(12) Patent Application Publication (10) Pub. No.: US 2017/0180318 A1
LUTAS et al.
(43) Pub. Date: Jun. 22, 2017

(54) DUAL MEMORY INTROSPECTION FOR SECURING MULTIPLE NETWORK ENDPOINTS

(71) Applicant: Bitdefender IPR Management Ltd., Nicosia (CY)
(72) Inventors: Dan H. LUTAS, Cluj-Napoca (RO); Daniel I. TICLE, Turda (RO); Radu I. CIOCAS, Cluj-Napoca (RO); Sandor LUKACS, Floresti (RO); Ionel C. ANICHITEI, Cluj-Napoca (RO)

(21) Appl. No.: 15/383,082

(22) Filed: Dec. 19, 2016

Related U.S. Application Data
(60) Provisional application No. 62/269,952, filed on Dec. 19, 2015.

Publication Classification

(51) Int. Cl.
H04L 29/06 (2006.01)
G06F 9/54 (2006.01)
G06F 9/455 (2006.01)

(52) U.S. Cl.
CPC ...... H04L 63/0254 (2013.01); G06F 9/45558 (2013.01); G06F 9/542 (2013.01); H04L 63/0245 (2013.01); H04L 63/0272 (2013.01); H04L 63/14 (2013.01); G06F 2009/45587 (2013.01)
(57) ABSTRACT

Described systems and methods enable protecting multiple client systems (e.g., a corporate network) from computer security threats such as malicious software and intrusion. In some embodiments, each protected client operates a live introspection engine and an on-demand introspection engine. The live introspection engine detects the occurrence of certain events within a protected virtual machine exposed on the respective client system, and communicates the occurrence to a remote security server. In turn, the server may request a forensic analysis of the event from the client system, by indicating a forensic tool to be executed by the client. Forensic tools may be stored in a central repository accessible to the client. In response to receiving the analysis request, the on-demand introspection engine may retrieve and execute the forensic tool, and communicate a result of the forensic analysis to the security server. The server may use the information to determine whether the respective client is under attack by malicious software or an intruder.

[Front-page figure: exchange between a client system and security server (14): analysis request, security alert, mitigation indicator (reference numerals 50, 52, 54, 58)]

WIZ, Inc. EXHIBIT - 1064
WIZ, Inc. v. Orca Security LTD.
`
[Sheet 1 of 8, FIG. 1: client systems (12d shown), client database (17), security server, communication network, central tool repository]
`
`
`
[Sheet 2 of 8, FIG. 2-A: client system hardware: processor (16), memory (18), input devices (20), output devices, storage devices (24), network adapter(s), controller hub (28). FIG. 2-B: security server: server processor (116), server memory (118), server storage devices (124), server network adapter(s) (126), server controller hub (128)]
`
`
`
[Sheet 3 of 8, FIG. 3-A: guest VM (32) running an application; security VM (33) containing the on-demand introspection engine and a network filter (numerals 42, 44); event handler; live introspection engine; client system hardware (numeral 46a). FIG. 3-B: guest virtual machine (32) with guest OS (numeral 46b); security VM (33); event handler; on-demand introspection engine; hypervisor (30); live introspection engine; client system (12); client system hardware (numerals 40, 10)]
`
`
`
[Sheet 4 of 8, FIG. 4, installer sequence: launch hypervisor; move executing software to guest VM; set up security VM; set up remote administrative access from security server to security VM; launch live introspection engine (step numerals 206, 208 shown)]
`
`
`
[Sheet 5 of 8, FIG. 5: tunnel request and secure tunnel between a client system and security server (14). FIG. 6: event indicator, analysis request, mitigation indicator exchanged between a client system and security server (14) (numerals 50, 52, 54, 58)]
`
`
`
[Sheet 6 of 8, FIG. 7, live introspection engine: listen for notifications (220); notification received?; notification from event handler? YES: perform light analysis of event; event worth reporting to server?; send event indicator to security server (230); resume execution of guest VM; notification from security VM?: assist on-demand introspection engine; display warning message to user]
`
`
`
[Sheet 7 of 8, FIG. 8, on-demand introspection engine: listen for analysis requests; request received?; receive instruction to access selected forensic tools; access selected forensic tools; execute selected forensic tools; transmit forensic report to security server; discard security tools/resources (step numerals 250, 252, 254, 256, 258, 262)]
`
`
`
[Sheet 8 of 8, FIG. 9, security server: listen for communication from clients (280); communication received?; comm. comprises event indicator?: log trigger event; query client database; trigger event warrants forensic analysis?: select resources and/or forensic tools according to trigger event; send analysis request to client system(s); comm. comprises forensic (label truncated): likelihood of an attack?: send mitigation indicator to client system; alert administrator and/or client system]
`
`
`
`
DUAL MEMORY INTROSPECTION FOR SECURING MULTIPLE NETWORK ENDPOINTS

RELATED APPLICATIONS

[0001] This application claims the benefit of the filing date of U.S. provisional patent application No. 62/269,952, filed on Dec. 19, 2015, entitled "Dual Memory Introspection for Securing Multiple Network Endpoints," the entire contents of which are incorporated by reference herein.

BACKGROUND

[0002] The invention relates to computer security systems and methods, and in particular to systems and methods for protecting hardware virtualization environments from computer security threats.

[0003] Malicious software, also known as malware, affects a great number of computer systems worldwide. In its many forms, such as computer viruses, worms, rootkits, and spyware, malware presents a serious risk to millions of computer users, making them vulnerable to loss of data and sensitive information, identity theft, and loss of productivity, among others.

[0004] Computer security software may be used to protect computer systems from malicious software. However, in distributed computing systems such as corporate networks and cloud computing systems, conventional security software typically does not respond well to attacks. Even when the security software is capable of detecting an attack, analysis and remediation may still require that a human operator be dispatched to the affected client system, for instance to apply a patch, recover lost data, etc. In addition, once a new threat is detected and analyzed, updated versions of the security software must be distributed promptly to all protected computer systems.

[0005] An alternative computer security system may execute on a central server computer, receiving relevant data from security clients over a communication network. The server may determine according to the received data whether the respective client is infected with malware, and may communicate a verdict to the respective client. While such configurations are better equipped to deal with emerging threats, they require substantial server-side computational power.

[0006] Computer security operations were further complicated by the advent of hardware virtualization. As more and more goods and services are traded online, and as work becomes progressively de-localized, infrastructure as a service (IaaS) has become a viable alternative to owning computer hardware. A substantial proportion of computing activities are currently conducted using virtual machines. In typical applications, such as server farms and cloud computing, hundreds of virtual machines may execute concurrently on a single hardware platform. All such virtual machines may require malware protection.

[0007] Adapting to the ever-changing nature of malicious software and to the challenges of a mobile workforce requires the development of innovative computer security systems and protocols, and especially of systems and methods enabling an efficient management of computer security operations across multiple distributed clients.

SUMMARY

[0008] According to one aspect, a client computer system comprises a hardware processor configured to execute a hypervisor, a live introspection engine, and an on-demand introspection engine. The hypervisor is configured to expose a guest virtual machine (VM) and a security VM distinct from the guest VM, wherein the on-demand introspection engine executes within the security VM, and wherein the live introspection engine executes outside of the guest and security VMs. The live introspection engine is configured, in response to detecting an occurrence of an event within the guest VM, to transmit an indicator of the event to a remote server computer system over a communication network. The on-demand introspection engine is configured, in response to the live introspection engine transmitting the indicator of the event to the remote server computer system, to receive an analysis request from the remote server computer system, the analysis request indicating a security tool residing in a remote tool repository configured to distribute security tools to a plurality of clients including the client computer system, the security tool comprising software configured to analyze the occurrence of the event, the security tool selected by the remote server computer system according to an event type of the event. The on-demand introspection engine is further configured, in response to receiving the analysis request, to identify the security tool according to the analysis request, and in response, to selectively retrieve the security tool from the tool repository, wherein retrieving the security tool comprises connecting to the central tool repository over the communication network. The on-demand introspection engine is further configured, in response to selectively retrieving the security tool, to execute the security tool and to transmit a result of executing the security tool to the remote server computer system.

[0009] According to another aspect, a server computer is configured to perform computer security transactions with a plurality of client systems. The server computer system comprises a hardware processor configured, in response to receiving an event indicator from a client system of the plurality of client systems, the event indicator indicative of an occurrence of an event within a guest VM executing on the client system, to select a security tool residing in a remote tool repository configured to distribute security tools to the plurality of client systems, the security tool comprising software configured to analyze the occurrence of the event, wherein selecting the security tool is performed according to an event type of the event. The hardware processor is further configured, in response to selecting the security tool, to transmit an analysis request to the client system over a communication network, the analysis request comprising an identifier of the security tool; and in response, to receive from the client system a result of executing the security tool on the client system. The client system is configured to execute a hypervisor, a live introspection engine, and an on-demand introspection engine. The hypervisor is configured to expose the guest VM and a security VM distinct from the guest VM, wherein the on-demand introspection engine executes within the security VM, and wherein the live introspection engine executes outside of the guest and security VMs. The live introspection engine is configured, in response to detecting the occurrence of the event, to transmit the event indicator to the server computer system. The on-demand introspection engine is configured, in response to receiving the analysis request, to identify the
security tool according to the analysis request. The on-demand introspection engine is further configured, in response to identifying the security tool, to selectively retrieve the security tool from the tool repository, wherein retrieving the security tool comprises the client system connecting to the remote tool repository over the communication network. The on-demand introspection engine is further configured, in response to retrieving the security tool, to execute the security tool to produce the result.

[0010] According to another aspect, a non-transitory computer-readable medium comprises a set of instructions which, when executed on a hardware processor of a client computer system, causes the client computer system to form a hypervisor, a live introspection engine, and an on-demand introspection engine. The hypervisor is configured to expose a guest virtual machine (VM) and a security VM distinct from the guest VM, wherein the on-demand introspection engine executes within the security VM, and wherein the live introspection engine executes outside of the guest and security VMs. The live introspection engine is configured, in response to detecting an occurrence of an event within the guest VM, to transmit an indicator of the event to a remote server computer system over a communication network. The on-demand introspection engine is configured, in response to the live introspection engine transmitting the indicator of the event to the remote server computer system, to receive an analysis request from the remote server computer system, the analysis request indicating a security tool residing in a remote tool repository configured to distribute security tools to a plurality of clients including the client computer system, the security tool comprising software configured to analyze the occurrence of the event, the security tool selected by the remote server computer system according to an event type of the event. The on-demand introspection engine is further configured, in response to receiving the analysis request, to identify the security tool according to the analysis request, and in response, to selectively retrieve the security tool from the tool repository, wherein retrieving the security tool comprises connecting to the central tool repository over the communication network. The on-demand introspection engine is further configured, in response to selectively retrieving the security tool, to execute the security tool and to transmit a result of executing the security tool to the remote server computer system.
`
BRIEF DESCRIPTION OF THE DRAWINGS

[0011] The foregoing aspects and advantages of the present invention will become better understood upon reading the following detailed description and upon reference to the drawings where:

[0012] FIG. 1 illustrates an exemplary configuration wherein multiple client systems are protected against computer security threats according to some embodiments of the present invention.

[0013] FIG. 2-A illustrates an exemplary hardware configuration of a client system according to some embodiments of the present invention.

[0014] FIG. 2-B shows an exemplary hardware configuration of a security server computer system according to some embodiments of the present invention.

[0015] FIG. 3-A shows an exemplary set of virtual machines exposed by a hypervisor executing on a protected client system, and an exemplary pair of introspection engines according to some embodiments of the present invention.

[0016] FIG. 3-B shows an alternative configuration of security components according to some embodiments of the present invention.

[0017] FIG. 4 shows an exemplary sequence of steps carried out by an installer application to set up computer security on a client system according to some embodiments of the present invention.

[0018] FIG. 5 shows configuring a virtual private network (VPN) secure connection between a client system and the security server according to some embodiments of the present invention.

[0019] FIG. 6 shows an exemplary data exchange between a client system and the security server, the exchange occurring during malware detection according to some embodiments of the present invention.

[0020] FIG. 7 shows an exemplary sequence of steps performed by the live introspection engine according to some embodiments of the present invention.

[0021] FIG. 8 shows an exemplary sequence of steps performed by the on-demand introspection engine according to some embodiments of the present invention.

[0022] FIG. 9 illustrates an exemplary sequence of steps performed by the security server according to some embodiments of the present invention.
`
DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS

[0023] In the following description, it is understood that all recited connections between structures can be direct operative connections or indirect operative connections through intermediary structures. A set of elements includes one or more elements. Any recitation of an element is understood to refer to at least one element. A plurality of elements includes at least two elements. Unless otherwise required, any described method steps need not be necessarily performed in a particular illustrated order. A first element (e.g. data) derived from a second element encompasses a first element equal to the second element, as well as a first element generated by processing the second element and optionally other data. Making a determination or decision according to a parameter encompasses making the determination or decision according to the parameter and optionally according to other data. Unless otherwise specified, an indicator of some quantity/data may be the quantity/data itself, or an indicator different from the quantity/data itself. Computer security encompasses protecting users and equipment against unintended or unauthorized access to data and/or hardware, unintended or unauthorized modification of data and/or hardware, and destruction of data and/or hardware. A computer program is a sequence of processor instructions carrying out a task. Computer programs described in some embodiments of the present invention may be stand-alone software entities or sub-entities (e.g., subroutines, libraries) of other computer programs. Unless otherwise specified, guest software executes within a virtual machine. A program is said to execute within a virtual machine when it executes on a virtual processor of the respective virtual machine. Unless otherwise specified, a page represents the smallest unit of virtual memory that can be individually mapped to a physical memory of a host system. Unless otherwise specified, a snapshot of a client system comprises a copy of a content of a section of memory used by the respective client system. Computer readable media encompass non-transitory media such as magnetic, optic, and semiconductor storage media (e.g. hard drives, optical disks, flash memory, DRAM), as well as communication links such as conductive cables and fiber optic links. According to some embodiments, the present invention provides, inter alia, computer systems comprising hardware (e.g. one or more microprocessors) programmed to perform the methods described herein, as well as computer-readable media encoding instructions to perform the methods described herein.
[0024] The following description illustrates embodiments of the invention by way of example and not necessarily by way of limitation.

[0025] FIG. 1 shows an exemplary configuration for protecting a plurality of client systems 12a-d against computer security threats according to some embodiments of the present invention. Exemplary client systems 12a-d include personal computer systems, mobile computing platforms (laptop computers, tablets, mobile telephones), entertainment devices (TVs, game consoles), wearable devices (smartwatches, fitness bands), household appliances, and any other electronic device comprising a processor and a memory and capable of operating a hardware virtualization platform. Another exemplary category of client systems includes datacenter servers and hardware virtualization platforms running cloud-based applications such as webservers and/or virtual desktop infrastructure.

[0026] Client systems 12a-d are interconnected via a communication network 11, such as a home network, corporate network, the Internet, etc. Network 11 includes at least one switch and/or router. Parts of network 11 may include a local area network (LAN) and/or a telecommunication network (e.g., 4G mobile telephony network, wireless LAN).

[0027] In some embodiments, a security server 14 is communicatively coupled to client systems 12a-d via network 11 and collaborates with client systems 12a-d to ward off computer security threats as described in detail below. Server 14 generically describes a set of interconnected computing systems, which may or may not be in physical proximity to each other. In some embodiments, server 14 is configured to receive event notifications from client systems 12a-d, and in response, to select according to a type of event a type of forensic analysis, a threat mitigation protocol, and/or a clean-up tool to be used by the respective client system. Exemplary forensic analyses include, for instance, obtaining specific data about a cause and/or a context of the respective event. Threat mitigation protocols may be selected according to a type of malicious software indicated by the respective event, and may include downloading and/or executing specific clean-up and/or damage control code on the respective client.
[0028] In some embodiments, security server 14 is further configured to interface with a client database 17. In an exemplary client database 17, each entry is associated with a protected client system 12a-d and/or with a virtual machine executing on the respective protected client system, and may include a log of trigger events and/or forensic reports (see below) reported by the respective client system/virtual machine. An exemplary entry of database 17 may further comprise system profile data (e.g., including OS version, installed applications, various settings, owner, contact information, etc.) for the respective client system/virtual machine. Another exemplary entry of client database 17 may comprise a set of parameter values representing a client-specific security policy associated with the respective client system. Such settings may be specified by a human operator, or may be set automatically according to a set of rules. In some embodiments of the present invention, client-specific policies and/or security settings vary dynamically in response to events occurring on the respective client, or on other protected clients.
[0029] In some embodiments, client systems 12a-d are further connected to a central tool repository 15 via network 11. Tool repository 15 may comprise a computer-readable medium or physical machine storing security tools and resources in the form of code (computer programs) and/or data. Client systems 12a-d may connect to repository 15 to selectively retrieve tools and data according to instructions received from security server 14, as shown in detail below. Tool repository 15 is available to multiple clients, so in a preferred embodiment of the present invention, repository 15 does not reside on any particular client system. Connecting to repository 15 therefore comprises transmitting and/or receiving communications to/from repository 15 via a network adapter of the respective client system. Such communications may traverse a network switch or router on the way.

[0030] Security tools stored in repository 15 may include forensic, anti-malware, and/or threat mitigation tools. Repository data may further comprise parameter values for configuring or tuning the respective tools according to a type of event under investigation, or according to local hardware/software configurations. Anti-malware tools enable detection of malicious software executing on the client systems 12a-d, and may include an encoding of a set of heuristic rules and/or a database of malware-identifying signatures. Threat mitigation tools may include clean-up tools programmed to remove or otherwise incapacitate a malicious software agent executing on a client system. Other exemplary threat mitigation tools are programmed to prevent an infected client system from transmitting malicious software to another client system, for instance by controlling the manner in which the infected client system uses its network adapter.
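The round trip described in the summary and in paragraphs [0027] through [0030] (event indicator, tool selection against the client database and the central repository, retrieval and execution by the on-demand engine, forensic report, mitigation indicator) can be simulated in a few dozen lines. The following is an added example and not code from the patent or from Bitdefender; the event types, tool identifiers, policy fields, scoring rule, and the digest check that the client applies to a retrieved tool before running it are all assumptions made for the illustration.

```python
"""Added example (not from the patent): in-process simulation of the
client/server exchange: event indicator -> analysis request -> tool
retrieval and execution in the security VM -> forensic report ->
mitigation indicator. Names, event types, policy fields, the scoring
rule and the digest check are assumptions for this illustration."""
import hashlib
from dataclasses import dataclass, field

# Constructed central tool repository (element 15): tool id -> code plus
# tuning parameters. Tools are plain callables here; a real repository
# would serve executable images.
def _proc_inventory(guest, params):
    names = [p["name"] for p in guest["processes"]]
    return {"processes": names,
            "unexpected": sorted(set(names) - set(params["baseline"]))}

def _driver_check(guest, params):
    return {"unsigned_drivers": [d["name"] for d in guest["drivers"]
                                 if not d["signed"]]}

TOOL_REPOSITORY = {
    "proc_inventory": {"run": _proc_inventory,
                       "params": {"baseline": ["init", "sshd"]}},
    "driver_check": {"run": _driver_check, "params": {}},
}

def tool_digest(tool_id):
    """Assumed integrity catalog: a SHA-256 over the tool's bytecode stands
    in for the digest of a shipped tool image. The server sends the digest
    it expects so the client rejects a tampered repository entry."""
    code = TOOL_REPOSITORY[tool_id]["run"].__code__.co_code
    return hashlib.sha256(code).hexdigest()

# Server-side selection table: forensic tools per trigger event type.
TOOLS_BY_EVENT_TYPE = {
    "process_create": ["proc_inventory"],
    "driver_load": ["driver_check", "proc_inventory"],
}
FINDING_KEYS = ("unexpected", "unsigned_drivers")

@dataclass
class SecurityServer:
    """Security server (14) holding the client database (17)."""
    client_db: dict
    alerts: list = field(default_factory=list)

    def on_event_indicator(self, client_id, event):
        entry = self.client_db[client_id]
        entry["events"].append(event)                     # log trigger event
        if event["type"] not in entry["policy"]["forensics_for"]:
            return None                                   # per-client policy: skip
        tools = TOOLS_BY_EVENT_TYPE.get(event["type"], [])
        return {"event_id": event["id"],
                "tools": [{"id": t, "sha256": tool_digest(t)} for t in tools]}

    def on_forensic_report(self, client_id, report):
        entry = self.client_db[client_id]
        entry["reports"].append(report)
        findings = sum(len(v) for r in report["results"].values()
                       for k, v in r.items() if k in FINDING_KEYS)
        likelihood = min(1.0, 0.4 * findings)             # assumed scoring rule
        if likelihood < entry["policy"]["mitigate_threshold"]:
            return None
        self.alerts.append((client_id, report["event_id"], likelihood))
        return {"event_id": report["event_id"], "action": "isolate_network",
                "likelihood": likelihood}

@dataclass
class OnDemandIntrospectionEngine:
    """Runs inside the security VM; guest_state stands in for what the
    engine can read out of the guest VM's memory."""
    guest_state: dict

    def handle_analysis_request(self, request):
        retrieved, results = {}, {}
        for spec in request["tools"]:
            tool = TOOL_REPOSITORY[spec["id"]]            # fetch from repository
            if tool_digest(spec["id"]) != spec["sha256"]:
                raise ValueError(f"integrity check failed for {spec['id']}")
            retrieved[spec["id"]] = tool
            results[spec["id"]] = tool["run"](self.guest_state, tool["params"])
        retrieved.clear()                                 # discard tools afterwards
        return {"event_id": request["event_id"], "results": results}

def run_exchange(server, engine, client_id, event):
    """One round trip: (analysis request, forensic report, mitigation)."""
    request = server.on_event_indicator(client_id, event)
    if request is None:
        return None, None, None
    report = engine.handle_analysis_request(request)
    return request, report, server.on_forensic_report(client_id, report)

def example_setup():
    # Constructed guest state and client database entry.
    guest = {"processes": [{"name": "init"}, {"name": "sshd"},
                           {"name": "unlisted.exe"}],
             "drivers": [{"name": "nic.sys", "signed": True},
                         {"name": "unsigned.sys", "signed": False}]}
    db = {"client-a": {"policy": {"forensics_for": ["driver_load"],
                                  "mitigate_threshold": 0.5},
                       "events": [], "reports": []}}
    return SecurityServer(db), OnDemandIntrospectionEngine(guest)

if __name__ == "__main__":
    srv, eng = example_setup()
    print(run_exchange(srv, eng, "client-a", {"id": 1, "type": "driver_load"}))
```

The tools are resolved and discarded inside `handle_analysis_request`, mirroring the retrieve, execute, report, discard order of FIG. 8; the digest comparison is the one check a practitioner would add on top of the patent's description, since the repository is shared by every client and a substituted tool would run with the security VM's privileges.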
[0031] Forensic tools enable the analysis of security-related events occurring on client systems 12a-d. Some examples of forensic tools include snapshot-generating tools, programmed to obtain a memory snapshot of a client system or of a virtual machine executing on the respective client system. The snapshot may include memory data associated with an operating system (OS) or with another application currently executing on the respective client system. A snapshot of an OS kernel may include, among others, a copy of the kernel's code and data sections, various in-memory kernel drivers (code and/or data sections), in-memory kernel threads and their corresponding stacks, the OS's kernel data structures—such as the list of loaded modules, the list of processes, etc. An exemplary snapshot of an application comprises a copy of a memory image of the application, including its code and data sections, the in-memory stacks used by the application's threads, the heap memory pages of the respective application, etc.
[0032] In some embodiments, taking a memory snapshot comprises suspending execution of guest VM 32 to allow copying the content of the respective memory sections. An alternative embodiment performs "live" memory forensics without taking snapshots. In such embodiments, hypervisor 30 may map a set of physical memory pages used by guest VM 32 to virtual memory pages used by security VM 33. Security VM 33 may then inspect the content of the respective memory pages, for instance in response to a particular event, without having to suspend execution of guest VM 32 or to copy and transfer the respective content. One example of a "live" memory forensic tool is the Volatility® framework from the Volatility Foundation.
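The two access modes contrasted in paragraphs [0031] and [0032], a snapshot copied while the guest is suspended and a "live" view through guest physical pages mapped into the security VM, differ in more than cost: the snapshot is a consistent frozen image, while the live view keeps tracking a guest that is still running. The following added example (not code from the patent, from Bitdefender, or from the Volatility project) walks a constructed kernel process list both ways; the page size, the memory layout, the entry format, and the `Hypervisor`, `GuestVM`, `read` and `walk_process_list` names are all assumptions.

```python
"""Added example (not from the patent): a forensic tool reading the guest
kernel's process list (a) from a snapshot copied while the guest VM is
suspended and (b) through a live, copy-free mapping of the guest's
physical pages into the security VM. Layout and formats are constructed."""
import struct
from dataclasses import dataclass

PAGE_SIZE = 4096
# Constructed process-list entry: flink (gpa of next entry), pid, name.
ENTRY = struct.Struct("<II16s")

@dataclass
class GuestVM:
    phys_mem: bytearray
    suspended: bool = False

    def write_entry(self, gpa, flink, pid, name):
        """The guest kernel updating its own list (runs while unsuspended)."""
        ENTRY.pack_into(self.phys_mem, gpa, flink, pid,
                        name.encode().ljust(16, b"\0"))

def build_guest():
    """Four pages of guest physical memory with a circular list: head ->
    init (page 1) -> sshd (page 2) -> head."""
    guest = GuestVM(bytearray(4 * PAGE_SIZE))
    head = 0x0100
    guest.write_entry(head, 0x1020, 0, "")
    guest.write_entry(0x1020, 0x2040, 4, "init")
    guest.write_entry(0x2040, head, 71, "sshd")
    return guest, head

class Hypervisor:
    """Hypervisor (30) giving the security VM (33) access to guest (32) memory."""
    def __init__(self, guest):
        self.guest = guest

    def snapshot(self, page_numbers):
        """Snapshot: suspend the guest, copy the pages, resume."""
        self.guest.suspended = True
        try:
            mem = self.guest.phys_mem
            return {n: bytes(mem[n * PAGE_SIZE:(n + 1) * PAGE_SIZE])
                    for n in page_numbers}
        finally:
            self.guest.suspended = False

    def map_pages(self, page_numbers):
        """Live mapping: memoryviews alias the guest's pages, nothing is copied
        and the guest keeps running."""
        mem = memoryview(self.guest.phys_mem)
        return {n: mem[n * PAGE_SIZE:(n + 1) * PAGE_SIZE] for n in page_numbers}

def read(pages, gpa, size):
    """Read `size` bytes at guest physical address `gpa` from a page map,
    spanning page boundaries; raises KeyError if a page is not mapped."""
    out = bytearray()
    while size:
        n, off = divmod(gpa, PAGE_SIZE)
        chunk = pages[n][off:off + min(size, PAGE_SIZE - off)]
        out += chunk
        gpa += len(chunk)
        size -= len(chunk)
    return bytes(out)

def walk_process_list(pages, head, limit=1000):
    """Return [(pid, name), ...] by following flink pointers from the list
    head; `limit` guards against a corrupted or looping list."""
    procs = []
    cur = ENTRY.unpack(read(pages, head, ENTRY.size))[0]
    while cur != head and len(procs) < limit:
        flink, pid, name = ENTRY.unpack(read(pages, cur, ENTRY.size))
        procs.append((pid, name.rstrip(b"\0").decode()))
        cur = flink
    return procs

def demo():
    guest, head = build_guest()
    hv = Hypervisor(guest)
    pages = [0, 1, 2, 3]
    snap = hv.snapshot(pages)
    live = hv.map_pages(pages)
    before = walk_process_list(live, head)
    # The guest keeps running and links a new process into its list.
    guest.write_entry(0x3000, head, 88, "cron")
    guest.write_entry(0x2040, 0x3000, 71, "sshd")
    return {"snapshot": walk_process_list(snap, head),
            "live_before": before,
            "live_after": walk_process_list(live, head),
            "suspended_now": guest.suspended}

if __name__ == "__main__":
    print(demo())
```

The live walk sees the third process because the memoryviews alias guest memory; the snapshot does not, because it was copied earlier. That is the trade-off behind the two embodiments: the snapshot costs a pause and a copy but is internally consistent, while a live walk can observe a list that the guest is modifying mid-traversal, which is why the walker carries a length guard.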
[0033] Another example of a forensic tool is an application inventory tool configured to enumerate software entities currently installed and/or executing on a client system. Yet another example of a forensic tool is a configuration grabber programmed to obtain a set of configuration settings (e.g., current values of various OS parameters, hardware settings, security settings, firewall settings, etc.). Other exemplary forensic tools are programmed to gather system and/or application event logs, or system crash data (e.g. Windows® crash minidumps).
[0034] FIG. 2-A shows an exemplary hardware configuration of a client system 12, such as systems 12a-d in FIG. 1. For simplicity, the illustrated client system is a computer system; the hardware configuration of other client systems such as mobile telephones, watches, etc., may differ somewhat from the illustrated configuration. Client system 12 comprises a set of physical devices, including a hardware processor 16 and a memory unit 18. In some embodiments, processor 12 comprises a physical device (e.g. a microprocessor, a multi-core integrated circuit formed on a semiconductor substrate, etc.) configured to execute computational and/or logical operations with a set of signals and/or data. In some embodiments, such operations are delivered to processor 12 in the form of a sequence of processor instructions (e.g. machine code or other type of encoding). Memory unit 18 may comprise volatile computer-readable media (e.g. DRAM, SRAM) storing instructions and/or data accessed or generated by processor 16.

[0035] Depending on the type and performance of the device, client system 12 may further comprise a set of input devices 20, such as a keyboard, mouse, touchscreen, etc., enabling a user to input data and/or instructions to client system 12. A set of output devices 22, such as a monitor or liquid crystal display, may convey information to the user, e.g., via a graphical user interface. Storage devices 24 include computer-readable media enabling the non-volatile storage, reading, and writing of processor instructions and/or data. Exemplary storage devices 24 include magnetic and optical disks and flash memory devices, as well as removable media such as CD and/or DVD disks and drives. The set of network adapters 26 enables client system 12 to connect to communication network 11 and/or to other devices/computer systems. Controller hub 28 generically represents the plurality of system, peripheral, and/or chipset buses, and/or all other circuitry enabling the communication between processor 16 and devices 18, 20, 22, 24 and 26. For instance, controller hub 28 may include a memory management unit (MMU), an input/output (I/O) controller, and an interrupt controller, among others. In another example, controller hub 28 may comprise a northbridge connecting processor 16 to memory 18 and/or a southbridge connecting processor 16 to devices 20, 22, 24, and 26. In some embodiments, controller hub 28 may be integrated, in part or entirely, with processor 16, e.g., the MMU may share a common semiconductor substrate with processor 16.
`
[0036] FIG. 2-B shows an exemplary hardware configuration of security server 14. Server 14 comprises a hardware processor 116, a server memory 118, a set of server storage devices 124, and a set of network adapters 126, all connected by a server controller hub 128. The operation of devices 116, 118, 124, and 126 may mirror that of devices 16, 18, 24, and 26 described above. For instance, server processor 116 may comprise an integrated circuit configured to execute computational and/or logical operations with a set of signals and/or data. Server memory 118 may comprise non-transitory computer-readable media (e.g. RAM) storing data/signals accessed or generated by processor 116 while performing computations. Network adapters 126 enable security server 14 to connect to communication network 11.

[0037] In some embodiments, client system 12 is configured to expose a set of virtual machines, for instance as illustrated in FIGS. 3-A-B. A virtual machine (VM) emulates an actual physical machine/computer system, using any of a variety of techniques known in the art of hardware virtualization. In some exemplary configurations, a hypervisor 30 executes on client system 12, hypervisor 30 configured to create or enable a plurality of virtualized devices, such as a virtual processor and a virtual memory management unit, and to present such virtualized devices to software, to mimic the real, physical devices of client system 12. Such operations are commonly known in the art as exposing a virtual machine. Hypervisor 30 may further enable multiple virtual machines to share the hardware resources of host system 12, so that each VM may operate independently and be unaware of other VMs executing concurrently on client system 12. Examples of popular hypervisors include the VMware® vSphere® from VMware Inc. and the open-source Xen® hypervisor, among others.

[0038] In the exemplary configurations illustrated in FIGS. 3-A-B, a guest VM 32 executes a guest operating system 34 and an application 36. Although FIGS. 3-A-B show only one guest VM, in applications such as virtual desktop infrastructure (VDI) and server farming, client system 12 may execute multiple such VMs (e.g., hundreds) concurrently. Each guest VM includes at least one virtualized processor, and may further include other virtualized devices such as virtualized input, output, storage, and network devices, as well as virtualized controller, amon