titled “METHOD AND APPARATUS TO ESTABLISH ROUTES BASED ON THE TRUST SCORES OF ROUTERS WITHIN AN IP ROUTING DOMAIN”, filed Jan. 17, 2007, which claims the benefit of commonly-assigned U.S. Provisional Patent Application Ser. No. 60/824,740, titled “METHOD AND APPARATUS TO ESTABLISH ROUTES BASED ON THE TRUST SCORES OF ROUTERS WITHIN AN IP ROUTING DOMAIN”, and commonly-assigned U.S. patent application Ser. No. 11/422,151, titled “SYSTEM AND METHOD TO MANAGE A DOCUMENT WITH A VERSION MANAGEMENT”, filed Jun. 5, 2006, and commonly-assigned U.S. patent application Ser. No. 11/776,498, titled “METHOD AND SYSTEM TO ISSUE TRUST SCORE CERTIFICATES FOR NETWORKED DEVICES USING A TRUST SCORING SERVICE”, filed Jul. 11, 2007, which claims the benefit of commonly-assigned U.S. Provisional Patent Application Ser. No. 60/807,180, titled “METHOD AND APPARATUS TO ISSUE TRUST SCORE CERTIFICATES FOR NETWORKED DEVICES USING A TRUST SCORING SERVICE”, filed Jul. 12, 2006, and commonly-assigned U.S. patent application Ser. No. 11/832,781, titled “METHOD TO CONTROL ACCESS BETWEEN NETWORK ENDPOINTS BASED ON TRUST SCORES CALCULATED FROM INFORMATION SYSTEM COMPONENT ANALYSIS”, filed Aug. 2, 2007, all of which are hereby incorporated by reference.
- This application pertains to computer virtualization, and more particularly, to determining the integrity of one or more virtual machines and their associated components.
- Businesses are making tremendous investments in computer hardware and data centers. Meanwhile, the costs associated with powering and cooling the data centers are steadily increasing. To make matters worse, data center real estate is at a premium while demand relentlessly expands for more computer hardware to produce the sheer processing power necessary to meet the complex and growing needs of the businesses. Juxtaposing the need for more computer hardware and larger data centers is a troubling statistic that on average only 8-12% of the processing power of any given machine used in a data center is active, while the processors remain essentially idle the rest of the time.
- For example, large batch processing machines used by banks are configured to run large batches of reconciliations. But when a machine is not performing the batches of reconciliations, it may in essence be “wasting” processing power until another batch of reconciliations begins, or until the machine is removed or powered off for maintenance. The wasted processing power results in bloated information technology budgets and an overall increase of costs to the businesses.
- Virtualization of computer resources is changing the face of computing by offering a way to make use of the idling machines to a higher degree. Virtualization is a broad term that refers to the abstraction of computer resources. In other words, physical characteristics of computing resources may be hidden from the way in which other systems, applications, or end users interact with those resources. The most basic use of virtualization involves reducing the number of servers by increasing the utilization levels of a smaller set of machines. This includes making a single physical resource such as a server or storage device appear to function as one or more logical resources. Additionally, it can make one or more physical resources appear as a single resource. For instance, if a server's average utilization is only 15%, deployment of multiple virtual machines onto that server has the potential to increase the overall utilization by a factor of 5 or more. Thus, not only is the usage of each machine more efficiently managed, but the usability of the system as a whole is also enhanced.
- While the virtualization of computer resources promises to deliver many benefits, there are worrisome problems that lurk beneath the surface of this new and exciting computing trend. A virtual machine may be a single instance of a number of discrete identical execution environments on a single computer, each of which runs an operating system (OS). These virtual machines act as individual computing environments and therefore are subject to many of the same operating deficiencies found in standard physical computing environments. The virtual machines can be configured improperly, often by well-intentioned technicians or operators, and then broadly deployed. Operating systems, applications, and configurations can be modified from the expected state, thereby creating a drift between the expected and actual machine configuration.
- Additionally, the lifecycle of a virtual machine can vary widely depending upon the specific operation that it was provisioned and intended for. No longer must a physical server be dedicated to running a monthly task (such as billings and reconciliations). A virtual machine can be provisioned with the same OS, applications, and configurations and placed into physical storage until it is ready to execute. Once copied to a physical machine, it can be executed, perform its monthly cycle functions, and then be shutdown and returned to storage. In this way, virtual machines may be used much like physical servers are today, but may operate less frequently, e.g., running for just hours or minutes at a time rather than months or years, as was often the case with a physical server. As a result, no longer are the auditors, technicians, or other operators able to sit down at a specific physical server that is dedicated to a specific task or group of transactions. Instead, virtual resources of an entire data center are used to perform the transactions. It is therefore difficult to know which physical server ran which transaction, what its state was, whether correct software was being used, whether correct controls were in place, whether they were compliant with regulatory environments, and so forth.
- Another problem that threatens the viability of the virtualization movement is that of access control, security, and data integrity. Whereas before, gaining access to a data center most often required interaction with physical servers, buildings, and people, in a virtualized environment, such safe guards are lessened. For example, before virtualization, adding a physical server to a data center involved somebody swiping an access card or other security measure to allow access to the data center, carrying a box into the data center under the supervision of other IT professionals or building managers, and installing the physical server into a rack. With the advent of virtualization, theoretically a person can sit in a remote location and install a new server into the virtualized environment without ever needing to physically access the data center. Thus, the ability to control the data center environment is diminished. And while malicious activity accounts for only about 3-5% of data center issues, most of the data center issues are caused by well-intentioned people who are either inadequately trained or make honest mistakes, thereby leading to system or component failures, which can sometimes be very severe—even catastrophic.
- Accordingly, a need remains for a way to identify and authenticate the integrity of virtual machines and their components. The present application addresses these and other problems associated with the prior art.
- The present application includes a method and system for verifying the integrity of virtual machines and for verifying the integrity of discrete elements of the virtual machines throughout the lifecycle of the virtual machines. The system can include a machine, a virtual machine manager capable of managing one or more virtual machine images installed on the machine, an integrity reference component configured to store a plurality of virtual machine integrity records, and an integrity verification component communicatively coupled to the virtual machine manager and the integrity reference component, the integrity verification component configured to compare a digest of said one or more virtual machine images to a digest of at least one of said plurality of virtual machine integrity records accessible from the integrity reference component.
- The foregoing and other features, objects, and advantages of the invention will become more readily apparent from the following detailed description, which proceeds with reference to the accompanying drawings.
-
FIG. 1 shows a system including a virtual machine environment, an integrity verification component, and an integrity reference component according to an embodiment of the present invention. -
FIG. 2 shows a system including a virtual machine environment, a remotely accessible integrity verification component, and an integrity reference component according to another embodiment of the present invention. -
FIG. 3 shows a system including a virtual machine environment, an integrity verification component, and an integrity reference component operable within a virtual machine image according to another embodiment of the present invention. -
FIG. 4 shows a system including a virtual machine environment, measurement agents in communication with an integrity verification component, and an integrity reference component according to yet another embodiment of the present invention. -
FIG. 5 shows a state diagram of a virtual machine lifecycle including verification actions performed during different states according to some embodiments of the present invention. -
FIG. 6 shows a flow diagram including a method for verifying the integrity of discrete virtual machine elements of a virtual machine image according to some embodiments of the present invention. -
FIG. 7 shows a flow diagram including a method for verifying the integrity of virtual machine images according to some embodiments of the present invention. - To solve the problems in the prior art, an embodiment of the invention begins by setting forth a method and system for verifying the integrity of virtual machines in a virtual machine environment. A basic use of virtualization involves reducing the number of physical machines or servers by increasing the utilization levels of a smaller set of physical machines or servers. Virtualization enables administrators to perform this consolidation by treating each physical machine as one or more virtual machines. As a result, there are fewer physical machines to support, which use less rack space and result in reduced power consumption. In addition, virtualization provides an opportunity for administrators to homogenize the physical machine hardware platforms while still running disparate operating systems and applications, including legacy operating systems and applications that might not be usable on more current hardware platforms without a virtualization layer. Further, existing physical machine hardware can be repurposed without modifying the underlying hardware platforms. Virtualization also provides for simpler disaster recovery protection of data because enterprise systems required for business continuity can be deployed into any data center built on virtualized resources, regardless of whether the physical machine hardware platforms are identical.
- A virtual machine manager (VMM), also referred to as a “Hyperviser,” executes above the physical machine hardware and can provide the base functionality for accessing devices and memory of the physical machine. The VMM is also responsible for loading and controlling virtual machines, also referred to as virtual machine images. The VMM can control the virtual machines' access to system resources, and can schedule execution cycles in the processor. The VMM can ensure that each virtual machine is sufficiently isolated so that a failure in any one of the virtual machines will not affect the ability of any other virtual machine to execute and continue operation.
- A virtual machine image normally appears as a single file, or related set of files, on a normal underlying file system. The structure of the virtual machine image is such that internally it can represent a full file system for a given platform. Each virtual machine image can be dedicated to a particular task such as operating a web interface, a database, or a payment processor, among other possibilities. In other words, logical functions of a business can be separated into virtual machines and executed separately. For example, consider an e-commerce storefront that serves up many different pages of a catalog and controls a shopping cart that users can add items to. Unless the users were actually to purchase an item, a payment processor virtual machine would remain mostly idle, consuming little to no execution resources. Once a consumer decided to purchase the items in the shopping cart, then the payment processor virtual machine can be given execution cycles by the VMM and can process the transaction. Other examples include virtual machines used for bank or financial institution reconciliations, aircraft control system operations, or weather tracking systems, among many other possibilities.
- The lifecycle of a virtual machine image includes various states. For example, a virtual machine image can be created, started, suspended, stopped, migrated, or destroyed. One factor of concern in the execution of virtual machines is the quality of the image as it is loaded from storage into the execution environment. Conventionally, virtual machine images are loaded from a storage location (such as a hard disk drive, memory, USB peripheral, etc.), and executed directly by the VMM, which has no expectation or understanding of the quality (i.e., trustworthiness or integrity) of the virtual machine image or of its contents.
