Abstract: Example methods are provided to identify unused memory regions in pages that are allocated for storing executable code. One or more of the unused memory regions are usable as a secure location to store confidential information shared between a hypervisor on the host and a guest (such as a guest virtual computing instance) that runs on the host. The one or more unused memory regions may also be used to store executable code (such as valid executable code of antivirus software or other security program) that has been prevented/delayed in its execution by malicious code that has occupied the pages, thereby providing the executable code with sufficient memory resources to enable the executable code to at least partially complete execution.

Abstract: Embodiments described herein are directed to configuring managed virtual machines. For instance, a management service (e.g., a mobile device manager) may provide configuration settings to a parent virtual machine. Upon successful application of the configuration settings, the parent virtual machine notifies a configuration service that it is in a steady state and provides the configuration settings to the configuration service. The configuration service notifies a cloud-based service (e.g., a virtual desktop service) that it is configured to instantiate virtual machines. The notification informs the cloud-based service that it is permitted to instantiate child virtual machines. Responsive to receiving the notification, the cloud-based service instantiates child virtual machine(s) as needed.

Abstract: The technology disclosed herein enables the restoration of a database version across cloud environments. In a particular embodiment, a method provides receiving, in a second cloud environment from a first cloud environment, first metadata describing a first data version stored in the first cloud environment. The first data version includes first data items and the first metadata. After receiving the first metadata, the method provides receiving, in the second cloud environment, an instruction to restore the first data items to the second cloud environment. In response to the instruction, the method provides restoring the first data items to the second cloud environment using the first metadata.

Abstract: The present disclosure relates to computer-implemented methods, software, and systems for providing extension application mechanisms. Memory is allocated for a virtual environment to run in an address space of an application that is to be extended with extension logic in a secure manner. The virtual environment is configured for execution of commands related to an extension functionality of the application. A virtual processor for an execution of a command of the commands is initialized at the virtual environment. The virtual processor is operable to manage one or more guest operating systems (OS). A first guest OS is loaded at the allocated memory and application logic of the extension functionality is copied into the allocated memory. The virtual environment is started to execute the first guest OS and the application logic of the extension functionality in relation to associated data of the application in the allocated memory.

Abstract: Hardware transactions or other techniques, such as custom PCIe handling devices, are used to atomically move pages from one host's memory to another host's memory. The hosts are connected by one or two non-transparent bridges (NTBs), which make each host's memory and devices available to the other, while allowing each host to reboot independently.

Abstract: A method and/or apparatus for creating and/or editing a machine pool with bring your own machine (BYOM) includes creating and/or editing a machine pool with a static list of machines. A user input machine list and an existing machine list are retrieved, and the user input machine list and existing machine list are compared to identify one or more changes between the user input machine list and existing machine list. Next, a new machine specification is created when the one or more changes between the user input machine list and existing machine list are identified. The one or more machines are then moved to the new machine specification.

Abstract: Some embodiments provide a method for scheduling networking threads associated with a data compute node (DCN) executing at a host computer. When a virtual networking device is instantiated for the DCN, the method assigns the virtual networking device to a particular non-uniform memory access (NUMA) node of multiple NUMA nodes associated with the DCN. Based on the assignment of the virtual networking device to the particular NUMA node, the method assigns networking threads associated with the DCN to the same particular NUMA node and provides information to the DCN regarding the particular NUMA node in order for the DCN to assign a thread associated with an application executing on the DCN to the same particular NUMA node.

Abstract: A system for providing computer implemented services using information handling systems includes persistent storage and a system control processor manager. The system control processor manager instantiates composed information handling systems using the information handling systems; monitors, using system control processors of the composed information handling systems, operation of the composed information handling systems to obtain operation information; makes a determination, based on the operation information, that the computing implemented services provided by the composed information handling systems are substandard; and in response to the determination: manages operation of the composed information handling systems to provide standards compliant computer implemented services by modifying a composition of at least one of the composed information handling systems using a system control processor of the system control processors.

Abstract: Aspects of managing inventory for data transport connections within a virtualized computing environment are described. A virtualized management system managing a cluster of host devices obtains a data transport capacity parameter and an aggregate memory consumption value from respective host devices. The virtualized management system further identifies an update status associated with each of the host devices. In response to receiving a data transport connection request, the virtualized management system selects a host from the cluster of hosts to satisfy the data transport connection request based at least in part on the upgrade status, data transport capacity parameter and aggregate memory consumption value.

