Abstract: Embodiments of apparatus, computer-implemented methods, systems, and computer-readable media are described herein for a virtual machine manager, wherein the virtual machine manager is configured to selectively employ different views with different permissions to map guest physical memory of a virtual machine of the apparatus to host physical memory of the apparatus, to regulate access to and protect different portions of an application of the virtual machine that resides in different portions of the physical memory. Other embodiments may be described and/or claimed.

Abstract: Latency reduction for direct memory access operations involving address translation is disclosed. Example methods disclosed herein to perform direct memory access (DMA) operations include initializing a ring of descriptors, the descriptors to index respective buffers for storing received data in a first memory. Such example methods also include causing prefetching of a first address translation associated with a second descriptor in the ring of descriptors to be performed after a first DMA operation is performed to store first received data in a first buffer indexed by a first descriptor in the ring of descriptors and before second received data to be stored in the first memory is received, the first address translation being associated with a second DMA operation for storing the second received data in the first memory.

Abstract: A system, method, and computer program product are provided for managing hierarchy and optimization in network function virtualization based networks. In use, a first hardware unit of a plurality of hardware units associated with a network function virtualization (NFV) based communication network is identified, the first hardware unit being identified based on a first load characteristic associated with the first hardware unit. Further, a first virtual network function (VNF) instance associated with the first hardware unit is identified, the first VNF instance being associated with usage of at least one service. Additionally, at least one traffic route associated with the first VNF instance is identified, the at least one traffic route being associated with usage of the at least one service.

Abstract: Mechanisms are provided for automatically expanding a virtual storage of a virtual machine. The virtual machine monitors a usage of the virtual storage of the virtual machine. The virtual machine determines, based on the monitoring of the usage of the virtual storage, whether to expand the virtual storage of the virtual machine. In response to the virtual machine determining to expand the virtual storage of the virtual machine, a virtual machine manager executes one or more operations to expand the virtual storage. The monitoring and determining may be performed by a virtual storage management agent executing within the virtual machine and which may send an expansion request to an authorization engine to request expansion of the virtual storage.

Abstract: Systems, methods, apparatuses, and software for data storage systems are provided herein. In one example, a data storage assembly is provided. The data storage assembly includes a plurality of storage drives each comprising a PCIe host interface and solid state storage media, with each of the storage drives configured to store and retrieve data responsive to storage operations received over an associated PCIe host interface. The data storage assembly includes a PCIe switch circuit coupled to the PCIe host interfaces of the storage drives and configured to receive the storage operations issued by a plurality of host systems over a shared PCIe interface and transfer the storage operations for delivery to the storage drives over selected ones of the PCIe host interfaces. The data storage assembly includes holdup circuitry configured to provide power to at least the storage drives after input power is lost to the data storage assembly.

Abstract: A keyword spotting system includes a decoder having a storage device and a decoding circuit. The storage device is used to store a log-likelihood table and a plurality of dynamic programming (DP) tables generated for recognition of a designated keyword. The decoding circuit is used to refer to features in one frame of an acoustic data input to calculate the log-likelihood table and refer to at least the log-likelihood table to adjust each of the DP tables when recognition of the designated keyword is not accepted yet, where the DP tables are reset by the decoding circuit at different frames of the acoustic data input, respectively.

Abstract: Techniques are described for performing an offline domain join and login on behalf of a computing device in order to enable the device to access corporate resources without local access to the domain controller. A slave service is described that can start a virtual machine on a local network of the enterprise, perform an offline domain join of the virtual machine, perform a first login to the virtual machine using credentials of a remote user and then capture the changes made on the virtual machine and deliver those changes to the remote user's device. These changes can then be applied on the user's device to add the credentials and configuration changes necessary for the user to access the private enterprise resources remotely.

Abstract: A computer system transitions a virtual machine from a host computer to a target computer having a security key. The host computer transfers a security phrase to the target computer. The target computer applies the security key to the security phrase to generate a security response. That target computer transfers the security response to the host computer. The host computer determines whether the target computer can support the virtual machine based on the security response from the target computer. If the target computer is capable of supporting the virtual machine, then the host computer initiates a transition of the virtual machine from the host computer to the target computer. The determination of whether the target computer can support the virtual machine may be further based on resource availability, time-slice availability, and the other virtual machines executing on the target computer.

