US 2013/0247133 A1

(19) United States
(12) Patent Application Publication    (10) Pub. No.: US 2013/0247133 A1
Price et al.    (43) Pub. Date: Sep. 19, 2013

(54) SECURITY ASSESSMENT OF VIRTUAL MACHINE ENVIRONMENTS

(52) U.S. Cl.
    USPC ........................................ 726/1; 726/25

(75) Inventors: Michael Price, Las Condes (CL); Anthony Bettini, San Francisco, CA (US)

(73) Assignee: McAfee, Inc.

(21) Appl. No.: 13/272,484

(22) Filed: Oct. 13, 2011

Publication Classification

(51) Int. Cl.
    G06F 21/00 (2006.01)

(57) ABSTRACT

Each virtual machine in a set of virtual machines managed by the virtual machine manager is identified. For each virtual machine in the set, it is determined whether the respective virtual machine is online. For at least the virtual machines determined to be offline, a machine image is collected for each offline virtual machine. Security of the offline virtual machines is assessed from the collected images. For virtual machines identified as online, an agent is loaded on each online virtual machine in the set via the virtual machine manager. The loaded agents are used to assess security of the online virtual machines in the set.
`
[Front-page figure, FIG. 1: system 100 with security server 105, network 110, real system 115, virtual machines 120 hosted in server pool 125, virtual machine manager 130, client device 135, and result data 140.]
WIZ, Inc. EXHIBIT - 1048
WIZ, Inc. v. Orca Security LTD.
`
[Sheet 1 of 8, FIG. 1: simplified schematic, the same drawing as on the front page; labels: security server, network, real system, virtual machine manager, server pool, virtual machines, result data.]
[Sheet 2 of 8, FIG. 2: block diagram of system 200. Security tool 205 comprises processor 210, memory 215, real machine security 220, virtual machine security 225 (with VMM access engine 280, machine image reader 282 and agent manager 285), task manager 230, reporting engine 235 and element 240. Virtual machine manager 245 comprises processor 270, memory 272 and API 275, and manages virtual machine 1 (250, image 288), virtual machine 2 (255, image 290), virtual machine 3 (260, image 292) and virtual machine 4 (265, image 295).]
[Sheet 3 of 8, FIG. 3A: system 300a with security server 305, virtual machines 1-4 (310, 315, 320, 325), and virtual machine manager 330 returning virtual machine data 335 over 340 and 345. Legend: dashed outline = OFFLINE, solid outline = ONLINE.]
[Sheet 4 of 8, FIG. 3B: system 300b. Security server 305 loads agent 350 on virtual machine 2 (315) and agent 355 on virtual machine 3 (320), the online machines, through virtual machine manager 330 (340, 345). Legend: dashed outline = OFFLINE, solid outline = ONLINE.]
[Sheet 5 of 8, FIG. 3C: system 300c. Result data 360 and 365 produced by agents 350 and 355 on the online virtual machines are returned through virtual machine manager 330 (340, 345) to security server 305. Legend: dashed outline = OFFLINE, solid outline = ONLINE.]
[Sheet 6 of 8, FIG. 4: system 400. Machine images 405 and 410 of the offline virtual machines are collected by security server 305 through virtual machine manager 330 (345); virtual machines 1-4 (310, 315, 320, 325). Legend: dashed outline = OFFLINE, solid outline = ONLINE.]
[Sheet 7 of 8, FIG. 5: example screenshot of a browser window (505) titled "Reports: Vulnerabilities By IP Report", page 1 of 1. Recoverable report content:]

Vulnerabilities By IP
DNS Name: [Unknown] | 123.456.7.8 | [[Unknown]]
Criticality: None

510: (VIX) (MS 10-066) Vulnerability In Remote Procedure Call Could Allow Remote Code Execution (982802) -- MEDIUM

515 Description: An unauthenticated remote code execution vulnerability exists in Microsoft Windows.

520 Response From System:

| Virtual machine (.vmx) | Guest OS | Service pack | File | File version found | Fixed file version |
|---|---|---|---|---|---|
| [ha-datacenter/datastore1] Microsoft Windows XP SP3 x86 00/Microsoft Windows XP SP3 x86 00.vmx | Microsoft Windows Server 2003 | not_set | C:\WINDOWS\system32\rpcrt4.dll | 5.2.432.1 | 5.2.432.123 |
| [ha-datacenter/datastore1] Microsoft Windows XP SP3 x86/Microsoft Windows XP SP3 X86.vmx | Microsoft Windows XP | Service Pack 3 | C:\WINDOWS\system32\rpcrt4.dll | 5.1.567.8 | 5.1.567.123 |

525 Recommendation: The vendor has released an update to address this issue http://www.microsoft.com/technet/security/bulletin/ms10-066.
[Sheet 8 of 8, FIG. 6: simplified flowchart of example operations.]

605  Identify a virtual machine manager managing a particular set of virtual machines in a plurality of virtual machines.
610  Identify each virtual machine in the particular set of virtual machines.
615  For each virtual machine in the set: is the virtual machine online?
     NO:  Collect machine image data of the virtual machine via the virtual machine manager.
          Assess virtual machine security using the collected machine image.
          Collect result data from the security assessment.
     YES: Load an agent onto the virtual machine via the virtual machine manager API.
          Perform the security assessment on the virtual machine using the agent.
          Collect result data from the security assessment.
(Reference numerals 620, 625, 630, 635, 640 and 645 label the boxes on the two branches.)
SECURITY ASSESSMENT OF VIRTUAL MACHINE ENVIRONMENTS

TECHNICAL FIELD

[0001] This disclosure relates in general to the field of computer security and, more particularly, to performing security tasks on virtual machines.

BACKGROUND

[0002] The Internet has enabled interconnection of different computer networks all over the world. The ability to effectively protect and maintain stable computers and systems, however, presents a significant obstacle for component manufacturers, system designers, and network operators. This obstacle is made even more complicated due to the continually-evolving array of tactics exploited by malicious software authors. Malicious software authors create malicious software ("malware") to disrupt or stop computer operations, steal information, gain unauthorized access to system resources, and conduct other unauthorized abusive, hostile, intrusive, or annoying activities. Malware continues to evolve, with new malware objects being developed, potentially exposing computers and systems, every day.

[0003] System administrators and security product providers have developed a number of malware detection, security assessment, firewall, and security policy enforcement tools, and other security products for monitoring, scanning, and protecting computing systems against malware, viruses, and other threats. As security products mature to more satisfactorily meet the challenges present in more traditional personal computing and enterprise computing environments, the ways in which computing assets are accessed and used evolve, introducing new challenges for security administrators and product and service providers. For instance, cloud computing has emerged as a popular alternative to maintaining a dedicated set of hard computing assets, allowing individuals and enterprises to access supplemental and scalable computing assets temporarily and on-demand. The use of virtual environments realized using cloud computing infrastructure is also expanding, including the use of virtual machines in cloud and server pool environments that can be selectively turned "on" as needed in connection with the temporary scaling up of a particular computer system or a user's computing needs.

BRIEF DESCRIPTION OF THE DRAWINGS

[0004] FIG. 1 is a simplified schematic diagram of a system including a plurality of virtual resources and a virtual machine manager in accordance with one embodiment;

[0005] FIG. 2 is a simplified block diagram of an example system including an example security tool for performing one or more security tasks relating to virtual resources in accordance with one embodiment;

[0006] FIGS. 3A-3C illustrate examples of performing example security tasks on virtual resources in accordance with at least some embodiments;

[0007] FIG. 4 illustrates other examples of performing example security tasks on virtual resources in accordance with at least some embodiments;

[0008] FIG. 5 illustrates an example screenshot of an example security tool used in performing one or more security tasks relating to virtual resources in accordance with one embodiment; and

[0009] FIG. 6 is a simplified flowchart illustrating example operations associated with at least some embodiments of the system.

[0010] Like reference numbers and designations in the various drawings indicate like elements.

DETAILED DESCRIPTION OF EXAMPLE EMBODIMENTS

Overview

[0011] In general, one aspect of the subject matter described in this specification can be embodied in methods that include the actions of identifying each virtual machine in a set of virtual machines managed by a virtual machine manager. It can be determined, for each virtual machine in the set, whether the respective virtual machine is online. A machine image can be collected for each virtual machine in the set via the virtual machine manager. Security of the offline virtual machines can be assessed from the collected images.
[0012] In another general aspect of the subject matter described in this specification, a system can include a memory element storing data, a processor operable to execute instructions associated with the stored data, and a security assessment module. The security assessment module can be configured to identify each virtual machine in a set of virtual machines managed by a particular virtual machine manager, determine, for each virtual machine in the set of virtual machines, whether the respective virtual machine is online, load, via an API of the virtual machine manager, an agent on each virtual machine in the set of virtual machines determined to be online, and use the agent to assess security of the at least one online virtual machine.

[0013] These and other embodiments can each optionally include one or more of the following features. A query can be sent to the virtual machine manager for information for the set of virtual machines. Identification data can be received from the virtual machine manager identifying each virtual machine in the set of virtual machines in response to the query. The identification data can include identification, for each virtual machine in the set of virtual machines, of whether the virtual machine is online. At least one of the query or identification data can be communicated over an API of the virtual machine manager. The machine images of offline virtual machines in the set can be sent via an API of the virtual machine manager. An agent can be loaded, via an API of the virtual machine manager, on at least one online virtual machine in the set. The agent can be used to assess security of the at least one online virtual machine. Result data can be collected that reports results of the security assessment of the at least one online virtual machine, and the result data can be collected from the agent over the API of the virtual machine manager. The agent can be removed automatically at conclusion of the security assessment of the at least one online virtual machine. The set can be a subset of the plurality of virtual machines managed by the virtual machine manager and the set can include less than all of the plurality of virtual machines.

[0014] Further, these and other embodiments can each optionally include one or more of the following features. Result data can be collected from the security assessment of the offline virtual machines. The offline virtual machines can include a plurality of offline virtual machines and the result data can describe virtual-machine-specific security conditions for each of the plurality of offline virtual machines. A virtual-machine-specific report can be generated for each of
the plurality of offline virtual machines based at least in part on collected result data. Assessing security of the offline virtual machines from the collected images can include reading each image file to identify security characteristics of each virtual machine in the offline virtual machines. Assessing security of the offline virtual machines from the collected images can include simulating operation of each offline virtual machine based on data in the corresponding image of the respective virtual machine. The plurality of virtual machines can be firewalled. A security assessment tool can be authenticated at the virtual machine manager. The security assessment of the offline virtual machines can include remedying at least one of a security vulnerability or policy violation detected for a particular one of the offline virtual machines before the particular virtual machine resumes online operation. The security assessment module can collect, for each virtual machine in the set determined to be offline, a machine image of the virtual machine via the particular virtual machine manager, and assess security of the offline virtual machines from the collected machine images.

[0015] Some or all of the features may be computer-implemented methods or further included in respective systems or other devices for performing this described functionality. The details of these and other features, aspects, and implementations of the present disclosure are set forth in the accompanying drawings and the description below. Other features, objects, and advantages of the disclosure will be apparent from the description and drawings, and from the claims.
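The assessment flow that the overview above describes, and that the FIG. 6 flowchart lays out, as an added worked example in Python (this is not the patent's or McAfee's code). It runs against a simulated virtual machine manager: the inventory query with online/offline identification, image-based assessment for offline machines, agent load/run/remove for online machines, collection of result data and a per-VM report. The check performed on each guest compares installed file versions with fixed versions, in the shape of the FIG. 5 "Response From System" rows. FakeVMM and its methods, the VM names, guest operating systems, file path and version numbers are all constructed assumptions for the example.

```python
"""Security assessment of a VMM-managed set of virtual machines.

Added example, not the patent's own code. The hypervisor, its inventory,
the machine images and the agent are in-memory stand-ins (FakeVMM); a
real deployment would call the hypervisor's management API instead.
"""
from dataclasses import dataclass

# Minimum fixed file versions per guest OS. File path and version numbers
# follow the sample report in FIG. 5 and are constructed values.
ADVISORY = ("(MS 10-066) Vulnerability In Remote Procedure Call Could Allow "
            "Remote Code Execution (982802)")
RPC = r"C:\WINDOWS\system32\rpcrt4.dll"
FIXED_VERSIONS = {
    ("Microsoft Windows Server 2003", RPC): "5.2.432.123",
    ("Microsoft Windows XP", RPC): "5.1.567.123",
}


@dataclass
class VirtualMachine:
    name: str
    online: bool
    guest_os: str
    files: dict            # path -> installed file version
    agent_loaded: bool = False


class FakeVMM:
    """Stand-in for a virtual machine manager and its management API."""
    def __init__(self, vms):
        self._vms = {vm.name: vm for vm in vms}

    def query_inventory(self):
        # Identification data: each VM in the set and whether it is online.
        return [(vm.name, vm.online) for vm in self._vms.values()]

    def read_image(self, name):
        # Offline path: the machine image is read without booting the guest.
        vm = self._vms[name]
        if vm.online:
            raise RuntimeError(f"{name} is online; assess it through an agent")
        return {"guest_os": vm.guest_os, "files": dict(vm.files)}

    def load_agent(self, name):
        vm = self._vms[name]
        if not vm.online:
            raise RuntimeError(f"{name} is offline; assess it from its image")
        vm.agent_loaded = True

    def run_agent(self, name):
        vm = self._vms[name]
        if not vm.agent_loaded:
            raise RuntimeError(f"no agent loaded on {name}")
        return {"guest_os": vm.guest_os, "files": dict(vm.files)}

    def remove_agent(self, name):
        self._vms[name].agent_loaded = False

    def agents_loaded(self):
        return [n for n, vm in self._vms.items() if vm.agent_loaded]


def parse_version(text):
    return tuple(int(part) for part in text.split("."))


def assess_guest(guest_os, files):
    """Compare installed file versions with the fixed versions; return findings."""
    findings = []
    for path, installed in files.items():
        fixed = FIXED_VERSIONS.get((guest_os, path))
        if fixed and parse_version(installed) < parse_version(fixed):
            findings.append({"advisory": ADVISORY, "file": path,
                             "installed": installed, "fixed": fixed})
    return findings


def assess_set(vmm):
    """FIG. 6 flow: image-based assessment offline, agent-based assessment online."""
    results = {}
    for name, online in vmm.query_inventory():
        if online:
            vmm.load_agent(name)
            try:
                guest = vmm.run_agent(name)
            finally:
                vmm.remove_agent(name)      # agent removed at conclusion
            method = "agent"
        else:
            guest = vmm.read_image(name)
            method = "image"
        results[name] = {"method": method, "guest_os": guest["guest_os"],
                         "findings": assess_guest(guest["guest_os"], guest["files"])}
    return results


def report(results):
    """Per-VM report lines, one block per virtual machine."""
    lines = []
    for name, res in results.items():
        state = "VULNERABLE" if res["findings"] else "no findings"
        lines.append(f"{name} [{res['method']}] {res['guest_os']}: {state}")
        for f in res["findings"]:
            lines.append(f"  {f['file']} {f['installed']} < {f['fixed']}  {f['advisory']}")
    return "\n".join(lines)


# Constructed inventory matching FIGS. 3A-4: VMs 1 and 4 offline, 2 and 3 online.
SAMPLE_VMM = FakeVMM([
    VirtualMachine("VIRTUAL MACHINE 1", False, "Microsoft Windows Server 2003", {RPC: "5.2.432.1"}),
    VirtualMachine("VIRTUAL MACHINE 2", True, "Microsoft Windows XP", {RPC: "5.1.567.8"}),
    VirtualMachine("VIRTUAL MACHINE 3", True, "Microsoft Windows XP", {RPC: "5.1.567.123"}),
    VirtualMachine("VIRTUAL MACHINE 4", False, "Microsoft Windows Server 2003", {RPC: "5.2.432.123"}),
])

if __name__ == "__main__":
    print(report(assess_set(SAMPLE_VMM)))
```

Run directly, the script prints the report for the constructed inventory: machines 1 and 2 carry the older file version and are flagged, 3 and 4 are clean, and no agent remains loaded afterwards. The try/finally around the agent run is what gives the "agent removed automatically at conclusion" property the overview asks for, even when the assessment itself raises.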

Example Embodiments

[0016] FIG. 1 is a simplified block diagram illustrating an example embodiment of a computing system 100 including one or more security tools 105 adapted to perform one or more computer security tasks on computing assets and appliances, including scans in connection with policy compliance, vulnerability assessment, malware protection, and other security services. In some instances, security tasks can be performed using security tool 105 on remote assets and appliances over one or more networks 110, including "real" (i.e., non-virtual) system assets and appliances (e.g., at 115) and virtual assets and appliances, such as virtual machines 120 hosted by servers in a server pool 125, such as a cloud computing system. One or more virtual machine managers (e.g., 130) can be provided in connection with hosts of virtual assets and appliances and can provide administrators and customers with interfaces for deploying, maintaining, and otherwise managing virtual machines hosted within the server pool or cloud environment. Additionally, one or more client computing devices (e.g., 135) can be provided and adapted to communicate with other devices in the system 100, for instance, over network 120.

[0017] Security server 105 can perform one or more computer security tasks on one or more local and/or remote computing devices and systems to assist in securing customer computing devices from threats and enforcing security policies. For instance, security server 105 can serve or otherwise provide one or more software-based security tools including vulnerability assessment tools, malware detection tools, malware removal tools, firewall management tools, policy compliance tools, policy enforcement tools, among other examples. Result data 140 can be generated from security tasks performed using security server 105 and related tools. Such result data 140 can provide detailed information describing conditions and context for various issues, alerts, scans, and other results generated during one or more security tasks to assist administrator users in understanding security conditions of their machines and systems.

[0018] Security server 105 can perform one or more computer security tasks on local computing assets, including computer devices, software, and peripherals. Indeed, in some instances, security server 105 can comprise a software-based security tool installed on one or more computing devices, including personal computing devices. In other instances, security server 105 can perform computer security tasks on remote computing devices and assets. In some instances, security server 105 can include multiple server devices providing computer security services to multiple customers and computing devices. Security tasks can be performed on real computing systems and assets (e.g., assets of system 115), including computing assets including real hardware and accompanying software executed using the hardware. In addition to performing tasks on real computing infrastructure and assets, security server 105 can also be used to perform security tasks on virtual computing infrastructure, such as virtual appliances (e.g., 120) hosted on one or more local and/or remote computing devices, such as computing devices in a cloud computing environment or on-demand server pool (e.g., system 125).
[0019] In some instances, virtual computing infrastructure can be provided or hosted, for example, in cloud computing environments, including by cloud computing providers such as Amazon Web Services, Citrix Xen systems, or the Google App Engine, among many others. Alternatively, such virtual infrastructure can also (or alternatively) be hosted within an entity's direct or extended premises and computing pools using solutions such as VMware's ESX, Microsoft's Hyper-V, Citrix's Xen, among many others. Computing applications, software systems and other assets, including enterprise applications and software systems, are increasingly being moved to virtual infrastructure, mostly for economic reasons. Virtual infrastructure and virtual appliances can be implemented as virtual machines. Virtual machines can include software implementations or virtualizations of a physical machine (i.e., computing device) executing particular operating systems (i.e., guest operating systems) and applications as if it were a real, physical computer. Virtual machines can be isolated software containers, operating independent of other virtual machines. Such isolation can assist in realizing virtual-machine-based virtual environments that can execute applications and provide services with availability, flexibility, and security, in some cases, surpassing those on traditional, non-virtualized systems. Virtual machines can encapsulate a complete set of virtual hardware resources, including an operating system and all its applications, inside a software package. Encapsulation can make virtual machines quite portable and manageable. Indeed, virtual machines can be hardware-independent, and can be portably provisioned and deployed on one of multiple different computing devices, operating systems, and environments. Indeed, depending on the availability of computing devices within a cloud environment (e.g., 125), a particular virtual machine 120 can be provisioned on any one (or multiple) of the devices included in cloud environment 125.

[0020] In some instances, a virtual machine manager 130 can be provided in connection with a cloud computing system (e.g., 125) (or other system hosting virtual infrastructure). Virtual machine managers 130, or hypervisors, can be implemented as software- and/or hardware-based tools used in the
virtualization of hardware assets (i.e., as virtual machines 120) on one or more host computing devices (e.g., system 125). A virtual machine manager 130 can be used to run multiple virtual machines (e.g., 120), including virtual machines with different guest operating systems, on one or more host computers (e.g., 125). The virtual machine manager 120 can provide a shared virtual operating platform for multiple virtual appliances and guest operating systems and enable a plurality of different virtual machines (and guest operating systems) to be instantiated and run on computing devices and hardware hosting virtual infrastructure. Further, virtual machine managers 130, in some instances, can be run natively, or as "bare metal," directly on host computing devices' hardware to control the hardware and to manage virtual machines provisioned on the host devices. In other instances, "hosted" virtual machine managers 130 can be provided that are run within the operating system of another host machine, including conventional operating system environments.

[0021] Virtual machine managers 130 can also provide multiple interfaces, including interfaces for providing cloud computing (or infrastructure virtualization) as a service (e.g., IaaS). Virtual machine manager 130 interfaces can include interfaces and application programming interfaces (APIs) that can provide operations and access, including guest management, offline registry access, virtual disk access, and other features of virtual machines that may be running or accessible through a particular virtualization host environment. As an example, a virtual machine manager associated with VMware(TM) virtualization tools can include such interfaces as the VIX API and VDDK API, among others. Further, virtual machine manager-provided interfaces can be leveraged, in some instances, in connection with the performance of computer security tasks on virtual machines and guest operating services hosted on computing devices in a corresponding virtualization environment (e.g., 125), to allow outside security tools (e.g., 105) access to firewalled and other protected virtualized appliances and resources.

[0022] In general, "servers," "clients," "computers," and "computing devices" (e.g., 105, 115, 125, 130, 135) can comprise electronic computing devices operable to receive, transmit, process, store, or manage data and information associated with the software system 100. As used in this document, the term "computer," "computing device," "processor," or "processing device" is intended to encompass any suitable processing device. For example, the system 100 may be implemented using computers other than servers, including server pools. Further, any, all, or some of the computing devices may be adapted to execute any operating system, including Linux, UNIX, Windows Server, etc., as well as virtual machines adapted to virtualize execution of a particular operating system, including customized and proprietary operating systems.
[0023] Servers, clients, and computing devices (e.g., 105, 115, 125, 130, 135) can each include one or more processors, computer-readable memory, and one or more interfaces. Servers can include any suitable software component or module, or computing device(s) capable of hosting and/or serving software applications and other programs, including distributed, enterprise, or cloud-based software applications. For instance, application servers can be configured to host, serve, or otherwise manage web services or applications, such as SOA-based or enterprise web services, or applications interfacing, coordinating with, or dependent on other applications or services, including security-focused applications. In some instances, some combination of servers can be hosted on a common computing system, server, or server pool, and share computing resources, including shared memory, processors, and interfaces, such as in an enterprise software system serving services to a plurality of distinct clients and customers.

[0024] Computing devices (e.g., 105, 115, 125, 130, 135) in system 100 can also include devices implemented as one or more local and/or remote client or endpoint devices, such as personal computers, laptops, smartphones, tablet computers, personal digital assistants, media clients, web-enabled televisions, telepresence systems, and other devices. Client or endpoint devices (e.g., 135) can include any computing device operable to connect or communicate at least with servers, other endpoint devices, network 120, and/or other devices using a wireline or wireless connection. Each endpoint device can include at least one graphical display device and user interfaces, allowing a user to view and interact with graphical user interfaces of computer security tools and other software. In general, endpoint devices can include any electronic computing device operable to receive, transmit, process, and store any appropriate data associated with the software environment of FIG. 1. It wi