Abstract: A network-accessible service provides an enterprise with a view of identity and data activity in the enterprise's cloud accounts. The service enables distinct cloud provider management models to be normalized with centralized analytics and views across large numbers of cloud accounts. Based on identity and audit data received from a set of cloud deployments, and according to a cloud intelligence model, a set of permissions associated with each of a set of identities are determined. For each identity, and based on a set of identity chains extracted from the cloud intelligence model, a set of identity account action paths (IAAPs) are then determined. An IAAP defines how the identity obtains an ability to perform a given action in a given account. Using the identity account action paths together with context information, one or more roles, groups and accounts in the enterprise that are propagating permissions within the public cloud environment are then identified.

Abstract: Systems and methods for supporting efficient virtualization in a lossless interconnection network. An exemplary method can provide, one or more switches, including at least a leaf switch, a plurality of host channel adapters, wherein each of the host channel adapters comprise at least one virtual function, at least one virtual switch, and at least one physical function, a plurality of hypervisors, and a plurality of virtual machines, wherein each of the plurality of virtual machines are associated with at least one virtual function. The method can arrange the plurality of host channel adapters with one or more of a virtual switch with prepopulated local identifiers (LIDs) architecture or a virtual switch with dynamic LID assignment architecture. The method can assign each virtual switch with a LID. The method can calculate one or more linear forwarding tables based at least upon the LIDs assigned to each of the virtual switches.

Abstract: A method for protecting an OS disk of a computing device without block encrypting the OS disk. The method identifies one or more files that store configuration data associated with OS binaries executed on the computing device. The method encrypts the configuration data stored in the one or more files using an encryption key and seals the encryption key to a TPM of the computing device. The method then boots the computing device by attempting to unseal the encryption key by authenticating one or more of the OS binaries with the TPM. When authenticating the one or more of the OS binaries is successful, the method completes boot of the computing device by decrypting the configuration data using the encryption key. If authentication of the one or more of the OS binaries is not successful, however, the method aborts boot of the computing device.

Abstract: A virtual machine management method and apparatus, a device, and a readable storage medium. The virtual machine management method is applied to a private cloud, and comprises: acquiring a SELinux label, the SELinux label comprising five elements: User, Role, Type, Sensitivity, and Category (S101); setting elements other than Category in the SELinux label as default values (S102); assigning different values to Category according to a preset Category variable combination so as to obtain multiple non-duplicate label groups (S103); and configuring each label group to a virtual machine in the private cloud, so that virtual machines configured with the same label group communicate with each other, and virtual machines configured with different label groups are isolated from each other (S104).

Abstract: Virtual machine (VM) proliferation may be reduced through the use of Virtual Server Agents (VSAs) assigned to a group of VM hosts that may determine the availability of a VM to perform a task. Tasks may be assigned to existing VMs instead of creating a new VM to perform the task. Furthermore, a VSA coordinator may determine a grouping of VMs or VM hosts based on one or more factors associated with the VMs or the VM hosts, such as VM type or geographical location of the VM hosts. The VSA coordinator may also assign one or more VSAs to facilitate managing the group of VM hosts. In some embodiments, the VSA coordinators may facilitate load balancing of VSAs during operation, such as during a backup operation, a restore operation, or any other operation between a primary storage system and a secondary storage system.

Abstract: A method for storing data, the method comprising receiving, by an offload component in a client application node, an augmented write request originating from an application executing in an application container on the client application node, wherein the augmented write request is associated with data and wherein the offload component is located in a hardware layer of the client application node, and processing, by the offload component, the augmented write request by a file system (FS) client and a memory hypervisor module executing in a modified client FS container on the offload component, wherein processing the request results in at least a portion of the data being written to a location in a storage pool.

Abstract: Systems and methods are described for efficient ways to manage storage of data in virtual desktops on writable volumes contained in attachable virtual disks. Multiple writeable volumes can be attached to a user's virtual desktop and data writes on the virtual desktop can be allocated among the writeable volumes based on preset policies or criteria, allowing the storage of different types of data in different writable volumes located on different storage devices.

Abstract: The disclosure provides an approach for implementing a distributed firewall within a data center. The firewall is implemented as a kernel space filter driver within the operating system of virtual machines. Each virtual machine hosts several user sessions. The firewall may be dynamically updated with new security policies, either by an administrator or a component of the data center.

