G06F2009/45587

STORAGE ARCHITECTURE FOR VIRTUAL MACHINES
20180011731 · 2018-01-11

Some embodiments of the present invention include a method comprising: accessing units of network storage that encode state data of respective virtual machines, wherein the state data for respective ones of the virtual machines are stored in distinct ones of the network storage units such that the state data for more than one virtual machine are not commingled in any one of the network storage units.

Provisioning identity certificates using hardware-based secure attestation in a virtualized and clustered computer system

An example method of secure attestation of a workload deployed in a virtualized computing system is described. The virtualized computing system includes a host cluster and a virtualization management server, the host cluster having hosts and a virtualization layer executing on hardware platforms of the hosts. The method includes: launching, in cooperation with a security module of a host, a guest as a virtual machine (VM) managed by the virtualization layer, the security module generating an attestation report from at least a portion of the VM loaded into memory of the host; sending the attestation report from the security module to a trust authority; receiving, in response to verification of the attestation report by the trust authority, a secret from the trust authority at the security module; and providing the secret from the security module to the guest.

Generation, actuation, and enforcement of policies for resources within a distributed computing system

The generation, actuation, and enforcement of policies within a distributed computing system is provided. The policies are employed to manage the resources of the system. The resources include virtualized resources, such as virtual machines (VMs) and virtual storage disks (VSDs). A policy includes a rule and a scope. Enforcing a policy includes applying the rule to resources that are within the policy's scope. Policies are employed to constrain the leasing period and reclaim leased resources, as well as to constrain the access of certain users to specific operations on the leased resources. Policies may be created via a UI that automatically generates a policy encoding. The policy is registered and accessed via a policy store. When multiple policies target a common resource, merging strategies are applied to the multiple policies. The multiple policies are ranked, merged, filtered, and any remaining conflicts are resolved to generate an effective policy that is consistent with the multiple policies and is enforced on the common resource.

UPGRADABLE BASE IMAGE OF VIRTUAL MACHINE
20180011871 · 2018-01-11

A method for de-duplicating updates in virtual machines (VMs) is provided that may be executed on a host computer using a hypervisor. Client VMs are derived from a base image, and the method includes: creating a temporary virtual machine, updating the temporary virtual machine, identifying modified blocks of the updated temporary virtual machine, and identifying files associated with the modified blocks. Moreover, the method includes determining block identifiers of matching files of a VM corresponding to identified files of the updated temporary VM, moving block content of blocks relating to the determined block identifiers from its initial location to a free location within the client VM if the block content and the matching files are not identical in the client virtual machine and the temporary VM, and de-duplicating content within the client VM, generating a complete bootable image, and replacing the base image by the temporary VM.

Dynamic functional partitioning for security pass-through virtual network function (VNF)
11711754 · 2023-07-25

A network device or system can operate to enable a security pass-through with a user equipment (UE) and further define various virtual functions between a physical access point (pAP) and a virtual AP (vAP) based on one or more communication link parameters (e.g., latency). The security pass-through can be an interface connection that passes through a computer premise equipment (CPE) or wireless residential gateway (GW) without the CPE or GW modifying or affecting the data traffic such as by authentication or security protocol. The SP network device can receive traffic data from a UE through or via the security pass-through from a UE of a community Wi-Fi network at a home, residence, or entity network.

Pre-filtering of traffic subject to service insertion
11711292 · 2023-07-25

The disclosure provides an approach for pre-filtering traffic in a logical network. One method includes receiving, by a hypervisor, a packet from a virtual computing instance (VCI) and determining a service path for the packet based on a service table. The method further includes setting, by the hypervisor, a pre-filter component as a next hop for the packet based on the service path. The method further includes receiving, by the pre-filter component, the packet. The method further includes making a determination, by the pre-filter component, of whether the packet requires processing by the security component. The method further includes performing, by the pre-filter component, based on the determination, one of: forwarding the packet to its destination and bypassing the security component; or forwarding the packet to the security component.

CONFIGURATION TECHNIQUES FOR MANAGED HOST OPERATING SYSTEMS AND CONTAINERIZED APPLICATIONS INSTANTIATED THEREBY

Embodiments described herein are directed to configuring managed computing devices utilizing containerized applications. For instance, a mobile device manager may provide configuration settings to a computing device via, for example, an enterprise network. A host operating system (OS) executing on the computing device determines and applies the settings that are applicable to the host OS. The configuration settings are stored for configuring containerized applications executing on the computing device. For instance, as new containerized applications are launched by the host OS, the containerized applications retrieve the configuration settings and determine and apply the settings that are applicable to the containerized applications. Results of applying the configuration settings to the host OS and the containerized applications are merged and sent to the mobile device manager. The host OS and the containerized application may, for example, implement the settings in order to be compliant with an enterprise's policy.

Virtual Machine Register in a Computer Processor
20230004420 · 2023-01-05

Systems, apparatuses, and methods related to a virtual machine register in a computer processor are described. For example, a memory coupled to the computer processor can store instructions of routines of predefined, non-hierarchical domains. The computer processor can store, in the virtual machine register, an identifier of a virtual machine for which the processor is currently executing instructions in a current domain in the set of domains. For example, the processor can implement resource restriction/mapping and/or perform address translation for the virtual machine based on the identifier stored in the virtual machine register.

SAFE ENTROPY SOURCE FOR ENCRYPTED VIRTUAL MACHINES
20230236870 · 2023-07-27

Systems and methods for ensuring that data received from a virtual device is random are provided. A processing device may be used to generate, by a virtual device executing on a hypervisor, data intended for a virtual machine (VM) having a guest memory that includes one or more encrypted pages and one or more unencrypted pages. Data written to an encrypted page of the guest memory by the VM is encrypted using an encryption key assigned to the VM and information read from the encrypted page by the VM is decrypted using the encryption key. The hypervisor may write the data to the encrypted page, wherein the data is not encrypted by the encryption key assigned to the VM because it is written by the hypervisor. The VM reads the data from the encrypted page as randomized data because it cannot be properly decrypted by the encryption key.

BEHAVIORAL THREAT DETECTION ENGINE
20230004643 · 2023-01-05

Examples of the present disclosure describe systems and methods for a behavioral threat detection engine. In examples, the behavioral threat detection engine manages execution of one or more virtual machines, wherein each virtual machine processes a rule in relation to a context. The behavioral threat detection engine uses any of a variety of techniques to identify when events occur. Accordingly, the behavioral threat detection engine provides event indications, in the form of event packets, to one or more virtual machines, such that the corresponding rules are able to process the events accordingly. Eventually, a rule may make a determination as to the presence or absence of a behavior. As a result, execution of the associated virtual machine may be halted, thereby indicating to the behavioral threat detection engine that a determination has been made. Thus, a behavioral threat detection engine employs a behavior-based approach to detecting malicious or potentially malicious behaviors.