公开(公告)号：US11170077B2

公开(公告)日：2021-11-09

申请号：US16296273

申请日：2019-03-08

Applicant: VMWARE, INC.

Inventor： Alok Nemchand Kataria ,  Achindra Bhatnagar ,  Sachin Shinde ,  Martim Carbone ,  Deep Shah

IPC: G06F21/12 ,  G06F21/60 ,  H04L9/32 ,  G06F21/64 ,  G06F21/62

Abstract: Techniques for verifying the integrity of application data using secure hardware enclaves are provided. In one set of embodiments, a client system can create a secure hardware enclave on the client system and load program code for an integrity verifier into the secure hardware enclave. The client system can further receive a dataset from a server system and store the dataset at a local storage or memory location, and receive, via the integrity verifier, a cryptographic hash of the dataset from the server system and store the received cryptographic hash at a memory location within the secure hardware enclave. Then, on a periodic basis, the integrity verifier can compute a cryptographic hash of the stored dataset, compare the computed cryptographic hash against the stored cryptographic hash, and if the computed cryptographic hash does not match the stored cryptographic hash, determine that the stored dataset has been modified.

公开(公告)号：US20170337011A1

公开(公告)日：2017-11-23

申请号：US15256779

申请日：2016-09-06

Applicant: VMWARE, INC.

Inventor： WEI XU ,  Alok Nemchand Kataria ,  Jeffrey W. Sheldon

IPC: G06F3/06 ,  G06F9/455

CPC classification number: G06F9/45558 ,  G06F2009/45583

Abstract: Mechanisms to protect the integrity of memory of a virtual machine are provided. The mechanisms involve utilizing certain capabilities of the hypervisor underlying the virtual machine to monitor writes to memory pages of the virtual machine. A guest integrity driver communicates with the hypervisor to request such functionality. Additional protections are provided for protecting the guest integrity driver and associated data, as well as for preventing use of these mechanisms by malicious software. These additional protections include an elevated execution mode, termed “integrity mode,” as well as protections on the memory pages that store the guest integrity driver. To prevent spurious alerts associated with the GI driver accessing its own data, the hypervisor maintains two page tables. In one copy, pages storing data for the GI driver are not protected and in the other, those pages are protected. The hypervisor switches the page tables when entering and exiting integrity mode.

公开(公告)号：US11507415B2

公开(公告)日：2022-11-22

申请号：US16822054

申请日：2020-03-18

Applicant: VMWARE, INC.

Inventor： Vivek Mohan Thampi ,  Alok Nemchand Kataria ,  Martim Carbone ,  Deep Shah

IPC: G06F9/48 ,  G06F9/455 ,  G06F21/62 ,  G06F21/53

Abstract: Techniques for supporting invocations of the RDTSC (Read Time-Stamp Counter) instruction, or equivalents thereof, by guest program code running within a virtual machine (VM), including guest program code running within a secure hardware enclave of the VM, are provided. In one set of embodiments, a hypervisor can activate time virtualization heuristics for the VM, where the time virtualization heuristics cause accelerated delivery of system clock timer interrupts to a guest operating system (OS) of the VM. The hypervisor can further determine a scaling factor to be applied to timestamps generated by one or more physical CPUs, where the timestamps are generated in response to invocations of a CPU instruction made by guest program code running within the VM, and where the scaling factor is based on the activated time virtualization heuristics. The hypervisor can then program the scaling factor into the one or more physical CPUs.

公开(公告)号：US11178105B2

公开(公告)日：2021-11-16

申请号：US16442579

申请日：2019-06-17

Applicant: VMWARE, INC.

Inventor： Shirish Vijayvargiya ,  Alok Nemchand Kataria ,  Deep Shah

IPC: H04L29/06 ,  G06F9/455

Abstract: Techniques for implementing a secure enclave-based guest firewall are provided. In one set of embodiments, a host system can load a policy enforcer for a firewall into a secure enclave of a virtual machine (VM) running on the host system, where the secure enclave corresponds to a region of memory in the VM's guest memory address space that is inaccessible by processes running in other regions of the guest memory address space (including privileged processes that are part of the VM's guest operating system (OS) kernel). The policy enforcer can then, while running within the secure enclave: (1) obtain one or more security policies from a policy manager for the firewall, (2) determine that an event has occurred pertaining to a new or existing network connection between the VM and another machine, and (3) apply the one or more security policies to the network connection.

公开(公告)号：US10430223B2

公开(公告)日：2019-10-01

申请号：US15256779

申请日：2016-09-06

Applicant: VMWARE, INC.

Inventor： Wei Xu ,  Alok Nemchand Kataria ,  Jeffrey W. Sheldon

IPC: G06F9/455

Abstract: Mechanisms to protect the integrity of memory of a virtual machine are provided. The mechanisms involve utilizing certain capabilities of the hypervisor underlying the virtual machine to monitor writes to memory pages of the virtual machine. A guest integrity driver communicates with the hypervisor to request such functionality. Additional protections are provided for protecting the guest integrity driver and associated data, as well as for preventing use of these mechanisms by malicious software. These additional protections include an elevated execution mode, termed “integrity mode,” as well as protections on the memory pages that store the guest integrity driver. To prevent spurious alerts associated with the GI driver accessing its own data, the hypervisor maintains two page tables. In one copy, pages storing data for the GI driver are not protected and in the other, those pages are protected. The hypervisor switches the page tables when entering and exiting integrity mode.