Abstract: Systems and methods for parsing a software component search query to enable multi entity searches are provided.

Abstract: A configuration for a component of a primary node is synchronized with a configuration for a component of a partner node in a different cluster by replicating the primary node configuration with the partner node. A baseline configuration replication comprises a snapshot of a component configuration on the primary. The baseline configuration can be generated by traversing through the configuration objects, capturing their attributes and encapsulating them in a package. The baseline package can then be transferred to the partner node. The configuration objects can be applied on the partner node in the order in which they were captured on the primary node. Attributes of the configuration objects are identified that are to be transformed. Values for the identified attributes are transformed from a name space in the primary node to a name space in the partner node.

Abstract: Communication fabric-coupled computing architectures, platforms, and systems are provided herein. In one example, an apparatus includes a management entity configured to establish a compute unit comprising components from among a plurality of physical computing components by at least instructing a communication fabric communicatively coupling the plurality of physical computing components to establish logical isolation within the communication fabric to form the compute unit. Responsive to an indication of a change in workload associated with at least a software component deployed to a processing element of the compute unit, the management entity is configured to adjust the logical isolation to alter a quantity of the plurality of physical computing components in the compute unit in accordance with the change in the workload.

Abstract: A program is executed using a call stack and shadow stack. The call stack includes frames having respective return addresses. The frames may also store variables and/or parameters. The shadow stack stores duplicates of the return addresses in the call stack. The call stack and the shadow stack are maintained by, (i) each time a function is called, adding a corresponding stack frame to the call stack and adding a corresponding return address to the shadow stack, and (ii) each time a function is exited, removing a corresponding frame from the call stack and removing a corresponding return address from the shadow stack. A backtrace of the program's current call chain is generated by accessing the return addresses in the shadow stack. The outputted backtrace includes the return addresses from the shadow stack and/or information about the traced functions that is derived from the shadow stack's return addresses.

Abstract: Systems and methods are provided for assigning and associating resources in a cloud computing environment. Virtual machines in the cloud computing environment can be assigned or associated with pools corresponding to users as dedicated, standby, or preemptible machines. The various states provide users with the ability to reserve a desired level of resources while also allowing the operator of the cloud computing environment to increase resource utilization.

Abstract: Embodiments relate to a virtualization layer capturing replayable execution traces of VMs managed by the virtualization layer. Execution tracing can be performed on any unit of execution managed by the virtualization layer, e.g., threads, processes, virtual processors, individual VMs, multiple VMs, etc. Traced execution units may be executing in parallel. Execution tracing involves capturing to a buffer: executed instructions, memory inputted to instructions, memory outputted by instructions, registers touched by instructions, and ordering markers. Trace data can be captured in chunks, where causality is preserved and ordering is preserved between chunks but not necessarily within chunks. The chunks may be delineated by inserting monotonically increasing markers between context switches, thus relatively ordering the chunks. Determinism may be partially provided by identifying non-deterministic events. VM tracing may be transparent to guest software, which need not be instrumented.

Abstract: A data processing device that can monitor properly the state of the interrupt processing of a virtual machine is provided. The data processing device according to an aspect of the present disclosure includes an arithmetic unit that executes multiple virtual machines, respectively, and an interrupt controller that instructs execution of the interrupt processing to the arithmetic unit with the virtual machine information to specify at least one of the multiple virtual machines. The interrupt controller includes a counter to count the number of interrupts for each virtual machine based on the virtual machine information.

Abstract: An electronic control unit is configured to perform: allocating CPU resources to provide a plurality of virtual machines under a management by a hypervisor; monitoring an abnormality that occurs in one specific virtual machine by another virtual machine different from the specific virtual machine; outputting a stop request that requests stop of the allocation of the CPU resources to the specific virtual machine in a case that the abnormality is detected; and stopping allocation of the CPU resources to the specific virtual machine, by the hypervisor, in response to the stop request. The electronic control unit further comprises a DMA controller. The DMA controller transfers data transmitted to the specific virtual machine to a common memory which is common among a plurality of virtual machines.

