1. Field of the Invention
The present invention is related to virtualization technology, and more particularly, to implementing a security domain in a Virtual Environment.
2. Description of the Related Art
The industry trend of virtualization and isolation of computer system resources presents two major challenges—virtualization at the software level and virtualization at the hardware level. A Virtual Machine (VM) is a type of isolated Virtual Environment, and multiple VMs can run on the same physical machine simultaneously. Each VM instance has its own set of software components and uses hardware modules of the physical machine where the VM resides.
Typically, there are multiple VMs created on a host operating system. In such a system, some resources of the host operating system can be isolated and allocated for running each of the VMs. An example of this type of system is a computing environment provided by VMware™. The VMware™ solution provides standardized isolated secured computing environments. This product is typically used as an enterprise-level solution, where a number of VMware™ Virtual Machines are distributed throughout the computer system. However, the VMware™ solution does not provide adequate support for using system hardware for support and acceleration of the VMs.
Virtualization allows running a number of VMs on the same physical machine. Examples of conventional virtualization solutions are virtual systems by VMWARE, Parallels Software International, Inc., MICROSOFT VIRTUAL SERVER, MICROSOFT TERMINAL SERVER, CITRIX, VIRTUOZZO by PARALLELS, XEN systems by XENSOURCE, SOLARIS Zones, etc. All of these systems, however, provide only limited support for low-level (i.e., hardware) virtualization.
With Virtual Machine (VM) technology, a user can create and run multiple virtual environments on a physical server at the same time. Each virtual environment (such as a VM) requires its own operating system (OS) and can run applications independently. The VM software provides a layer between the computing, storage, and networking hardware and the software that runs on it.
When an application is executed inside the Virtual Environment (such as a VM or a container), it is not clear whether the application is secure and will not cause any damage to the Host OS. A trusted boot can be used for tracking security in the Virtual Environment. However, this requires loading special modules into the Guest system, and these modules take a long time to detect potentially dangerous activity. Meanwhile, a user cannot be assured that the Host and/or Guest system is not compromised.
Therefore, it is desirable to have a security domain of objects in a Virtual Environment that can be verified to be clean and temporarily protected for as long as the security domain exists.