Patents Assigned to VMware
-
Publication number: 20100332889
Abstract: Information Technology Risk to an organization is associated with a plurality of virtual machines (VMs) each running on a plurality of hosts, each host being a computer system connected to a network and in communication with a risk orchestrator, which receives threat indication messages (TIMs) from threat indicators. Each TIM indicates a status of a threat to which a host is vulnerable. Downtime probability (DTP) resulting from the threat and an overall host DTP for each host are calculated. For each VM, a risk value associated with the VM is calculated as a function of the host DTP for and an impact for the VM, the impact being a value reflecting a relative importance of the VM to the organization. Each VM requiring risk mitigation is identified and prioritized in accordance with a policy, and a configured mitigation control action may be carried out for each VM requiring risk mitigation.
Type: Application
Filed: June 25, 2009
Publication date: December 30, 2010
Applicant: VMWARE, INC.
Inventors: Oren SHNEORSON, Jeffrey J. HANSON, Corey Pace CAUDLE
-
Publication number: 20100333165
Abstract: A method is provided to control the flow of packets within a system that includes one or more computer networks comprising: policy rules are provided that set forth attribute dependent conditions for communications among machines on the one or more networks; machine attributes and corresponding machine identifiers are obtained for respective machines on the networks; and policy rules are transformed to firewall rules that include machine identifiers of machines having attributes from among the obtained machine attributes that satisfy the attribute dependent policy rules.
Type: Application
Filed: June 24, 2009
Publication date: December 30, 2010
Applicant: VMware, Inc.
Inventors: Debashis BASAK, Rohit Toshniwal, Allwyn Sequeira
-
Publication number: 20100328064
Abstract: One embodiment is a method of preventing malware attacks in a virtualized mobile device including virtualization software that supports one or more virtual machines, the method including: (a) collecting information related to the status of physical device drivers; and (b) sending the information to virus protection software; wherein the virus protection software includes a set of rules that trigger one or more actions based on the information it receives concerning the physical device drivers.
Type: Application
Filed: June 26, 2009
Publication date: December 30, 2010
Applicant: VMware, Inc.
Inventor: Lawrence S. ROGEL
-
Publication number: 20100330953
Abstract: One embodiment is a method of controlling usage in a virtualized mobile device including virtualization software that supports one or more virtual machines, the method including: (a) receiving control information at the virtualized mobile device that includes one or more limits pertaining to one or more uses of the virtualized mobile device; (b) collecting usage information relating to the one or more uses; (c) determining whether usage information corresponding to one of the one or more uses exceeds a corresponding one of the one or more limits; and if so; (d) carrying out a predetermined action relating to the one of the one or more uses.
Type: Application
Filed: June 26, 2009
Publication date: December 30, 2010
Applicant: VMWARE, INC.
Inventors: Lawrence S. ROGEL, Julia B. AUSTIN, Scott W. DEVINE, Srinivas KRISHNAMURTI
-
Publication number: 20100332635
Abstract: One embodiment of the present invention is a method of migrating functionality to a target virtualized mobile device including virtualization software that supports one or more virtual machines, the method including: (a) embodying the functionality in a virtual machine; and (b) migrating the virtual machine to the target virtualized mobile device.
Type: Application
Filed: June 26, 2009
Publication date: December 30, 2010
Applicant: VMware, Inc.
Inventors: Lawrence S. ROGEL, Scott W. Devine
-
Publication number: 20100330961
Abstract: One embodiment is a method of providing security in a virtualized mobile device including virtualization software that supports one or more virtual machines, the method including: (a) receiving a security policy at the virtualized mobile device, which security policy includes one or more location or location-time scenarios for the virtualized mobile device, which scenarios identify applications to be curtailed, and how they are to be curtailed and applications that are to be enabled, and how they are to be enabled; (b) collecting one or more of mobile device location information or information related to time spent at the location; identifying a scenario pertaining to the one or more of the location and time information; and (c) curtailing or enabling applications in accordance with the identified scenario.
Type: Application
Filed: June 26, 2009
Publication date: December 30, 2010
Applicant: VMware, Inc.
Inventor: Lawrence S. ROGEL
-
Patent number: 7856637
Abstract: A Windows™ process loader is emulated for dynamic TLS data allocation during respective application runtime. A total required TLS data block size is initially calculated and corresponding data block duplicates are created preferably after initializing of the application. An event notification system such as a hooking system intercepts DLL loading and freeing activity as well as thread creation and exiting and provides event notifications for dynamic allocation of corresponding TLS data block duplicates.
Type: Grant
Filed: October 25, 2006
Date of Patent: December 21, 2010
Assignee: VMware, Inc.
Inventor: Jonathan Clark
-
Patent number: 7856419
Abstract: Consistent replicas of a data object are created using a replication protocol that includes an opportunistic replication phase followed by a consistent replication phase. During the opportunistic replication phase, dirty regions are selected from the data object included in a primary computer and copied to a data object replica included in a secondary computer according to a selection heuristic. During the consistent replication phase, an immutable image of the data object is created by the primary computer and the remaining dirty regions are copied from the immutable image of the data object to the data object replica to create a consistent replica of the data object.
