Configuration profile validation on iOS using SSL and redirect
    Granted invention patent, in force

    Publication number: US09094413B2

    Publication date: 2015-07-28

    Application number: US13848347

    Filing date: 2013-03-21

    Applicant: VMware, Inc.

    Abstract: An application management agent running on a wireless communications device restricts access to device functionality (e.g., applications and device features) unless the application management agent has determined that a particular configuration profile has been installed on the device (after which the application management agent permits access to device functionality, and an operating system of the device enforces policy settings specified in the configuration profile). The application management agent confirms the presence of the configuration profile by initiating an SSL handshake with a client certificate request for a client SSL certificate embedded in the configuration profile. Validation against the embedded client SSL certificate implicitly confirms the presence of the configuration profile and validates the content of the configuration profile.

    Remote provisioning of hosts in public clouds

    Publication number: US11093259B2

    Publication date: 2021-08-17

    Application number: US16149971

    Filing date: 2018-10-02

    Applicant: VMware, Inc.

    Abstract: Examples provide for automatically provisioning hosts in a cloud environment. A cloud daemon generates a cloud host-state configuration, for a given cloud instance of a host, stored on a cloud metadata service prior to first boot of the given cloud instance of the host. A first boot of a plurality of cloud instances of hosts is performed using a stateless, master boot image lacking host-specific configuration data. On completion of the first boot of a given cloud instance of a host, the cloud host-state configuration is installed on the master boot image to generate a self-configured boot image including host-specific configuration data for the given cloud instance of the host. A second boot is performed on the given cloud instance of the host by executing the self-configured boot image to automatically provision the given cloud instance of the host in the cloud environment.

    Implementing per-processor memory areas with non-preemptible operations using virtual aliases

    Publication number: US10331556B2

    Publication date: 2019-06-25

    Application number: US14838541

    Filing date: 2015-08-28

    Applicant: VMware, Inc.

    Abstract: A computer system provides a mechanism for assuring a safe, non-preemptible access to a private data area (PRDA) belonging to a CPU. PRDA accesses generally include obtaining an address of a PRDA and performing operations on the PRDA using the obtained address. Safe, non-preemptible access to a PRDA generally ensures that a context accesses the PRDA of the CPU on which the context is executing, but not the PRDA of another CPU. While a context executes on a first CPU, the context obtains the address of the PRDA. After the context is migrated to a second CPU, the context performs one or more operations on the PRDA belonging to the second CPU using the address obtained while the context executed on the first CPU. In another embodiment, preemption and possible migration of a context from one CPU to another CPU is delayed while a context executes non-preemptible code.

    Exposing memory-mapped IO devices to drivers through firmware
    Granted invention patent, in force

    Publication number: US09489211B2

    Publication date: 2016-11-08

    Application number: US14675381

    Filing date: 2015-03-31

    Applicant: VMware, Inc.

    CPC classification number: G06F9/4411

    Abstract: A mapping table is passed to system software upon loading of the system software in a computer system. The mapping table is generated from a user-defined configuration file and maps device identifiers of various devices implemented in the computer system, as assigned by the device manufacturers, to device identifiers that are recognizable by the system software. The mapping is used by the system software when it performs binding of device drivers to devices so that devices that have been given generic and sometimes obscure names by the device manufacturers can still be associated with and bound to device drivers loaded by the system software.

    Implementing upcall from secure to non-secure mode by injecting exception into non-secure mode
    Granted invention patent, in force

    Publication number: US09465617B1

    Publication date: 2016-10-11

    Application number: US14753720

    Filing date: 2015-06-29

    Applicant: VMware, Inc.

    Abstract: A computer system that does not natively support non-maskable interrupts (NMIs) implements NMI-like functionality in a secure monitor. The computer system detects a high priority interrupt and determines whether or not interrupts are enabled or disabled. If interrupts are enabled, the computer system injects an exception into a currently executing thread of system software operating at the second privilege level, and an exception handler processes the exception like a standard exception. If interrupts are disabled, the computer system saves the current system state (e.g., the current program counter and CPU state) and values of one or more exception handling registers in temporary storage and injects an exception into the currently executing thread of the system software, and the exception handler processes the exception in a special manner.

    Method and system to impose enterprise security mechanisms throughout a mobile application lifecycle
    Granted invention patent, in force

    Publication number: US09383983B2

    Publication date: 2016-07-05

    Application number: US13918511

    Filing date: 2013-06-14

    Applicant: VMware, Inc.

    Abstract: Particular embodiments provide a method to authenticate a user of an application running on a mobile operating system (OS) installed on a mobile device, wherein the mobile OS invokes callback methods of the application upon making changes to an execution state of the application. Code embedded into the application causes the application to communicate with a management agent installed in the mobile OS upon invocation of a hooked callback method. Upon invocation of the hooked callback method, the embedded code assesses whether the user should be presented with an authentication challenge before the application is allowed to run in the foreground, and presents the challenge if necessary. Finally, the embedded code returns execution control from the management agent back to the application, which then executes the hooked callback method before running in the foreground.

    Partitioning a hypervisor into virtual hypervisors

    Publication number: US11422840B2

    Publication date: 2022-08-23

    Application number: US14982837

    Filing date: 2015-12-29

    Applicant: VMware, Inc.

    Abstract: In an example, a computer system includes a hardware platform and a hypervisor executing on the hardware platform. The hypervisor includes a kernel and a plurality of user-space instances within a user-space above the kernel. Each user-space instance is isolated from each other user-space instance through namespaces. Each user-space instance includes resources confined by hierarchical resource groups. The computer system includes a plurality of virtual hypervisors, where each virtual hypervisor executes in a respective user-space instance of the plurality of user-space instances.

    Hypervisor context switching using a redirection exception vector in processors having more than two hierarchical privilege levels

    Publication number: US10255090B2

    Publication date: 2019-04-09

    Application number: US14312207

    Filing date: 2014-06-23

    Applicant: VMware, Inc.

    Abstract: In a virtualized computer system operable in more than two hierarchical privilege levels, components of a hypervisor, which include a virtual machine kernel and virtual machine monitors (VMMs), are assigned to different privilege levels. The virtual machine kernel operates at a low privilege level to be able to exploit certain features provided by the low privilege level, and the VMMs operate at a high privilege level to support execution of virtual machines. Upon determining that a context switch from the virtual machine kernel to a VMM is to be performed, the computer system exits the low privilege level, and enters the high privilege level to execute a trampoline that supports context switches to VMMs, such as state changes, and then the VMM. The trampoline is deactivated after execution control is switched to the VMM.

    Configuration profile validation on iOS using SSL and redirect

    Publication number: US09674174B2

    Publication date: 2017-06-06

    Application number: US14807187

    Filing date: 2015-07-23

    Applicant: VMware, Inc.

    Abstract: An application management agent running on a wireless communications device restricts access to device functionality (e.g., applications and device features) unless the application management agent has determined that a particular configuration profile has been installed on the device (after which the application management agent permits access to device functionality, and an operating system of the device enforces policy settings specified in the configuration profile). The application management agent confirms the presence of the configuration profile by initiating an SSL handshake with a client certificate request for a client SSL certificate embedded in the configuration profile. Validation against the embedded client SSL certificate implicitly confirms the presence of the configuration profile and validates the content of the configuration profile.
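
    The client-certificate check at the core of both configuration-profile entries on this page (US09094413B2 and its continuation US09674174B2), written out as an added example; this is not code from the patents or from VMware. The server side verifies the certificate an agent presented during a client-authenticated TLS handshake against the enrollment CA whose issued certificate the profile carries, then decides between unlocking device functionality ("allow") and sending the agent to profile installation ("redirect"). The function names, the CA name "MDM Enrollment CA" and the device ID "device-0F3A" are assumptions, and all certificates are generated in memory at run time so the program runs offline. In a deployment the same verification is what tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool} performs inside the handshake; the value of spelling it out is the three failure modes that must all map to "redirect" rather than "allow": no certificate at all, a certificate from an impostor CA that merely copies the enrollment CA's name, and an expired certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // monotonically increasing serial number for issued certificates

// issue generates a fresh P-256 key, fills in the serial number and signs tmpl with
// parentKey. A nil parent yields a self-signed certificate signed by the new key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl.SerialNumber = big.NewInt(serial)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// newCA builds a self-signed CA; it stands in for the MDM enrollment CA (assumed name).
func newCA(name string, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	return issue(&x509.Certificate{
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, nil)
}

// newDeviceCert issues the client-auth certificate a configuration profile would embed.
func newDeviceCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, deviceID string, validity [2]time.Time) *x509.Certificate {
	cert, _ := issue(&x509.Certificate{
		Subject:     pkix.Name{CommonName: deviceID},
		NotBefore:   validity[0],
		NotAfter:    validity[1],
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, ca, caKey)
	return cert
}

// Verdict is the server's decision for one handshake attempt by the agent.
type Verdict struct {
	Action   string // "allow": profile confirmed; "redirect": send the agent to install the profile
	DeviceID string // subject CN of an accepted certificate, empty otherwise
	Reason   string
}

// checkClientCert accepts only a certificate that chains to the enrollment CA, is
// valid at `now`, and is marked for client authentication; anything else means the
// profile is absent or unusable, so the agent is redirected instead of unlocked.
func checkClientCert(presented *x509.Certificate, enrollmentCA *x509.CertPool, now time.Time) Verdict {
	if presented == nil {
		return Verdict{Action: "redirect", Reason: "no client certificate offered: profile not installed"}
	}
	opts := x509.VerifyOptions{
		Roots:       enrollmentCA,
		CurrentTime: now,
		// Verify defaults to the ServerAuth usage; a client certificate must be checked for ClientAuth.
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if _, err := presented.Verify(opts); err != nil {
		return Verdict{Action: "redirect", Reason: "client certificate rejected: " + err.Error()}
	}
	return Verdict{Action: "allow", DeviceID: presented.Subject.CommonName, Reason: "certificate chains to enrollment CA"}
}

// demoScenarios runs the check over constructed certificates: an enrolled device, an
// agent with no profile, an impostor CA that copies the CA name, and an expired certificate.
func demoScenarios() map[string]Verdict {
	now := time.Now()
	ca, caKey := newCA("MDM Enrollment CA", now)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	rogueCA, rogueKey := newCA("MDM Enrollment CA", now) // same name, different key: must not chain
	valid := [2]time.Time{now.Add(-time.Hour), now.Add(time.Hour)}
	expired := [2]time.Time{now.Add(-2 * time.Hour), now.Add(-time.Hour)}
	return map[string]Verdict{
		"enrolled":   checkClientCert(newDeviceCert(ca, caKey, "device-0F3A", valid), pool, now),
		"no-profile": checkClientCert(nil, pool, now),
		"rogue-ca":   checkClientCert(newDeviceCert(rogueCA, rogueKey, "device-0F3A", valid), pool, now),
		"expired":    checkClientCert(newDeviceCert(ca, caKey, "device-0F3A", expired), pool, now),
	}
}

func main() {
	for name, v := range demoScenarios() {
		fmt.Printf("%-11s %-8s %s\n", name, v.Action, v.Reason)
	}
}
```

    Only the "enrolled" scenario yields an "allow" verdict carrying the device ID from the certificate subject; the other three all redirect, and the Reason field shows why. The rogue-CA case is the one worth noting: the issuer name matches the enrollment CA exactly, and it is the signature check in Verify, not the name, that rejects it.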