- Since the virtual machine is loaded from the storage location, the virtual machine image may not be compliant with expected settings and configurations required for proper execution in a given environment. The virtual machine image itself could be corrupted or even maliciously augmented (perhaps by an insider). Since a virtual machine image can be stored as a complete execution-capable environment, it is feasible that another user or system could access the virtual machine, execute it, and change its state by adding software or modifying its configuration, and then replace it back in the original storage location. If such actions are preformed by authorized administrators making authorized changes, such changes would be acceptable. However, the opportunity for unauthorized or unexpected changes exists. As previously mentioned, most of the data center issues are caused by well-intentioned people who are either inadequately trained or make honest mistakes, thereby leading to system or component failures. In other words, changes can be made by both legitimate and illegitimate users. Thus, the original virtual machine image might not be in its original or pristine state.
- According to some embodiments of the present invention, an integrity verification component can be communicatively coupled to the VMM or integrated within the VMM to perform a one-way cryptographic hashing function over the virtual machine image. The resulting hash, also referred to herein as a “digest,” can be compared to virtual machine integrity records, which include known good reference values (i.e., known good digests) stored locally in an integrity reference component, or alternatively stored remotely in an integrity reference component accessible over a network. As a result, throughout the course of its lifecycle, the virtual machine image can be verified to be in an expected state for the given environment.
-
FIG. 1 shows a system including a virtual machine environment, an integrity verification component, and an integrity reference component according to an embodiment of the present invention. Anintegrity verification component 105 can be communicatively coupled to a virtual machine manager (VMM)/Hypervisor 110.VMM 110 executes above physical hardware platform/machine 115.Machine 115 can be any desired platform, including among other possibilities a stand-alone computer, a server, a personal digital assistant (PDA), a cellular telephone, and a Smartphone.VMM 110 is capable of managing one or morevirtual machine images 120 installed onmachine 115, and provides the base functionality for providingvirtual machine images 120 with access to devices and memory ofmachine 115. -
Integrity verification component 105 can also be communicatively coupled tointegrity reference component 125, which can store virtual machine integrity records 130 having knowngood digests 135. Prior to deployment of avirtual machine image 120,integrity verification component 105 can verify the integrity ofvirtual machine image 120 and create a hash or digest ofvirtual machine image 120 while in a known good state so as to facilitate the creation of a trusted library of known good reference values, such as those stored as virtual machine integrity records 130 havingdigests 135 in theintegrity reference component 125.Integrity verification component 105 can verify the integrity of a software stack used to createvirtual machine images 120 prior to creation ofvirtual machine images 120.Integrity reference component 125, including virtual machine integrity records 130 and digests 135, can also be digitally signed by an integrity reference provider (not shown). - After deployment of
virtual machine images 120, theintegrity verification component 105 can be configured to collect measurements, such as a digest, from one or more of thevirtual machine images 120 and compare the digest to a digest 135 of at least one of the virtual machine integrity records 130 accessible fromintegrity reference component 125. Alternatively,integrity verification component 105 can generate the digest based on measurements collected fromvirtual machine images 120, and compare the generated digest to a digest 135 of at least one of the virtual machine integrity records 130.Integrity verification component 105 can then generate a trust score for one or more of thevirtual machine images 120 responsive to the comparison. The trust score can further be generated based on an authenticity score authenticating a source of the collected measurements. Authenticity is an extension of integrity whereby the contents of theintegrity reference component 125 also contains an indicator (not shown) of the source of the information derived from the measurements and stored in the integrity reference component 125 (such as in the form of virtual machine integrity records 130), thereby attesting to the origin of the information. Once the trust score has been generated, a determination can be made whether to grant or deny thevirtual machine images 120 access to a given virtualized environment based on the trust score. -
Integrity reference component 125 can be locally accessible or directly attached to the integrity verification component, as shown inFIG. 1 . As explained below,integrity reference component 125 can also be accessible remotely over a network providing access to virtual machine integrity records 130. - While the physical hardware platform/
machine 115 ofFIG. 1 shows a server, a cell phone, and a network component, persons with skill in the art will recognize that other physical hardware platforms or machines can be used. Similarly, whilevirtual machines 120 ofFIG. 1 show virtual machines that operate aweb interface 140,database 145, and apayment processor 150, persons with skill in the art will recognize thatvirtual machines 120 may perform other 155 operations. -
Integrity verification component 105 can be integrated withinVMM 110. Alternatively,integrity verification component 105 can exist as a sub-process having security privileges at least as high as security privileges forVMM 110. In addition,integrity verification component 105 can exist as an integrated physical component of the physical hardware platform/machine 115. -
FIG. 2 shows a system including a virtual machine environment, a remotely accessible integrity verification component, and an integrity reference component according to another embodiment of the present invention. As mentioned above,integrity reference component 125 can be remotely accessible using networking protocols overnetwork 205.Integrity verification component 105 can perform a comparison of the measurements collected and/or generated fromvirtual machine images 120 against a globalintegrity reference component 125. Alternatively, as discussed with reference toFIG. 1 above,integrity verification component 105 can perform a comparison of the measurements collected and/or generated fromvirtual machine images 120 against a localintegrity reference component 125. Theintegrity reference component 125, whether local or global, can periodically be updated with known-good virtual machine integrity records 130. - For advanced functions that would enhance performance, or for verifying smaller known sets of applications, a protected and secured version of
integrity reference component 125 can be used as a known good manifest of acceptable measurements (not shown). The manifest can be stored locally to the enterprise (for example, on some other physical machine accessible frommachine 115 via network 205), or onmachine 115 itself. This manifest can be updated from theintegrity reference component 125 as needed, when the integrity reference component is updated with additional virtual machine integrity records 130 and digests 135. -
FIG. 3 shows a system including a virtual machine environment, an integrity verification component, and an integrity reference component operable within a virtual machine image according to another embodiment of the present invention. InFIG. 3 ,integrity reference component 305 can be provided as avirtual machine image 120 itself. Rather than accessible as a separate database distinct frommachine 115,integrity reference component 305 can be made available as a service installed onmachine 115.Integrity reference component 305 can be periodically updated from a global integrity reference component accessible over a network (not shown). The description above with reference to capabilities ofintegrity reference component 125 can also apply tointegrity reference component 305, and therefore such description will be omitted for the sake of brevity. -
FIG. 4 shows a system including a virtual machine environment, measurement agents in communication with an integrity verification component, and an integrity reference component according to yet another embodiment of the present invention.Individual measurement agents 405 can collectmeasurements 410 of discrete virtualmachine image elements 415 ofvirtual machine images 120. For example, discrete virtualmachine image elements 415 can include operating system files, application files, or configuration files, among other possibilities. In one embodiment of the invention,measurement agents 405 can execute in each of thevirtual machine images 120. In other words,measurement agents 405 are operable within each of thevirtual machine images 120 and configured to collectmeasurements 410 of the discrete virtualmachine image elements 415 corresponding to thevirtual machine images 120. In another embodiment of the invention,measurement agents 405 can exist as integrated physical components of the physical hardware platform/machine 115. In this embodiment, there can be asingle measurement agent 405 responsible for collecting measurements from allvirtual machine images 120 operating onmachine 115.Collected measurements 410 can include digests of discrete virtualmachine image elements 415.Measurement agents 405 can be configured to transfer collectedmeasurements 410 tointegrity verification component 105. - It is not necessary to collect
measurements 410 for every discrete virtualmachine image element 415.Measurement agents 405 can be configured to collect measurements for only important discrete virtualmachine image elements 415, however “important” is defined. For example, the important discrete virtualmachine image elements 415 can include expected-to-be-static elements of virtual machine image 120 (on the premise that if the static elements change, the virtual machine has potentially been compromised), or the expected-to-be-dynamic elements of virtual machine image 120 (on the premise that the changing elements are the ones that might compromise the virtual machine). -
Integrity verification component 105 can compare collectedmeasurements 410 to at least one of the virtual machine integrity records 130 ofintegrity reference component 125. As previously discussed above,integrity verification component 105 can generate a trust score for one or morevirtual machine images 120 responsive to a comparison of a hash or digest of avirtual machine image 120 itself to a digest 135 of a virtualmachine integrity record 130 stored in theintegrity reference component 125. Furthermore,integrity verification component 105 can generate a trust score for at least one of the discrete virtualmachine image elements 415 ofvirtual machine images 120. The trust score can also be generated based on both the comparison of the digest ofvirtual machine image 120 itself, and on the comparison of digests of discrete virtualmachine image elements 415 ofvirtual machine images 120 that can be collected usingmeasurement agents 405. In both cases,integrity verification component 105 can generate the trust score using an authenticity score authenticating a source of collectedmeasurements 410, as previously described above. -
Integrity reference component 125 can also includemetadata 160 to establish relationships between discrete virtualmachine image elements 415. For example,metadata 160 can include version or vendor information of discrete virtualmachine image elements 415, or other information indicating how the discrete virtual machine image elements relate to one another.Collected measurements 410 can also include metadata such as version or vendor information so that the collectedmeasurements 410 can be compared tometadata 160 stored inintegrity reference component 125, and can be used together with thedigests 135 in determining the trust score for thevirtual machine images 120. - In some embodiments of the present invention,
metadata 160 can include a location of eachvirtual machine image 120 within the underlying file system of physical hardware platform/machine 115, or some other machine. If avirtual machine image 120 is expected to be located at a certain file path of the underlying file system, or at a certain location on a network drive, for example,metadata 160 can include such location information.Collected measurements 410 can also include metadata such as the location information so that the collectedmeasurements 410 can be compared tometadata 160 stored inintegrity reference component 125, and can be used together with thedigests 135 in determining the trust score for thevirtual machine images 120. - As another example,
metadata 160 can includeinformation regarding VMM 110 itself, such as whetherVMM 110 comes from a pre-approved vendor list (not shown), and can be stored inintegrity reference component 125 or included in collectedmeasurements 410. The pre-approved vendor list can be created or maintained by a user or customer, or alternatively, the pre-approved vendor list can be created or maintained by a third party. In either case, the pre-approved vendor list can be stored in theintegrity reference component 125 and used to help generate the trust score for thevirtual machine images 120. - If the trust score is generated based on the important discrete virtual machine image elements 415 (e.g., the expected-to-be-static elements of virtual machine image 120), then the trust score likely remains the same during the lifecycle of
virtual machine image 120 as it transitions from one state to another. However, if the important discrete virtualmachine image elements 415 happen to change, then the trust score can be affected and might vary depending on the magnitude of the changes. -
FIG. 5 shows a state diagram of a virtual machine lifecycle including verification actions performed during different states according to some embodiments of the present invention. In some cases, the virtual machine image might contain dynamic information or the stored virtual machine image that is loaded for execution by VMM 110 (ofFIG. 1 ) can continually change or be expected to change. Or the virtual machine image can be loaded and executed for extended periods of time and eventually be migrated from one physical hardware platform to another. In other words, the virtual machine image can be in a different state each time it is retrieved from storage, and so the cryptographic hash or digest of the virtual machine image as stored can change over time. Thus, embodiments of the present invention provide integrity measurement and verification to guarantee the authenticity of the virtual machine image as it transitions through its lifecycle. - Prior to creation of the virtual machine image, the software stack used to create the virtual machine image can be verified as shown at