Type: Grant
Filed: April 22, 2008
Date of Patent: December 21, 2010
Assignee: VMware, Inc
Inventors: Christos Karamanolis, Matthew Benjamin Amdur, Patrick William Penzias Dirks
-
Publication number: 20100318762
Abstract: The translation lookaside buffer (TLB) of a processor is kept in synchronization with a guest page table by use of an indicator referred to as a “T” bit. The T bit of the NPT/EPT entries mapping the guest page table are set when a page walk is performed on the NPT/EPT. When modifications are made to pages mapped by NPT/EPT entries with their T bit set, changes to the TLB are made so that the TLB remains in synchronization with the guest page table. Accordingly, record/replay of virtual machines of virtualized computer systems may be performed reliably with no non-determinism introduced by stale TLBs that fall out of synchronization with the guest page table.
Type: Application
Filed: June 16, 2009
Publication date: December 16, 2010
Applicant: VMWARE, INC.
Inventors: Vyacheslav Vladimirovich MALYUGIN, Boris WEISSMAN, Ganesh VENKITACHALAM, Min XU
-
Publication number: 20100318991
Abstract: In a computer system running a primary virtual machine (VM) on virtualization software on a primary virtualized computer system (VCS) and running a secondary VM on virtualization software on a secondary VCS, a method for the secondary VM to provide quasi-lockstep fault tolerance for the primary VM includes: as the primary VM is executing a workload, virtualization software in the primary VCS is: (a) causing predetermined events to be recorded in an event log, (b) keeping output associated with the predetermined events pending, and (c) sending the log entries to the virtualization software in the secondary VCS; as the secondary VM is replaying the workload, virtualization software in the secondary VCS is: (a) sending acknowledgements indicating that log entries have been received; (b) when the virtualization software encounters one of the predetermined events, searching the log entries to determine whether a log entry corresponding to the same event was received from the primary VCS, and if so, comparing data
Type: Application
Filed: June 15, 2009
Publication date: December 16, 2010
Applicant: VMWARE, INC.
Inventors: Ganesh VENKITACHALAM, Rohit JAIN, Boris WEISSMAN, Daniel J. SCALES, Vyacheslav MALYUGIN, Jeffrey W. SHELDON, Min XU
-
Patent number: 7853960
Abstract: Completion interrupts corresponding to I/O requests issued by a virtual machine guest, which runs on a host platform, are virtualized in such a way that I/O completion interrupts to the requesting guest are delivered no faster than it can stably handle them, but, when possible, faster than the nominal speed of a virtual device to which a virtual machine addresses the I/O request. In general, completion events received from the host platform in response to guest I/O requests are examined with respect to time. If enough time has passed that the virtual device would normally have completed the I/O request, then the completion interrupt is delivered to the guest. If the nominal time has not elapsed, however, the invention enqueues and time-stamps the event and delivers it at the earliest of a) the normal maturity time, or b) at a safepoint.
Type: Grant
Filed: February 25, 2005
Date of Patent: December 14, 2010
Assignee: VMware, Inc.
Inventors: Ole Agesen, Boris Weissman, Keith Adams, Jennifer-Ann M. Anderson, Maxime Austruy
-
Patent number: 7853744
Abstract: In a virtualized computer system in which a guest operating system runs on a virtual machine of a virtualized computer system and has direct access to a hardware device coupled to the virtualized computer system via a communication interface, a computer-implemented method of handling interrupts from the hardware device to the guest operating system includes: (a) receiving a physical interrupt from the hardware device on a shared interrupt line of an interrupt controller; (b) masking the shared interrupt line of the interrupt controller; (c) generating a virtual interrupt corresponding to the physical interrupt to the guest operating system; and (d) the guest operating system executing an interrupt service routine.
Type: Grant
Filed: May 21, 2008
Date of Patent: December 14, 2010
Assignee: VMware, Inc.
Inventors: Mallik Mahalingam, Olivier Cremel, Jyothir Ramanan, Michael Nelson
-
Patent number: 7849098
Abstract: Multiple computers are connected to a data storage unit that includes a file system, which further includes multiple data entities, including files, directories and the file system itself. The file system also includes, for each data entity, an owner field for indicating which computer, if any, has exclusive or shared access to the data entity, along with a time field for indicating when a lease of the data entity began. When a computer wants to lease a data entity, the computer uses a disk reservation capability to temporarily lock the data storage unit, and, if the data entity is not currently leased, the computer writes its own identification value into the owner field and a current time into the time field for the data entity, to claim the data entity for a renewable lease period. If a prior lease of a data entity has expired, another computer may break the lease and claim ownership for itself.
Type: Grant
Filed: February 6, 2004
Date of Patent: December 7, 2010
Assignee: VMware, Inc.
