Field
The innovations herein pertain to computer virtualization, computer security and/or data isolation.
Description of Related Information
Separation kernels/hypervisors have been used to provide secure isolation between multiple instances of guest operating systems running within a single computer system. Memory and CPU usage are strictly isolated, and mechanisms exist for sharing storage devices. However, sharing of the keyboard, mouse, and especially the video display has been a problem. Assigning separate physical devices to separate guests is impractical in many instances, for example, laptop computer systems have only a single display and keyboard. Previous approaches to the problem have used networked display protocols such as Remote Desktop Protocol or VNC connected via virtual network interfaces to a separate guest OS instance that contains the server for the remote display protocol and actually owns the mouse, keyboard, and video. These approaches do not provide isolation of display data, since all data is displayed by a single application in the remote server.
Consistent with certain aspects of the present disclosure, systems and methods herein may include innovations such as aspects wherein the memory used for display data is part of the virtual machine itself and is therefore isolated from access by other virtual machines by the hardware protection mechanisms of the computer system and the information flow control policies implemented in the Separation Kernel Hypervisor.