Abstract: To generate a checkpoint for a virtual machine (VM), first, while the VM is still running, a copy-on-write (COW) disk file is created pointing to a parent disk file that the VM is using. Next, the VM is stopped, the VM's memory is marked COW, the device state of the VM is saved to memory, the VM is switched to use the COW disk file, and the VM begins running again for substantially the remainder of the checkpoint generation. Next, the device state that was stored in memory and the unmodified VM memory pages are saved to a checkpoint file. Also, a copy may be made of the parent disk file for retention as part of the checkpoint, or the original parent disk file may be retained as part of the checkpoint. If a copy of the parent disk file was made, then the COW disk file may be committed to the original parent disk file.

Abstract: System trains machine learning model to determine content data, metadata, and context data for support ticket communications, in response to receiving support ticket communications. Machine learning model receives communication associated with support ticket, and determines content data, metadata, and context data for communication. System converts content data, metadata, and context data for communication into first impulse for first channel and second impulse for second channel. System determines first channel value based on first type of conversion of first impulse and any impulses for first channel that are converted from data that is determined for support ticket event. System determines second channel value based on second type of conversion of second impulse and any impulses for second channel that are converted from data that is determined for support ticket event. System uses first channel value and second channel value to generate priority associated with support ticket, and outputs priority.

Abstract: A method and tangible medium embodying code for allocating resource units of an allocatable resource among a plurality of clients in a computer is described. In the method, resource units are initially distributed among the clients by assigning to each of the clients a nominal share of the allocatable resource. For each client, a current allocation of resource units is determined. A metric is evaluated for each client, the metric being a function both of the nominal share and a usage-based factor, the usage-based factor being a function of a measure of resource units that the client is actively using and a measure of resource units that the client is not actively using. A resource unit can be reclaimed from a client when the metric for that client meets a predetermined criterion.

Abstract: Techniques for implicit coscheduling of CPUs to improve corun performance of scheduled contexts are described. One technique minimizes skew by implementing corun migrations, and another technique minimizes skew by implementing a corun bonus mechanism. Skew between schedulable contexts may be calculated based on guest progress, where guest progress represents time spent executing guest operating system and guest application code. A non-linear skew catch-up algorithm is described that adjusts the progress of a context when the progress falls far behind its sibling contexts.

Abstract: In a virtualized computer system, guest memory pages are mapped to disk blocks that contain identical contents and the mapping is used to improve management processes performed on virtual machines, such as live migration and snapshots. These processes are performed with less data being transferred because the mapping data of those guest memory pages that have identical content stored on disk are transmitted instead of the their contents. As a result, live migration and snapshots can be carried out more quickly. The mapping of the guest memory pages to disk blocks can also be used to optimize other tasks, such as page swaps and memory error corrections.

Abstract: A method and tangible medium embodying code for allocating resource units of an allocatable resource among a plurality of clients in a computer is described. In the method, resource units are initially distributed among the clients by assigning to each of the clients a nominal share of the allocatable resource. For each client, a current allocation of resource units is determined. A metric is evaluated for each client, the metric being a function both of the nominal share and a usage-based factor, the usage-based factor being a function of a measure of resource units that the client is actively using and a measure of resource units that the client is not actively using. A resource unit can be reclaimed from a client when the metric for that client meets a predetermined criterion.

Abstract: A thread scheduling mechanism is provided that flexibly enforces performance isolation of multiple threads to alleviate the effect of anti-cooperative execution behavior with respect to a shared resource, for example, hoarding a cache or pipeline, using the hardware capabilities of simultaneous multi-threaded (SMT) or multi-core processors. Given a plurality of threads running on at least two processors in at least one functional processor group, the occurrence of a rescheduling condition indicating anti-cooperative execution behavior is sensed, and, if present, at least one of the threads is rescheduled such that the first and second threads no longer execute in the same functional processor group at the same time.

Abstract: Virtualization software establishes multiple execution environments within a virtual machine, wherein software modules executing in one environment cannot access private memory of another environment. A separate set of shadow memory address mappings is maintained for each execution environment. For example, a separate shadow page table may be maintained for each execution environment. The virtualization software ensures that the shadow address mappings for one execution environment do not map to the physical memory pages that contain the private code or data of another execution environment. When execution switches from one execution environment to another, the virtualization software activates the shadow address mappings for the new execution environment. A similar approach, using separate mappings, may also be used to prevent software modules in one execution environment from accessing the private disk space or other secondary storage of another execution environment.

Abstract: A virtual-machine-based system that identifies an application or process in a virtual machine in order to locate resources associated with the identified application. Access to the located resources is then controlled based on a context of the identified application. Those applications without the necessary context will have a different view of the resource.

Abstract: A virtual-machine-based system that may protect the privacy and integrity of application data, even in the event of a total operating system compromise. An application is presented with a normal view of its resources, but the operating system is presented with an encrypted view. This allows the operating system to carry out the complex task of managing an application's resources, without allowing it to read or modify them. Different views of “physical” memory are presented, depending on a context performing the access. An additional dimension of protection beyond the hierarchical protection domains implemented by traditional operating systems and processors is provided.