Abstract: A system for designing Network-on-Chip interconnect arrangements includes a Network-on-Chip backbone with a plurality of backbone ports and a set of functional clusters of aggregated IPs providing respective sets of System-on-Chip functions. The functional clusters include respective sub-networks attachable to any of the backbone ports and to any other functional cluster in the set of functional clusters independently of the source map of the Network-on-Chip backbone.

Abstract: A remote memory swapping method, an apparatus, and a system, that relate to the communications field and can improve a running speed of a system and reduce power consumption. The method, executed by a local node, includes obtaining a base address of a memory page that needs to be dumped; querying, according to the base address, a routing table to obtain routing information of the memory page; sending the routing information and dumping signaling to a cloud controller, so that the cloud controller forwards the routing information and the dumping signaling to a remote node in which the memory page is located; further, the remote node dumps, according to the dumping signaling and the routing information, from memory of the remote node into a hard disk of the remote node or the backward, data in the memory page.

Abstract: A computing environment includes a computing system, where the computing system includes a plurality of logical partitions, a hypervisor supporting the plurality of logical partitions, a plurality of SR-IOV adapters, where at least one of the logical partitions is mapped to a virtual function on a first SR-IOV adapter of the plurality of adapters, and where migrating an SR-IOV adapter configuration in the computing environment includes: cloning, on a second SR-IOV adapter, a configuration of the first SR-IOV adapter; placing the second SR-IOV adapter and the virtual function in an error state; remapping the virtual function from the first SR-IOV adapter to the second SR-IOV adapter; and placing the second SR-IOV adapter and the virtual function in an error recovery state.

Abstract: A method for setting a compression ratio for utilizing a compressed memory pool (which is backed by pinned memory) by a virtual memory manager (VMM). Compression of pages of corresponding segments can be tracked as part of a VMM paging algorithm that compresses pages to store in a compressed memory pool. A segment having pages with an average compression ratio below a threshold is identified. The identified segment pages are prevented from utilizing the compressed memory pool resulting in optimizing the use of the compressed memory pool.

Abstract: Systems, methods, and computer program products to perform an operation comprising creating, by a kernel, a temporary effective address associated with a virtual segment identifier (VSID), wherein the VSID is received by a processor in an asynchronous interrupt generated by a coherent accelerator in response to a page fault generated by the coherent accelerator in executing an instruction, accessing the temporary effective address by the processor to recreate the page fault on the processor, and resolving the page fault by an operating system executing on the processor.

Abstract: Techniques are described for migrating virtual machines (VMs) across virtual switches. To migrate a VM, a destination distributed virtual switch module may, prior to migration, instantiate a distributed virtual port on a destination VM host and reserve the distributed virtual port for each virtual network adapter of the VM. Further, a configuration file for the VM specifying the distributed virtual ports reserved for the virtual network adapters may be copied from a source VM host to the destination VM host or created in the destination VM host. As part of the migration, network state data of the distributed virtual ports used by the VM at the source VM host is copied and applied to the appropriate reserved distributed virtual ports on the destination host. Then, when the migrated VM is powered on at the destination host, the VM configuration specifying the reserved distributed virtual ports is used to attach the virtual network adapters of the VM to the reserved distributed virtual ports.

Abstract: The invention relates to a data processing system including at least two disk emulators operating in parallel. Each of the at least two disk emulators emulates a disk subsystem and is associated with a respective file in a file system for any data stored on a physical disk. The data processing system further includes a de-duplicator for de-duplicating the data stored in the respective files associated with the at least two disk emulators. The de-duplicator operates in parallel to the disk emulators and is associated with an additional disk emulator emulating an additional disk subsystem. The additional disk emulator is associated with an additional file in a file system configured to store data shared between the respective disk subsystems emulated by the at least two disk emulators.

