U.S. patent application number 13/673540 was filed with the patent office on 2014-05-15 for limiting information leakage and piracy due to virtual machine cloning.
This patent application is currently assigned to INTERNATIONAL BUSINESS MACHINES CORPORATION. The applicant listed for this patent is INTERNATIONAL BUSINESS MACHINES CORPORATION. Invention is credited to Salman A. Baset, Ashish Kundu, Sambit Sahu.
Application Number | 20140137247 13/673540 |
Document ID | / |
Family ID | 50683099 |
Filed Date | 2014-05-15 |
United States Patent
Application |
20140137247 |
Kind Code |
A1 |
Baset; Salman A. ; et
al. |
May 15, 2014 |
Limiting Information Leakage and Piracy due to Virtual Machine
Cloning
Abstract
Techniques for detecting a cloned virtual machine instance. A
method includes transmitting an identifier associated a virtual
machine from an agent embedded in the virtual machine akin to a
malware to a detection entity in a network, determining whether the
identifier is a unique identifier or whether the identifier is a
clone of an identifier associated with a separate virtual machine
in the network, and initiating at least one remedial action with
the agent embedded in the virtual machine if the identifier is
determined to be a clone of an identifier associated with a
separate virtual machine in the network.
Inventors: |
Baset; Salman A.; (New York,
NY) ; Kundu; Ashish; (Elmsford, NY) ; Sahu;
Sambit; (Hopewell Junction, NY) |
|
Applicant: |
Name |
City |
State |
Country |
Type |
INTERNATIONAL BUSINESS MACHINES CORPORATION |
Armonk |
NY |
US |
|
|
Assignee: |
INTERNATIONAL BUSINESS MACHINES
CORPORATION
Armonk
NY
|
Family ID: |
50683099 |
Appl. No.: |
13/673540 |
Filed: |
November 9, 2012 |
Related U.S. Patent Documents
|
|
|
|
|
|
Application
Number |
Filing Date |
Patent Number |
|
|
13673358 |
Nov 9, 2012 |
|
|
|
13673540 |
|
|
|
|
Current U.S.
Class: |
726/23 |
Current CPC
Class: |
G06F 21/566 20130101;
G06F 21/554 20130101 |
Class at
Publication: |
726/23 |
International
Class: |
G06F 21/00 20060101
G06F021/00 |
Claims
1. An article of manufacture comprising a computer readable storage
memory device having computer readable instructions tangibly
embodied thereon which, when implemented, cause a computer to carry
out a plurality of method steps comprising: generating a unique
identifier for each virtual machine in a network; transmitting an
identifier associated with a given virtual machine from an agent
embedded in the virtual machine akin to a malware to a detection
entity in the network; determining whether the identifier is one of
the generated unique identifiers or whether the identifier is a
clone of an identifier associated with a separate virtual machine
in the network; and initiating at least one remedial action with
the agent embedded in the virtual machine if the identifier is
determined to be a clone of an identifier associated with a
separate virtual machine in the network.
2. The article of manufacture of claim 1, wherein said transmitting
comprises transmitting at a random frequency.
3. The article of manufacture of claim 1, wherein said transmitting
comprises transmitting at a pre-specified interval.
4. The article of manufacture of claim 1, wherein said transmitting
comprises transmitting at a frequency that corresponds to mode of
the agent.
5. The article of manufacture of claim 1, wherein said determining
comprises utilizing an authenticated list of identifiers for
comparison with the transmitted identifier.
6. The article of manufacture of claim 1, wherein the method steps
comprise: embedding an agent into each virtual machine in the
network.
7. (canceled)
8. The article of manufacture of claim 1, wherein the agent
utilizes at least one malware technique, wherein said at least one
malware technique comprises at least one of dynamic-link library
linkage, random invocation upon a system, and a program call
invocation.
9. The article of manufacture of claim 1, wherein the detection
entity comprises a central server.
10. The article of manufacture of claim 1, wherein the detection
entity comprises one or more detecting peer virtual machines in a
peer-to-peer network.
11. The article of manufacture of claim 1, wherein the detection
entity comprises one or more central servers and one or more
peer-to-peer virtual machines.
12. The article of manufacture of claim 1, wherein the at least one
remedial action comprises the agent blocking all network
connections and implementing self-destruction of the virtual
machine if the agent cannot reach the network within a
pre-determined amount of time.