Inventors: Daniel J. Scales, Satyam B. Vaghani
-
Publication number: 20100306849
Abstract: A tangible medium embodying instructions usable by a computer system to protect a plurality of guest virtual machines (VMs), which execute via virtualization software on a common host platform, from malicious code is described. A scan engine is configured to scan data for malicious code and determine a result of the scanning, wherein the result indicates whether malicious code is present in the data. A driver portion is configured for installation in an operating system of a target VM, which is one of the guest VMs. The driver portion intercepts an access request to a file, that originates within the target VM. The driver portion communicates information identifying a location of the data to be scanned by the scan engine without sending a copy of the data to the scan engine. The scan engine executes within the virtualization layer outside a context of the target VM.
Type: Application
Filed: August 12, 2010
Publication date: December 2, 2010
Applicant: VMWARE, INC.
Inventors: Yufeng ZHENG, Xiaoxin CHEN, Bich Cau LE, Jagannath Gopal KRISHNAN, Derek ULUSKI
-
Publication number: 20100306599
Abstract: A software module capable of simultaneously supporting multiple services provides log message throttling for each service with a separate “per service” log message buffer. When the software module is a device driver, for example, each device controlled by the device driver is allocated a message buffer to store descriptive log messages. Upon generation of a warning log message, descriptive log messages in the message buffer are flushed to a log file for review by an administrator. Furthermore, log message throttling may be implemented by only flushing the message buffer upon certain occurrences of warning log messages, such as in accordance with an exponential back-off algorithm.
Type: Application
Filed: May 26, 2009
Publication date: December 2, 2010
Applicant: VMware, Inc.
Inventors: Erik COTA-ROBLES, Igor KORSUNSKY
-
Patent number: 7844954
Abstract: A method and computer program product for logging non-deterministic events of a virtual machine executing a sequence of guest instructions, the method including tracking an execution point in the sequence of executing guest instructions, the tracking of the execution point including determining a branch count of executed branch instructions; and detecting an occurrence of a non-deterministic event directed to the virtual machine during execution of the sequence of guest instructions, and recording information which includes an identifier of a current execution point, wherein the identifier includes the branch count.
Type: Grant
Filed: March 27, 2008
Date of Patent: November 30, 2010
Assignee: VMware, Inc.
Inventors: Ganesh Venkitachalam, Michael Nelson, Boris Weissman, Min Xu, Vyacheslav V. Malyugin
-
Publication number: 20100299667
Abstract: Read requests to a commonly accessed storage volume are conditionally issued, depending on whether or not a requested data block is already stored in memory from a prior access or to be stored in memory upon completion of a pending request. A data structure is maintained in memory to track physical memory pages and to indicate for each physical memory page the corresponding location in the storage volume from which the contents of the physical memory were read and the number of virtual memory pages that are mapped thereto.
Type: Application
Filed: May 19, 2010
Publication date: November 25, 2010
Applicant: VMware, Inc.
Inventors: Irfan Ahmad, Carl A. Waldspurger
-
Publication number: 20100299665
Abstract: One embodiment of the present invention is a method of interposing operations in a computational system that includes a virtualization system executable on an underlying hardware processor that natively supports one or more instructions that transition between host and guest execution modes.
Type: Application
Filed: May 19, 2009
Publication date: November 25, 2010
Applicant: VMware, Inc.
Inventor: Keith ADAMS
-
Publication number: 20100299368
Abstract: A method and software is described for recreating on a target datastore a set of hierarchical files that are present on a source datastore. A content identifier (ID) is maintained for each component of the set of hierarchical files. The content ID of a component is updated when its contents are modified. The child component is copied from the source datastore to the target datastore. The content ID corresponding to the parent component on the source datastore is compared with content IDs corresponding to files present on the target datastore. When a matching content ID is discovered, it infers a copy of the parent component. The matching file on the target datastore is associated with the copied child component so that the matching file becomes a new parent component to the copied child component, thereby recreating the set of hierarchical files on the target.
Type: Application
Filed: May 20, 2009
Publication date: November 25, 2010
Applicant: VMWARE, INC.
Inventors: Gregory M. HUTCHINS, Steven KUSALO, Haripriya RAJAGOPAL, Jairam RANGANATHAN, Li ZHENG
-
Patent number: 7840790
Abstract: In a virtualization computer system, a method and system that does not exclusively allocate I/O devices, for example, storage and networking devices, to a commodity operating system (COS) when mainly used for booting the virtualization system. Those I/O devices needed by the COS are accessed via virtual machine kernel drivers, thereby giving the COS the benefits of operation derived from features in the virtual machine kernel that is provided for these I/O devices.
Type: Grant
Filed: February 16, 2007
Date of Patent: November 23, 2010
Assignee: VMware, Inc.
Inventors: Vishnu Mohan Sekhar, Greg Hutchins, Shaw Cheng Chuang