Abstract: A processor-implemented method for copying a source file to a destination file using a virtual memory manager (VMM) of a computer operating system is provided. The method includes receiving, by the VMM, a request to copy the source file to a destination file. The method further provides that based on the status of the virtual page, performing at least one of moving the virtual page to the destination file, copying the virtual page to the destination file, reading the virtual page into memory, and ignoring the virtual page.

Abstract: A resource management system and method for automatically creating affinity-type rules for resource management in a distributed computer system uses association inference information for at least one resource to determine resource association between resources, which is used to automatically create an affinity-type rule for the resources. The affinity-type rule is considered when executing a resource management operation.

Abstract: A computer implemented method includes monitoring activity on the virtual machine. A plurality of activities being performed at the virtual machine is identified. Each of the activities includes an activity source, an activity target, and an association between the activity source and the activity target. The activity information is stored in the memory. The one or more of the activity sources, activity targets, and associations are transmitted to prevent future attacks.

Abstract: A method and apparatus for optimizing resource utilization within a cluster and facilitating high availability for an application is described. In one embodiment, the method for optimizing resource utilization within a cluster and facilitating high availability for an application includes accessing configuration information regarding virtual machine nodes within the cluster to identify an active node and at least one passive node that are associated with the application and configuring the at least one passive node to be in a suspended state, wherein a passive node of the at least one passive node is to be in a running state and the active node is to be in a suspended state upon migration of the application to the passive node of the at least one passive node.

Abstract: Techniques are described for allocating computing storage capacity to customers of a provider network. Storage capacity that is allocated to a customer is backed up with a replica of the allocated storage capacity. A request is received for a copy of contents of the allocated storage capacity. Responsive to the indication, the requested copy is provided and is configured to reference the replica when the requested copy is accessed.

Abstract: A system and methods for migrating a virtual machine (VM). In one embodiment, a hypervisor receives a request to migrate the contents of a memory of a source VM in a first physical memory area to a destination VM in a second physical memory area, where the first and second physical memory areas are disjoint. The hypervisor executes the destination VM in response to the request, and detects an access of a page of memory of the destination VM. The hypervisor determines, in view of a data structure maintained by a guest operating system executing in the destination VM, that a first page of a memory of the source VM in the first physical memory area is currently in use by the destination VM.

Abstract: In a virtual computing environment, a system configured to switch between isolated virtual contexts. A system includes a physical processor. The physical processor includes an instruction set architecture. The instruction set architecture includes an instruction included in the instruction set architecture for the physical processor that when invoked indicates that a virtual processor implemented using the physical processor should switch directly from a first virtual machine context to a second virtual machine context. The first and second virtual machine contexts are isolated from each other.

Abstract: A plurality of virtual machines (VMs) is migrated from a source group to a destination group in such as way as to achieve consistency and either availability or group preservation. Execution of VMs in the source group is selectively delayed during state migration so that memory transfer of all the VMs in the group will converge roughly at the same time. After VM state transfer to the destination group, execution switch-over is coordinated using different handshake and acknowledgement messages, passed either through a “leader” VM in each group, or directly between source-destination VM pairs.

Abstract: Techniques for tracking, by a host system, virtual machine (VM) memory modified by a physical input/output (I/O) device that supports I/O virtualization are provided. In one embodiment, a hypervisor of the host system can receive a hardware interrupt from the physical I/O device, where the hardware interrupt indicates that a virtual function (VF) of the physical I/O device has completed a direct memory access (DMA) write to a guest memory space of a VM running on the host system. In response to the hardware interrupt, the hypervisor can invoke a function implemented by a physical function (PF) driver of the physical I/O device, where the function is configured to inspect the VF's state in order to identify memory portions modified by the DMA write. The hypervisor can then mark, in a hypervisor-level page table, one or more memory pages corresponding to the identified memory portions as dirty pages.