state 505. The virtual machine image can then be created atstate 510, and its integrity can be verified, as further discussed below. The virtual machine image can be created from a set of existing software such as an operating system or an application. Once the virtual machine image is created, it can be stored to await execution at a future time, or it can go directly into production where it is started atstate 515. The virtual machine image can execute for some period of time such as minutes, days, or years before it transitions to one of three states: astop state 520, a suspendstate 525, or a migratestate 530. - In the
stop state 520, the virtual machine image is stopped, no longer receiving cycles for execution, and is unloaded from memory. In the suspendstate 525, the virtual machine image is temporarily suspended from execution and will no longer receive execution cycles until re-stared, but may remain in memory. Alternatively, the suspended virtual machine may be stored to disk (indefinitely) until it is restarted. In the migratestate 530, the virtual machine image can be migrated from on physical hardware platform to another. While this can be performed on a suspended virtual machine image, the migration can also occur with an active or started virtual machine image, thus resulting in a “hot” migration. The virtual machine image can also be destroyed, thereby removing its existence from execution and storage. - Traditionally, businesses take great care in provisioning non-virtualized physical hardware platforms to ensure that they are properly established before moving them into production. In virtualized environments, and with the ease of which the virtual machine images can be created, started, and migrated, greater care should be taken to ensure they are properly provisioned. In the create
state 510, virtual machine images can be created from sets of software such as an operating system, an application, or a configuration file. Since the virtual machine images can be instantiated (created) at any time, on any number of platforms, the integrity of the software stack can be verified prior to the creation of the virtual machine images, as shown atstate 505. The virtual machine image can then be created at the createstate 510 responsive to verifying the integrity of the software stack. A digest of the virtual machine can be stored after creation, to support verification of the virtual machine at a later time, such as when the virtual machine is started (by comparing the digest with a digest of the virtual machine taken before it is started). - When the virtual machine image is started at
state 515, the virtual machine image can be loaded from a previously stored virtual machine image, or it can be a re-start of a previously suspended in-memory virtual machine image. The integrity of the virtual machine image can be verified when starting the virtual machine image. Thus, the virtual machine image can be started responsive to verifying its integrity, thereby ensuring that the virtual machine image has not been altered from its expected configuration. In particular, when the virtual machine image is migrated from one physical hardware platform to another or restarted from a suspended state, the virtual machine image can be verified, thereby ensuring that the virtual machine image has not been mis-configured before, during, or after a transfer or migration. Therefore, any doubt about the state of the virtual machine image can be removed. - When the virtual machine image is stopped at
state 520, the virtual machine image is unloaded from execution and memory. The integrity of the virtual machine image can be verified when stopping the virtual machine image to determine whether it is still has a trustworthy configuration. Thus, the virtual machine image can be stopped responsive to verifying its integrity, thereby ensuring that the virtual machine image has not been altered from its expected configuration. If it is determined that the virtual machine image is not trustworthy, the virtual machine image can be flagged, which can provide an indication of its untrustworthiness when the virtual machine image is later restarted. A digest of the stopped virtual machine can also be recorded, for later use in verifying the virtual machine (e.g., when the virtual machine is restarted). - When the virtual machine image is suspended at
state 525, as might happen in advance of a migration, for example, the integrity of the virtual machine image can be verified prior to leaving the physical hardware platform, thereby creating a verifiable audit record of execution and movement. The suspended virtual machine image can be analyzed to determine whether it is still has a trustworthy configuration. The virtual machine image can be suspended responsive to verifying its integrity, or suspended before verifying its integrity. In the case where the virtual machine image is suspended in order to perform a migration, the virtual machine image can be taken out of use or the migration aborted if the virtual machine image is determined to be untrustworthy. - When the virtual machine image is migrated at
state 530, the contents of the virtual machine image are moved from one physical hardware platform to another. Depending on the implementation of the migration function of the VMM, verification of the virtual machine image may or may not be desirable. For example, the migratestate 530 can comprise suspend, move, and start operations. In some embodiments of the present invention, theintegrity verification component 105 is configured to analyze the virtual machine image when migrating the virtual machine image from one physical hardware platform to another. In some embodiments of the present invention, when the virtual machine image is migrated, the virtual machine image is stopped or suspended on one physical hardware platform, and started on a different physical hardware platform, each of which can include a verification of the integrity of the virtual machine image. - When the virtual machine image is destroyed at
state 535, the contents and any existing state information can be erased from both execution and storage. As is the case in highly regulated industries, such as financial services, healthcare, human services, government, and telecommunications, among other possibilities, it can be important to capture the integrity state of the virtual machine image at the time of destruction and create an auditable record of its existence or non-existence as it relates to time. Since the virtual machine image is destroyed, and the virtual machine image lifecycles can vary widely, the creation of an integrity record at the time of destruction can be a valuable record of the state of existence of the virtual machine image during the end of its lifecycle. Thus, the virtual machine image can be destroyed responsive to verifying the integrity of the virtual machine image. - Integration of integrity verification services as described above provides support for higher level commands for controlling the integrity lifecycle of a virtual machine image. Such commands can be issued from the VMM 110 (of
FIG. 1 ) or other management interface. Such commands can include: Create_Trusted_VM, Start_Trusted_VM, Migrate_Trusted_VM, Stop_Trusted_VM, Suspend_Trusted_VM, or Destroy_Trusted_VM, among other possibilities. -
FIG. 6 shows a flow diagram including a method for verifying the integrity of discrete virtual machine elements of a virtual machine image according to some embodiments of the present invention. At 605, the virtual machine integrity records (130 ofFIG. 4 ) can be stored in an integrity reference component (125 ofFIG. 4 ). The virtual machine integrity records can include known good digests (135 ofFIG. 4 ) of previously collected and previously verified virtual machine images and discrete virtual machine image elements. At 610, measurements (410 ofFIG. 4 ) can be collected including digests of discrete virtual machine image elements (415 ofFIG. 4 ) that have been deployed for general use. Measurement agents (405 ofFIG. 4 ), which can be configured within each of the virtual machine images (120 ofFIG. 4 ), can be used to collect the measurements (410 ofFIG. 4 ). The collected measurements (410 ofFIG. 4 ) can include digests of at least one of the discrete virtual machine image elements (415 ofFIG. 4 ). The measurement agents (405 ofFIG. 4 ) can generate the digests of the discrete virtual machine image elements (415 ofFIG. 4 ). Alternatively, the integrity verification component (105 ofFIG. 4 ) can generate the digests based on the collected measurements (410 ofFIG. 4 ). - At 615, the digests of the discrete virtual machine image elements (415 of
FIG. 4 ) stored in at least one of the virtual machine images (120 ofFIG. 4 ) can be compared to digests stored in at least one of the virtual machine integrity records (130 ofFIG. 4 ) stored in the integrity reference component (125 ofFIG. 4 ). At 620, the integrity verification component (105 ofFIG. 4 ) can generate a trust score for one or more of the virtual machine images (120 ofFIG. 4 ) responsive to comparing the digests of one or more discrete virtual machine image elements (415 ofFIG. 4 ) to digests (135 ofFIG. 4 ) of at least one of the virtual machine integrity records (130 ofFIG. 4 ). - A determination can be made at 625 as to whether one or more of the virtual machine images (120 of
FIG. 4 ) is authorized for an environment based on the trust score generated at 620. The environment can be a virtualized environment. If it is determined that a given virtual machine image (120 ofFIG. 4 ) is authorized for the environment, then access to the environment can be granted to the virtual machine image responsive to the determination at 630. Conversely, if it is determined that the given virtual machine image (120 ofFIG. 4 ) is not authorized for the environment, then access to the environment can be denied to the virtual machine image (120 ofFIG. 4 ) responsive to the determination at 635. - As previously discussed above, generating the trust score for the virtual machine images (120 of
FIG. 4 ) can include using an authenticity score authenticating a source of the collected measurements (410 ofFIG. 4 ). The discrete virtual machine image elements (415 ofFIG. 4 ) can include an operating system file, an application file, or a configuration file, among other possibilities. Theoperation 610 of collecting measurements (410 ofFIG. 4 ) can include generating digests of the operating system file, the application file, or the configuration file, among other possibilities. The collected measurements (410 ofFIG. 4 ) can be transferred between the measurement agents (405 ofFIG. 4 ) and the integrity verification component (105 ofFIG. 4 ), and then compared to at least one of the virtual machine integrity records (130 ofFIG. 4 ) of the integrity reference component (125 of FIG. 4). The integrity reference component (125 ofFIG. 4 ) can be remotely accessed over a network. -
FIG. 7 shows a flow diagram including a method for verifying the integrity of virtual machine images according to some embodiments of the present invention. At 705, the virtual machine integrity records (130 ofFIG. 1 ) can be stored in an integrity reference component (125 ofFIG. 1 ). The virtual machine integrity records can include known good digests (135 ofFIG. 1 ) of previously collected and previously verified virtual machine images and discrete virtual machine image elements. Measurements (410 ofFIG. 4 ) can be collected including digests of at least one virtual machine image (120 ofFIG. 1 ) that have been deployed for general use. The integrity verification component (105 ofFIG. 1 ) can generate the digests based on the collected measurements (410 ofFIG. 4 ). Alternatively, the measurement agents (405 ofFIG. 4 ) can generate the digests of the virtual machine images (120 ofFIG. 1 ) - At 710, the digests of the virtual machine images (120 of
FIG. 1 ) can be compared to digests stored in at least one of the virtual machine integrity records (130 ofFIG. 1 ) stored in the integrity reference component (125 ofFIG. 1 ). At 715, the integrity verification component (I 05 ofFIG. 1 ) can generate a trust score for one or more of the virtual machine images (120 ofFIG. 1 ) responsive to comparing the digests of one or more virtual machine images (120 ofFIG. 1 ) to digests (135 ofFIG. 1 ) of at least one of the virtual machine integrity records (130 ofFIG. 1 ). The trust score can also be generated based on both a comparison of the digests of the virtual machine images (120 ofFIG. 1 ) to digests (135 ofFIG. 1 ) of at least one of the virtual machine integrity records (130 ofFIG. 1 ), and on a comparison of the digests of the discrete virtual machine image elements (415 ofFIG. 4 ) to digests (135 ofFIG. 4 ) of at least one of the virtual machine integrity records (130 ofFIG. 4 ). - A determination can be made at 720 as to whether one or more of the virtual machine images (120 of
FIG. 4 ) is authorized for an environment based on the trust score generated at 715. The environment can be a virtualized environment. If it is determined that a given virtual machine image (120 ofFIG. 1 ) is authorized for the environment, then access to the environment can be granted to the virtual machine image responsive to the determination at 725. Conversely, if it is determined that the given virtual machine image (120 ofFIG. 1 ) is not authorized for the environment, then access to the environment can be denied to the virtual machine image (120 ofFIG. 1 ) responsive to the determination at 730. - The following discussion is intended to provide a brief, general description of a suitable machine in which certain aspects of the invention can be implemented. Typically, the machine includes a system bus to which is attached processors, memory, e.g., random access memory (RAM), read-only memory (ROM), or other state preserving medium, storage devices, a video interface, and input/output interface ports. The machine can be controlled, at least in part, by input from conventional input devices, such as keyboards, mice, etc., as well as by directives received from another machine, interaction with a virtual reality (VR) environment, biometric feedback, or other input signal. As used herein, the term “machine” is intended to broadly encompass a single machine, a virtual machine, or a system of communicatively coupled machines, virtual machines, or devices operating together. Exemplary machines include computing devices such as personal computers, workstations, servers, portable computers, handheld devices, telephones, tablets, etc., as well as transportation devices, such as private or public transportation, e.g., automobiles, trains, cabs, etc.