13. The article of manufacture of claim 1, wherein the at least one
remedial action comprises self-destruction of by the agent by
wiping out the virtual machine disk.
14. The article of manufacture of claim 1, wherein the at least one
remedial action comprises automatic or manual shutdown of the
virtual machine associated with the cloned identifier.
15. The article of manufacture of claim 1, wherein the at least one
remedial action comprises providing a notification to a system
administrator of a provider to block the virtual machine associated
with the cloned identifier.
16. The article of manufacture of claim 1, wherein the at least one
remedial action comprises providing a notification to a user to
block the virtual machine associated with the cloned
identifier.
17. The article of manufacture of claim 1, wherein the detection
entity comprises a central server and a peer-to-peer network.
18. A system for detecting a cloned virtual machine instance,
comprising: at least one distinct software module, each distinct
software module being embodied on a tangible computer-readable
medium; a memory; and at least one processor coupled to the memory
and operative for: generating a unique identifier for each virtual
machine in a network; transmitting an identifier associated with a
given virtual machine from an agent embedded in the virtual machine
akin to a malware to a detection entity in the network; determining
whether the identifier is one of the generated unique identifiers
or whether the identifier is a clone of an identifier associated
with a separate virtual machine in the network; and initiating at
least one remedial action with the agent embedded in the virtual
machine if the identifier is determined to be a clone of an
identifier associated with a separate virtual machine in the
network.
Description
CROSS-REFERENCE TO RELATED APPLICATIONS
[0001] This application is a continuation of U.S. patent
application Ser. No. 13/673,358, filed Nov. 9, 2012, and
incorporated by reference herein.
FIELD OF THE INVENTION
[0002] Embodiments of the invention generally relate to information
technology, and, more particularly, to virtual machine (VM)
management.
BACKGROUND
[0003] Virtual machines (VMs) running in a cloud can be cloned or
copied. By way of example, the cloning may be performed by a system
administrator, the cloning may be accidentally performed by a
customer or user of VMs, or the cloning may be performed
maliciously by an attacker. A customer or user will often aim to
protect its VMs against any unauthorized VM cloning because such
cloning can result in information leakage, or even privacy and/or
confidentiality breaches. Consequently, a need exists to limit
information leakage as a result of unauthorized VM cloning.
SUMMARY
[0004] In one aspect of the present invention, techniques for
limiting information leakage and piracy due to virtual machine
cloning are provided. An exemplary computer-implemented method for
detecting a cloned virtual machine instance can include steps of
transmitting an identifier associated a virtual machine from an
agent embedded in the virtual machine akin to a malware to a
detection entity in a network, determining whether the identifier
is a unique identifier or whether the identifier is a clone of an
identifier associated with a separate virtual machine in the
network, and initiating at least one remedial action with the agent
embedded in the virtual machine if the identifier is determined to
be a clone of an identifier associated with a separate virtual
machine in the network. As described herein in accordance with at
least one embodiment of the invention, the agent in a virtual
machine is run akin a malware, making its detection difficult by an
entity attempting an unauthorized cloning of VM images.
[0005] Another aspect of the invention or elements thereof can be
implemented in the form of an article of manufacture tangibly
embodying computer readable instructions which, when implemented,
cause a computer to carry out a plurality of method steps, as
described herein. Furthermore, another aspect of the invention or
elements thereof can be implemented in the form of an apparatus
including a memory and at least one processor that is coupled to
the memory and operative to perform noted method steps. Yet
further, another aspect of the invention or elements thereof can be
implemented in the form of means for carrying out the method steps
described herein, or elements thereof; the means can include
hardware module(s) or a combination of hardware and software
modules, wherein the software modules are stored in a tangible
computer-readable storage medium (or multiple such media).
[0006] These and other objects, features and advantages of the
present invention will become apparent from the following detailed
description of illustrative embodiments thereof, which is to be
read in connection with the accompanying drawings.
BRIEF DESCRIPTION OF THE DRAWINGS
[0007] FIG. 1 is a block diagram illustrating an example
embodiment, according to an aspect of the invention;
[0008] FIG. 2 is a flow diagram illustrating techniques for
detecting a cloned virtual machine instance, according to an
embodiment of the invention; and
[0009] FIG. 3 is a system diagram of an exemplary computer system
on which at least one embodiment of the invention can be
implemented.