Abstract: Techniques for dynamic selection and generation of detonation location of suspicious content with a honey network are disclosed. In some embodiments, a system for dynamic selection and generation of detonation location of suspicious content with a honey network includes a virtual machine (VM) instance manager that manages a plurality of virtual clones executed in an instrumented VM environment, in which the plurality of virtual clones executed in the instrumented VM environment correspond to the honey network that emulates a plurality of devices in an enterprise network; and an intelligent malware detonator that detonates a malware sample in at least one of the plurality of virtual clones executed in the instrumented VM environment.

Abstract: A hypervisor provides a guest operating system with a plurality of protection domains, including a root protection domain and one or more secure protection domains, and mechanisms for controlling the transitions between the protection domains. The guest physical memory region of a secure protection domain, which is mapped to host physical memory by secure nested page tables, stores secure guest code and data, and guest page tables for the secure guest code. When executing secure guest code, the guest page tables stored in the secure protection domain region are used for guest virtual to guest physical address translations, and the secure nested page tables are used for guest physical to host physical address translations.

Abstract: In a computer system, joint operation of multiple hypervisors is coordinated. A persistent hypervisor and a non-persistent hypervisor are executed. The non-persistent hypervisor is executed in the supervisor mode according to an operating regime controlled by a scheduler engine, and the persistent hypervisor is executed in the hypervisor mode under the control of a handler engine. The handler engine monitors, and responds, to an attempted mode transition of the processor between the hypervisor and supervisor modes, and coordinates the suspension and resumption, as appropriate, of the persistent hypervisor.

Abstract: In an embodiment, a processor includes logic to provide a first virtual address of first data stored in a memory at a first physical address. The memory includes pages of a memory allocation unit page size. The processor also includes translation logic to access the first data via a first virtual to physical address translation that includes a first hierarchy of page translation tables to map to a first page having a first page size that is smaller than the memory allocation unit size. Other embodiments are described and claimed.

Abstract: Methods and apparatus relating to low overhead paged memory runtime protection are described. In an embodiment, permission information for guest physical mapping are received prior to utilization of paged memory by an Operating System (OS) based on the guest physical mapping. The permission information is provided through an Extended Page Table (EPT). Other embodiments are also described.

Abstract: A hypervisor of a host detects a request by a guest or a hypervisor administrator to expose a device associated with the host to the guest. The hypervisor locates free space in a configuration space of the device. The hypervisor assigns a configuration space associated with the hypervisor to the located free space. The hypervisor notifies the guest of the configuration space associated with the hypervisor and a range of addresses associated with the free space. The hypervisor exposes the device to the guest. The configuration space associated with the hypervisor may be a message-signaled capability associated with the hypervisor.

Abstract: A mechanism is provided for managing memory of a runtime environment executing on a virtual machine. The mechanism includes an elastic cache made of objects within heap memory of the runtime environment. When the runtime environment and virtual machine are not experiencing memory pressure from a hypervisor, the objects of the elastic cache may be used to temporarily store application-level cache data from applications running within the runtime environment. When memory pressure from the hypervisor is exerted, the objects of the elastic cache are re-purposed to inflate a memory balloon within heap memory of the runtime environment.

Abstract: Technologies are described herein for reducing network traffic when replicating memory data across hosts. The memory data stored in a main memory of the host computer is replicated to a main memory of a second host computer. Memory data from the local data storage of the second host computer that is a duplicate of memory data from the main memory is identified. Instead of sending the memory data from the main memory that is duplicated, the duplicated memory is copied from the local storage to the main memory of the second host computer.

Abstract: A method for migrating memory data of a virtual machine, and a related apparatus, and a cluster system are provided. The method includes: obtaining a data sending request for sending memory data of a first virtual machine, where the request includes an identity of the first virtual machine and a PFN of the memory data that is requested to be sent; querying a correspondence information base according to the identity of the first virtual machine to obtain a correspondence of the first virtual machine; querying the correspondence of the first virtual machine according to the PFN of the memory data that is requested to be sent, so as to obtain a physical memory page address of the memory data; and sending, to a destination physical host by using an RDMA network adapter, memory data stored at the physical memory page address of the memory data.

