An electronic apparatus adapted for a container and a software updating method for a running container system are provided. A first software installation package is installed in a host system. The first software installation package includes an executable component used by the host system and a second software installation package. The executable component provides information required by an installation operation of the first software installation package. The second software installation package is made accessible to a container system by the host system based on the executable component. The second software installation package is installed in the container system to update an application in the container system.

Methods, systems, apparatuses, and computer-readable storage mediums described herein enable executable code of a hardware security platform (HSP) circuit to communicate with a hypervisor in a separate processor. The hypervisor generates and manages virtual machines. The HSP code comprises trusted platform module (TPM) logic, that processes TPM commands received via the hypervisor, and in response to the processing, communicates security information (e.g., measurements, keys, authorization data) with the virtual machines via the hypervisor. The TPM logic receives security information related to a virtual machine from the hypervisor and stores the security information in non-volatile memory of the HSP circuit, where security information from a particular VM is distinguishable from security information from another VM in the HSP memory. The hypervisor (and VMs) communicate via a network fabric with the HSP circuit within an SOC, or the HSP may reside on a discrete chip and communicate via a secure encrypted channel.

A unique embedded system is disclosed that locally operates an application virtual machine (VM) and a system VM in isolation from each other. The application VM executes application-specific code for a given purpose of the embedded system. The system VM executes a host operating system (OS) and various security, compatibility, and updating functions independent of the application VM. Each VM is connected to its own unique hardware on the embedded system to ensure that changes to the application code or the system code do not impact the other.

A method, apparatus and computer program product for automated security policy synthesis and use in a container environment. In this approach, a binary analysis of a program associated with a container image is carried out within a binary analysis platform. During the binary analysis, the program is micro-executed directly inside the analysis platform to generate a graph that summarizes the program's expected interactions within the run-time container environment. The expected interactions are identified by analysis of one or more system calls and their arguments found during micro-executing the program. Once the graph is created, a security policy is then automatically synthesized from the graph and instantiated into the container environment. The policy embeds at least one system call argument. During run-time monitoring of an event sequence associated with the program executing in the container environment, an action is taken when the event sequence is determined to violate the security policy.

Aspects of the subject disclosure may include, for example, identifying a request to install a guest virtual machine on a physical host; identifying a UUID of the physical host; generating a virtual machine reference value; defining a modified UUID of the guest virtual machine comprising the UUID of the physical host and the virtual machine reference value; and assigning the modified UUID to the guest virtual machine, the physical host being identifiable via the modified UUID of the guest virtual machine. Other embodiments are disclosed.

Data recovery systems and methods utilize object-based storage for providing a data protection and recovery methodology with low recovery point objectives, and for enabling both full recovery and point-in-time based recovery. Data generated at a protected site (e.g., via one or more virtual machines) is intercepted during write procedures to primary storage. The intercepted data is replicated via a replication log, provided as data objects, and transmitted to an object based storage system. During recovery, data objects may be retrieved through point-in-time based recovery directly by the systems of the protected site, and/or data objects may be provided via full recovery, for example, within a runtime environment of a recovery site, with minimal data loss and operation interruption by rehydrating data objects within the runtime environment via low-latency data transfer and rehydration systems.

In one embodiment, a system for managing a virtualization environment includes a set of host machines, each of which includes a hypervisor, virtual machines, and a virtual machine controller, and a data migration system configured to identify one or more existing storage items stored at one or more existing File Server Virtual Machines (FSVMs) of an existing virtualized file server (VFS). For each of the existing storage items, the data migration system is configured to identify a new FSVMs of a new VFS based on the existing FSVM, send a representation of the storage item from the existing FSVM to the new FSVM, such that representations of storage items are sent between different pairs of FSVMs in parallel, and store a new storage item at the new FSVM, such that the new storage item is based on the representation of the existing storage item received by the new FSVM.

In one embodiment, a processor includes a memory hierarchy and a core coupled to the memory hierarchy. The memory hierarchy stores encrypted data, and the core includes circuitry to access the encrypted data stored in the memory hierarchy, decrypt the encrypted data to yield decrypted data, perform an entropy test on the decrypted data, and update a processor state based on a result of the entropy test. The entropy test may include determining a number of data entities in the decrypted data whose values are equal to one another, determining a number of adjacent data entities in the decrypted data whose values are equal to one another, determining a number of data entities in the decrypted data whose values are equal to at least one special value from a set of special values, or determining a sum of n highest data entity value frequencies.

The present disclosure describes a technique for honoring virtual machine placement constraints established on a first host implemented on a virtualized computing environment by receiving a request to migrate one or more virtual machines from the first host to a second host and without violating the virtual machine placement constraints, identifying an architecture of the first host, provisioning a second host with an architecture compatible with that of the first host, adding the second host to the cluster of hosts, and migrating the one or more virtual machines from the first host to the second host.

Example methods are provided for virtual machine introspection in which a guest monitoring mode (GMM) module monitors the execution of guest calls by an agent that resides in a virtual machine (VM). The GMM module sets a bit in bit mask that corresponds to a guest call that the agent needs to execute, and inserts an invisible breakpoint in the code of the guest call. If the GMM module detects that despite the setting of the bit in the bit mask, the agent does not complete the execution of the code (due to the invisible breakpoint not being triggered), then the GMM module considers this condition as a potential hijack of the VM by malicious code.