Patents by Inventor Goresh Musalay

Goresh Musalay has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11934857
    Abstract: Example methods are provided to identify unused memory regions in pages that are allocated for storing executable code. One or more of the unused memory regions are usable as a secure location to store confidential information shared between a hypervisor on the host and a guest (such as a guest virtual computing instance) that runs on the host. The one or more unused memory regions may also be used to store executable code (such as valid executable code of antivirus software or other security program) that has been prevented/delayed in its execution by malicious code that has occupied the pages, thereby providing the executable code with sufficient memory resources to enable the executable code to at least partially complete execution.
    Type: Grant
    Filed: May 18, 2021
    Date of Patent: March 19, 2024
    Assignee: VMware, Inc.
    Inventors: Goresh Musalay, Sachin Shinde, Zubraj Singha, Tanay Ganguly, Kashish Bhatia
  • Publication number: 20230195494
    Abstract: The disclosure provides a method for securing, by a hypervisor of a host, a first persistent volume used to maintain data for one or more first containers on the host. The method generally includes receiving a request to retain the first persistent volume when the one or more first containers are removed from the host, receiving a first container image associated with one of the one or more first containers, generating a first key for reserving the first persistent volume, the key based, at least in part, on the first container image, and reserving the first persistent volume for exclusive access by the hypervisor using the first key.
    Type: Application
    Filed: February 9, 2022
    Publication date: June 22, 2023
    Inventors: Zubraj Singha, Tanay Ganguly, Goresh Musalay, Sanoj Ku
  • Patent number: 11677713
    Abstract: A domain-name-based network-connection attestation system provides for more user friendly and less error prone (compared to IP-address-based attestation systems) updating of a whitelist used to determine whether or not to allow a requested network connection. A guest agent extracts from a DNS reply a domain name, and an IP address mapped to a domain name. The agent enters these values in an agent DNS cache. When a process requests a connection to an IP address, the agent uses the IP address to determine the domain name from the agent DNS cache. The agent then determines whether the IP address is mapped to the process identity in a domain-name-based whitelist. If it is, the connection is attested to and allowed; if it is not, a secondary IP address whitelist can be checked.
    Type: Grant
    Filed: January 22, 2019
    Date of Patent: June 13, 2023
    Assignee: VMware, Inc.
    Inventors: Kanika Nema, Daniel G. Wing, Goresh Musalay
  • Publication number: 20230080935
    Abstract: Virtual memory space may be saved in a clone environment by leveraging the similarity of the data signatures in swap files when a chain of virtual machines (VMs) includes clones spawned from a common parent and executing common applications. Deduplication is performed across the chain, rather than merely within each VM. Examples include generating a common deduplication identifier (ID) for the chain; generating a logical addressing table linked to the deduplication ID, for each of the VMs in the chain; and generating a hash table for the chain. Examples further include, based at least on a swap out request, generating a hash value for a block of memory to be written to a storage medium; and based at least on finding the hash value within the hash table, updating the logical addressing table to indicate a location of a prior-existing duplicate of the block on the storage medium.
    Type: Application
    Filed: November 17, 2022
    Publication date: March 16, 2023
    Inventors: Tanay Ganguly, Zubraj Singha, Goresh Musalay, Kashish Bhatia
  • Publication number: 20230025126
    Abstract: A system may include a host computer, a VCI running on the host computer, a virtualization layer executing in the host computer to support the VCI, and an in-guest agent executing in the VCI. The virtualization layer receives a message including metadata about a first memory region to be copied and an indication of loading of an upgraded version of the in-guest agent. Further, the virtualization layer copies data from the first memory region to a second memory region. Furthermore, the virtualization layer receives information about an entry point of the upgraded version from the in-guest agent. Also, the virtualization layer receives a request to register the entry point from the upgraded version and verifies the request based on the information about the entry point. Upon verifying the request, the virtualization layer enables the upgraded version to copy the data from the second memory region.