DETAILED DESCRIPTION
[0010] As described herein, an aspect of the present invention
includes protecting information leakage and piracy due to virtual
machine (VM) cloning, and VMs being re-instantiated in an
unauthorized manner. At least one embodiment of the invention
includes detecting, using malware-type agents which are difficult
to detect, whether a VM is genuine or is a copy or cloned VM, as
well as de-activating an instance of a cloned VM via the
malware-type agent upon detection.
[0011] At least one embodiment of the invention can be implemented
in a context such as the following example scenario. A customer or
a third-party runs a server which keeps tracks of unique VMs. A VM
running in a cloud runs an agent (on the VM) which periodically or
randomly reports a unique identifier to the server. As such, in
order to evade detection by a separate user or entity that wishes
to clone VMs without the permission of the customer, an aspect of
the invention includes running the agent in a similar fashion to a
malware (for example, attached to a dynamic-link library (DLL),
being invoked randomly upon a system call invocation, etc.). If the
network access is blocked, the agent running can disrupt the
working of a cloned VM.
[0012] Accordingly, as further described in connection with FIG. 1,
a malware-like agent can be embedded as security protection into
all VMs in a network. As such, at least one embodiment of the
invention can include utilizing malware techniques when virtual
machines images are first readied or virtual machines are first
instantiated. The malware-type agents are typically installed by
the creator of the first virtual machine instance or image. The
malware-type agent takes active action against tampering (for
example, by checking hash of its executable at random points during
its execution). Each agent generates a unique identifier (ID)
associated with its host VM, and periodically (for example, at
random or pre-specified intervals), each agent sends said ID to the
customer's server which ensures that no other VM with the same said
ID is concurrently running.
[0013] As additionally detailed herein, the agents can query a
central server or form a peer-to-peer network to query an
identifier.
[0014] By way of example, an agent can query a central server
and/or peer-to-peer network to determine if any entity therein has
a copy of a similar ID. Accordingly, if an agent is running on a
cloned VM, and if a copy of the relevant ID is located/determined,
remedial action will be taken. By way of example, in at least one
embodiment of the invention, the agent on the cloned VM will
self-destruct its host VM.
[0015] FIG. 1 is a block diagram illustrating an example
embodiment, according to an aspect of the invention. By way of
illustration, FIG. 1 depicts a cloud environment 102, which
includes an original VM 108 with a corresponding agent component
110 and a cloned VM 104 with a corresponding agent component 106.
As noted herein, the agent components 110 and 106 are run like or
akin to malware. FIG. 1 additionally depicts a server 112, which
can include a central server and/or a peer-to-peer network, as
detailed herein.
[0016] As also illustrated in FIG. 1, if agent 110 identifies
itself (via a unique ID associated with host VM 108) to the server
112, the server 112 determines and/or acknowledges that there are
no other concurrently running VMs with this particular ID. However,
if agent 106 identifies itself (via the ID associated with cloned
VM 104) to the server 112, the server 112 determines and/or
acknowledges that a VM with this ID (namely, VM 108) already exists
and/or is concurrently running, and accordingly, the server 112
generates and alarm and/or initiate one or more remedial actions.
For example, the server 112 can have/maintain an authenticated list
of IDs that can be utilized for this determination and/or
comparison.
[0017] In an example embodiment of the invention, a system
administrator of the cloud 102 can terminate an agent of a cloned
VM 104 upon detection. Alternatively, the system administrator of
the cloud 102 can block the network with respect to the cloned VM
104 upon detection.
[0018] Also, at least one embodiment of the invention can be
implemented with a peer-to-peer network. In such a context, an
agent can search for other VMs on the same subnet and use those VMs
as relays. By way of illustration, consider that the agent on the
unauthorized VM wants to communicate with the server; however, the
administrator of the VM may have disabled communication with that
server directly from this VM. Therefore, the VM would attempt to
discover a network path using other VMs or servers. One method to
potentially accomplish this is to develop a peer-to-peer network
via various VMs in the same and/or different networks in which the
first VM resides. Consider, for example, three VMs: V1, V2, and V3.
V1 is unauthorized. V2 and V3 are connected to V1. V1 tries to
communicate with V2 and V3 so that it (that is, V1) can authorize
itself with the server. Either V2 or V3, based on the peer-to-peer
protocol, would forward its packets to the server.
[0019] In another method, V2 or V3 would determine whether V1 is
authorized or not; V2 and V3 would act as the authorization points
and send the information to the server if they need to or have
access to do so.