- The machine can include embedded controllers, such as programmable or non-programmable logic devices or arrays, Application Specific Integrated Circuits, embedded computers, smart cards, and the like. The machine can utilize one or more connections to one or more remote machines, such as through a network interface, modem, or other communicative coupling. Machines can be interconnected by way of a physical and/or logical network, such as an intranet, the Internet, local area networks, wide area networks, etc. One skilled in the art will appreciated that network communication can utilize various wired and/or wireless short range or long range carriers and protocols, including radio frequency (RF), satellite, microwave, Institute of Electrical and Electronics Engineers (IEEE) 545.11, Bluetooth, optical, infrared, cable, laser, etc.
- The invention can be described by reference to or in conjunction with associated data including functions, procedures, data structures, application programs, etc. which when accessed by a machine results in the machine performing tasks or defining abstract data types or low-level hardware contexts. Associated data can be stored in, for example, the volatile and/or non-volatile memory, e.g., RAM, ROM, etc., or in other storage devices and their associated storage media, including hard-drives, floppy-disks, optical storage, tapes, flash memory, memory sticks, digital video disks, biological storage, etc. Associated data can be delivered over transmission environments, including the physical and/or logical network, in the form of packets, serial data, parallel data, propagated signals, etc., and can be used in a compressed or encrypted format. Associated data can be used in a distributed environment, and stored locally and/or remotely for machine access.
- Having described and illustrated the principles of the invention with reference to illustrated embodiments, it will be recognized that the illustrated embodiments can be modified in arrangement and detail without departing from such principles, and can be combined in any desired manner. And although the foregoing discussion has focused on particular embodiments, other configurations are contemplated. In particular, even though expressions such as “according to an embodiment of the invention” or the like are used herein, these phrases are meant to generally reference embodiment possibilities, and are not intended to limit the invention to particular embodiment configurations. As used herein, these terms can reference the same or different embodiments that are combinable into other embodiments.
- Consequently, in view of the wide variety of permutations to the embodiments described herein, this detailed description and accompanying material is intended to be illustrative only, and should not be taken as limiting the scope of the invention. What is claimed as the invention, therefore, is all such modifications as may come within the scope and spirit of the following claims and equivalents thereto.
Claims (56)
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US12/179,303 US9450966B2 (en) | 2004-11-29 | 2008-07-24 | Method and apparatus for lifecycle integrity verification of virtual machines |
PCT/US2008/071630 WO2009018366A1 (en) | 2007-08-01 | 2008-07-30 | Method and apparatus for lifecycle integrity verification of virtual machines |
Applications Claiming Priority (10)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US63145004P | 2004-11-29 | 2004-11-29 | |
US63144904P | 2004-11-29 | 2004-11-29 | |
US63706604P | 2004-12-17 | 2004-12-17 | |
US11/288,820 US7272719B2 (en) | 2004-11-29 | 2005-11-28 | Method to control access between network endpoints based on trust scores calculated from information system component analysis |
US74936805P | 2005-12-09 | 2005-12-09 | |
US75974206P | 2006-01-17 | 2006-01-17 | |
US11/608,742 US8266676B2 (en) | 2004-11-29 | 2006-12-08 | Method to verify the integrity of components on a trusted platform using integrity database services |
US95331407P | 2007-08-01 | 2007-08-01 | |
US11/832,781 US7487358B2 (en) | 2004-11-29 | 2007-08-02 | Method to control access between network endpoints based on trust scores calculated from information system component analysis |
US12/179,303 US9450966B2 (en) | 2004-11-29 | 2008-07-24 | Method and apparatus for lifecycle integrity verification of virtual machines |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US11/608,742 Continuation-In-Part US8266676B2 (en) | 2004-11-29 | 2006-12-08 | Method to verify the integrity of components on a trusted platform using integrity database services |
Publications (3)
Publication Number | Publication Date |
---|---|
US20090089860A1 US20090089860A1 (en) | 2009-04-02 |
US20120291094A9 true US20120291094A9 (en) | 2012-11-15 |
US9450966B2 US9450966B2 (en) | 2016-09-20 |
Family
ID=40509947
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US12/179,303 Expired - Fee Related US9450966B2 (en) | 2004-11-29 | 2008-07-24 | Method and apparatus for lifecycle integrity verification of virtual machines |
Country Status (1)
Country | Link |
---|---|
US (1) | US9450966B2 (en) |
Cited By (26)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20120059930A1 (en) * | 2010-09-02 | 2012-03-08 | International Business Machines Corporation | Reactive monitoring of guests in a hypervisor environment |
US20120227058A1 (en) * | 2011-03-03 | 2012-09-06 | Microsoft Corporation | Dynamic application migration |
US20130111018A1 (en) * | 2011-10-28 | 2013-05-02 | International Business Machines Coporation | Passive monitoring of virtual systems using agent-less, offline indexing |
US20130151846A1 (en) * | 2011-12-12 | 2013-06-13 | Microsoft Corporation | Cryptographic Certification of Secure Hosted Execution Environments |
US20130325815A1 (en) * | 2012-05-31 | 2013-12-05 | Core Logic Inc. | Method and apparatus for managing and verifying car traveling information, and system using the same |
US20140108652A1 (en) * | 2013-01-04 | 2014-04-17 | Iomaxis, Inc. | Method and system for identifying virtualized operating system threats in a cloud computing environment |
US20140230024A1 (en) * | 2013-02-13 | 2014-08-14 | Hitachi, Ltd. | Computer system and virtual computer management method |
US8903705B2 (en) | 2010-12-17 | 2014-12-02 | Microsoft Corporation | Application compatibility shims for minimal client computers |
WO2015065739A1 (en) * | 2013-11-01 | 2015-05-07 | Intuit Inc. | Method and system for validating a virtual asset |
US20150373046A1 (en) * | 2014-06-20 | 2015-12-24 | Vencore Labs, Inc. | System and method for mitigating toc/tou attacks in a cloud computing environment |
US9298927B2 (en) | 2014-02-27 | 2016-03-29 | Intuit Inc. | Method and system for providing an efficient vulnerability management and verification service |
US9323921B2 (en) | 2010-07-13 | 2016-04-26 | Microsoft Technology Licensing, Llc | Ultra-low cost sandboxing for application appliances |
US9389933B2 (en) | 2011-12-12 | 2016-07-12 | Microsoft Technology Licensing, Llc | Facilitating system service request interactions for hardware-protected applications |
US9418236B2 (en) | 2013-11-13 | 2016-08-16 | Intuit Inc. | Method and system for dynamically and automatically managing resource access permissions |
US9495183B2 (en) | 2011-05-16 | 2016-11-15 | Microsoft Technology Licensing, Llc | Instruction set emulation for guest operating systems |
US9516044B2 (en) | 2014-07-31 | 2016-12-06 | Intuit Inc. | Method and system for correlating self-reporting virtual asset data with external events to generate an external event identification database |
US9588803B2 (en) | 2009-05-11 | 2017-03-07 | Microsoft Technology Licensing, Llc | Executing native-code applications in a browser |
US9720723B2 (en) | 2015-07-01 | 2017-08-01 | International Business Machines Corporation | Protected guests in a hypervisor controlled system |
US9742794B2 (en) | 2014-05-27 | 2017-08-22 | Intuit Inc. | Method and apparatus for automating threat model generation and pattern identification |
US9923909B2 (en) | 2014-02-03 | 2018-03-20 | Intuit Inc. | System and method for providing a self-monitoring, self-reporting, and self-repairing virtual asset configured for extrusion and intrusion detection and threat scoring in a cloud computing environment |
US10102082B2 (en) | 2014-07-31 | 2018-10-16 | Intuit Inc. | Method and system for providing automated self-healing virtual assets |
US10121007B2 (en) | 2014-02-21 | 2018-11-06 | Intuit Inc. | Method and system for providing a robust and efficient virtual asset vulnerability management and verification service |
US10757133B2 (en) | 2014-02-21 | 2020-08-25 | Intuit Inc. | Method and system for creating and deploying virtual assets |
US11294700B2 (en) | 2014-04-18 | 2022-04-05 | Intuit Inc. | Method and system for enabling self-monitoring virtual assets to correlate external events with characteristic patterns associated with the virtual assets |
US11334670B2 (en) * | 2020-01-28 | 2022-05-17 | Hewlett Packard Enterprise Development Lp | Integrity verification for a software stack or part of a software stack |
US11620719B2 (en) | 2011-09-12 | 2023-04-04 | Microsoft Technology Licensing, Llc | Identifying unseen content of interest |
Families Citing this family (62)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7487358B2 (en) * | 2004-11-29 | 2009-02-03 | Signacert, Inc. | Method to control access between network endpoints based on trust scores calculated from information system component analysis |
US9450966B2 (en) | 2004-11-29 | 2016-09-20 | Kip Sign P1 Lp | Method and apparatus for lifecycle integrity verification of virtual machines |