Abstract: Examples of the present disclosure describe systems and methods for restricting access to application programming interfaces (APIs). For example, when a process calls an API, the API call may be intercepted by a security system for evaluation of its trustfulness before the API is allowed to run. Upon intercepting an API call, the process calling the API may be evaluated to determine if the process is known to the security system, such that known processes that are untrusted may be blocked from calling the API. Further, when the security system cannot identify the process calling the API, the security service may evaluate a call stack associated with the call operation to determine if attributes of the call operation are known to the security system. If the call operation is known to the security system as untrusted, the call operation may be blocked from calling the API.

Abstract: Methods for data visibility in nested transactions in distributed systems are performed by systems and devices. Distributed executions of queries are performed in processing systems according to isolation level protocols with unique nested transaction identifiers for data management and versioning across one or more data sets, one or more compute pools, etc., within a logical server via a single transaction manager that oversees the isolation semantics and data versioning. A distributed query processor of the systems and devices performs nested transaction versioning for distributed tasks by generating nested transaction identifiers, encoded in data rows, which are used to enforce correct data visibility. Data visibility is restricted to previously committed data from distributed transactions and tasks, and is blocked for distributed transactions and tasks that run concurrently.

Abstract: Systems and methods for managing access to a block device. An example method includes receiving, by a processing device from an entity operating in a cloud-computing environment, a memory access command referencing a block device of a distributed storage system that is accessible by a plurality of entities of the cloud computing environment; identifying a data structure associated with the referenced block device, wherein the data structure identifies entities of the cloud-computing environment that are allowed access to the block device; determining, in view of the data structure, whether the entity is allowed access to the block device by the memory access command; and responsive to determining that the entity is allowed access to the block device by memory access command, executing the memory access command.

Abstract: One embodiment of the present invention provides a system that can manage access to a service from a cluster of computing nodes. An instance of the system can operate on a respective computing node. During operation, the system instance can identify an Internet Protocol (IP) address, which provides access to the service from the cluster of computing nodes to a client device at a client site. The system instance can select the computing node for hosting the IP address in the cluster of computing nodes based on a set of selection criteria. The selection is performed independently at the computing node. The system instance can then assign the IP address to the computing node. The assignment allows a request for the service to be directed to the computing node. Subsequently, the system instance can facilitate the service from the cluster of computing nodes based on the request.

Abstract: A system and method for detecting potential lateral movement in a cloud computing environment includes detecting a private encryption key and a certificate, each of which further include a hash value of a respective public key, wherein the certificate is stored on a first resource deployed in the cloud computing environment; generating in a security graph: a private key node, a certificate node, and a resource node connected to the certificate node, wherein the security graph is a representation of the cloud computing environment; generating a connection in the security graph between the private key node and the certificate node, in response to determining a match between the hash values of the public key of the private key and the public key of the certificate; and determining that the first resource node is potentially compromised, in response to receiving an indication that an element of the public key is compromised.

Abstract: The present application discloses a method for modifying an internal configuration of a virtual machine, a system and a device, wherein the method is applied to a virtual machine installed with a proxy service therein, and the proxy service is configured for, after the proxy service itself is started up, sending a datum request to a preset IP address via a virtual network card corresponding to the virtual machine. The method includes, when there is a target virtual network card sending a datum request to the preset IP address, according to a predetermined corresponding relation between virtual network cards and virtual machines, determining a target virtual machine corresponding to the target virtual network card; from a database, obtaining target configuration data corresponding to the target virtual machine.

Abstract: Content of an object of a source system for backup is received at a backup system different from the source system. A standby version of at least a portion of the object of the source system is maintained at a recovery system. A backup of the received content is performed using the backup system. In response to a request to place the standby version at a specified recovery time point, backup data utilized in updating the standby version to the specified recovery time point is provided to the recovery system via the backup system.

Abstract: A system is disclosed. The system may include a first device including a first processor, and a second device including a second processor, a memory, a first storage, and a second storage. The first storage may operate at a first speed, and the second storage may operate at a second speed that is slower than the first speed. The second device may be remote relative to the first device. The first device may load a metadata from a memory address in the memory of the second device. The first device may also access a data from the second device based at least in part on the metadata in the memory of the second device.

Abstract: This present disclosure provides for a work distribution service, which is a multi-region, reliable service for dynamically sharding key ranges. The work distribution service offers exclusive ownership with leases, load balancing and routing information for owner discovery. Using the work distribution service, services can easily scale horizontally by sharding their workloads.