[0020] In connection with a peer-to-peer network context, at least
one embodiment of the invention can include community detection. In
a system that is not controlled by an attacker (that is, an
intending cloner), for example, the server 112 can be replaced one
or more VMs (detecting peers). Accordingly, a peer-to-peer network
is formed and/or utilized to identify a malicious/intending cloner
and inform that VM (that is, the VM cloned by the cloner) to
self-destruct.
[0021] Additionally, in at least one embodiment of the invention, a
peer-to-peer network can exist in conjunction with a central server
(such as server 112), and a cloned VM (for example, VM 104), upon
detection, is blocked from communicating with its agent (for
example, agent 106), but the peer-to-peer network is probed and
another VM is identified with whom the agent can communicate. To
guard against tampering of malware-type agents, the probing agent
may contact several agents and take a majority vote. For example, a
conservative configuration for a malware-type agent will
self-destruct a VM if it cannot contact a central server.
[0022] Also, in at least one embodiment of the invention, once it
is suspected that there is at least one unauthorized cloned VM, the
server and/or detecting peer queries the suspected VM to prove its
unique identity. If the suspected VM ultimately proves to in fact
be a cloned VM, the system administrator of the cloud can terminate
the agent of the cloned VM or the system administrator can block
the network with respect to that agent and VM (as detailed above).
In a peer-to-peer network context, the agent of the cloned VM can,
as noted above, search for other VMs on the same subnet and use the
other VMs as relays. Additionally, the agent of the cloned VM can
self-destruct its host VM.
[0023] In accordance with at least one embodiment of the invention,
an agent is created when a VM (that is, the agent's host VM) is
cloned, and the agent is active after each instantiation of the
virtual machine image. The agent records all actions/operations
by/on the VM until it is determined that the host VM is a clone. As
described herein, such a determination can be made based upon
utilization of the unique ID associated with each VM. Upon this
determination, the agent destroys all of the records of logs to
remove the trace of its existence.
[0024] The agent stops running and/or self-destructs its host VM as
soon as it contacts the server and/or detecting peer VM in a
peer-to-peer network and verifies that a VM instance is a clone.
The agent may also self-destruct a VM or take any other remedial
action if it (that is, the agent) is unable to reach the server
and/or detecting peer VMs. In at least one embodiment of the
invention, the agent additionally sends all logs and configuration
information to the server and/or detecting peer VM. The frequency
of attempting to contact the server or the peer-to-peer network
(for the agent) can be generated by a pseudo-random process, and
the frequency can change as the processing stage of an agent
evolves.
[0025] Accordingly, agent processing stages can include the
following. Initially, the agent runs on a host VM in user-land (as
a non-kernel process). If the agent cannot contact the server
and/or detecting peer VM in a peer-to-peer network, the agent runs
in an operating system (OS) layer. Alternatively, if the agent
cannot contact the server and/or detecting peer VM, the agent runs
in privileged mode. Further, in at least one embodiment of the
invention, if the agent cannot contact the server and/or detecting
peer VM, the agent locks down the VM (for example, by invoking the
screen save lock feature) and/or destroys it (that is,
self-destructs).
[0026] Once the VM is unlocked (for example, by a key or via action
by the system administrator), the agent wakes up/re-activates and
sends the logs and configuration information to the server.
Accordingly, the server may act as a command-control center with
the agent as a bot.
[0027] As detailed herein, an aspect of the invention includes
initiating and/or executing one or more remedial actions. Such
remedial actions can include, for example, self-destruction of an
agent or host VM, or automatic or manual shutdown of a VM. Further,
remedial actions can also include providing a notification (for
example, via email) from a central server to a system administrator
of the provider to block or black-list a particular user.
Additionally, a notification (for example, via email) can be
provided from the (malware) agent to a user to block or avoid a
particular user or VM.
[0028] FIG. 2 is a flow diagram illustrating techniques for
detecting a cloned virtual machine instance, according to an
embodiment of the present invention. Step 202 includes transmitting
an identifier associated a virtual machine from an agent embedded
in the virtual machine akin to a malware to a detection entity in a
network. The transmitting can be done, for example, at a random
frequency, at a pre-specified interval, and/or at a frequency that
corresponds to mode of the agent. As detailed herein, the agent
utilizes at least one malware technique.