Abstract: The subject matter of this specification can be implemented in, among other things, a method including receiving a request to create a live snapshot of a state of a virtual machine including a memory and an original disk file. The method further includes copying, by a hypervisor, data from the memory to a storage device to form a memory snapshot. The method further includes pausing the virtual machine and creating a new disk file at a reference point-in-time. The original disk file is a backing file of the new disk file. The method further includes resuming the virtual machine. The virtual machine is to perform disk operations using the new disk file after the reference point-in-time. The method further includes copying the original disk file to a disk snapshot file. The method further includes providing the live snapshot including the disk snapshot file and the memory snapshot.

Abstract: An example method of providing deduplication support for one or more memory pages includes setting, by a memory manager, an initial memory page to a write protection mode. The initial memory page is located in an address space allocated to a memory consumer. The method also includes detecting, by the memory manager, an attempted write to the initial memory page. The method further includes creating, by the memory manager, a copy of the initial memory page in response to detecting the attempted write. The method also includes discarding, based on a determination of whether to discard the initial memory page or the copy of the initial memory page, the initial memory page or the copy of the initial memory page to provide protection for memory deduplication.

Abstract: Systems and methods for guest page table validation by virtual machine (VM) functions. An example method comprises: storing a first VM function invocation instruction in a first memory page executable from a default memory view of a VM, wherein executing the first VM function invocation instruction switches a page table pointer to a trampoline memory view of the VM; configuring a write access permission, from the trampoline memory view, to a page table comprised by a VM page table hierarchy; storing a second VM function invocation instruction in a second memory page executable from the trampoline memory view, wherein executing the second VM function invocation instruction switches the page table pointer to an alternative memory view of the VM; storing, in the second memory page, validation instructions to validate the VM page table hierarchy; and storing protected instructions within a third memory page executable from the alternative memory view.

Abstract: A virtual disk conversion system determines location ranges for data on a storage device that are found in files representing a virtual disk in a source format. An intermediate virtual disk data structure containing the location ranges for the data is generated, and the intermediate virtual disk data structure is used to associate data at the location ranges with a new file on the storage device that represents a virtual disk in a destination format.

Abstract: Techniques are described for enabling a virtual machine to be presented with an amount of available guest memory, where a hypervisor or other privileged component manages the mapping of the guest memory to either volatile memory (e.g., RAM) or to secondary storage (e.g., SSD). This enables volatile memory to be effectively oversubscribed to on host computing devices that have a limited amount of total available volatile memory but which are running multiple virtual machines. For example, each virtual machine on the device can be presented as having access to the total amount of available RAM that is available on the device. The hypervisor or other virtualization component then monitors the usage of the memory by each virtual machine and shapes which portions of the guest memory for that virtual machine are mapped to RAM and which portions are mapped to secondary storage, such as SSD.

Abstract: A system and method for ballooning with assigned devices includes inflating a memory balloon, determining whether a first memory page is locked based on information associated with the first memory page, when the first memory page is locked unlocking the first memory page and removing first memory addresses associated with the first memory page from management by an input/output memory management unit (IOMMU), and reallocating the first memory page. The first memory page is associated with a first assigned device.

Abstract: A method of migrating applications from an enterprise-based network to a multi-tenant network of a compute service provider may include receiving a request to migrate an application running on a first virtual machine instance within the enterprise-based network. Dependencies of the application may be determined by identifying at least a second virtual machine instance within the enterprise-based network, where the at least second virtual machine instance associated with the application. Resource monitoring metrics associated with hardware resources used by the first virtual machine instance and the at least second virtual machine instance may be received. The first and at least second virtual machine instances may be migrated from the enterprise-based network to at least one virtual machine at a server within the multi-tenant network based on the monitoring metrics, thereby migrating the application from the enterprise-based network to the multi-tenant network.

Abstract: A processing core comprising instruction execution logic circuitry and register space. The register space to be loaded from a VMCS, commensurate with a VM entry, with information indicating whether a service provided by the processing core on behalf of the VMM is enabled. The instruction execution logic to, in response to guest software invoking an instruction: refer to the register space to confirm that the service has been enabled, and, refer to second register space or memory space to fetch input parameters for said service written by said guest software.