US8266676B2 (en) | 2004-11-29 | 2012-09-11 | Harris Corporation | Method to verify the integrity of components on a trusted platform using integrity database services |
US8327131B1 (en) | 2004-11-29 | 2012-12-04 | Harris Corporation | Method and system to issue trust score certificates for networked devices using a trust scoring service |
US7733804B2 (en) | 2004-11-29 | 2010-06-08 | Signacert, Inc. | Method and apparatus to establish routes based on the trust scores of routers within an IP routing domain |
US20110179477A1 (en) * | 2005-12-09 | 2011-07-21 | Harris Corporation | System including property-based weighted trust score application tokens for access control and related methods |
US8327350B2 (en) * | 2007-01-02 | 2012-12-04 | International Business Machines Corporation | Virtual resource templates |
US8108855B2 (en) | 2007-01-02 | 2012-01-31 | International Business Machines Corporation | Method and apparatus for deploying a set of virtual software resource templates to a set of nodes |
US8108856B2 (en) | 2007-03-30 | 2012-01-31 | Intel Corporation | Method and apparatus for adaptive integrity measurement of computer software |
US8464251B2 (en) * | 2007-03-31 | 2013-06-11 | Intel Corporation | Method and apparatus for managing page tables from a non-privileged software domain |
US8041338B2 (en) * | 2007-09-10 | 2011-10-18 | Microsoft Corporation | Mobile wallet and digital payment |
US8370802B2 (en) | 2007-09-18 | 2013-02-05 | International Business Machines Corporation | Specifying an order for changing an operational state of software application components |
KR101071962B1 (en) * | 2008-09-24 | 2011-10-11 | 한국전자통신연구원 | Automatic Managing System and Method for Integrity Reference Manifest |
US20100088745A1 (en) * | 2008-10-06 | 2010-04-08 | Fujitsu Limited | Method for checking the integrity of large data items rapidly |
US8321863B2 (en) * | 2009-03-06 | 2012-11-27 | Hitachi, Ltd. | Security management device and method |
US20110041126A1 (en) * | 2009-08-13 | 2011-02-17 | Levy Roger P | Managing workloads in a virtual computing environment |
US8505103B2 (en) * | 2009-09-09 | 2013-08-06 | Fujitsu Limited | Hardware trust anchor |
US9027038B2 (en) * | 2009-10-21 | 2015-05-05 | General Dynamics C4 Systems, Inc. | Methods and apparatus for constructing a secure and flexible operating system |
US8161012B1 (en) * | 2010-02-05 | 2012-04-17 | Juniper Networks, Inc. | File integrity verification using a verified, image-based file system |
US9081989B2 (en) * | 2010-03-25 | 2015-07-14 | Virtustream Canada Holdings, Inc. | System and method for secure cloud computing |
US8683495B1 (en) * | 2010-06-30 | 2014-03-25 | Emc Corporation | Sync point coordination providing high throughput job processing across distributed virtual infrastructure |
US8769493B2 (en) * | 2010-09-30 | 2014-07-01 | International Business Machines Corporation | System for managing lifecycles for virtual image assets |
US9645839B2 (en) * | 2010-10-27 | 2017-05-09 | Microsoft Technology Licensing, Llc | Stateful applications operating in a stateless cloud computing environment |
US20120159634A1 (en) * | 2010-12-15 | 2012-06-21 | International Business Machines Corporation | Virtual machine migration |
US9250863B1 (en) * | 2010-12-28 | 2016-02-02 | Amazon Technologies, Inc. | Managing virtual machine migration |
US8607067B1 (en) * | 2011-03-01 | 2013-12-10 | Amazon Technologies, Inc. | Techniques for attesting to information |
US8601583B1 (en) * | 2011-04-14 | 2013-12-03 | Trend Micro Incorporated | Certification of virtual machine images in cloud computing environments |
US8752123B2 (en) | 2011-08-15 | 2014-06-10 | Bank Of America Corporation | Apparatus and method for performing data tokenization |
US9069943B2 (en) | 2011-08-15 | 2015-06-30 | Bank Of America Corporation | Method and apparatus for token-based tamper detection |
US8566918B2 (en) | 2011-08-15 | 2013-10-22 | Bank Of America Corporation | Method and apparatus for token-based container chaining |
US8474056B2 (en) * | 2011-08-15 | 2013-06-25 | Bank Of America Corporation | Method and apparatus for token-based virtual machine recycling |
WO2013028636A1 (en) * | 2011-08-19 | 2013-02-28 | Panavisor, Inc | Systems and methods for managing a virtual infrastructure |
US8694786B2 (en) * | 2011-10-04 | 2014-04-08 | International Business Machines Corporation | Virtual machine images encryption using trusted computing group sealing |
WO2013097903A1 (en) * | 2011-12-29 | 2013-07-04 | Telefonaktiebolaget L M Ericsson (Publ) | Virtual machine migration using 3gpp mcim |
US8843650B2 (en) * | 2012-01-09 | 2014-09-23 | Fujitsu Limited | Trusted network booting system and method |
US9183031B2 (en) * | 2012-06-19 | 2015-11-10 | Bank Of America Corporation | Provisioning of a virtual machine by using a secured zone of a cloud environment |
US8656482B1 (en) | 2012-08-20 | 2014-02-18 | Bitdefender IPR Management Ltd. | Secure communication using a trusted virtual machine |
US9009705B2 (en) * | 2012-10-01 | 2015-04-14 | International Business Machines Corporation | Authenticated distribution of virtual machine images |
US10275267B1 (en) | 2012-10-22 | 2019-04-30 | Amazon Technologies, Inc. | Trust-based resource allocation |
US20140181984A1 (en) | 2012-12-21 | 2014-06-26 | International Business Machines Corporation | Method and apparatus for authentication of solution topology |
US10409980B2 (en) * | 2012-12-27 | 2019-09-10 | Crowdstrike, Inc. | Real-time representation of security-relevant system state |
US9495560B2 (en) * | 2013-04-29 | 2016-11-15 | Sri International | Polymorphic virtual appliance rule set |
WO2015102714A2 (en) * | 2013-10-11 | 2015-07-09 | Sri International | Polymorphic computing architectures |
US10461937B1 (en) | 2013-12-18 | 2019-10-29 | Amazon Technologies, Inc. | Hypervisor supported secrets compartment |
US9756074B2 (en) * | 2013-12-26 | 2017-09-05 | Fireeye, Inc. | System and method for IPS and VM-based detection of suspicious objects |
US10395029B1 (en) | 2015-06-30 | 2019-08-27 | Fireeye, Inc. | Virtual system and method with threat protection |
US10642753B1 (en) | 2015-06-30 | 2020-05-05 | Fireeye, Inc. | System and method for protecting a software component running in virtual machine using a virtualization layer |
US10216927B1 (en) | 2015-06-30 | 2019-02-26 | Fireeye, Inc. | System and method for protecting memory pages associated with a process using a virtualization layer |
US11113086B1 (en) | 2015-06-30 | 2021-09-07 | Fireeye, Inc. | Virtual system and method for securing external network connectivity |
US10726127B1 (en) | 2015-06-30 | 2020-07-28 | Fireeye, Inc. | System and method for protecting a software component running in a virtual machine through virtual interrupts by the virtualization layer |
US9998284B2 (en) | 2015-09-24 | 2018-06-12 | Intel Corporation | Methods and apparatus to provide isolated execution environments |
US10033759B1 (en) | 2015-09-28 | 2018-07-24 | Fireeye, Inc. | System and method of threat detection under hypervisor control |
US10365907B2 (en) * | 2015-11-12 | 2019-07-30 | Vmware, Inc. | Offline tools installation for virtual machines |
US10296318B2 (en) * | 2015-11-12 | 2019-05-21 | Vmware, Inc. | Offline tools upgrade for virtual machines |
US10333951B1 (en) * | 2017-07-31 | 2019-06-25 | EMC IP Holding Company LLC | Method and system for implementing golden container storage |
JP7006265B2 (en) * | 2017-12-28 | 2022-01-24 | 富士通株式会社 | Information processing equipment, control programs and information processing methods |
JP6794383B2 (en) | 2018-01-15 | 2020-12-02 | 株式会社東芝 | Electronics, methods, programs and servers, methods, programs |
US11750654B2 (en) * | 2018-04-25 | 2023-09-05 | Dell Products, L.P. | Integrity assurance of a secured virtual environment |
US10917793B2 (en) * | 2018-08-17 | 2021-02-09 | T-Moblle USA, Inc. | Verifying network subsystem integrity with blockchain |
US10678586B1 (en) | 2019-10-08 | 2020-06-09 | Cyberark Software Ltd. | Recovery of state, configuration, and content for virtualized instances |
US11385881B2 (en) * | 2020-10-31 | 2022-07-12 | Nutanix, Inc. | State-driven virtualization system imaging |
US20230214822A1 (en) * | 2022-01-05 | 2023-07-06 | Mastercard International Incorporated | Computer-implemented methods and systems for authentic user-merchant association and services |
Citations (32)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030115453A1 (en) * | 2001-12-17 | 2003-06-19 | Grawrock David W. | Connecting a virtual token to a physical token |
US20040172544A1 (en) * | 1999-05-12 | 2004-09-02 | Fraunhofer Crcg, Inc. | Protecting mobile code against malicious hosts |
US20050021968A1 (en) * | 2003-06-25 | 2005-01-27 | Zimmer Vincent J. | Method for performing a trusted firmware/bios update |
US20050114687A1 (en) * | 2003-11-21 | 2005-05-26 | Zimmer Vincent J. | Methods and apparatus to provide protection for firmware resources |
US20050132122A1 (en) * | 2003-12-16 | 2005-06-16 | Rozas Carlos V. | Method, apparatus and system for monitoring system integrity in a trusted computing environment |
US6922782B1 (en) * | 2000-06-15 | 2005-07-26 | International Business Machines Corporation | Apparatus and method for ensuring data integrity of unauthenticated code |
US20050278775A1 (en) * | 2004-06-09 | 2005-12-15 | Ross Alan D | Multifactor device authentication |
US20060005254A1 (en) * | 2004-06-09 | 2006-01-05 | Ross Alan D | Integration of policy compliance enforcement and device authentication |
