Browse Prior Art Database

System and method of identifying a hypervisor configuration using exposed application programming interfaces to seed a results engine.

IP.com Disclosure Number: IPCOM000234597D
Publication Date: 2014-Jan-21
Document File: 7 page(s) / 271K

Publishing Venue

The IP.com Prior Art Database

Abstract

Included in the following article is a description of an assessment process for hypervisors. This process identifies a hypervisor configuration using exposed application programming interfaces to seed a results engine.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 29% of the total text.

Page 01 of 7

System and method of identifying a hypervisor configuration using exposed application programming interfaces to seed a results engine .

There is currently a strong need and desire to protect hypervisors from attacks. Unfortunately,

proprietary hypervisors don't typically give the necessary access to perform such evaluations. Assessing the security and compliance posture of a hypervisor has typically involved external network access to the hypervisor. In addition, elevated credentials are needed in order to get accurate information from the machine. This solution will provide security and compliance information by leveraging a Service Virtual Machine's access to configuration and management APIs. The information gathered in this manner can then be processed, and results generated, based on logic specific to a hypervisor and its environment. The task of assessing the security

posture of a hypervisor is challenging. External access to the hypervisor is typically restricted to a proprietary command and control channel. This means that the usual method of doing a remote scan is impossible unless the administrator opens remote network access to the host. With this method, that limitation is avoided by using a "Security Virtual Appliance", or SVM, to collect operating system and hypervisor specific information about the configuration and patch level of the host. Once collected, the SVM can compare the current state of the host against the entire set of collected data to make a decision about the vulnerability state of the machine against known threats.

This is a system which provides a method for collecting and assessing configuration and operating system application versions from a hypervisor host. This method is in contrast to the traditional means of gathering such information from a host using open services, such as ssh, in order to query the OS directly for information about installed patches or configuration details. The problem to be solved is one of restricted access to the hypervisor host. For instance, VMware* recommends putting the ESXi hypervisor host in lockdown mode for normal operations. With this mode enabled, it is difficult or impossible to collect information about the host operating system and hypervisor. Also, merely having a virtual machine hosted on the hypervisor gives no advantage to a machine that wishes to collect and analyze this data. This method is to utilize an API, such as the visdk available in the VMware ESX/ESXi hypervisor, to query the hypervisor for all available host configuration and patch information. This information is returned in an XML response using a REST API. The decision engine will be running in a guest Service Virtual Machine hosted on the hypervisor server that is intended to be assessed. This engine will take the response and construct a Hypervisor Results Data Structure containing all of the actionable data contained within the XML response. That data is then analyzed and matched agai...