Patents by Inventor Michael Tsirkin

Michael Tsirkin has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11977493
    Abstract: A system includes a host with a memory, a processor, a supervisor, and a device with access to DMAs. The system also includes a guest with access to GMAs and configured to initialize a first driver for the device. The supervisor is configured to map GMAs to a first subset of DMAs, map SMAs to a second subset of DMAs, which are located in a reserved range of addresses, and to initialize a second driver for the device with access to the SMAs. The device is configured to communicate with the guest and the supervisor via the first subset of DMAs and the SMAs respectively. The supervisor is configured to intercept a request from the first driver and validate that memory addresses associated with the request are outside of the reserved range. The supervisor is also configured to send the request to the device via the second driver.
    Type: Grant
    Filed: July 17, 2019
    Date of Patent: May 7, 2024
    Assignee: Red Hat, Inc.
    Inventor: Michael Tsirkin
  • Patent number: 11977631
    Abstract: A system includes a hypervisor, a memory, and boot firmware stored in the memory. The boot firmware is configured to execute on a processor to load a trusted code that includes a condition checker from the hypervisor, check a signature of the trusted code, and verify the signature is trusted by a guest. The boot firmware is also configured to load the trusted code into an encrypted memory at a known guest address. The hypervisor is configured to protect the known guest address. The trusted code includes a first instruction, one or more intermediate instructions, and a final instruction. The first instruction and the final instruction are exits to the hypervisor. The hypervisor is also configured to execute the condition checker and detect an inconsistency in guest memory.
    Type: Grant
    Filed: October 17, 2022
    Date of Patent: May 7, 2024
    Assignee: Red Hat, Inc.
    Inventor: Michael Tsirkin
  • Publication number: 20240143317
    Abstract: A computing device can receive, from a version control system, a first set of pre-computed checksums for source files for a software program. The computing device can receive, from the version control system, a second set of pre-computed checksums for a second set of source files for the software program. The computing device can determine a first total checksum by combining the first set of pre-computed checksums. The computing device can also determine a second total checksum by combining the first set of pre-computed checksums. The computing device can determine, by comparing the first total checksum to the second total checksum, that the first set of source files was previously built by the build engine. The computing device can then prevent the build engine from re-building the first set of source files.
    Type: Application
    Filed: October 26, 2022
    Publication date: May 2, 2024
    Inventor: Michael Tsirkin
  • Publication number: 20240143362
    Abstract: Memory pages can be migrated between non-uniform memory access (NUMA) nodes based on entries in a page modification log according to some examples described herein. In one example, a physical processor can detect a request from a virtual machine to access a memory page. The physical processor can then update a page modification log to include an entry indicating the request. A hypervisor supporting the virtual machine can be configured to detect the request based on the entry in the page modification log and, in response to detecting the request, migrate the memory page from a second NUMA node to a destination NUMA node.
    Type: Application
    Filed: October 26, 2022
    Publication date: May 2, 2024
    Inventor: Michael Tsirkin
  • Publication number: 20240143514
    Abstract: An input/output memory management unit (IOMMU) can assign input/output virtual addresses (IOVA) using a predetermined randomness algorithm according to some examples. For instance, the IOMMU can determine an input/output virtual address (IOVA) using the pre-defined randomness algorithm. Then, the IOMMU can store, in a translation table, an entry which maps the IOVA to a physical memory address of a storage device. Subsequent to storing the entry in the translation table the IOMMU can receive a request from an input/output (IO) device, where the request is to access data at the IOVA. In response to receiving the request, the IOMMU can identify the physical memory address that is mapped to the IOVA in the entry. The IOMMU can then allow the IO device to access the data at the physical memory address.
    Type: Application
    Filed: October 26, 2022
    Publication date: May 2, 2024
    Inventor: Michael Tsirkin
  • Patent number: 11971830
    Abstract: An example method may include determining whether a preemption flag associated with a first input/output (I/O) handling thread is equal to a first value indicating that preemption of the first I/O queue handling thread is forthcoming, wherein the first I/O queue handling thread is executing on a first processor, the first I/O queue handling thread is associated with a first set of one or more queue identifiers, and each queue identifier identifies a queue being handled by the first I/O queue handling thread, and, responsive to determining that the preemption flag is equal to the first value, transferring the first set of one or more queue identifiers to a second I/O queue handling thread executing on a second processor. Transferring the first set of queue identifiers may include removing the one or more queue identifiers from the first set.
    Type: Grant
    Filed: March 22, 2022
    Date of Patent: April 30, 2024
    Assignee: Red Hat, Inc.
