Virtual machines enable a host computer to run multiple application environments or operating systems on the same computer simultaneously. The host computer allots a certain amount of the host's resources to each of the virtual machines. Each virtual machine is then able to use the allotted resources to execute applications, including operating systems. The virtual machine virtualizes the underlying hardware of the host computer or emulates hardware devices, making the use of the virtual machine transparent to the operating system or the user of the computer.
In the virtual PC environment, PC hardware is shared among multiple partitions or virtual machines. In such an execution environment, the primary O/S (i.e., the O/S hosting each of the virtual machines) typically owns the graphics hardware and, accordingly, the desktop buffer composition process. The desktop buffer composition process determines which virtual machine output is displayed on the screen at any one time. Because each virtual machine believes that it has complete control over the host machine, each virtual machine may output to its own virtual desktop buffer. To bring the pixels produced by the virtual machines to the graphics subsystem, the primary O/S is given access to these virtual desktop buffers. Giving the primary O/S this access puts at risk the confidentiality of the video data generated by other partitions. This is particularly undesirable if one of these partitions is running a secure O/S.
For example, a malicious user may desire to record the video output of one or more virtual machines executing on a host. Because the desktop compositing process of the primary O/S is given access to the virtual machine desktop buffer in order to composite the final image for the display, the malicious user can modify the compositing process to access sensitive information rendered onto a virtual desktop buffer that belongs to another partition. The malicious user could then generate a movie comprising the displayed activity of any given virtual machine, or even modify screen content to mislead users into making incorrect decisions.