[0029] Step 204 includes determining whether the identifier is a
unique identifier or whether the identifier is a clone of an
identifier associated with a separate virtual machine in the
network. The determining step can include utilizing an
authenticated list of identifiers for comparison with the
transmitted identifier. Also, as described herein, the detection
entity can include a central server or one or more detecting peer
virtual machines in a peer-to-peer network.
[0030] Step 206 includes initiating at least one remedial action
with the agent embedded in the virtual machine if the identifier is
determined to be a clone of an identifier associated with a
separate virtual machine in the network. Remedial actions can
include self-destruction of by the agent, as well as automatic or
manual shutdown of the virtual machine associated with the cloned
identifier (for example by wiping out the virtual machine disk) if
the agent cannot reach the network within a pre-determined amount
of time. Further, in at least one embodiment of the invention,
remedial actions can additionally include providing a notification
to a system administrator of a provider or original owner of
virtual machine to block the virtual machine associated with the
cloned identifier, and/or providing a notification to a user to
block the virtual machine associated with the cloned
identifier.
[0031] The techniques depicted in FIG. 2 can additionally include
embedding an agent into each virtual machine in the network, as
well as generating a unique identifier for each virtual machine in
the network.
[0032] Additionally, in at least one embodiment of the invention,
the detection entity includes a central server and/or a
peer-to-peer network. Such an embodiment can also include blocking
the virtual machine associated with the cloned identifier from
communicating with its agent, and probing the peer-to-peer network
to identify another virtual machine in the network with whom the
agent can communicate.
[0033] The techniques depicted in FIG. 2 can also, as described
herein, include providing a system, wherein the system includes
distinct software modules, each of the distinct software modules
being embodied on a tangible computer-readable recordable storage
medium. All of the modules (or any subset thereof) can be on the
same medium, or each can be on a different medium, for example. The
modules can include any or all of the components shown in the
figures and/or described herein. In an aspect of the invention, the
modules can run, for example, on a hardware processor. The method
steps can then be carried out using the distinct software modules
of the system, as described above, executing on a hardware
processor. Further, a computer program product can include a
tangible computer-readable recordable storage medium with code
adapted to be executed to carry out at least one method step
described herein, including the provision of the system with the
distinct software modules.
[0034] Additionally, the techniques depicted in FIG. 2 can be
implemented via a computer program product that can include
computer useable program code that is stored in a computer readable
storage medium in a data processing system, and wherein the
computer useable program code was downloaded over a network from a
remote data processing system. Also, in an aspect of the invention,
the computer program product can include computer useable program
code that is stored in a computer readable storage medium in a
server data processing system, and wherein the computer useable
program code is downloaded over a network to a remote data
processing system for use in a computer readable storage medium
with the remote system.
[0035] As will be appreciated by one skilled in the art, aspects of
the present invention may be embodied as a system, method or
computer program product. Accordingly, aspects of the present
invention may take the form of an entirely hardware embodiment, an
entirely software embodiment (including firmware, resident
software, micro-code, etc.) or an embodiment combining software and
hardware aspects that may all generally be referred to herein as a
"circuit," "module" or "system." Furthermore, aspects of the
present invention may take the form of a computer program product
embodied in a computer readable medium having computer readable
program code embodied thereon.
[0036] An aspect of the invention or elements thereof can be
implemented in the form of an apparatus including a memory and at
least one processor that is coupled to the memory and operative to
perform exemplary method steps.
[0037] Additionally, an aspect of the present invention can make
use of software running on a general purpose computer or
workstation. With reference to FIG. 3, such an implementation might
employ, for example, a processor 302, a memory 304, and an
input/output interface formed, for example, by a display 306 and a
keyboard 308. The term "processor" as used herein is intended to
include any processing device, such as, for example, one that
includes a CPU (central processing unit) and/or other forms of
processing circuitry. Further, the term "processor" may refer to
more than one individual processor. The term "memory" is intended
to include memory associated with a processor or CPU, such as, for
example, RAM (random access memory), ROM (read only memory), a
fixed memory device (for example, hard drive), a removable memory
device (for example, diskette), a flash memory and the like. In
addition, the phrase "input/output interface" as used herein, is
intended to include, for example, a mechanism for inputting data to
the processing unit (for example, mouse), and a mechanism for
providing results associated with the processing unit (for example,
printer). The processor 302, memory 304, and input/output interface
such as display 306 and keyboard 308 can be interconnected, for
example, via bus 310 as part of a data processing unit 312.
