Patents by Inventor Michael Rapoport
Michael Rapoport has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
- Patent number: 11194639
  Abstract: Embodiments of the present systems and methods may provide additional security mechanisms inside an operating system kernel itself by executing system calls in a dedicated address space to reduce the amount of shared resources that are visible to and thus exploitable by a malicious application. For example, in an embodiment, a method implemented in a computer may comprise a processor, memory accessible by the processor, and computer program instructions stored in the memory and executable by the processor, the method may comprise: when a user process makes a system call, switching to kernel mode and using a system call page table for the user process to execute a system call handler, when the system call handler attempts to access unmapped kernel space memory, generating a page fault, and handling the page fault by determining whether the attempted access to unmapped kernel space memory is allowed.
  Type: Grant
  Filed: May 19, 2019
  Date of Patent: December 7, 2021
  Assignee: International Business Machines Corporation
  Inventors: James Bottomley, Joel Kelly Nider, Michael Rapoport
- Patent number: 11093657
  Abstract: Embodiments of the present systems and methods may provide additional security mechanisms inside an operating system kernel itself by isolating parts of the kernel to protect them from attacks. For example, in an embodiment, a computer-implemented method implemented in a computer comprising a processor, memory accessible by the processor, and computer program instructions stored in the memory and executable by the processor, the method may comprise: creating a namespace in an operating system kernel-space in the memory of the computer, creating an address space for the namespace that maps only kernel objects owned by the namespace, and providing access to kernel objects owned by the namespace only to at least one user process using the combined page table.
  Type: Grant
  Filed: May 19, 2019
  Date of Patent: August 17, 2021
  Assignee: International Business Machines Corporation
  Inventors: James Bottomley, Joel Kelly Nider, Michael Rapoport
- Publication number: 20200364375
  Abstract: Embodiments of the present systems and methods may provide additional security mechanisms inside an operating system kernel itself by isolating parts of the kernel to protect them from attacks. For example, in an embodiment, a computer-implemented method implemented in a computer comprising a processor, memory accessible by the processor, and computer program instructions stored in the memory and executable by the processor, the method may comprise: creating a namespace in an operating system kernel-space in the memory of the computer, creating an address space for the namespace that maps only kernel objects owned by the namespace, and providing access to kernel objects owned by the namespace only to at least one user process using the combined page table.
  Type: Application
  Filed: May 19, 2019
  Publication date: November 19, 2020
  Inventors: James Bottomley, Joel Kelly Nider, Michael Rapoport
- Publication number: 20200364101
  Abstract: Embodiments of the present systems and methods may provide additional security mechanisms inside an operating system kernel itself by executing system calls in a dedicated address space to reduce the amount of shared resources that are visible to and thus exploitable by a malicious application. For example, in an embodiment, a method implemented in a computer may comprise a processor, memory accessible by the processor, and computer program instructions stored in the memory and executable by the processor, the method may comprise: when a user process makes a system call, switching to kernel mode and using a system call page table for the user process to execute a system call handler, when the system call handler attempts to access unmapped kernel space memory, generating a page fault, and handling the page fault by determining whether the attempted access to unmapped kernel space memory is allowed.
  Type: Application
  Filed: May 19, 2019
  Publication date: November 19, 2020
  Inventors: James Bottomley, Joel Kelly Nider, Michael Rapoport
- Patent number: 10824466
  Abstract: In some examples, a system for container migration can include a processor to detect a remote direct memory access (RDMA) enabled network interface controller that supports an on-demand paging feature within the system and within the target device. The processor can also detect a container to be migrated to the target device, the container comprising one or more processes being executed by the system. Additionally, the processor can implement migration procedures on the system and detect, via a kernel component of an operating system, a process identifier of each of the one or more processes to be migrated, wherein the operating system is stored in memory of the system. Furthermore, the processor can modify the system to transmit page fault data for each of the one or more processes migrated to the target device.
  Type: Grant
  Filed: September 26, 2018
  Date of Patent: November 3, 2020
  Assignee: International Business Machines Corporation
  Inventors: Joel Kelly Nider, Michael Rapoport
- Publication number: 20200097323
  Abstract: In some examples, a system for container migration can include a processor to detect a remote direct memory access (RDMA) enabled network interface controller that supports an on-demand paging feature within the system and within the target device. The processor can also detect a container to be migrated to the target device, the container comprising one or more processes being executed by the system. Additionally, the processor can implement migration procedures on the system and detect, via a kernel component of an operating system, a process identifier of each of the one or more processes to be migrated, wherein the operating system is stored in memory of the system. Furthermore, the processor can modify the system to transmit page fault data for each of the one or more processes migrated to the target device.
  Type: Application
  Filed: September 26, 2018
  Publication date: March 26, 2020
  Inventors: Joel Kelly Nider, Michael Rapoport
- Patent number: 9946870
  Abstract: A method and apparatus for efficiently executing guest programs in a virtualized computing environment are presented. The method includes executing a virtual machine on a computing hardware; executing a single hypervisor in a first security ring on the virtual machine; executing a single guest program on the virtual machine, wherein the single guest program includes a single kernel being executed in the first security ring and at least one application being executed in a second security ring; and executing at least an instruction issued by the at least one application without trapping the single hypervisor.
  Type: Grant
  Filed: October 26, 2015
  Date of Patent: April 17, 2018
  Assignee: Ravello Systems Ltd.
  Inventors: Izik Eidus, Leonid Shatz, Michael Rapoport, Alexander Fishman
- Publication number: 20160048676
  Abstract: A method and apparatus for efficiently executing guest programs in a virtualized computing environment are presented. The method includes executing a virtual machine on a computing hardware; executing a single hypervisor in a first security ring on the virtual machine; executing a single guest program on the virtual machine, wherein the single guest program includes a single kernel being executed in the first security ring and at least one application being executed in a second security ring; and executing at least an instruction issued by the at least one application without trapping the single hypervisor.
  Type: Application
  Filed: October 26, 2015
  Publication date: February 18, 2016
  Applicant: RAVELLO SYSTEMS LTD.
  Inventors: Izik Eidus, Leonid Shatz, Michael Rapoport, Alexander Fishman
- Patent number: 9176763
  Abstract: A method for efficient execution of a guest in a virtualized computing environment is provided. The method comprises causing an execution of at least one virtual machine on a computing hardware, the virtual machine executes a hypervisor in a first security ring; and causing an execution of a single guest program on one of the at least one virtual machines, the single guest program comprises a kernel being executed in the first security ring and at least one application being executed in a second security ring.
  Type: Grant
  Filed: November 26, 2012
  Date of Patent: November 3, 2015
  Assignee: Ravello Systems Ltd.
  Inventors: Izik Eidus, Leonid Shatz, Michael Rapoport, Alexander Fishman
- Publication number: 20130145363
  Abstract: An apparatus and method of operation in a para-virtualized environment. The method includes executing a first hypervisor on a hardware platform of a computing device; and executing a second hypervisor over the first hypervisor, the second hypervisor is configured to capture at least a privileged instruction called by an unmodified guest program executed over the second hypervisor and cause the first hypervisor to execute an instruction corresponding to the captured privileged instruction, wherein the unmodified guest program and the second hypervisor operate in a user space protection domain, e.g., Ring 3, and the at least privileged instruction should be executed in a kernel space protection domain, e.g., Ring 0.
  Type: Application
  Filed: March 22, 2012
  Publication date: June 6, 2013
  Applicant: RAVELLO SYSTEMS LTD.
  Inventors: Izik Eidus, Leonid Shatz, Michael Rapoport, Alexander Fishman