Abstract: A solution for rapid evaluation of numerically large complex rules governing network and application transactions includes, at a network device, receiving network transaction record comprising a plurality of elements that characterize a network transaction, creating a hash of a result of concatenating the plurality of elements, and if the hash is found in a hash table comprising, for each network transaction rule, a hash of the plurality of elements comprising the rule, blocking the network transaction or alerting a network user that a prohibited transaction has occurred.

Abstract: One or more embodiments provides a shadow page table used by a virtualization software wherein at least a portion of the shadow page table shares computer memory with a guest page table used by a guest operating system (OS) and wherein the virtualization software provides a mapping of guest OS physical pages to machine pages.

Abstract: One or more embodiments of the invention display alerts provided by applications of a guest environment in a notification bar controlled by a host operating system (OS) in a host environment of a mobile device, wherein the guest environment is running in a virtual machine supported by a hypervisor running within the host environment. A hypervisor-aware service in the virtual machine registers with a guest OS to be notified when applications request presentation of alerts in a notification bar controlled by the guest OS. Upon receipt of a notification by the guest OS of an application requesting presentation of an alert in the notification bar controlled by the guest OS, the hypervisor-aware service forwards the notification to the hypervisor and the hypervisor transmits a corresponding request to a notification management component of the host OS to present the alert on the notification bar controlled by the host OS.

Abstract: A distributed event system for a relational database is disclosed. An event data model operatively describes a target database. For a subject entity in the target database, the event data model declares and defines triggering events and respective corresponding operations. An event engine monitors database queries and events involving the subject entity and determines from the event data model corresponding operations. Execution of the determined corresponding operations is distributed to network-based agents. Agents may be filtered based on skills and/or credentials injected at runtime. Code binaries of the operations are downloaded to the agents for execution.

Abstract: One or more embodiments of the invention provide access to a work environment in a mobile device from a lock screen presented by a personal environment of the mobile device, wherein the work environment is running in a virtual machine supported by a hypervisor running within the personal environment and wherein the personal environment is a host operating system (OS) of the mobile device. The host OS receives an authentication credential from a user in response to a presentation of the lock screen on a user interface (UI) of the mobile device and then determines whether the authentication credential is valid for the personal environment or the work environment. If the authentication credential is valid for the personal environment, access is enabled only to the personal environment. If the authentication credential is valid for the work environment, access is enabled to both the personal environment and the work environment.

Abstract: Machine memory fragmentation in a computer system having a host operating system and virtual machine running on a hypervisor hosted by the host operating system is reduced by having the hypervisor identify and release those machine memory pages that are more likely than others to reduce the fragmented state of the host machine memory.

Abstract: A resource scheduler for managing a distribution of host physical memory (HPM) among a plurality of virtual machines (VMs) monitors usage by each of the VMs of respective guest physical memories (GPM) to determine how much of the HPM should be allocated to each of the VMs. On determining that an amount of HPM allocated to a source VM should be reallocated to a target VM, the scheduler sends allocation parameters to a balloon application executing in the source VM causing it to reserve and write a value to a guest virtual memory (GVM) location in the source VM. The scheduler identifies the HPM location that corresponds to the reserved GVM and allocates it to the target VM by mapping a guest physical memory location of the target VM to the HPM location.

Abstract: One or more embodiments of the invention facilitate switching between a host environment of a mobile device and a guest environment of the mobile device. One method comprises configuring the host environment to launch a user interface (UI) proxy application upon receiving an indication by a user on a user interface (UI) of the mobile device of a desire to switch from the host environment to the guest environment. Upon a launch of the UI proxy application as a result of receiving the indication, the UI proxy application initiates a request to wake-up the guest environment and facilitates access by a hardware framebuffer of the mobile device to contents of a memory buffer that is updated with display data for the guest environment as a result of a waking-up of the guest environment.

Abstract: Computer code from an application program comprising a plurality of modules that each comprise a separately loadable file is code cached in a shared and persistent caching system. A shared code caching engine receives native code comprising at least a portion of a single module of the application program, and stores runtime data corresponding to the native code in a cache data file in the non-volatile memory. The engine then converts cache data file into a code cache file and enables the code cache file to be pre-loaded as a runtime code cache. These steps are repeated to store a plurality of separate code cache files at different locations in non-volatile memory.

Abstract: One or more embodiments of the invention facilitate displaying application icons of a guest environment in a host environment of a mobile device, wherein the guest environment is running in a virtual machine supported by a hypervisor running within the host environment. One method comprises forwarding, by a hypervisor-aware service running in the virtual machine to the hypervisor, a list of applications installed in a guest operating system (OS) of the virtual machine. For each of the installed applications, the hypervisor provides metadata to a host OS running in the host environment, wherein the metadata comprises an application icon and an instruction to launch a proxy application installed in the host environment. Upon a launch of the proxy application when a user selects the application icon, the proxy application requests the hypervisor to communicate with the hypervisor-aware service to launch the installed application in the guest environment.