Abstract: Techniques for implementing secure GPU virtualization using sandboxing are provided. In one set of embodiments, a hypervisor of a host system can receive one or more first graphics/compute commands issued by a guest application running within a VM of the host system. The hypervisor can further communicate the one or more first graphics/compute commands to a sandboxed software process that is separate from the hypervisor. The sandboxed software process can then translate the one or more first graphics/compute commands into one or more second graphics/compute commands and issue the one or more second graphics/compute commands for execution on a physical GPU.

Abstract: Embodiments disclosed include data center infrastructure management (DCIM) systems and methods configured to collect data center compute systems, power systems, and facility systems data, trigger an action or actions based on a diagnosed or predicted condition according to the collected data, and thereby control via a compute, power, and facilities module, the compute systems, power systems and facility systems in the data center. According to an embodiment, the control via the compute, power, and facilities module comprises calibrating the compute, power, and facility systems based on an estimated compute requirement, and an associated power, cooling, and network data resource requirement. The estimated compute requirement comprises estimating compute density per real-time power wattage, and storage density per real-time power wattage.

Abstract: A computer implemented method of executing applications in a cloud server system is presented. The method comprises receiving a file identifier from a client device. The method also comprises receiving a file associated with the file identifier from a first server. Further, the method comprises accessing an application associated with the file from memory of the cloud server. Also, the method comprises executing by the cloud server the application using the file received from the first server. Finally, the method comprises streaming results from the executing the application as a video stream destined for the client device.

Abstract: A compound storage system including: a storage box having a plurality of storage devices; and a plurality of servers capable of executing one or more virtual machines. The storage box stores a logical volume. The virtual machines executable by the server include an application VM and a controller VM. When a predetermined situation occurs in which an application VM of a migration source server is migrated to a predetermined migration destination server, at least one processor of the one or more servers in the compound storage system migrates the application VM to the migration destination server, and migrates a control right of a logical volume used by the application VM to a controller VM of the migration destination server.

Abstract: A first data center includes a first virtual network that provides a communication service in cooperation with at least a part of a communication facility of a first communication operator and a first communication unit that is operable to communicate with a second data center. The second data center includes a second virtual network that provides a communication service in cooperation with at least a part of a communication facility of a second communication operator and a second communication unit that is operable to communicate with the first data center. The first communication unit is operable to transmit to the second communication unit, communication data to be transmitted from a first terminal connecting to the first virtual network via a communication facility of the first communication operator to a second terminal connecting via a communication facility of the second communication operator to the second virtual network.

Abstract: Techniques are described for communications in an L2 virtual network. In an example, the L2 virtual network includes a plurality of L2 compute instances hosted on a set of host machines and a plurality of L2 virtual network interfaces and L2 virtual switches hosted on a set of network virtualization devices. An L2 virtual network interface emulates an L2 port of the L2 virtual network. Access control list (ACL) information applicable to the L2 port is sent to a network virtualization device that hosts the L2 virtual network interface.

Abstract: A method for creating overlay networking constructs to establish network connectivity between virtual routers and remote physical gateways is provided. An orchestrator receives a mapping between tenant network identifiers for multiple tenant networks and overlay network identifiers for multiple overlay networks. The orchestrator attaches a virtual router to a parent logical port of an overlay logical switch for connectivity between a physical gateway and the multiple tenant networks. The orchestrator creates multiple child logical ports that are sub-interfaces of the parent logical port. Each child logical port is uniquely identified by a tenant network identifier. The orchestrator connects multiple child logical switches to the multiple child logical ports according to the received mapping. Each child logical switch is uniquely identified by an overlay network identifier.

Abstract: A topology-reprogrammable test environment is provided that can support the needs of CI/CD/CV in the field. The system disclosed provides a highly scalable network architecture to simplify the implementation of network slicing, TaaS and network CI/CD, and solves problems related to the complexity of cloud-native network (CNN) deployments. A Network Cell (NC), comprises or consists of a Containerized Network Function (CNF), a Containerized Digital Twin (CDT), and a Containerized Test Agent (CTA). The CDT has at least two personalities, e.g., an emulator of the CNF in the same NC or a nodal of the CNF. The choice of personality of the CDT is controlled by the CTA of the NC. A number of NCs use a 3D IP address to interconnect and form a new kind of CNN over the infrastructure of VRs.