    Type: Application
    Filed: October 8, 2021
    Publication date: January 26, 2023
    Inventors: Sachin Shinde, Goresh Musalay, Tanay Ganguly, Zubraj Singha, Kashish Bhatia
  • Publication number: 20230027307
    Abstract: An example method of providing a transient cache in system memory of a host for swap space on storage accessible by the host, the method including: identifying, by transient cache drivers executing in virtual machines (VMs) supported by a hypervisor executing on the host, unused space in code pages of a plurality of processes executing in the VMs; sending, from the transient cache drivers to a transient cache manager of the hypervisor, unused space metadata describing the unused space; creating, by the transient cache manager based on the unused space metadata, the transient cache in the system memory by aggregating the unused space; and providing, to a first transient cache driver of the transient cache drivers executing in a first VM of the VMs, information for accessing the transient cache.
    Type: Application
    Filed: October 8, 2021
    Publication date: January 26, 2023
    Inventors: Sachin Shinde, Zubraj Singha, Goresh Musalay, Tanay Ganguly, Kashish Bhatia
  • Patent number: 11531614
    Abstract: Virtual memory space may be saved in a clone environment by leveraging the similarity of the data signatures in swap files when a chain of virtual machines (VMs) includes clones spawned from a common parent and executing common applications. Deduplication is performed across the chain, rather than merely within each VM. Examples include generating a common deduplication identifier (ID) for the chain; generating a logical addressing table linked to the deduplication ID, for each of the VMs in the chain; and generating a hash table for the chain. Examples further include, based at least on a swap out request, generating a hash value for a block of memory to be written to a storage medium; and based at least on finding the hash value within the hash table, updating the logical addressing table to indicate a location of a prior-existing duplicate of the block on the storage medium.
    Type: Grant
    Filed: August 12, 2020
    Date of Patent: December 20, 2022
    Assignee: VMware, Inc.
    Inventors: Tanay Ganguly, Zubraj Singha, Goresh Musalay, Kashish Bhatia
  • Publication number: 20220300315
    Abstract: Example methods are provided to identify unused memory regions in pages that are allocated for storing executable code. One or more of the unused memory regions are usable as a secure location to store confidential information shared between a hypervisor on the host and a guest (such as a guest virtual computing instance) that runs on the host. The one or more unused memory regions may also be used to store executable code (such as valid executable code of antivirus software or other security program) that has been prevented/delayed in its execution by malicious code that has occupied the pages, thereby providing the executable code with sufficient memory resources to enable the executable code to at least partially complete execution.
    Type: Application
    Filed: May 18, 2021
    Publication date: September 22, 2022
    Inventors: Goresh Musalay, Sachin Shinde, Zubraj Singha, Tanay Ganguly, Kashish Bhatia
  • Publication number: 20220300314
    Abstract: Example methods are provided to identify unused memory regions in pages that are allocated for storing executable code. One or more of the unused memory regions are usable as a secure location to store confidential information shared between a hypervisor on the host and a guest (such as a guest virtual computing instance) that runs on the host. The one or more unused memory regions may also be used to store executable code (such as valid executable code of antivirus software or other security program) that has been prevented/delayed in its execution by malicious code that has occupied the pages, thereby providing the executable code with sufficient memory resources to enable the executable code to at least partially complete execution.
    Type: Application
    Filed: May 18, 2021
    Publication date: September 22, 2022
    Inventors: Goresh Musalay, Sachin Shinde, Zubraj Singha, Tanay Ganguly, Kashish Bhatia
  • Patent number: 11403212
    Abstract: The disclosure provides an approach for implementing a deduplicated (DD) assisted caching policy for a content based read cache (CBRC). Embodiments include receiving a first input/output (I/O) to write first data in storage as associated with a first logical block address (LBA); when the first data is located in a CBRC or in a DD cache located in memory, incrementing a first deduplication counter associated with the first data; when the first data is located in neither the CBRC nor the DD cache, creating the first deduplication counter; when the first deduplication counter meets a threshold after incrementing, and the first data is not located in the DD cache, adding the first data to the DD cache; and writing the first data to the storage as associated with the first LBA.