    Inventor: Michael Tsirkin
  • Patent number: 11966743
    Abstract: A system includes a memory including a ring buffer having a plurality of slots, a processor in communication with the memory, a guest operating system, and a hypervisor. The hypervisor is configured to detect a request associated with a memory entry, retrieve up to a predetermined quantity of memory entries in the ring buffer from an original slot to an end slot, and test a respective descriptor of each successive slot from the original slot through the end slot while the respective descriptor of each successive slot in the ring buffer remains unchanged. Additionally, the hypervisor is configured to execute the request associated with the memory entries and respective valid descriptors. The hypervisor is also configured to walk the ring buffer backwards from the end slot to the original slot while clearing the valid descriptors.
    Type: Grant
    Filed: January 27, 2022
    Date of Patent: April 23, 2024
    Assignee: Red Hat, Inc.
    Inventor: Michael Tsirkin
  • Patent number: 11943337
    Abstract: A system includes an application instance or application environment instance and a first cloud service of a trusted cloud provider. The first cloud service is configured to receive an encrypted disk image and to launch the application instance or application environment instance. The system also includes a second cloud service of a first alternate cloud provider, which is configured to launch a first attestation service instance from an attestation disk image that includes a secret and to provide the secret to the application instance or application environment instance.
    Type: Grant
    Filed: February 17, 2023
    Date of Patent: March 26, 2024
    Assignee: Red Hat, Inc.
    Inventor: Michael Tsirkin
  • Publication number: 20240095059
    Abstract: A cryptographic data item is generated based on at least a public cryptographic key associated with a peripheral device connected to a virtualized computing system. The cryptographic data is transmitted to the peripheral device. A shared cryptographic key is generated based on the generated cryptographic data. One or more memory access operations are performed to access data at a region of memory associated with the peripheral device using the shared cryptographic key.
    Type: Application
    Filed: October 31, 2023
    Publication date: March 21, 2024
    Inventor: Michael Tsirkin
  • Publication number: 20240095040
    Abstract: Aspects of the disclosure provide for mechanisms providing a captive portal to manage a driver application for a peripheral device. Systems and methods of the disclosure include: providing, by a client device, a first request for a connection with a peripheral device over a wireless network provided by the peripheral device; receiving a message granting the connection to the wireless network; providing a second request to access a first web page at an address; receiving a second web page associated with a driver application for the peripheral device instead of the first web page; and launching the driver application by using a first link that facilitates an installation of the driver application and a second link that launches the driver application.
    Type: Application
    Filed: November 20, 2023
    Publication date: March 21, 2024
    Inventor: Michael Tsirkin
  • Publication number: 20240095188
    Abstract: Memory deduplication for encrypted virtual machines can be performed according to some examples. In one example, a virtual machine can select a target memory page stored in an encrypted memory of the virtual machine. The encrypted memory can be inaccessible to a hypervisor configured to manage the virtual machine. The virtual machine can store a copy of the target memory page to a shared memory that is accessible to the hypervisor. The hypervisor can then execute a deduplication process with respect to the copy of the target memory page stored in the shared memory. Subsequent to storing the copy of the target memory page to the shared memory, the virtual machine can remove the target memory page from the encrypted memory. The virtual machine can also prompt the hypervisor to reallocate the memory space of the encrypted memory that was previously used to store the target memory page.
    Type: Application
    Filed: September 19, 2022
    Publication date: March 21, 2024
    Inventors: Michael Tsirkin, Andrea Arcangeli
  • Publication number: 20240086220
    Abstract: A computing device can detect an interrupt associated with a virtual machine. Based on detecting the interrupt, the computing device can determine whether the virtual machine is in an idle state. Based on determining that the virtual machine is in the idle state, the computing device can delay the interrupt by storing the interrupt in an interrupt register for a period of time and preventing the interrupt from being transmitted to the virtual machine during the period of time. After storing the interrupt in the interrupt register, the computing device can determine that the virtual machine is in an awake state. In response to determining that the virtual machine is in the awake state, the computing device can transmit the interrupt from the interrupt register to the virtual machine.
    Type: Application
    Filed: September 13, 2022
    Publication date: March 14, 2024
    Inventor: Michael Tsirkin
  • Publication number: 20240086219
    Abstract: One example described herein includes a source processing unit that can detect that guest software of a virtual machine has transmitted an interrupt to a virtual central processing unit (vCPU) identifier, where the vCPU identifier does not match any vCPUs in the virtual machine. Based on the interrupt, the source processing unit can access an interrupt table that is associated with the virtual machine. The interrupt table can include an entry that maps the interrupt to a destination processing unit. Based on the entry in the interrupt table, the source processing unit can determine that the interrupt is to be transmitted to the destination processing unit. The source processing unit can then transmit the interrupt to the destination processing unit, without triggering an exit of the virtual machine on the source processing unit.