Abstract: A method of executing workflows in virtual machines that have been deployed to implement virtual network functions of a network service, wherein the virtual machines are running in a plurality of data centers each having a cloud management server running a cloud computing management software to provision virtual infrastructure resources thereof for a plurality of tenants, includes upon receiving a request to execute a workflow along with a plurality of parameters including first and second parameters at a data center, identifying a virtual machine deployed in the data center, in which the workflow is to be executed based on the first parameter, designating one of a plurality of methods by which the workflow is to be executed in the virtual machine according to the second parameter, and issuing a command to the virtual machine to execute the workflow according to the designated method.

Abstract: The detection of utilized virtual machines through usage pattern analysis is described. In one example, a computing device can collect utilization metrics from a virtual machine over time. The utilization metrics can be related to one or more processing usage, disk usage, network usage, and memory usage metrics, among others. The utilization metrics can be used to determine a number of clusters, and the clusters can be used to organize the utilization metrics into groups. Depending upon the number or overall percentage of the utilization metrics assigned to individual ones of the plurality of clusters, it is possible to determine whether or not the virtual machine is a utilized or an idle virtual machine. Once identified, utilized virtual machines can be migrated in some cases. Idle virtual machines can be shut down to conserve processing resources and costs in some cases.

Abstract: Disclosed are systems and methods that provide a computerized device management framework that adaptively determines and applies security and configuration parameters to a device on a first network, and enables the adaptive application of such parameters as the device disconnects and connects to other networks. The disclosed framework enables the automatic detection of different networks being relied upon by the device for access to the Internet, upon which, management control policies of the device's activities can be controlled and managed in a unified manner. Accordingly, the disclosed framework can enable security and configuration mechanisms applied on a first network, upon which they are associated, to be seamlessly applied on another disparate network via a virtual private network connection enabled via proprietary mechanisms implemented on the device.

Abstract: Effectively allocating computing resources to end-users is provided. A system can identify mapping groups comprising a first mapping group that maps first users to corresponding first machines having a first hardware configuration, and a second mapping group that maps second users to corresponding second machines having a second hardware configuration. The system can determine a first metric indicating computing resource utilization of a first machine of the first machines when executing one or more sessions of a first user in the first mapping group, and a second metric indicating computing capacity of the second machines. The system can re-map the first user from the first mapping group to the second mapping group to cause sessions of the first user to execute on a second machine of the second machines.

Abstract: In certain embodiments, multi-modal-based generation of settlement instructions may be facilitated. In some embodiments, a portfolio of a live environment may be emulated in a projected environment. A target portfolio may be generated in the projected environment based on the emulated portfolio. Partial synchronization between the target portfolio of the projected environment and the portfolio of the live environment may be performed such that a first subset of changes to the portfolio of the live environment are reflected in the target portfolio of the projected environment. Subsequent to the partial synchronization, the target portfolio of the projected environment may be updated such that the update of the target portfolio accounts for the first subset of changes. Subsequent to the update of the target portfolio, settlement instructions may be generated based on differences between the target portfolio of the projected environment and the portfolio of the live environment.

Abstract: A method of managing a virtual machine environment is described. According to the method, a cloud application that is used for management of a plurality of virtual machines may receive, from a first virtual machine, an indication of one or more configuration parameters associated with the first virtual machine. The cloud application may generate an executable package based on metadata associated with the first virtual machine. The executable package may be configured to be executable by a set of default drivers on a second virtual machine upon bootup of the second virtual machine to configure the second virtual machine in accordance with the one or more configuration parameters. The cloud application may transmit, to the second virtual machine, the executable package for configuring the second virtual machine in accordance with the one or more configuration parameters.

Abstract: According to examples, an apparatus may include a processor that may access an assignment of a capability to a hardware port such as a Universal Serial Bus (“USB”) port. The apparatus may virtualize a USB port, assign capabilities to the virtual USB port, and provide electrical communication via the USB port subject to the assigned capabilities. The electrical communication may include power delivered via the USB port, or data communicated via the USB port.

Abstract: Apparatuses, systems, and techniques to allocate portions of a virtual address space to allow virtual machines to share data. In at least one embodiment, at least a portion of a virtual memory address space is made accessible to multiple virtual machines and is mapped to memory addresses of different physical devices using, at least in part, a cache-coherent protocol.