Patents by Inventor Spencer R. Shimko

Spencer R. Shimko has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20090222880
    Abstract: Provided are systems and methods for applying access controls to separate and contain virtual machines in a flexible, configurable manner. Access can be granted or removed to a variety of system resources—including network cards, shared folders, and external devices. Operations, such as cut and paste, between the virtual machines can be restricted or allowed. Virtual machines are run in containers. This allows more than one virtual machine to share the same access profile. Containers can be configured to allow a user to instantiate a virtual machine at run time. This allows the user to dynamically define which virtual machines run in various containers. An administrator determines which containers (if any) allow dynamic instantiation, and specifies the list of virtual machines the user can choose from. A container, and/or virtual machines within the container, can be restricted to particular users.
    Type: Application
    Filed: March 3, 2008
    Publication date: September 3, 2009
    Applicant: Tresys Technology, LLC
    Inventors: Frank L. Mayer, James L. Athey, Kenneth M. Walker, Spencer R. Shimko, Charles D. Sellers
  • Publication number: 20090037929
    Abstract: The present invention provides secure inter-process communications, and applications thereof. In an embodiment, a shared memory and a message queue are used to provide a secure communication channel between a first computer process and a second computer process. The shared memory provides a path for high-bandwidth data transfer in a forward direction. The message queue provides a path for controlling the data transfer in the forward direction, while limiting data transfer in the reverse direction. A third computer process creates the message queue that is used by the first computer process and the second computer process to control the passage of data. Access to the shared memory and the message queue is enforced using a mandatory access control security policy.
    Type: Application
    Filed: July 30, 2007
    Publication date: February 5, 2009
    Applicant: Tresys Technology, LLC
    Inventors: Spencer R. Shimko, Joshua J. Brindle
  • Publication number: 20080209501
    Abstract: Provided are systems and methods for implementing mandatory access control in a computer, and applications thereof. An embodiment provides a security policy generator that generates security policies for one or more machines of a network based on a single set of enterprise configuration parameters. This single set of enterprise configuration parameters comprises relatively few lines of text compared to a typical security policy file. The present invention makes it possible to easily configure, change, and adapt mandatory access control security policies to enforce application-specific security goals across many networked systems to create a single, distributed, secure enterprise. With the present invention, a network administrator, for example, can set familiar network and file configuration options that automatically result in security changes without requiring extensive knowledge of the operating system kernel or how to develop a mandatory access control security policy.
    Type: Application
    Filed: February 28, 2007
    Publication date: August 28, 2008
    Applicant: Tresys Technology, LLC
    Inventors: Frank L. Mayer, Spencer R. Shimko, Karl W. MacMillan