Abstract: Contention for a resource in a computer system resource is managed by measuring a resource performance metric and, for each of a selected plurality of clients (for example, virtual machines), a client performance metric. For each of the selected clients, a relationship measure, such as correlation, is determined as a function of the resource performance metric and the respective client performance metric. A degree of resource contention effect is determined for each of the selected clients as a function of the respective relationship measure, and a resource-related action is taken according to the respective relationship measures. Clients may include virtualized components contending for storage. Example metrics include functions of I/O operation counts, latency or throughput measurements, pending I/O request counts, I/O throughput relative to I/O latency, a degree of change of the respective clients' I/O behavior, etc.

Abstract: A virtual-machine-based system that identifies an application or process in a virtual machine in order to locate resources associated with the identified application. Access to the located resources is then controlled based on a context of the identified application. Those applications without the necessary context will have a different view of the resource.

Abstract: A processor cache is logically partitioned into a main partition, located in the cache itself, and an enclave partition, located within an enclave, that is, a hardware-enforced protected region of an address space of a memory. This extends the secure address space usable by and for an application such as a software cryptoprocessor that is to execute only in secure regions of cache or memory.

Abstract: A processor cache is logically partitioned into a main partition, located in the cache itself, and an enclave partition, located within an enclave, that is, a hardware-enforced protected region of an address space of a memory. This extends the secure address space usable by and for an application such as a software cryptoprocessor that is to execute only in secure regions of cache or memory.

Abstract: A system and method of operation exploit the limited associativity of a single cache set to force observable cache evictions and discover conflicts. Loads are issued to input memory addresses, one at a time, until a cache eviction is detected. After observing a cache eviction on a load from an address, that address is added to a data structure representing the current conflict set. The cache is then flushed, and loads are issued to all addresses in the current conflict set, so that all known conflicting addresses are accessed first, ensuring that the next cache miss will occur on a different conflicting address. The process is repeated, issuing loads from all input memory addresses, incrementally finding conflicting addresses, one by one. Memory addresses that conflict in the cache belong to the same partition, whereas memory addresses belonging to different partitions do not conflict.

Abstract: A method and tangible medium embodying code for allocating resource units of an allocatable resource among a plurality of clients in a computer is described. In the method, resource units are initially distributed among the clients by assigning to each of the clients a nominal share of the allocatable resource. For each client, a current allocation of resource units is determined. A metric is evaluated for each client, the metric being a function both of the nominal share and a usage-based factor, the usage-based factor being a function of a measure of resource units that the client is actively using and a measure of resource units that the client is not actively using. A resource unit can be reclaimed from a client when the metric for that client meets a predetermined criterion.

Abstract: An application such as a virtual machine are executed securely using a software-based, full-system emulator within a hardware-protected enclave, such as an SGX enclave. The emulator may thereby be secure even against a malicious underlying host operating system. In some cases, paging is used to allow even a large application may run within a small enclave using paging. Where the application itself uses enclaves, these guest enclaves may themselves be emulated within an emulator enclave such that the guest enclave(s) are nested as sibling enclaves by the emulator.

Abstract: A method and tangible medium embodying code for allocating resource units of an allocatable resource among a plurality of clients in a computer is described. In the method, resource units are initially distributed among the clients by assigning to each of the clients a nominal share of the allocatable resource. For each client, a current allocation of resource units is determined. A metric is evaluated for each client, the metric being a function both of the nominal share and a usage-based factor, the usage-based factor being a function of a measure of resource units that the client is actively using and a measure of resource units that the client is not actively using. A resource unit can be reclaimed from a client when the metric for that client meets a predetermined criterion.

Abstract: To generate a checkpoint for a virtual machine (VM), first, while the VM is still running, a copy-on-write (COW) disk file is created pointing to a parent disk file that the VM is using. Next, the VM is stopped, the VM's memory is marked COW, the device state of the VM is saved to memory, the VM is switched to use the COW disk file, and the VM begins running again for substantially the remainder of the checkpoint generation. Next, the device state that was stored in memory and the unmodified VM memory pages are saved to a checkpoint file. Also, a copy may be made of the parent disk file for retention as part of the checkpoint, or the original parent disk file may be retained as part of the checkpoint. If a copy of the parent disk file was made, then the COW disk file may be committed to the original parent disk file.

Abstract: A virtual-machine-based system that may protect the privacy and integrity of application data, even in the event of a total operating system compromise. An application is presented with a normal view of its resources, but the operating system is presented with an encrypted view. This allows the operating system to carry out the complex task of managing an application's resources, without allowing it to read or modify them. Different views of “physical” memory are presented, depending on a context performing the access. An additional dimension of protection beyond the hierarchical protection domains implemented by traditional operating systems and processors is provided.