    Type: Grant
    Filed: May 5, 2021
    Date of Patent: August 2, 2022
    Assignee: VMware, Inc.
    Inventors: Zubraj Singha, Kashish Bhatia, Tanay Ganguly, Goresh Musalay
  • Patent number: 11334430
    Abstract: Disclosed herein is a system and method for checking and maintaining consistency of blocks stored in a virtual disk with a content based read cache (CBRC). When blocks are written to the cache and virtual disk, a hash is computed for the block and stored in a digest file on the virtual disk. In the background, each block is obtained from the virtual disk, its hash is recomputed, and the hash is compared to the stored hash in the digest file. If the comparison indicates a mismatch, then an error is reported.
    Type: Grant
    Filed: August 12, 2020
    Date of Patent: May 17, 2022
    Assignee: VMware, Inc.
    Inventors: Goresh Musalay, Kashish Bhatia, Zubraj Singha, Tanay Ganguly
  • Publication number: 20220027473
    Abstract: Methods and apparatus to validate and restore machine configurations are disclosed herein. An example apparatus includes a context identifier to obtain first context information for a first set of configuration update events occurring on a computing device, a guest agent interface to transmit the first set of configuration update events to a security manager for generation of a policy, the policy including allowable configuration update events and responses to unallowable configuration update events, an event comparator to compare second context information of a subsequent configuration update event obtained by the context identifier to the policy received from the security manager, and an event handler to determine, when the subsequent configuration update event is not included in the policy, that the subsequent configuration update event is to be transmitted to the security manager for generation of an updated policy.
    Type: Application
    Filed: August 2, 2021
    Publication date: January 27, 2022
    Inventors: Nilesh Awate, Goresh Musalay, Sachin Shinde, VSV Vijay
  • Publication number: 20210373994
    Abstract: Disclosed herein is a system and method for checking and maintaining consistency of blocks stored in a virtual disk with a content based read cache (CBRC). When blocks are written to the cache and virtual disk, a hash is computed for the block and stored in a digest file on the virtual disk. In the background, each block is obtained from the virtual disk, its hash is recomputed, and the hash is compared to the stored hash in the digest file. If the comparison indicates a mismatch, then an error is reported.
    Type: Application
    Filed: August 12, 2020
    Publication date: December 2, 2021
    Inventors: Goresh Musalay, Kashish Bhatia, Zubraj Singha, Tanay Ganguly
  • Publication number: 20210374045
    Abstract: Virtual memory space may be saved in a clone environment by leveraging the similarity of the data signatures in swap files when a chain of virtual machines (VMs) includes clones spawned from a common parent and executing common applications. Deduplication is performed across the chain, rather than merely within each VM. Examples include generating a common deduplication identifier (ID) for the chain; generating a logical addressing table linked to the deduplication ID, for each of the VMs in the chain; and generating a hash table for the chain. Examples further include, based at least on a swap out request, generating a hash value for a block of memory to be written to a storage medium; and based at least on finding the hash value within the hash table, updating the logical addressing table to indicate a location of a prior-existing duplicate of the block on the storage medium.
    Type: Application
    Filed: August 12, 2020
    Publication date: December 2, 2021
    Inventors: Tanay Ganguly, Zubraj Singha, Goresh Musalay, Kashish Bhatia
  • Patent number: 11080402
    Abstract: Methods and apparatus to validate and restore machine configurations are disclosed herein. An example apparatus includes a context identifier to obtain first context information for a first set of configuration update events occurring on a computing device, a guest agent interface to transmit the first set of configuration update events to a security manager for generation of a policy, the policy including allowable configuration update events and responses to unallowable configuration update events, an event comparator to compare second context information of a subsequent configuration update event obtained by the context identifier to the policy received from the security manager, and an event handler to determine, when the subsequent configuration update event is not included in the policy, that the subsequent configuration update event is to be transmitted to the security manager for generation of an updated policy.
    Type: Grant
    Filed: December 10, 2018
    Date of Patent: August 3, 2021
    Assignee: VMware, Inc.