Abstract: A user interface (UI) is accessible on a display to depict and control a plurality of smart racks in a data center is disclosed. The UI includes first, second and third graphical displays. The first graphical display depicts smart racks in the data center so as to mimic a physical arrangement of the smart racks. The second graphical display depicts a plurality of blade hosts in a smart rack in the plurality of smart racks, so as to mimic a physical arrangement of the plurality of blade hosts. The first and second graphical display may include visual indicators to depict error and warning conditions. The third graphical display depicts blade information about a blade host in the plurality of blade hosts. The blade information includes system information, a list of virtual machines hosted on the blade host, and a physical location of the blade host in the data center.

Abstract: A method for managing an amount of IO requests transmitted from a host computer to a storage system is described. A current latency value of an IO request most recently removed from an issue queue maintained by the host computer in order to transmit IO requests from the host computer to the storage system is periodically determined. An average latency value is the calculated based on the current latency value and a size limit of the issue queue is adjusted based in part on the average latency value. Upon receiving an IO request from one of a plurality of client applications running on the host computer, it can then be determined whether a number of pending IO requests in the issue queue has reached the size limit and the IO request can be transmitted to the issue queue if the number of pending IO request falls within the size limit.

Abstract: A computer method, system and apparatus control access to secured data in a plurality of databases. A repository is coupled to the databases and has a security runtime subsystem. The repository intercepts a user query of a subject database in the plurality. The security runtime subsystem determines from the intercepted query a user and corresponding user role. Based on user role, the security runtime subsystem automatically modifies the user query to filter out secure data for which the identified user is unauthorized to access but are part of the user query.

Abstract: A system for identifying an exiting process and removing traces and shadow page table pages corresponding to the process' page table pages. An accessed minimum virtual address is maintained corresponding to an address space. In one embodiment, whenever a page table entry corresponding to the accessed minimum virtual address changes from present to not present, the process is determined to be exiting and removal of corresponding trace and shadow page table pages is begun. In a second embodiment, consecutive present to not-present PTE transitions are tracked for guest page tables on a per address space basis. When at least two guest page tables each has at least four consecutive present to not-present PTE transitions, a next present to not-present PTE transition event in the address space leads to the corresponding guest page table trace being dropped and the shadow page table page being removed.

Abstract: In one approach, a method is described of generating an interface for an operating system kernel. The method calls for creating an input file, where the input file includes a node structure for the interface. A kernel component of the interface is generated from the input file. A user space component of the interface is also generated from the input file.

Abstract: The latency of virtual interrupt delivery in virtual machines is reduced by normalizing and exposing the virtual interrupt routing information of each VM to a privileged domain such as the VMkernel in an organized manner to enable virtual interrupt delivery that minimizes the number of VCPU hops. A computer implemented method of processing the virtual I/O request comprises receiving the virtual I/O request, responsive to completing a physical I/O corresponding to the virtual I/O request, referring to a virtual CPU set including information on a destination virtual CPU designated by the guest operating system for handling a virtual interrupt corresponding to the virtual I/O request, and generating the virtual interrupt corresponding to the virtual I/O request to the destination virtual CPU determined by referring to the virtual CPU set.

Abstract: A virtual business mobile device can be provisioned on a personal mobile device, by binding a mobile application for provisioning the business mobile device to a privileged component of a host operating system of the personal mobile device, wherein the binding enables a hypervisor component and a management service component of the mobile application to execute in a privileged mode. The mobile application is then able to download a virtual phone image for the business mobile device and security-related policy settings relating to use of the business mobile device from a mobile management server, wherein the hypervisor component is able to launch a virtual machine for the business mobile device based on the virtual phone image. Once the virtual phone image has been downloaded, the management service component initiates a periodic attempt to establish a connection with the mobile management server to comply with the downloaded security-related policy settings.

Abstract: A graphical user interface to provision business environments on mobile devices presents a navigation panel that displays a virtual phone template menu item and a policy setting menu item. Upon selection of the virtual phone template menu item, a template user interface is presented that enables an administrator to customize virtual phone image templates for users to be delivered to mobile devices that are configured to run the virtual phone image templates as virtual machines on the mobile devices in order to provide a business environment. Upon selection of the policy setting menu item, a policy user interface is presented that enables the administrator to set security policies, wherein each of the security policies specifies a time interval within which a mobile device running a virtual machine corresponding to one of the virtual phone image templates should communicate with an enterprise server to comply with the security policy.

Abstract: One embodiment of the present invention provide a system for providing exclusive access to a virtual private network (VPN) connection to an authorized application. During operation, the system creates a unique network namespace that is different from a default network namespace of a host system. The system then places a pseudo network interface associated with the VPN connection into the unique network namespace. Furthermore, the system places at least one socket for an authorized application into the unique network namespace. The system also precludes unauthorized applications on the host from accessing the unique network namespace, thereby facilitating exclusive access to the VPN connection by the authorized application.

Abstract: A business environment on a mobile device can be controlled by an enterprise server by receiving identifying information transmitted from a mobile device, wherein the identifying information identifies a user of the mobile device to the enterprise server. A virtual phone template is transmitted to the mobile device, wherein the virtual phone template (i) corresponds to the identifying information, and (ii) is configured to provide the business environment on the mobile device as a virtual machine running on a hypervisor installed on top of a host operating system of the mobile device. The enterprise server then receives a periodic transmission from the mobile device to indicate that the mobile device remains in periodic communication with the enterprise server.