Abstract: Described is a technology by which an engine parses data based upon modules arranged in a tree-like model structure. Only those modules that meet a condition with respect to the data are invoked for processing the data. Each child module specifies a parent module and specifies a condition for when the parent is to invoke the child module. As a module processes the data, if a child module's specified condition is met, it invokes the corresponding child module, (which in turn may invoke a lower child if its condition is met, and so on). When the data corresponds to protocols, the model facilitates protocol layering. A top level parent may represent one protocol (e.g., TCP), a child beneath may represent a lower-layer protocol (e.g., HTTP), whose children may handle certain types of HTTP commands, or correspond to a signature that the child module is programmed to detect.

Abstract: A computing device that has a network interface that performs a subset of possible networking functions while the computing device is in a sleep mode. The subset of functions may be simply implemented on the network interface, yet to substantially reduce the frequency with which the computing device has to wake up to perform networking functions. The subset of functions may be selected to maintain a network presence of the computing device while the device is in sleep mode, and may include responding to requests for MAC information, sending keep-alive messages or exchanging security information that, in accordance with network protocols, has a limited lifetime that would otherwise expire while the computing device is in sleep mode.

Abstract: A computer with an extensible framework for facilitating communication between a software component installed on the computer and a device driver that executes functions in response to vendor-specific command objects (e.g., OIDs). The framework defines data structures and a standardized format for defining and implementing private interfaces. After selecting a private interface that is commonly supported by a software component and a driver, a private communication path may be established by an operating system component to facilitate the transfer of command information from the software component to the driver. The private communication path allows commands packaged as OIDs to be routed from software components to intended drivers. By defining private interfaces which route commands from software components to intended drivers, the extensible framework mitigates potential incompatibilities that may arise when drivers created by different vendors include OIDs with the same OID value.

Abstract: Techniques are disclosed for the non-disruptive and reliable live migration of a virtual machine (VM) from a source host to a target host, where network data is placed directly into the VM's memory. When a live migration begins, a network interface card (NIC) of the source stops placing newly received packets into the VM's memory. A virtual server driver (VSP) on the source stores the packets being processed and forces a return of the memory where the packets are stored to the NIC. When the VM has been migrated to the target, and the source VSP has transferred the stored packets to the target host, the VM resumes processing the packets, and when the VM sends messages to the target NIC that the memory associated with a processed packet is free, a VSP on the target intercepts that message, blocking the target NIC from receiving it.

Abstract: Techniques are disclosed for the non-disruptive and reliable live migration of a virtual machine (VM) from a source host to a target host, where network data is placed directly into the VM's memory. When a live migration begins, a network interface card (NIC) of the source stops placing newly received packets into the VM's memory. A virtual server driver (VSP) on the source stores the packets being processed and forces a return of the memory where the packets are stored to the NIC. When the VM has been migrated to the target, and the source VSP has transferred the stored packets to the target host, the VM resumes processing the packets, and when the VM sends messages to the target NIC that the memory associated with a processed packet is free, a VSP on the target intercepts that message, blocking the target NIC from receiving it.

Abstract: A computer-readable medium bearing computer-executable instructions which, when executed on a computer, carry out a method for handling a request for an operating system service is presented. The method comprises receiving a request for execution of an operating system service. The corresponding operating system service is then identified. A unique service identifier that corresponds to the requested operating system service is obtained. A service thread is generated, the thread being associated with an executing process. Storage associated with the service thread is initialized with the unique service identifier. Thereafter, the execution of the service thread is initiated.

Abstract: A method and system for distributing and enforcing security policies is provided. A firewall agent executing at a host computer system that is to be protected receives security policies for the enforcement engines responsible for enforcing the security policies on the host computer system. A security policy has rules that each provide a condition and action to be performed when the condition is satisfied. A rule also has a rule type that is used by the distribution system to identify the security components that are responsible for enforcing the rules. To distribute the security policies that have been received at a host computer system, the firewall agent identifies to which enforcement engine a rule applies based in part on rule type. The firewall agent then distributes the rule to the identified enforcement engine, which then enforces the rule.

Abstract: Pairing service technologies is described. In embodiment(s), peripheral devices can be discovered, such as by a computer device, and a peripheral device can be configured with multiple services that each correspond to one or more data communication protocols. The multiple services of the peripheral device can be determined, and a pairing sequence can be prioritized for the multiple services. The data communication protocol(s) can then be paired according to the pairing sequence to configure the multiple services of the peripheral device.