    Type: Application
    Filed: September 13, 2022
    Publication date: March 14, 2024
    Inventor: Michael Tsirkin
  • Publication number: 20240089099
    Abstract: Deduplication can be performed based on encrypted storage blocks generated by a secure enclave. For example, a secure enclave can generate a first encrypted storage block and a second encrypted storage block using an encryption key. The first encrypted storage block can be an encrypted version of a first storage block and the second encrypted storage block can be an encrypted version of a second storage block. The secure enclave can then provide the first encrypted storage block and the second encrypted storage block to a supervisory program executable on a processor that is separate from the secure enclave. The supervisory program can be configured to initiate deduplication of the first storage block and the second storage block in response to determining that the first encrypted storage block matches the second encrypted storage block.
    Type: Application
    Filed: September 13, 2022
    Publication date: March 14, 2024
    Inventor: Michael Tsirkin
  • Publication number: 20240069950
    Abstract: Memory deduplication for encrypted virtual machines is provided by identifying a page in a private memory of an encrypted virtual machine to place into a public memory in a virtualization environment; calculating a checksum for the page and storing the checksum in the private memory of the encrypted virtual machine; passing the page to a hypervisor of the virtualization environment to place into the public memory; calling the page via an application running in the encrypted virtual machine; and in response to verifying the page received from the public memory against the checksum stored in the private memory, proceeding with operation of the application using the page.
    Type: Application
    Filed: August 30, 2022
    Publication date: February 29, 2024
    Inventor: Michael Tsirkin
  • Publication number: 20240073243
    Abstract: A virtual device can be provided to a virtual machine (VM) from a hypervisor. The virtual device can correspond to a backend element accessible to the VM via communications with the virtual device. The hypervisor can intercept a communication from the VM directed to the backend element via the virtual device. The hypervisor can set a timer. The timer can track an elapsed time from the communication to a response from the backend element. The hypervisor can send the communication from the virtual machine to the backend element. The timer can then be determined to have expired without a response being received. The virtual device can then be disabled.
    Type: Application
    Filed: August 31, 2022
    Publication date: February 29, 2024
    Inventor: Michael Tsirkin
  • Publication number: 20240072995
    Abstract: Systems and methods for secured peripheral device communication via a bridge device in virtualized computer systems. An example method may comprise receiving, by a virtualized execution environment running on a computing system, a state measurement associated with a bridge device of the computing system; generating an ephemeral key; responsive to validating the state measurement, transmitting, to the bridge device, the ephemeral key encrypted using a device key associated with the bridge device; and transmitting, to the bridge device, an access request directed to a peripheral device accessible via the bridge device, wherein the access request is encrypted using a value derived from the ephemeral key.
    Type: Application
    Filed: August 31, 2022
    Publication date: February 29, 2024
    Inventors: Michael Tsirkin, Amnon Ilan
  • Publication number: 20240073000
    Abstract: Protections against browser-in-browser attacks are provided by, in response to opening a first browser window and a second browser window, retrieving security key information stored by a browser application that is held outside of a document object model accessible by documents through the browser application; displaying a first instance of the security key information in the first browser window; and displaying, contemporaneously with display of the first instance of the security key information, a second instance of the security key information in the second browser window.
    Type: Application
    Filed: August 30, 2022
    Publication date: February 29, 2024
    Inventor: Michael Tsirkin
  • Patent number: 11914512
    Abstract: An example system includes a memory, a processor in communication with the memory, and a supervisor. The supervisor is configured to allocate a memory space in the memory to a workload executing on the processor. The supervisor is configured to store data written by the workload as dirty memory in the memory space at least until the data is written back to a data storage. Based on a type of the workload being a first type, the supervisor is configured to trigger write back of at least a portion of the dirty memory into the data storage in response to the dirty memory exceeding a threshold level. Based on the type of the workload being a second type, the supervisor is configured to delay write back of the dirty memory into the data storage in response to the dirty memory exceeding the threshold level.
    Type: Grant
    Filed: September 28, 2021
    Date of Patent: February 27, 2024
    Assignee: Red Hat, Inc.
    Inventors: Michael Tsirkin, Andrea Arcangeli, Giuseppe Scrivano
  • Patent number: 11907115
    Abstract: A system includes a memory, a processor in communication with the memory, a hypervisor, and a guest OS. The guest OS is configured to store a plurality of hints in a list at a memory location. Each hint includes an address value and the memory location of the list is included in one of the respective address values associated with the plurality of hints. The guest OS is also configured to pass the list to the hypervisor. Each address value points to a respective memory page of a plurality of memory pages including a first memory page and a last memory page. The hypervisor is configured to free the first memory page pointed to by a first hint of the plurality of hints and free the last memory page pointed to by a second hint of the plurality of hints. Additionally, the last memory page includes the list.
    Type: Grant
    Filed: April 30, 2020
    Date of Patent: February 20, 2024
    Assignee: Red Hat, Inc.
    Inventor: Michael Tsirkin