1. Dynamic driver substitution
    Granted invention patent (in force)

    Publication (announcement) number: US07082598B1

    Publication (announcement) date: 2006-07-25

    Application number: US10197979

    Filing date: 2002-07-17

    IPC classification: G06F9/44 G06F13/10

    CPC classification: G06F9/4413 G06F9/4411

    Abstract: An agent loaded in a computer's operating system (OS) simulates disconnection and reconnection of a device, with no need to actually disconnect the device logically from a computer. During simulated reconnection, when the OS requests the hardware ID of the device, the agent returns a substitute ID, which causes the OS to load a substitute driver. Substitution of the ID also allows driver substitution for a not yet logically connected device; in this case, no simulated disconnection or reconnection is needed. Driver substitution is dynamic and reversible, with no need to restart the system or reboot the OS, and substitution of a driver for one device of a type does not disturb other devices of the same type. The invention may be implemented entirely in software, with no need for hardware modifications or device customization.


2. Dynamic driver substitution
    Granted invention patent (in force)

    Publication (announcement) number: US07793279B1

    Publication (announcement) date: 2010-09-07

    Application number: US11491852

    Filing date: 2006-07-24

    IPC classification: G06F9/44 G06F3/00

    CPC classification: G06F9/4413 G06F9/4411

    Abstract: An agent loaded in a computer's operating system (OS) simulates disconnection and reconnection of a device, with no need to actually disconnect the device logically from a computer. During simulated reconnection, when the OS requests the hardware ID of the device, the agent returns a substitute ID, which causes the OS to load a substitute driver. Substitution of the ID also allows driver substitution for a not yet logically connected device; in this case, no simulated disconnection or reconnection is needed. Driver substitution is dynamic and reversible, with no need to restart the system or reboot the OS, and substitution of a driver for one device of a type does not disturb other devices of the same type. The invention may be implemented entirely in software, with no need for hardware modifications or device customization.


3. Enforcing restrictions related to a virtualized computer environment
    Granted invention patent (in force)

    Publication (announcement) number: US08528107B1

    Publication (announcement) date: 2013-09-03

    Application number: US11522172

    Filing date: 2006-09-14

    IPC classification: G06F11/30 G06F12/14 G06F9/455

    Abstract: An administrator may set restrictions related to the operation of a virtual machine (VM), and virtualization software enforces such restrictions. There may be restrictions related to the general use of the VM, such as who may use the VM, when the VM may be used, and on what physical computers the VM may be used. There may be similar restrictions related to a general ability to modify a VM, such as who may modify the VM. There may also be restrictions related to what modifications may be made to a VM, such as whether the VM may be modified to enable access to various devices or other resources. There may also be restrictions related to how the VM may be used and what may be done with the VM. Information related to the VM and any restrictions placed on the operation of the VM may be encrypted to inhibit a user from circumventing the restrictions.


4. Implementing network traffic management for virtual and physical machines
    Granted invention patent (in force)

    Publication (announcement) number: US08972981B2

    Publication (announcement) date: 2015-03-03

    Application number: US13432940

    Filing date: 2012-03-28

    IPC classification: G06F9/455 G06F15/173

    Abstract: A virtualization framework provides security between multiple virtual machines with respect to network communications between the virtual machines and between the virtual machines and a physical network coupled to the underlying physical computer platform. The virtualization framework includes a network interface controller driver that provides an interface to the platform network interface controller and supports execution of a plurality of virtual machines. Each virtual machine includes a virtual network interface controller that provides a network communications path between the virtual machines and to the network interface controller driver. Each virtual network interface controller further contains a programmable network packet filter that controls the selective transfer of network packets with respect to a corresponding virtual machine.


5. Extending server-based desktop virtual machine architecture to client machines
    Granted invention patent (in force)

    Publication (announcement) number: US08640126B2

    Publication (announcement) date: 2014-01-28

    Application number: US12390819

    Filing date: 2009-02-23

    IPC classification: G06F9/455 G06F15/16

    Abstract: A server-based desktop virtual machine architecture may be extended to a client machine. In one embodiment, a user desktop is remotely accessed from a client system. The remote desktop is generated by a first virtual machine running on a server system, which may comprise one or more server computers. During execution of the first virtual machine, writes to a corresponding virtual disk are directed to a delta disk file or redo log. A copy of the virtual disk is created on the client system. When a user decides to “check out” his or her desktop, the first virtual machine is terminated (if it is running) and a copy of the delta disk is created on the client system. Once the delta disk is present on the client system, a second virtual machine can be started on the client system using the virtual disk and delta disk to provide local access to the user's desktop at the client system. This allows the user to then access his or her desktop without being connected to a network.


6. Selective encryption system and method for I/O operations
    Granted invention patent (in force)

    Publication (announcement) number: US07890754B2

    Publication (announcement) date: 2011-02-15

    Application number: US12202873

    Filing date: 2008-09-02

    IPC classification: H04L29/06

    CPC classification: H04L63/083

    Abstract: Upon occurrence of a trigger condition, writes of allocation units of data (including code) to a device, such as writes of blocks to a disk, are first encrypted. Each allocation unit is preferably a predetermined integral multiple of the minimum I/O unit. A data structure is marked to indicate which units are encrypted. Upon reads from the device, only those allocation units marked as encrypted are decrypted. The disk protected by selective encryption is preferably the virtual disk of a virtual machine (VM). The trigger condition is preferably either that the virtual disk has been initialized or that the VM has been powered on. Mechanisms are also provided for selectively declassifying (storing in unencrypted form) already-encrypted, stored data, and for determining which data units represent public, general-use data units that do not need to be encrypted. The “encrypt-on-write” feature of the invention may be used in conjunction with a “copy-on-write” technique.


7. Selective encryption system and method for I/O operations
    Granted invention patent (in force)

    Publication (announcement) number: US07428636B1

    Publication (announcement) date: 2008-09-23

    Application number: US10448825

    Filing date: 2003-05-30

    IPC classification: H04L9/00

    CPC classification: H04L63/083

    Abstract: Upon occurrence of a trigger condition, writes of allocation units of data (including code) to a device, such as writes of blocks to a disk, are first encrypted. Each allocation unit is preferably a predetermined integral multiple of the minimum I/O unit. A data structure is marked to indicate which units are encrypted. Upon reads from the device, only those allocation units marked as encrypted are decrypted. The disk protected by selective encryption is preferably the virtual disk of a virtual machine (VM). The trigger condition is preferably either that the virtual disk has been initialized or that the VM has been powered on. Mechanisms are also provided for selectively declassifying (storing in unencrypted form) already-encrypted, stored data, and for determining which data units represent public, general-use data units that do not need to be encrypted. The “encrypt-on-write” feature of the invention may be used in conjunction with a “copy-on-write” technique.


8. System and methods for implementing network traffic management for virtual and physical machines
    Granted invention patent (in force)

    Publication (announcement) number: US08166474B1

    Publication (announcement) date: 2012-04-24

    Application number: US11231127

    Filing date: 2005-09-19

    IPC classification: G06F9/455 G06F15/173

    Abstract: A virtualization framework provides security between multiple virtual machines with respect to network communications between the virtual machines and between the virtual machines and a physical network coupled to the underlying physical computer platform. The virtualization framework includes a network interface controller driver that provides an interface to the platform network interface controller and supports execution of a plurality of virtual machines. Each virtual machine includes a virtual network interface controller that provides a network communications path between the virtual machines and to the network interface controller driver. Each virtual network interface controller further contains a programmable network packet filter that controls the selective transfer of network packets with respect to a corresponding virtual machine.