US20060048228A1 (en) * | 2004-08-30 | 2006-03-02 | Kddi Corporation; Keio University | Communication system and security assurance device |
US20060117184A1 (en) * | 2004-11-29 | 2006-06-01 | Bleckmann David M | Method to control access between network endpoints based on trust scores calculated from information system component analysis |
US20070016888A1 (en) * | 2005-07-15 | 2007-01-18 | The Mathworks, Inc. | System and method for verifying the integrity of read-only components in deployed mixed-mode applications |
US7188230B2 (en) * | 2005-02-15 | 2007-03-06 | Hitachi, Ltd. | Method of assuring data integrity on storage volumes |
US20070180495A1 (en) * | 2004-11-29 | 2007-08-02 | Signacert, Inc. | Method and apparatus to establish routes based on the trust scores of routers within an ip routing domain |
US20070204153A1 (en) * | 2006-01-04 | 2007-08-30 | Tome Agustin J | Trusted host platform |
US20070260738A1 (en) * | 2006-05-05 | 2007-11-08 | Microsoft Corporation | Secure and modifiable configuration files used for remote sessions |
US7310817B2 (en) * | 2001-07-26 | 2007-12-18 | Mcafee, Inc. | Centrally managed malware scanning |
US7350204B2 (en) * | 2000-07-24 | 2008-03-25 | Microsoft Corporation | Policies for secure software execution |
US20080126779A1 (en) * | 2006-09-19 | 2008-05-29 | Ned Smith | Methods and apparatus to perform secure boot |
US20080189702A1 (en) * | 2007-02-02 | 2008-08-07 | Morgan Jeffery A | Change management |
US7581103B2 (en) * | 2001-06-13 | 2009-08-25 | Intertrust Technologies Corporation | Software self-checking systems and methods |
US7689676B2 (en) * | 2003-03-06 | 2010-03-30 | Microsoft Corporation | Model-based policy application |
US7793355B2 (en) * | 2002-12-12 | 2010-09-07 | Reasearch In Motion Limited | System and method of owner control of electronic devices |
US7844828B2 (en) * | 2003-12-04 | 2010-11-30 | Axalto Sa | Method to secure the execution of a program against attacks by radiation or other |
US7877613B2 (en) * | 2002-09-04 | 2011-01-25 | Fraunhofer-Gesellschaft Zur Foerderung Der Angewandten Forschung E.V. | Protecting mobile code against malicious hosts |
US7904727B2 (en) * | 2004-11-29 | 2011-03-08 | Signacert, Inc. | Method to control access between network endpoints based on trust scores calculated from information system component analysis |
US20110179477A1 (en) * | 2005-12-09 | 2011-07-21 | Harris Corporation | System including property-based weighted trust score application tokens for access control and related methods |
US7987495B2 (en) * | 2006-12-26 | 2011-07-26 | Computer Associates Think, Inc. | System and method for multi-context policy management |
US8010973B2 (en) * | 2007-05-31 | 2011-08-30 | Calix, Inc. | Class loader for managing a network |
US20110320816A1 (en) * | 2009-03-13 | 2011-12-29 | Rutgers, The State University Of New Jersey | Systems and method for malware detection |
US20120023568A1 (en) * | 2010-01-22 | 2012-01-26 | Interdigital Patent Holdings, Inc. | Method and Apparatus for Trusted Federated Identity Management and Data Access Authorization |
US8108856B2 (en) * | 2007-03-30 | 2012-01-31 | Intel Corporation | Method and apparatus for adaptive integrity measurement of computer software |
US20150033038A1 (en) * | 2004-04-08 | 2015-01-29 | Texas Instruments Incorporated | Methods, apparatus, and systems for secure demand paging and other paging operations for processor devices |
Family Cites Families (59)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5465299A (en) * | 1992-12-03 | 1995-11-07 | Hitachi, Ltd. | Electronic document processing system and method of forming digital signature |
US5825880A (en) * | 1994-01-13 | 1998-10-20 | Sudia; Frank W. | Multi-step digital signature method and system |
US6760840B1 (en) * | 1994-03-15 | 2004-07-06 | Kabushiki Kaisha Toshiba | File editing system and shared file editing system with file content secrecy, file version management, and asynchronous editing |
US5535276A (en) * | 1994-11-09 | 1996-07-09 | Bell Atlantic Network Services, Inc. | Yaksha, an improved system and method for securing communications using split private key asymmetric cryptography |
US6157721A (en) * | 1996-08-12 | 2000-12-05 | Intertrust Technologies Corp. | Systems and methods using cryptography to protect secure computing environments |
US6470448B1 (en) * | 1996-10-30 | 2002-10-22 | Fujitsu Limited | Apparatus and method for proving transaction between users in network environment |
EP0956673A4 (en) * | 1996-12-20 | 2005-04-06 | Financial Services Technology | Method and system for processing electronic documents |
US5919257A (en) * | 1997-08-08 | 1999-07-06 | Novell, Inc. | Networked workstation intrusion detection system |
US6330670B1 (en) | 1998-10-26 | 2001-12-11 | Microsoft Corporation | Digital rights management operating system |
US6327652B1 (en) * | 1998-10-26 | 2001-12-04 | Microsoft Corporation | Loading and identifying a digital rights management operating system |
WO2000048063A1 (en) | 1999-02-15 | 2000-08-17 | Hewlett-Packard Company | Trusted computing platform |
EP1056010A1 (en) * | 1999-05-28 | 2000-11-29 | Hewlett-Packard Company | Data integrity monitoring in trusted computing entity |
US6393420B1 (en) * | 1999-06-03 | 2002-05-21 | International Business Machines Corporation | Securing Web server source documents and executables |
EP1076279A1 (en) * | 1999-08-13 | 2001-02-14 | Hewlett-Packard Company | Computer platforms and their methods of operation |
US6289460B1 (en) * | 1999-09-13 | 2001-09-11 | Astus Corporation | Document management system |
CA2287871C (en) * | 1999-11-01 | 2007-07-31 | Ibm Canada Limited-Ibm Canada Limitee | Secure document management system |
US6823454B1 (en) * | 1999-11-08 | 2004-11-23 | International Business Machines Corporation | Using device certificates to authenticate servers before automatic address assignment |
US6826690B1 (en) * | 1999-11-08 | 2004-11-30 | International Business Machines Corporation | Using device certificates for automated authentication of communicating devices |
US6978364B1 (en) * | 2000-04-12 | 2005-12-20 | Microsoft Corporation | VPN enrollment protocol gateway |
US6950522B1 (en) * | 2000-06-15 | 2005-09-27 | Microsoft Corporation | Encryption key updating for multiple site automated login |
US7233942B2 (en) * | 2000-10-10 | 2007-06-19 | Truelocal Inc. | Method and apparatus for providing geographically authenticated electronic documents |
US7178030B2 (en) * | 2000-10-25 | 2007-02-13 | Tecsec, Inc. | Electronically signing a document |
US6976087B1 (en) * | 2000-11-24 | 2005-12-13 | Redback Networks Inc. | Service provisioning methods and apparatus |
BR0115897A (en) * | 2000-11-28 | 2003-11-04 | Swivel Technologies Ltd | Secure File Transfer Method and System |
JP2002170066A (en) * | 2000-12-04 | 2002-06-14 | Hitachi Ltd | Joint ownership system of trust information using certificate |
US7085925B2 (en) * | 2001-04-03 | 2006-08-01 | Sun Microsystems, Inc. | Trust ratings in group credentials |
US7003578B2 (en) * | 2001-04-26 | 2006-02-21 | Hewlett-Packard Development Company, L.P. | Method and system for controlling a policy-based network |
US20030014755A1 (en) * | 2001-07-13 | 2003-01-16 | Williams Marvin Lynn | Method and system for processing correlated audio-video segments with digital signatures within a broadcast system |
US7222187B2 (en) | 2001-07-31 | 2007-05-22 | Sun Microsystems, Inc. | Distributed trust mechanism for decentralized networks |
US7383433B2 (en) * | 2001-07-31 | 2008-06-03 | Sun Microsystems, Inc. | Trust spectrum for certificate distribution in distributed peer-to-peer networks |
US7162525B2 (en) * | 2001-08-07 | 2007-01-09 | Nokia Corporation | Method and system for visualizing a level of trust of network communication operations and connection of servers |
US6978018B2 (en) * | 2001-09-28 | 2005-12-20 | Intel Corporation | Technique to support co-location and certification of executable content from a pre-boot space into an operating system runtime environment |
US6944772B2 (en) * | 2001-12-26 | 2005-09-13 | D'mitri Dozortsev | System and method of enforcing executable code identity verification over the network |
US7268906B2 (en) * | 2002-01-07 | 2007-09-11 | Xerox Corporation | Systems and methods for authenticating and verifying documents |
US7024548B1 (en) * | 2003-03-10 | 2006-04-04 | Cisco Technology, Inc. | Methods and apparatus for auditing and tracking changes to an existing configuration of a computerized device |
AR043588A1 (en) * | 2003-03-12 | 2005-08-03 | Nationwide Mutual Insurance Co | METHOD FOR IMPLEMENTING A RISK ADMINISTRATION PROGRAM |
US7114076B2 (en) * | 2003-05-23 | 2006-09-26 | International Business Machines Corporation | Consolidated technique for authenticating a user to two or more applications |
US7203944B1 (en) * | 2003-07-09 | 2007-04-10 | Veritas Operating Corporation | Migrating virtual machines among computer systems to balance load caused by virtual machines |
US7634807B2 (en) * | 2003-08-08 | 2009-12-15 | Nokia Corporation | System and method to establish and maintain conditional trust by stating signal of distrust |
US20040107363A1 (en) * | 2003-08-22 | 2004-06-03 | Emergency 24, Inc. | System and method for anticipating the trustworthiness of an internet site |
US20050048961A1 (en) * | 2003-08-27 | 2005-03-03 | Jambo Networks, Inc. | System and method for providing communication services to mobile device users |
US20050138417A1 (en) * | 2003-12-19 | 2005-06-23 | Mcnerney Shaun C. | Trusted network access control system and method |
US7382880B2 (en) * | 2004-01-26 | 2008-06-03 | Hewlett-Packard Development Company, L.P. | Method and apparatus for initializing multiple security modules |