Suitable interconnections, for example via bus 310, can also be
provided to a network interface 314, such as a network card, which
can be provided to interface with a computer network, and to a
media interface 316, such as a diskette or CD-ROM drive, which can
be provided to interface with media 318.
[0038] Accordingly, computer software including instructions or
code for performing the methodologies of the invention, as
described herein, may be stored in associated memory devices (for
example, ROM, fixed or removable memory) and, when ready to be
utilized, loaded in part or in whole (for example, into RAM) and
implemented by a CPU. Such software could include, but is not
limited to, firmware, resident software, microcode, and the
like.
[0039] A data processing system suitable for storing and/or
executing program code will include at least one processor 302
coupled directly or indirectly to memory elements 304 through a
system bus 310. The memory elements can include local memory
employed during actual implementation of the program code, bulk
storage, and cache memories which provide temporary storage of at
least some program code in order to reduce the number of times code
must be retrieved from bulk storage during implementation.
[0040] Input/output or I/O devices (including but not limited to
keyboards 308, displays 306, pointing devices, and the like) can be
coupled to the system either directly (such as via bus 310) or
through intervening I/O controllers (omitted for clarity).
[0041] Network adapters such as network interface 314 may also be
coupled to the system to enable the data processing system to
become coupled to other data processing systems or remote printers
or storage devices through intervening private or public networks.
Modems, cable modem and Ethernet cards are just a few of the
currently available types of network adapters.
[0042] As used herein, including the claims, a "server" includes a
physical data processing system (for example, system 312 as shown
in FIG. 3) running a server program. It will be understood that
such a physical server may or may not include a display and
keyboard.
[0043] As noted, aspects of the present invention may take the form
of a computer program product embodied in a computer readable
medium having computer readable program code embodied thereon.
Also, any combination of computer readable media may be utilized.
The computer readable medium may be a computer readable signal
medium or a computer readable storage medium. A computer readable
storage medium may be, for example, but not limited to, an
electronic, magnetic, optical, electromagnetic, infrared, or
semiconductor system, apparatus, or device, or any suitable
combination of the foregoing. More specific examples (a
non-exhaustive list) of the computer readable storage medium would
include the following: an electrical connection having one or more
wires, a portable computer diskette, a hard disk, a random access
memory (RAM), a read-only memory (ROM), an erasable programmable
read-only memory (EPROM or Flash memory), an optical fiber, a
portable compact disc read-only memory (CD-ROM), an optical storage
device, a magnetic storage device, or any suitable combination of
the foregoing. In the context of this document, a computer readable
storage medium may be any tangible medium that can contain, or
store a program for use by or in connection with an instruction
execution system, apparatus, or device.
[0044] A computer readable signal medium may include a propagated
data signal with computer readable program code embodied therein,
for example, in baseband or as part of a carrier wave. Such a
propagated signal may take any of a variety of forms, including,
but not limited to, electro-magnetic, optical, or any suitable
combination thereof. A computer readable signal medium may be any
computer readable medium that is not a computer readable storage
medium and that can communicate, propagate, or transport a program
for use by or in connection with an instruction execution system,
apparatus, or device.
[0045] Program code embodied on a computer readable medium may be
transmitted using an appropriate medium, including but not limited
to wireless, wireline, optical fiber cable, RF, etc., or any
suitable combination of the foregoing.
[0046] Computer program code for carrying out operations for
aspects of the present invention may be written in any combination
of at least one programming language, including an object oriented
programming language such as Java, Smalltalk, C++ or the like and
conventional procedural programming languages, such as the "C"
programming language or similar programming languages. The program
code may execute entirely on the user's computer, partly on the
user's computer, as a stand-alone software package, partly on the
user's computer and partly on a remote computer or entirely on the
remote computer or server. In the latter scenario, the remote
computer may be connected to the user's computer through any type
of network, including a local area network (LAN) or a wide area
network (WAN), or the connection may be made to an external
computer (for example, through the Internet using an Internet
Service Provider).