Abstract: A computing device that has a network interface that performs a subset of possible networking functions while the computing device is in a sleep mode. The subset of functions may be simply implemented on the network interface, yet to substantially reduce the frequency with which the computing device has to wake up to perform networking functions. The subset of functions may be selected to maintain a network presence of the computing device while the device is in sleep mode, and may include responding to requests for MAC information, sending keep-alive messages or exchanging security information that, in accordance with network protocols, has a limited lifetime that would otherwise expire while the computing device is in sleep mode.

Abstract: Pairing service technologies is described. In embodiment(s), peripheral devices can be discovered, such as by a computer device, and a peripheral device can be configured with multiple services that each correspond to one or more data communication protocols. The multiple services of the peripheral device can be determined, and a pairing sequence can be prioritized for the multiple services. The data communication protocol(s) can then be paired according to the pairing sequence to configure the multiple services of the peripheral device.

Abstract: Described is a technology by which an engine parses data based upon modules arranged in a tree-like model structure. Only those modules that meet a condition with respect to the data are invoked for processing the data. Each child module specifies a parent module and specifies a condition for when the parent is to invoke the child module. As a module processes the data, if a child module's specified condition is met, it invokes the corresponding child module, (which in turn may invoke a lower child if its condition is met, and so on). When the data corresponds to protocols, the model facilitates protocol layering. A top level parent may represent one protocol (e.g., TCP), a child beneath may represent a lower-layer protocol (e.g., HTTP), whose children may handle certain types of HTTP commands, or correspond to a signature that the child module is programmed to detect.

Abstract: A computer with an extensible framework for facilitating communication between a software component installed on the computer and a device driver that executes functions in response to vendor-specific command objects (e.g., OIDs). The framework defines data structures and a standardized format for defining and implementing private interfaces. After selecting a private interface that is commonly supported by a software component and a driver, a private communication path may be established by an operating system component to facilitate the transfer of command information from the software component to the driver. The private communication path allows commands packaged as OIDs to be routed from software components to intended drivers. By defining private interfaces which route commands from software components to intended drivers, the extensible framework mitigates potential incompatibilities that may arise when drivers created by different vendors include OIDs with the same OID value.

Abstract: A computer system having secured network services is presented. The computer system comprises a processor, a memory, and a network action processing module. The network action processing module processes network actions from one or more network services executing on the computer system. The computer system is further configured to execute at least network service performing network actions in conjunction with the network action processing module. Upon receiving a network action from a network service, the network action processing module determines whether the network action is a valid network action according to a network action control list. If the network action is determined to not be a valid network action, the network action is blocked. Alternatively, if the network action is determined to be a valid network action, the network action is permitted to be completed.

Abstract: A method and system for distributing and enforcing security policies is provided. A firewall agent executing at a host computer system that is to be protected receives security policies for the enforcement engines responsible for enforcing the security policies on the host computer system. A security policy has rules that each provide a condition and action to be performed when the condition is satisfied. A rule also has a rule type that is used by the distribution system to identify the security components that are responsible for enforcing the rules. To distribute the security policies that have been received at a host computer system, the firewall agent identifies to which enforcement engine a rule applies based in part on rule type. The firewall agent then distributes the rule to the identified enforcement engine, which then enforces the rule.

Abstract: A method and system for distributing and enforcing security policies is provided. A firewall agent executing at a host computer system that is to be protected receives security policies for the enforcement engines responsible for enforcing the security policies on the host computer system. A security policy has rules that each provide a condition and action to be performed when the condition is satisfied. A rule also has a rule type that is used by the distribution system to identify the security components that are responsible for enforcing the rules. To distribute the security policies that have been received at a host computer system, the firewall agent identifies to which enforcement engine a rule applies based in part on rule type. The firewall agent then distributes the rule to the identified enforcement engine, which then enforces the rule.

Abstract: A facility is provided for conditionally reserving resources in an operating system. In various embodiments, the facility receives an indication of a conditional reservation declarator that identifies at least a resource, an action, a condition, and a principal. The conditional reservation declarator can specify a directive that corresponds to the identified resource, action, condition, and principal. The facility configures itself to apply the specified directive in relation to the identified action and resource when the principal attempts to perform the identified action in relation to the identified resource and the condition is met. The facility can apply the specified directive when it determines that the principal is attempting to perform the identified action on the identified resource when the condition is met.