Computing clouds are increasingly used to provide computing services to client devices. A computing cloud could be used by an organization to provide computing services to internal users of that organization and/or to external users and organizations. In a conventional computing cloud, multiple computing nodes are connected together in a network, and each computing node can execute a “hypervisor.” A hypervisor is software and/or hardware that is used to create and manage virtual machines. Each hypervisor supports a virtualization layer, and one or more virtual machines can be executed within the virtualization layer by each computing node. A virtual machine could include an operating system (referred to as a “guest” operating system) and one or more additional software applications that provide desired functionality. It is possible for a single computing node in a computing cloud to execute one or more virtual machines, including multiple virtual machines associated with different guest operating systems.
As is typical with computing clouds, specific virtual machines are not usually bound to particular computing nodes. Rather, each time a client device requests execution of a specific virtual machine, a computing node with adequate resources within the computing cloud could be selected to execute that specific virtual machine.
Security is a constant concern in cloud computing environments. For example, a malicious actor that gains the ability to execute code in a conventional hypervisor or management software of a computing node could obtain a complete image of a virtual machine. The malicious actor could then deploy the copied image of the virtual machine to another environment and reverse-engineer applications or exploit data in the virtual machine as the virtual machine is executing in the other environment.
In one conventional non-cloud-based approach, a software protection program is used in conjunction with an encrypted software application installed on a computing device. The software protection program performs cryptographic operations using data associated with the hardware, software, and physical environment of the computing device to generate a cryptographic key. The cryptographic key is then used to decrypt the software application as the software application is loaded into the memory of the computing device. While effective, this approach is highly restrictive since it binds the software application to a specific machine and prevents execution of the software application on a different machine. This approach is impractical in a cloud computing environment where the computing node that executes a specific virtual machine routinely changes.