1. Field of the Invention
The present invention relates to a computer readable storage medium, computer apparatus, and method for securely managing the execution of screen rendering instructions in a host operating system and virtual machine to improve the state of security of a virtualized environment.
2. Description of the Related Art
Recently, the use of a virtualized environment on a personal computer (PC) has become more common. Virtualization applications are provided for PCs, and operating systems (OSs) ship with a virtualized environment installed. It is expected that opportunities for end users to use a virtualized environment on a PC will increase in the future. An outline of virtualization in a PC is given below.
FIG. 10 shows a PC 200 (real machine) in which a host based virtualized environment is constructed. The PC 200 (real machine) is provided with hardware 202 and a host OS 204 installed on the hardware 202, and various applications are installed on the host OS 204. A virtual machine 400 can be referred to as one application operating on the host OS 204. The virtual machine 400 is provided with a common platform 401 and a virtual hardware area 402. The virtual hardware area 402 is a functional part which emulates hardware (such as a CPU, a hard disk, BIOS, NIC, a keyboard and a mouse) of the real machine, and a user can install an OS (guest OS 404) different from the host OS 204 onto the virtual hardware area 402.
FIG. 11 shows a state in which a window screen 2000 of the virtual machine 400 is displayed on an upper layer of a host OS screen 1000 of the real machine 200. The OS screen of the guest OS 404 installed on the virtual machine 400 is displayed in the window screen 2000 of the virtual machine 400. The user can use two different OS environments at the same time, switching between the two OS screens displayed on one display.
One purpose of a virtual machine is to allow an application which operates only on an old-version OS to operate on the latest host OS. For example, when the host OS 204 of the real machine does not support the operation of applications D and E, the user can use the applications D and E by installing them on the guest OS 404 (old-version OS) of the virtual machine 400. In response to an instruction issued from the application D or E, the guest OS 404 attempts to control the virtual hardware area 402 as if it were real hardware. The virtual machine 400 translates a hardware control instruction issued from the guest OS 404 into a format compatible with the real machine and passes it to the host OS 204. As a result, it becomes possible for the applications D and E, which are not compatible with the host OS 204 on the real machine, to control the hardware 202 of the real machine. Undoubtedly, the technique of virtualization in a PC improves convenience for users as described above. On the other hand, however, the virtualization technique causes complications for administrators for the following reasons.
Many companies require PCs used by employees to have a security application resident thereon in order to make the employees observe a security policy. With regard to this point, Japanese Patent Laid-Open No. 2007-287078 (JP2007-287078A), also published as U.S. Pat. No. 7,624,427, discloses a program which judges in real time the need for personal information management for data outputted from an application and, on the basis of the result of the judgment, continues, discontinues or modifies processing by the application. Such a security application controls file access and network access by an application operating on an OS in accordance with a security policy. However, when the security application is applied to a virtualized environment, the problem described below with respect to FIG. 12 occurs.
FIG. 12 shows a state in which a security agent 500, which is a conventional-type security application, has been introduced into the host OS of a real machine provided with a virtual machine environment. The security agent 500 is configured such that it includes an access control section 502 monitoring accesses related to a predetermined process or object on the basis of a security policy, a log monitoring section 504 recording a monitoring log, and the like. The access control section 502 is a function part which controls file access and network access by an application on the basis of an access control list defined in accordance with the security policy. If it is defined in the security policy that the use of “Application A” is prohibited, an API hooking means provided for the access control section 502 hooks file access or the like from “Application A” operating on the host OS 204 and returns an error thereto.
On the other hand, if the use of the virtual machine 400 is permitted by the security policy, the access control list of the access control section 502 is defined so that file access and the like from the virtual machine 400 are permitted. Here, a problem occurs when “Application A” is installed on the guest OS 404 of the virtual machine 400. In this case, file access from “Application A”, which originally should be prohibited, passes through the access control section 502. This happens because the access control section 502 cannot distinguish between file access from “Application A” operating on the guest OS 404 and file access from “Application D” or “Application E”; recognizing all of them as file accesses from the virtual machine 400 (one of the applications operating on the host OS 204), it permits the access on the basis of the access control list.
Of course, this problem would be solved if the same security agent 500 installed on the host OS 204 were also installed on the guest OS 404. Unfortunately, the problem is not so simple. Even if an administrator compulsorily installs the security agent 500 on the guest OS 404 side, a user can easily uninstall it under his own authority, and an administrator who has no authority over the virtual machine environment cannot learn that the security agent 500 has been uninstalled from the virtual machine. Therefore, in the present situation, all that the administrator can do is to request the user to introduce the security agent, leaving what to do to the user's conscience. That is, in the present situation, a virtual machine environment is a black box which an administrator cannot control, which increases security risks.
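The following is an added illustration, not code from the patent or from any product it describes, of the access-control behaviour discussed above: a host-side hook consults an access control list keyed only by the host process it can observe, so every guest application collapses into the permitted virtual machine entry, and an audit helper shows which permitted accesses the administrator can attribute only to the virtual machine. The ACL entries, the default decision and the process names are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed ACL, keyed by the process name the host-side API hook observes.
# Policy from the text: "Application A" prohibited, the virtual machine permitted.
ACL: Dict[str, str] = {"Application A": "deny", "Virtual Machine": "permit"}
DEFAULT_DECISION = "permit"  # assumption: host processes not listed are permitted
VM_PROCESS = "Virtual Machine"  # assumed name of the virtual machine's host process


@dataclass(frozen=True)
class FileAccess:
    """One file access as it arrives at the hook on the host OS."""
    host_process: str                      # the only originator the host hook can see
    path: str = ""
    guest_process: Optional[str] = None    # real originator inside the guest OS;
                                           # carried here for the reader, never consulted


def guest_access(guest_process: str, path: str) -> FileAccess:
    """A file access from any guest application reaches the host as the VM process."""
    return FileAccess(host_process=VM_PROCESS, path=path, guest_process=guest_process)


def host_hook_decision(acl: Dict[str, str], request: FileAccess,
                       default: str = DEFAULT_DECISION) -> str:
    """Decision of the access control section: only host_process is looked up,
    so guest_process cannot influence the result even when it names a banned app."""
    return acl.get(request.host_process, default)


def unattributable_accesses(requests: List[FileAccess],
                            acl: Dict[str, str] = ACL) -> List[FileAccess]:
    """Audit helper: permitted accesses whose only host-visible originator is the VM.
    These are the accesses the administrator cannot tie to a guest application."""
    return [r for r in requests
            if r.host_process == VM_PROCESS and host_hook_decision(acl, r) == "permit"]


if __name__ == "__main__":
    sample = [FileAccess("Application A", "secret.xls"),            # host-side: denied
              guest_access("Application A", "secret.xls"),          # guest-side: slips through
              guest_access("Application D", "report.doc")]          # legitimate guest app
    for req in sample:
        print(req.host_process, req.guest_process, req.path, "->",
              host_hook_decision(ACL, req))
    print("unattributable:", len(unattributable_accesses(sample)))
```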