Abstract: A processing core comprising instruction execution logic circuitry and register space. The register space to be loaded from a VMCS, commensurate with a VM entry, with information indicating whether a service provided by the processing core on behalf of the VMM is enabled. The instruction execution logic to, in response to guest software invoking an instruction: refer to the register space to confirm that the service has been enabled, and, refer to second register space or memory space to fetch input parameters for said service written by said guest software.

Abstract: Techniques are presented for obfuscating programs of virtual machines. On a virtual machine hosted by a physical device, a program is run that is configured to execute one or more operations. At a virtual machine manager hosted by the physical device and configured to manage the virtual machine, execution of the program is monitored to detect a trapping event that causes the virtual machine manager to take over operation of the program. Upon detecting the trapping event, a specific operation of the program is performed that differs from an operation implied by static analysis of the program.

Abstract: A failover manager may be configured to determine a plurality of tenants executable on a server of a plurality of servers, each tenant being a virtual machine executable on the server in communication with at least one corresponding user. The failover manager may include a replicated tenant placement selector configured to dispatch a first replicated tenant for a first tenant of the plurality of tenants to a first standby server of the plurality of servers, and configured to dispatch a second replicated tenant for a second tenant of the plurality of tenants to a second standby server of the plurality of servers. The failover manager also may include a replicated tenant loader configured to activate, based on a failure of the server, the first replicated tenant on the first standby server to replace the first tenant, and the second replicated tenant on the second standby server to replace the second tenant.

Abstract: A selection of a document that includes a command and a parameter is received, and a user is caused to be associated with a policy that grants permission to execute the document. A request is received, from a requestor, to execute the document, the request including a parameter value, and the requestor is determined to be the user associated with the policy. The user is validated to have access to a resource indicated by the parameter value, and the command is caused to be executed against the resource.

Abstract: Various techniques of managing storage devices in a computing system are described in this application. In one embodiment, a method includes receiving an input containing consumption data representing consumption of a storage device in one of the processing units and determining if the storage device in one of the processing units is consumed excessively. In response to determining that the storage device is consumed excessively, an indicator may be generated to indicate a potential program migration from the one of the processing units to another one of the processing units in the computing system.

Abstract: A method of writing data to persistent storage includes (a) for each data block of a set of data blocks, storing data of that data block at an offset within a log segment of the persistent storage in conjunction with a logical block address (LBA) of that data block on the persistent storage, a size of the log segment being larger than a size of each data block, (b) identifying a particular log segment of the persistent storage that has become filled with data blocks, and (c) upon identifying the particular log segment as having become filled, inserting pointers to respective data blocks stored within the particular log segment into respective locations defined by the respective LBA of each respective data block within a map tree.

Abstract: Aspects of the present invention include hypervisor based security using a hypervisor to monitor a VM. In embodiments of the present invention, the information gathered by the hypervisor in the monitoring is compared against a reference image to determine if there are possible rootkits present on the VM. If there are potential rootkits, the VM can be quarantined.

Abstract: Certain aspects direct to systems and methods for performing virtual machine (VM) management to provide efficient user login and minimize resource usage. The system includes a virtual machine server storing a hypervisor and multiple VMs, and a virtual desktop controller. The virtual desktop controller is configured to control the virtual machine server to execute the hypervisor, and to execute at least (M+S) instances of the VMs on the executed hypervisor. When the virtual desktop controller detects a current number X of the executed VMs on the executed hypervisor, the virtual desktop controller determines whether X is greater than M. If X is greater than M, the virtual desktop controller controls the virtual machine server to execute some instances unexecuted VMs as the spare VMs on the hypervisor, such that S instances of the spare VMs are available to provide efficient user login.

Abstract: Generally described, aspects of the present disclosure relate to a live update process of the virtual machine monitor during the operation of the virtual machine instances. An update to a virtual machine monitor can be a difficult process to execute because of the operation of the virtual machine instances. Generally, in order to update the virtual machine monitor, the physical computing device needs to be rebooted, which interrupts operation of the virtual machine instances. The live update process provides for a method of updating the virtual machine monitor without rebooting the physical computing device.