    Inventors: Nilesh Awate, Goresh Musalay, Sachin Shinde, V S V Vijay
  • Patent number: 10860393
    Abstract: A method is provided for a kernel driver in an operating system to detect loading of images into memory and unloading of the images from memory. The method includes registering a callback routine for load-image notifications, receiving a load-image notification for an image and recording loading of the image, storing original code at or about an entry point of the image, and patching redirect stub code over the original code at or about the entry point. The method also includes receiving, from the redirect stub code, a redirected call to or about the entry point to execute a routine in the image. The redirected call identifies a driver object representing the image. The method further includes, based on the driver object, providing a mechanism to intercept unloading of the image and recording the unloading of the image.
    Type: Grant
    Filed: December 7, 2017
    Date of Patent: December 8, 2020
    Assignee: Nicira, Inc.
    Inventors: Prasad Dabak, Leena Soman, Goresh Musalay
  • Patent number: 10831520
    Abstract: A system and method of communicating between a hypervisor and virtual machines using object agents within the hypervisor and the virtual machines. Further, the hypervisor and virtual machines include similar datastore mappings that allow the hypervisor and virtual machines to communicate with each other. The object agent of a virtual machine communicates information corresponding to a first object to the object agent of the hypervisor, and the object agent of the hypervisor updates a datastore mapping of the hypervisor. The hypervisor then communicates the information corresponding to the first object to an object agent of another virtual machine.
    Type: Grant
    Filed: February 26, 2018
    Date of Patent: November 10, 2020
    Assignee: Nicira, Inc.
    Inventors: Nidhi Sharma, Rayanagouda Bheemanagouda Patil, Goresh Musalay
  • Publication number: 20200112537
    Abstract: A domain-name-based network-connection attestation system provides for more user friendly and less error prone (compared to IP-address-based attestation systems) updating of a whitelist used to determine whether or not to allow a requested network connection. A guest agent extracts from a DNS reply a domain name, and an IP address mapped to a domain name. The agent enters these values in an agent DNS cache. When a process requests a connection to an IP address, the agent uses the IP address to determine the domain name from the agent DNS cache. The agent then determines whether the IP address is mapped to the process identity in a domain-name-based whitelist. If it is, the connection is attested to and allowed; if it is not, a secondary IP address whitelist can be checked.
    Type: Application
    Filed: January 22, 2019
    Publication date: April 9, 2020
    Inventors: Kanika Nema, Daniel G. Wing, Goresh Musalay
  • Publication number: 20190384914
    Abstract: Methods and apparatus to validate and restore machine configurations are disclosed herein. An example apparatus includes a context identifier to obtain first context information for a first set of configuration update events occurring on a computing device, a guest agent interface to transmit the first set of configuration update events to a security manager for generation of a policy, the policy including allowable configuration update events and responses to unallowable configuration update events, an event comparator to compare second context information of a subsequent configuration update event obtained by the context identifier to the policy received from the security manager, and an event handler to determine, when the subsequent configuration update event is not included in the policy, that the subsequent configuration update event is to be transmitted to the security manager for generation of an updated policy.
    Type: Application
    Filed: December 10, 2018
    Publication date: December 19, 2019
    Inventors: Nilesh Awate, Goresh Musalay, Sachin Shinde, VSV Vijay
  • Patent number: 10489185
    Abstract: Example methods are provided for locating an operating system (OS) data structure on a host according to a hypervisor-assisted approach. The method may comprise a virtualized computing instance identifying a guest virtual memory address range in which the OS data structure is stored; and configuring the hypervisor to perform a safe read on the guest virtual memory address range to access data stored within the guest virtual memory address range. The method may further comprise the virtualized computing instance performing attribute matching by comparing the data stored within the guest virtual memory address range with attribute data associated with the OS data structure; and determining a location associated with the OS data structure based on the attribute matching.
    Type: Grant
    Filed: June 8, 2017
    Date of Patent: November 26, 2019
    Assignee: Nicira, Inc.
    Inventors: Prasad Dabak, Goresh Musalay