US6935687B1 (en) * | 2004-02-23 | 2005-08-30 | Delphi Technologies, Inc. | Mounting anchor for a motor vehicle |
US7574600B2 (en) * | 2004-03-24 | 2009-08-11 | Intel Corporation | System and method for combining user and platform authentication in negotiated channel security protocols |
US7664965B2 (en) * | 2004-04-29 | 2010-02-16 | International Business Machines Corporation | Method and system for bootstrapping a trusted server having redundant trusted platform modules |
WO2006020095A2 (en) * | 2004-07-16 | 2006-02-23 | Geotrust, Inc. | Security systems and services to provide identity and uniform resource identifier verification |
US20060074600A1 (en) * | 2004-09-15 | 2006-04-06 | Sastry Manoj R | Method for providing integrity measurements with their respective time stamps |
US9450966B2 (en) | 2004-11-29 | 2016-09-20 | Kip Sign P1 Lp | Method and apparatus for lifecycle integrity verification of virtual machines |
US8266676B2 (en) * | 2004-11-29 | 2012-09-11 | Harris Corporation | Method to verify the integrity of components on a trusted platform using integrity database services |
WO2006058313A2 (en) | 2004-11-29 | 2006-06-01 | Signacert, Inc. | Method to control access between network endpoints based on trust scores calculated from information system component analysis |
US7860802B2 (en) * | 2005-02-01 | 2010-12-28 | Microsoft Corporation | Flexible licensing architecture in content rights management systems |
US20070050622A1 (en) * | 2005-09-01 | 2007-03-01 | Rager Kent D | Method, system and apparatus for prevention of flash IC replacement hacking attack |
CA2632590A1 (en) | 2005-12-09 | 2008-02-28 | Signacert, Inc. | Method to verify the integrity of components on a trusted platform using integrity database services |
US20070174429A1 (en) * | 2006-01-24 | 2007-07-26 | Citrix Systems, Inc. | Methods and servers for establishing a connection between a client system and a virtual machine hosting a requested computing environment |
WO2008030629A1 (en) | 2006-09-06 | 2008-03-13 | Signacert, Inc. | Method and apparatus to establish routes based on the trust scores of routers withtn an ip routing domain |
US7809955B2 (en) * | 2006-10-17 | 2010-10-05 | Blue Ridge Networks, Inc. | Trustable communities for a computer system |
US9053323B2 (en) * | 2007-04-13 | 2015-06-09 | Hewlett-Packard Development Company, L.P. | Trusted component update system and method |
WO2009018366A1 (en) | 2007-08-01 | 2009-02-05 | Signacert. Inc. | Method and apparatus for lifecycle integrity verification of virtual machines |
-
2008
- 2008-07-24 US US12/179,303 patent/US9450966B2/en not_active Expired - Fee Related
Patent Citations (34)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20040172544A1 (en) * | 1999-05-12 | 2004-09-02 | Fraunhofer Crcg, Inc. | Protecting mobile code against malicious hosts |
US6922782B1 (en) * | 2000-06-15 | 2005-07-26 | International Business Machines Corporation | Apparatus and method for ensuring data integrity of unauthenticated code |
US7350204B2 (en) * | 2000-07-24 | 2008-03-25 | Microsoft Corporation | Policies for secure software execution |
US7581103B2 (en) * | 2001-06-13 | 2009-08-25 | Intertrust Technologies Corporation | Software self-checking systems and methods |
US7310817B2 (en) * | 2001-07-26 | 2007-12-18 | Mcafee, Inc. | Centrally managed malware scanning |
US20030115453A1 (en) * | 2001-12-17 | 2003-06-19 | Grawrock David W. | Connecting a virtual token to a physical token |
US7877613B2 (en) * | 2002-09-04 | 2011-01-25 | Fraunhofer-Gesellschaft Zur Foerderung Der Angewandten Forschung E.V. | Protecting mobile code against malicious hosts |
US7793355B2 (en) * | 2002-12-12 | 2010-09-07 | Reasearch In Motion Limited | System and method of owner control of electronic devices |
US7689676B2 (en) * | 2003-03-06 | 2010-03-30 | Microsoft Corporation | Model-based policy application |
US20050021968A1 (en) * | 2003-06-25 | 2005-01-27 | Zimmer Vincent J. | Method for performing a trusted firmware/bios update |
US20050114687A1 (en) * | 2003-11-21 | 2005-05-26 | Zimmer Vincent J. | Methods and apparatus to provide protection for firmware resources |
US7844828B2 (en) * | 2003-12-04 | 2010-11-30 | Axalto Sa | Method to secure the execution of a program against attacks by radiation or other |
US20050132122A1 (en) * | 2003-12-16 | 2005-06-16 | Rozas Carlos V. | Method, apparatus and system for monitoring system integrity in a trusted computing environment |
US20150033038A1 (en) * | 2004-04-08 | 2015-01-29 | Texas Instruments Incorporated | Methods, apparatus, and systems for secure demand paging and other paging operations for processor devices |
US20050278775A1 (en) * | 2004-06-09 | 2005-12-15 | Ross Alan D | Multifactor device authentication |
US7774824B2 (en) * | 2004-06-09 | 2010-08-10 | Intel Corporation | Multifactor device authentication |
US20060005254A1 (en) * | 2004-06-09 | 2006-01-05 | Ross Alan D | Integration of policy compliance enforcement and device authentication |
US20060048228A1 (en) * | 2004-08-30 | 2006-03-02 | Kddi Corporation; Keio University | Communication system and security assurance device |
US20070180495A1 (en) * | 2004-11-29 | 2007-08-02 | Signacert, Inc. | Method and apparatus to establish routes based on the trust scores of routers within an ip routing domain |
US7904727B2 (en) * | 2004-11-29 | 2011-03-08 | Signacert, Inc. | Method to control access between network endpoints based on trust scores calculated from information system component analysis |
US20060117184A1 (en) * | 2004-11-29 | 2006-06-01 | Bleckmann David M | Method to control access between network endpoints based on trust scores calculated from information system component analysis |
US7733804B2 (en) * | 2004-11-29 | 2010-06-08 | Signacert, Inc. | Method and apparatus to establish routes based on the trust scores of routers within an IP routing domain |
US7188230B2 (en) * | 2005-02-15 | 2007-03-06 | Hitachi, Ltd. | Method of assuring data integrity on storage volumes |
US20070016888A1 (en) * | 2005-07-15 | 2007-01-18 | The Mathworks, Inc. | System and method for verifying the integrity of read-only components in deployed mixed-mode applications |
US20110179477A1 (en) * | 2005-12-09 | 2011-07-21 | Harris Corporation | System including property-based weighted trust score application tokens for access control and related methods |
US20070204153A1 (en) * | 2006-01-04 | 2007-08-30 | Tome Agustin J | Trusted host platform |
US20070260738A1 (en) * | 2006-05-05 | 2007-11-08 | Microsoft Corporation | Secure and modifiable configuration files used for remote sessions |
US20080126779A1 (en) * | 2006-09-19 | 2008-05-29 | Ned Smith | Methods and apparatus to perform secure boot |
US7987495B2 (en) * | 2006-12-26 | 2011-07-26 | Computer Associates Think, Inc. | System and method for multi-context policy management |
US20080189702A1 (en) * | 2007-02-02 | 2008-08-07 | Morgan Jeffery A | Change management |
US8108856B2 (en) * | 2007-03-30 | 2012-01-31 | Intel Corporation | Method and apparatus for adaptive integrity measurement of computer software |
US8010973B2 (en) * | 2007-05-31 | 2011-08-30 | Calix, Inc. | Class loader for managing a network |
US20110320816A1 (en) * | 2009-03-13 | 2011-12-29 | Rutgers, The State University Of New Jersey | Systems and method for malware detection |
US20120023568A1 (en) * | 2010-01-22 | 2012-01-26 | Interdigital Patent Holdings, Inc. | Method and Apparatus for Trusted Federated Identity Management and Data Access Authorization |
Cited By (45)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9588803B2 (en) | 2009-05-11 | 2017-03-07 | Microsoft Technology Licensing, Llc | Executing native-code applications in a browser |
US10824716B2 (en) | 2009-05-11 | 2020-11-03 | Microsoft Technology Licensing, Llc | Executing native-code applications in a browser |
US9323921B2 (en) | 2010-07-13 | 2016-04-26 | Microsoft Technology Licensing, Llc | Ultra-low cost sandboxing for application appliances |
US8775590B2 (en) * | 2010-09-02 | 2014-07-08 | International Business Machines Corporation | Reactive monitoring of guests in a hypervisor environment |
US20120059930A1 (en) * | 2010-09-02 | 2012-03-08 | International Business Machines Corporation | Reactive monitoring of guests in a hypervisor environment |
US8903705B2 (en) | 2010-12-17 | 2014-12-02 | Microsoft Corporation | Application compatibility shims for minimal client computers |
US20120227058A1 (en) * | 2011-03-03 | 2012-09-06 | Microsoft Corporation | Dynamic application migration |
US8875160B2 (en) * | 2011-03-03 | 2014-10-28 | Microsoft Corporation | Dynamic application migration |
US9495183B2 (en) | 2011-05-16 | 2016-11-15 | Microsoft Technology Licensing, Llc | Instruction set emulation for guest operating systems |
US10289435B2 (en) | 2011-05-16 | 2019-05-14 | Microsoft Technology Licensing, Llc | Instruction set emulation for guest operating systems |
US11620719B2 (en) | 2011-09-12 | 2023-04-04 | Microsoft Technology Licensing, Llc | Identifying unseen content of interest |
US20130111018A1 (en) * | 2011-10-28 | 2013-05-02 | International Business Machines Coporation | Passive monitoring of virtual systems using agent-less, offline indexing |
US9389933B2 (en) | 2011-12-12 | 2016-07-12 | Microsoft Technology Licensing, Llc | Facilitating system service request interactions for hardware-protected applications |
US9413538B2 (en) * | 2011-12-12 | 2016-08-09 | Microsoft Technology Licensing, Llc | Cryptographic certification of secure hosted execution environments |
