Abstract: A computer implemented method for efficiently allocating resources for an enterprise server system through a proportional integral derivative scheme is provided. The method includes defining a set point parameter for a resource being allocated and defining a proportional gain parameter, a proportional integral (PI) gain parameter and a proportional integral derivative (PID) gain parameter in terms of the proportional gain parameter. The method further includes calculating an initial maximum allocation for the resource based on a product of the proportional gain parameter with a difference of an initial operating parameter and the set point parameter and adjusting the initial operating parameter to the initial maximum allocation. A next allocation of the resource is calculated based on a product of the proportional gain parameter with the difference of an initial operating parameter and the set point parameter and a difference of the set point with a current operating parameter.

Abstract: One embodiment of the present invention is a method for a virtual machine to access data from a virtual device, the method including: (a) attaching the virtual device to the virtual machine with a backing store that is a virtual image of a file system conforming to a predetermined file system format, wherein: (i) file system data is stored in one or more files, (ii) the virtual image includes metadata stored apart from the file system data, which metadata corresponds to the predetermined file system format, (iii) the metadata includes one or more directory records, and (iv) the one or more directory records include information that points directly or indirectly to the file system data; (b) issuing a read request for a block of data from the file system as if stored in the predetermined file system format; (c) accessing the metadata and determining the location of the requested block of data in the file system data; and (d) retrieving the requested block of data from the file system data.

Abstract: A resource pool aggregator is disclosed. The resource pool aggregator facilitates a faster data communication between resource pools. The resource pool aggregator includes a plurality of network interfaces to receive and send data packets. A packet collector module couple of the plurality of network interfaces is included to process and route the data packets. A data store coupled to the packet collector module is provided to store IP addresses of computers in the resource pools.

Abstract: The invention virtualizes a computer that includes a host computer system, which comprises a processor, memory, and physical system devices. A conventional operating system (referred to below as the “host operating system” or “HOS”) is installed on the hardware. A computer program product that is executable within the host computer system comprises computer-executable code for implementing an interface software layer, preferably a virtual machine monitor, between the host system and a virtual machine; for reading in and storing state information of the processor associated with the HOS; and for logically decoupling the HOS from the processor with respect to pre-determined functions of the interface software layer and the virtual machine by setting the processor state information to settings associated with the interface software layer.

Abstract: Virtual machines are managed in centralized manner. Files that are shared by multiple virtual machines are stored in a central storage unit and a management program is executed on one or more of these files on a per file basis. The management program is executed on a file if an 10 operation is issued for that file. A namespace map is used to provide a mapping of filenames used by the different virtual machines to filenames used by the central storage unit.

Abstract: A filter driver that is loaded during an initial part of the boot process enable operating systems that are not capable of booting from central storage to be booted from central storage. According to this technique, an initial set of operating system files is loaded into system memory from a local storage volume. The initial set of files includes a small subset of all of the operating system files and includes a boot loader, a kernel, boot time drivers, a file system driver, and a filter driver. The filter driver takes control over the loading of the remainder of the operating system files, so that these files are loaded from central storage instead of the local storage volume.

Abstract: Memory space is managed to release storage area occupied by pages similar to stored reference pages. The memory is examined to find two similar pages, and a transformation is obtained. The transformation enables reconstructing one page from the other. The transformation is then stored and one of the pages is discarded to release its memory space. When the discarded page is needed, the remaining page is fetched, and the transformation is applied to the page to regenerate the discarded page.

Abstract: In a virtualized computer system, a network frame is transmitted from a virtual machine using a network interface device, possibly through a virtual switch, by copying only a part of the network frame to the transmit buffers that have pre-translated mappings from guest physical addresses to hypervisor virtual addresses and to machine addresses. The length of the part of the network frame that is copied to the transmit buffers may be variable.

Abstract: A method for customizing the response for network based intrusion prevention comprising of: 1) virtual proxying the application data to enable custom response 2) enhancing transport layer (TCP/IP) to enable selective processing and selective modification of the stream for intrusion prevention. The invention also discloses a method for customizing the processing for both network or host based intrusion prevention comprising of: 1) loading externally defined processing procedures for the detection and prevention of intrusions 2) combining multiple of these processing procedures to form a unified processing engine that can be used for intrusion detection and prevention 3) unloading processing procedures that are not needed any more 4) loading new processing procedures that improve the intrusion detection and prevention.