[0047] Aspects of the present invention are described herein with
reference to flowchart illustrations and/or block diagrams of
methods, apparatus (systems) and computer program products
according to embodiments of the invention. It will be understood
that each block of the flowchart illustrations and/or block
diagrams, and combinations of blocks in the flowchart illustrations
and/or block diagrams, can be implemented by computer program
instructions. These computer program instructions may be provided
to a processor of a general purpose computer, special purpose
computer, or other programmable data processing apparatus to
produce a machine, such that the instructions, which execute via
the processor of the computer or other programmable data processing
apparatus, create means for implementing the functions/acts
specified in the flowchart and/or block diagram block or
blocks.
[0048] These computer program instructions may also be stored in a
computer readable medium that can direct a computer, other
programmable data processing apparatus, or other devices to
function in a particular manner, such that the instructions stored
in the computer readable medium produce an article of manufacture
including instructions which implement the function/act specified
in the flowchart and/or block diagram block or blocks. Accordingly,
an aspect of the invention includes an article of manufacture
tangibly embodying computer readable instructions which, when
implemented, cause a computer to carry out a plurality of method
steps as described herein.
[0049] The computer program instructions may also be loaded onto a
computer, other programmable data processing apparatus, or other
devices to cause a series of operational steps to be performed on
the computer, other programmable apparatus or other devices to
produce a computer implemented process such that the instructions
which execute on the computer or other programmable apparatus
provide processes for implementing the functions/acts specified in
the flowchart and/or block diagram block or blocks.
[0050] The flowchart and block diagrams in the figures illustrate
the architecture, functionality, and operation of possible
implementations of systems, methods and computer program products
according to various embodiments of the present invention. In this
regard, each block in the flowchart or block diagrams may represent
a module, component, segment, or portion of code, which comprises
at least one executable instruction for implementing the specified
logical function(s). It should also be noted that, in some
alternative implementations, the functions noted in the block may
occur out of the order noted in the figures. For example, two
blocks shown in succession may, in fact, be executed substantially
concurrently, or the blocks may sometimes be executed in the
reverse order, depending upon the functionality involved. It will
also be noted that each block of the block diagrams and/or
flowchart illustration, and combinations of blocks in the block
diagrams and/or flowchart illustration, can be implemented by
special purpose hardware-based systems that perform the specified
functions or acts, or combinations of special purpose hardware and
computer instructions.
[0051] It should be noted that any of the methods described herein
can include an additional step of providing a system comprising
distinct software modules embodied on a computer readable storage
medium; the modules can include, for example, any or all of the
components detailed herein. The method steps can then be carried
out using the distinct software modules and/or sub-modules of the
system, as described above, executing on a hardware processor 302.
Further, a computer program product can include a computer-readable
storage medium with code adapted to be implemented to carry out at
least one method step described herein, including the provision of
the system with the distinct software modules.
[0052] In any case, it should be understood that the components
illustrated herein may be implemented in various forms of hardware,
software, or combinations thereof, for example, application
specific integrated circuit(s) (ASICS), functional circuitry, an
appropriately programmed general purpose digital computer with
associated memory, and the like. Given the teachings of the
invention provided herein, one of ordinary skill in the related art
will be able to contemplate other implementations of the components
of the invention.
[0053] The terminology used herein is for the purpose of describing
particular embodiments only and is not intended to be limiting of
the invention. As used herein, the singular forms "a," "an" and
"the" are intended to include the plural forms as well, unless the
context clearly indicates otherwise. It will be further understood
that the terms "comprises" and/or "comprising," when used in this
specification, specify the presence of stated features, integers,
steps, operations, elements, and/or components, but do not preclude
the presence or addition of another feature, integer, step,
operation, element, component, and/or group thereof.
[0054] The corresponding structures, materials, acts, and
equivalents of all means or step plus function elements in the
claims below are intended to include any structure, material, or
act for performing the function in combination with other claimed
elements as specifically claimed.
[0055] At least one aspect of the present invention may provide a
beneficial effect such as, for example, establishing channels of
communication from an untrusted environment to a trusted
server/peer and communicating with the trusted server/peer to
establish its genuineness.
[0056] The descriptions of the various embodiments of the present
invention have been presented for purposes of illustration, but are
not intended to be exhaustive or limited to the embodiments
disclosed. Many modifications and variations will be apparent to
those of ordinary skill in the art without departing from the scope
and spirit of the described embodiments. The terminology used
herein was chosen to best explain the principles of the
embodiments, the practical application or technical improvement
over technologies found in the marketplace, or to enable others of
ordinary skill in the art to understand the embodiments disclosed
herein.
* * * * *