US9425965B2 (en) | 2011-12-12 | 2016-08-23 | Microsoft Technology Licensing, Llc | Cryptographic certification of secure hosted execution environments |
US20130151846A1 (en) * | 2011-12-12 | 2013-06-13 | Microsoft Corporation | Cryptographic Certification of Secure Hosted Execution Environments |
US9336088B2 (en) * | 2012-05-31 | 2016-05-10 | Core Logic Inc. | Method and apparatus for managing and verifying car traveling information, and system using the same |
US20130325815A1 (en) * | 2012-05-31 | 2013-12-05 | Core Logic Inc. | Method and apparatus for managing and verifying car traveling information, and system using the same |
US9298489B2 (en) * | 2013-01-04 | 2016-03-29 | Iomaxis, Inc. | Method and system for identifying virtualized operating system threats in a cloud computing environment |
US20140143776A1 (en) * | 2013-01-04 | 2014-05-22 | Iomaxis, Inc. | Method and system for identifying virtualized operating system threats in a cloud computing environment |
US9542213B2 (en) * | 2013-01-04 | 2017-01-10 | Iomaxis, Inc. | Method and system for identifying virtualized operating system threats in a cloud computing environment |
US20140108652A1 (en) * | 2013-01-04 | 2014-04-17 | Iomaxis, Inc. | Method and system for identifying virtualized operating system threats in a cloud computing environment |
US9288155B2 (en) * | 2013-02-13 | 2016-03-15 | Hitachi, Ltd. | Computer system and virtual computer management method |
US20140230024A1 (en) * | 2013-02-13 | 2014-08-14 | Hitachi, Ltd. | Computer system and virtual computer management method |
WO2015065739A1 (en) * | 2013-11-01 | 2015-05-07 | Intuit Inc. | Method and system for validating a virtual asset |
AU2014342834B2 (en) * | 2013-11-01 | 2019-12-05 | Intuit Inc. | Method and system for validating a virtual asset |
US9390288B2 (en) | 2013-11-01 | 2016-07-12 | Intuit Inc. | Method and system for validating a virtual asset |
US9418236B2 (en) | 2013-11-13 | 2016-08-16 | Intuit Inc. | Method and system for dynamically and automatically managing resource access permissions |
US9923909B2 (en) | 2014-02-03 | 2018-03-20 | Intuit Inc. | System and method for providing a self-monitoring, self-reporting, and self-repairing virtual asset configured for extrusion and intrusion detection and threat scoring in a cloud computing environment |
US10360062B2 (en) | 2014-02-03 | 2019-07-23 | Intuit Inc. | System and method for providing a self-monitoring, self-reporting, and self-repairing virtual asset configured for extrusion and intrusion detection and threat scoring in a cloud computing environment |
US10757133B2 (en) | 2014-02-21 | 2020-08-25 | Intuit Inc. | Method and system for creating and deploying virtual assets |
US10121007B2 (en) | 2014-02-21 | 2018-11-06 | Intuit Inc. | Method and system for providing a robust and efficient virtual asset vulnerability management and verification service |
US9298927B2 (en) | 2014-02-27 | 2016-03-29 | Intuit Inc. | Method and system for providing an efficient vulnerability management and verification service |
US9888025B2 (en) | 2014-02-27 | 2018-02-06 | Intuit Inc. | Method and system for providing an efficient asset management and verification service |
US10055247B2 (en) | 2014-04-18 | 2018-08-21 | Intuit Inc. | Method and system for enabling self-monitoring virtual assets to correlate external events with characteristic patterns associated with the virtual assets |
US11294700B2 (en) | 2014-04-18 | 2022-04-05 | Intuit Inc. | Method and system for enabling self-monitoring virtual assets to correlate external events with characteristic patterns associated with the virtual assets |
US9742794B2 (en) | 2014-05-27 | 2017-08-22 | Intuit Inc. | Method and apparatus for automating threat model generation and pattern identification |
US9654499B2 (en) * | 2014-06-20 | 2017-05-16 | Vencore Labs, Inc. | System and Method for mitigating TOC/TOU attacks in a cloud computing enviroment |
US20150373046A1 (en) * | 2014-06-20 | 2015-12-24 | Vencore Labs, Inc. | System and method for mitigating toc/tou attacks in a cloud computing environment |
US10102082B2 (en) | 2014-07-31 | 2018-10-16 | Intuit Inc. | Method and system for providing automated self-healing virtual assets |
US9516044B2 (en) | 2014-07-31 | 2016-12-06 | Intuit Inc. | Method and system for correlating self-reporting virtual asset data with external events to generate an external event identification database |
US9720721B2 (en) | 2015-07-01 | 2017-08-01 | International Business Machines Corporation | Protected guests in a hypervisor controlled system |
US9720723B2 (en) | 2015-07-01 | 2017-08-01 | International Business Machines Corporation | Protected guests in a hypervisor controlled system |
US11334670B2 (en) * | 2020-01-28 | 2022-05-17 | Hewlett Packard Enterprise Development Lp | Integrity verification for a software stack or part of a software stack |
US11720675B2 (en) | 2020-01-28 | 2023-08-08 | Hewlett Packard Enterprise Development Lp | Integrity verification for a software stack or part of a software stack |
Also Published As
Publication number | Publication date |
---|---|
US9450966B2 (en) | 2016-09-20 |
US20090089860A1 (en) | 2009-04-02 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US9450966B2 (en) | Method and apparatus for lifecycle integrity verification of virtual machines | |
US11237817B2 (en) | Operating system update management for enrolled devices | |
US10389709B2 (en) | Securing client-specified credentials at cryptographically attested resources | |
JP4939851B2 (en) | Information processing terminal, secure device, and state processing method | |
US8745386B2 (en) | Single-use authentication methods for accessing encrypted data | |
EP1946238B1 (en) | Operating system independent data management | |
EP1842127B1 (en) | Method and system for securely identifying computer storage devices | |
US20070300299A1 (en) | Methods and apparatus to audit a computer in a sequestered partition | |
US20220046043A1 (en) | Threat detection and security for edge devices | |
US10382429B2 (en) | Systems and methods for performing secure backup operations | |
WO2009018366A1 (en) | Method and apparatus for lifecycle integrity verification of virtual machines | |
US20230334127A1 (en) | System and method for protecting software licensing information via a trusted platform module | |
US10104163B1 (en) | Secure transfer of virtualized resources between entities | |
Rao et al. | Data backups and cloud computing | |
CN109923525B (en) | System and method for performing a secure backup operation | |
JP2021517688A (en) | Secure data processing | |
Hashizume | A reference architecture for cloud computing and its security applications | |
US20220245238A1 (en) | Trusted Execution Environment to Provide Attestation of Code Execution Result | |
US11394741B1 (en) | Systems and methods for hindering malicious computing actions | |
Durbano et al. | Securing the cloud | |
Jouini et al. | Design challenges of cloud computing | |
Franklin et al. | CA-in-a-Box | |
Pidlubnyi | Increasing Security and reducing risks running services in a potential containerized environment while meeting regulatory standards | |
Kate Tomchik | Comparison of the IaaS Security Available from the Top Three Cloud Providers | |
KR20210043348A (en) | File verification system and file verification method thereof |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AS | Assignment |
Owner name: SIGNACERT, INC., OREGON Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:FORRESTER, RONALD JAMES;STARNES, WILLIAM WYATT;TYCKSEN, FRANK A., JR;REEL/FRAME:021288/0910 Effective date: 20080722 |
|
AS | Assignment |
Owner name: HARRIS CORPORATION, FLORIDA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:SIGNACERT, INC.;REEL/FRAME:026195/0473 Effective date: 20110426 |
|
AS | Assignment |
Owner name: HARRIS CORPORATION, FLORIDA Free format text: SECURITY AGREEMENT;ASSIGNOR:SIGNACERT, INC.;REEL/FRAME:029467/0639 Effective date: 20121211 |
|
AS | Assignment |
Owner name: SIGNACERT, INC., OREGON Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:HARRIS CORPORATION;REEL/FRAME:029804/0310 Effective date: 20121211 |
|
AS | Assignment |
Owner name: FORTRESS CREDIT CO LLC, NEW YORK Free format text: SECURITY INTEREST;ASSIGNOR:SIGNACERT, INC;REEL/FRAME:034700/0390 Effective date: 20141217 Owner name: KIP SIGN P1 LP, NEW YORK Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:SIGNACERT, INC;REEL/FRAME:034700/0842 Effective date: 20141217 Owner name: FORTRESS CREDIT CO LLC, NEW YORK Free format text: SECURITY INTEREST;ASSIGNOR:KIP SIGN P1 LP;REEL/FRAME:034701/0170 Effective date: 20141217 |
|
AS | Assignment |
Owner name: FORTRESS CREDIT OPPORTUNITIES I LP, NEW YORK Free format text: SECURITY INTEREST;ASSIGNOR:FORTRESS CREDIT CO LLC;REEL/FRAME:039104/0979 Effective date: 20160621 Owner name: FORTRESS CREDIT OPPORTUNITIES I LP, NEW YORK Free format text: SECURITY INTEREST;ASSIGNOR:FORTRESS CREDIT CO LLC;REEL/FRAME:039104/0946 Effective date: 20160621 |
|
STCF | Information on status: patent grant |
Free format text: PATENTED CASE |
|
FEPP | Fee payment procedure |
Free format text: MAINTENANCE FEE REMINDER MAILED (ORIGINAL EVENT CODE: REM.); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY |
|
LAPS | Lapse for failure to pay maintenance fees |
Free format text: PATENT EXPIRED FOR FAILURE TO PAY MAINTENANCE FEES (ORIGINAL EVENT CODE: EXP.); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY |
|
STCH | Information on status: patent discontinuation |
Free format text: PATENT EXPIRED DUE TO NONPAYMENT OF MAINTENANCE FEES UNDER 37 CFR 1.362 |
|
FP | Lapsed due to failure to pay maintenance fee |
Effective date: 20200920 |