As more and more computing applications are implemented in distributed environments, where a variety of diverse platforms at which application components run may be accessed via the Internet or other networks, security and resource footprint size are increasingly important concerns. These concerns may be particularly significant in various types of virtualized computing environments, and also in environments in which lightweight or portable devices (e.g., devices which form the “Internet of things”) with small memory capacities and/or limited computational capacities are employed.
The advent of virtualization technologies for commodity hardware has provided benefits with respect to managing large-scale computing resources for many customers with diverse needs, allowing various computing resources to be efficiently and securely shared by multiple customers. For example, virtualization technologies may allow a single physical virtualization host to be shared among multiple users by providing each user with one or more “guest” virtual machines hosted by the single virtualization host. Each such virtual machine may represent a software simulation acting as a distinct logical computing system that provides users with the illusion that they are the sole operators of a given hardware computing resource. Instantiating several different virtual machines on the same host may also help increase the overall hardware utilization levels at a data center, leading to higher returns on investment.
A respective virtualization manager, which may for example include an administrative virtual machine instance and/or a hypervisor, may be installed on each virtualization host in various virtualization environments. The virtualization manager may be responsible, among other tasks, for starting/stopping guest virtual machines on the hosts on behalf of customers, acting as the intermediary between the guest virtual machines and various hardware components of the host and the network, collecting metrics pertaining to the guest virtual machines, and enforcing security rules. From the perspective of the operator of the virtualization environment, the resources consumed by the virtualization manager (e.g., host CPU cycles, host memory, etc.) may tend to limit the number of guest virtual machines that can be instantiated on a host, and thereby reduce the operator's monetization level for the host hardware and associated infrastructure. In addition, in at least some cases administrative operations performed by the virtualization manager to support the guest virtual machines may have a tendency to interfere with the performance of time-sensitive customer applications. For obvious reasons, the operator of a virtualized computing service may need to ensure that the opportunities for intruders (or malicious software introduced into guest virtual machines) to compromise the applications of legitimate users of virtualization hosts is minimized. As such, designing a virtualization manager that efficiently meets the security and functional requirements of modern virtualization environments may represent a nontrivial challenge. Similar security and resource usage limitation requirements may also apply to various other computing devices and environments, including wearable computing devices, smart phones, environmental sensors and the like.
While embodiments are described herein by way of example for several embodiments and illustrative drawings, those skilled in the art will recognize that embodiments are not limited to the embodiments or drawings described. It should be understood, that the drawings and detailed description thereto are not intended to limit embodiments to the particular form disclosed, but on the contrary, the intention is to cover all modifications, equivalents and alternatives falling within the spirit and scope as defined by the appended claims. The headings used herein are for organizational purposes only and are not meant to be used to limit the scope of the description or the claims. As used throughout this application, the word “may” is used in a permissive sense (i.e., meaning having the potential to), rather than the mandatory sense (i.e., meaning must). Similarly, the words “include,” “including,” and “includes” mean including, but not limited to. When used in the claims, the term “or” is used as an inclusive or and not as an exclusive or. For example, the phrase “at least one of x, y, or z” means any one of x, y, and z, as well as any combination thereof.