Abstract: A swap space is provided for a host computer system, where the swap space includes a plurality of swap files with each individual swap file for swapping data only for a single corresponding virtual machine (VM). The per-VM swap space is used solely by the single, corresponding VM, such that only that particular VM's memory is allowed to be swapped out to the swap file.

Abstract: A method of creating a new virtual machine in a hypervisor server using a virtual machine setup profile is disclosed. A virtual machine setup profile method is selected from a plurality of virtual machine setup profiles. Then, system information is retrieved from the hypervisor server. The system information includes available computing resources in the hypervisor server. Thereafter a number of virtual machines that can be hosted in the hypervisor server based on the available computing resources is calculated and a number of new virtual machines are created in the hypervisor server.

Abstract: A method of acquiring a lock by a node, on a shared resource in a system of a plurality of interconnected nodes, is disclosed. Each node that competes for a lock on the shared resource maintains a list of locks currently owned by the node. A lock metadata is maintained on a shared storage that is accessible to all nodes that may compete for locks on shared resources. A heartbeat region is maintained on a shared resource corresponding to each node so nodes can register their liveness. A lock state is maintained in the lock metadata in the shared storage. A lock state may indicate lock held exclusively, lock free or lock in managed mode. If the lock is held in the managed mode, the ownership of the lock can be transferred to another node without a use of a mutual exclusion primitive such as the SCSI reservation.

Abstract: Hijacking of an application is prevented by securing execution of a computer program on a computing system. Prior to execution of the computer program, the computer program is analyzed to identify permitted targets of all indirect transfers. An application-specific policy based on the permitted targets is created. When the program is executed on the computing system, the application-specific policy is enforced such that the program is prohibited from executing indirect transfer instructions that do not target one of the permitted targets.

Abstract: A method for synchronizing the handling of events in a computer using the Advanced Configuration and Power Interface (ACPI) standard is presented, wherein an ACPI Notification Queue (ANQ) is provided to store events, such that such events can be handled in first-in-first-out order.

Abstract: The output of a non-deterministic instruction is handled during record and replay in a virtual machine. An output of a non-deterministic instruction is stored to a buffer during record mode and retrieved from a buffer during replay mode without exiting to the hypervisor. At least part of the contents of the buffer can be stored to a log when the buffer is full during record mode, and the buffer can be replenished from a log when the buffer is empty during replay mode.

Abstract: Replay-time-only functionalities in a computer program are executed only during replay in a virtual machine and are skipped outside of replay. If a replay-time-only functionality is detected during the replay of a program execution in a virtual machine, the replay may be paused and the virtual machine state may be saved. The replay-time-only core functionality is executed. When this execution is complete, a prior state of the virtual machine may be restored and the replay may be resumed.

Abstract: A virtualization system supports secure, controlled execution of application programs within virtual machines. The virtual machine encapsulates a virtual hardware platform and guest operating system executable with respect to the virtual hardware platform to provide a program execution space within the virtual machine. An application program, requiring license control data to enable execution of the application program, is provided within the program execution space for execution within the virtual machine. A data store providing storage of encrypted policy control information and the license control data is provided external to the virtual machine. The data store is accessed through a virtualization system including a policy controller that is selectively responsive to a request received from the virtual machine to retrieve the license control data dependent on an evaluation of the encrypted policy control information.

Abstract: Dynamic program analysis is decoupled from execution in virtual computer environments so that program analysis can be performed on a running computer program without affecting or perturbing the workload of the system on which the program is executing. Decoupled dynamic program analysis is enabled by separating execution and analysis into two tasks: (1) recording, where system execution is recorded with minimal interference, and (2) analysis, where the execution is replayed and analyzed. Recording and analysis are carried out on heterogeneous systems so that they can be separately optimized.

Abstract: A virtual machine system decouples dynamic program analysis from program execution. Program analysis is decoupled from program execution through the use of a virtual machine to record program execution and an analysis platform to replay and analyze the program execution. Optimization techniques are applied to prevent the analysis platform from falling too far behind the program execution platform during replay.

Abstract: Dynamic program analysis is decoupled from execution in virtual computer environments so that program analysis can be performed on a running computer program without affecting or perturbing the workload of the system on which the program is executing. Decoupled dynamic program analysis is enabled by separating execution and analysis into two tasks: (1) recording, where system execution is recorded with minimal interference, and (2) analysis, where the execution is replayed and analyzed.