| Patent application number | Description | Published |
|---|---|---|
20130054895 | COOPERATIVE MEMORY RESOURCE MANAGEMENT FOR VIRTUALIZED COMPUTING DEVICES - A computing device employs a cooperative memory management technique to dynamically balance memory resources between host and guest systems running therein. According to this cooperative memory management technique, memory that is allocated to the guest system is dynamically adjusted up and down according to a fairness policy that takes into account various factors including the relative amount of readily freeable memory resources in the host and guest systems and the relative amount of memory allocated to hidden applications in the host and guest systems. | 02-28-2013 |
20130054922 | COOPERATIVE MEMORY RESOURCE MANAGEMENT FOR VIRTUALIZED COMPUTING DEVICES - A computing device employs a cooperative memory management technique to dynamically balance memory resources between host and guest systems running therein. According to this cooperative memory management technique, memory that is allocated to the guest system is dynamically adjusted up and down according to a fairness policy that takes into account various factors including the relative amount of readily freeable memory resources in the host and guest systems and the relative amount of memory allocated to hidden applications in the host and guest systems. | 02-28-2013 |
20130117742 | SHARING WORK ENVIRONMENT INFORMATION SOURCES WITH PERSONAL ENVIRONMENT APPLICATIONS - One or more embodiments of the invention enable an application running in a personal environment of a mobile device to access an information source registered with a guest operating system (OS) of a work environment. The personal environment is a host OS of the mobile device and the work environment is running in a virtual machine supported by a hypervisor running within the personal environment. A hypervisor-aware service in the virtual machine provides registration information for the information source to the hypervisor. The hypervisor updates the registration information to include a reference to the hypervisor and transmits the updated registration information to the host OS which registers the information source. Upon a request by the application for information from the information source, the hypervisor-aware service receives a request from the hypervisor to access the information source and provides access to the information source for the application through the hypervisor. | 05-09-2013 |
20130130651 | PROVISIONING WORK ENVIRONMENTS ON PERSONAL MOBILE DEVICES - A virtual business mobile device can be provisioned on a personal mobile device, by binding a mobile application for provisioning the business mobile device to a privileged component of a host operating system of the personal mobile device, wherein the binding enables a hypervisor component and a management service component of the mobile application to execute in a privileged mode. The mobile application is then able to download a virtual phone image for the business mobile device and security-related policy settings relating to use of the business mobile device from a mobile management server, wherein the hypervisor component is able to launch a virtual machine for the business mobile device based on the virtual phone image. Once the virtual phone image has been downloaded, the management service component initiates a periodic attempt to establish a connection with the mobile management server to comply with the downloaded security-related policy settings. | 05-23-2013 |
20130130652 | CONTROLLING USE OF A BUSINESS ENVIRONMENT ON A MOBILE DEVICE - A business environment on a mobile device can be controlled by an enterprise server by receiving identifying information transmitted from a mobile device, wherein the identifying information identifies a user of the mobile device to the enterprise server. A virtual phone template is transmitted to the mobile device, wherein the virtual phone template (i) corresponds to the identifying information, and (ii) is configured to provide the business environment on the mobile device as a virtual machine running on a hypervisor installed on top of a host operating system of the mobile device. The enterprise server then receives a periodic transmission from the mobile device to indicate that the mobile device remains in periodic communication with the enterprise server. | 05-23-2013 |
20130130653 | USER INTERFACE FOR CONTROLLING USE OF A BUSINESS ENVIRONMENT ON A MOBILE DEVICE - A graphical user interface to provision business environments on mobile devices presents a navigation panel that displays a virtual phone template menu item and a policy setting menu item. Upon selection of the virtual phone template menu item, a template user interface is presented that enables an administrator to customize virtual phone image templates for users to be delivered to mobile devices that are configured to run the virtual phone image templates as virtual machines on the mobile devices in order to provide a business environment. Upon selection of the policy setting menu item, a policy user interface is presented that enables the administrator to set security policies, wherein each of the security policies specifies a time interval within which a mobile device running a virtual machine corresponding to one of the virtual phone image templates should communicate with an enterprise server to comply with the security policy. | 05-23-2013 |
20130133061 | METHOD AND SYSTEM FOR VPN ISOLATION USING NETWORK NAMESPACES - One embodiment of the present invention provides a system for providing exclusive access to a virtual private network (VPN) connection to an authorized application. During operation, the system creates a unique network namespace that is different from a default network namespace of a host system. The system then places a pseudo network interface associated with the VPN connection into the unique network namespace. Furthermore, the system places at least one socket for an authorized application into the unique network namespace. The system also precludes unauthorized applications on the host from accessing the unique network namespace, thereby facilitating exclusive access to the VPN connection by the authorized application. | 05-23-2013 |
20130145073 | MEMORY DEFRAGMENTATION IN A HOSTED HYPERVISOR - Machine memory fragmentation in a computer system having a host operating system and virtual machine running on a hypervisor hosted by the host operating system is reduced by having the hypervisor identify and release those machine memory pages that are more likely than others to reduce the fragmented state of the host machine memory. | 06-06-2013 |
20130145144 | SWITCHING BETWEEN MOBILE USER INTERFACES FOR PERSONAL AND WORK ENVIRONMENTS - One or more embodiments of the invention facilitate switching between a host environment of a mobile device and a guest environment of the mobile device. One method comprises configuring the host environment to launch a user interface (UI) proxy application upon receiving an indication by a user on a user interface (UI) of the mobile device of a desire to switch from the host environment to the guest environment. Upon a launch of the UI proxy application as a result of receiving the indication, the UI proxy application initiates a request to wake up the guest environment and facilitates access by a hardware framebuffer of the mobile device to contents of a memory buffer that is updated with display data for the guest environment as a result of the waking up of the guest environment. | 06-06-2013 |
20130145278 | UNIFIED NOTIFICATION BAR BETWEEN VIRTUAL MOBILE DEVICE AND PHYSICAL MOBILE DEVICE - One or more embodiments of the invention display alerts provided by applications of a guest environment in a notification bar controlled by a host operating system (OS) in a host environment of a mobile device, wherein the guest environment is running in a virtual machine supported by a hypervisor running within the host environment. A hypervisor-aware service in the virtual machine registers with a guest OS to be notified when applications request presentation of alerts in a notification bar controlled by the guest OS. Upon receipt of a notification by the guest OS of an application requesting presentation of an alert in the notification bar controlled by the guest OS, the hypervisor-aware service forwards the notification to the hypervisor and the hypervisor transmits a corresponding request to a notification management component of the host OS to present the alert on the notification bar controlled by the host OS. | 06-06-2013 |
20130145366 | DISPLAYING APPLICATIONS OF A VIRTUAL MOBILE DEVICE IN A USER INTERFACE OF A MOBILE DEVICE - One or more embodiments of the invention facilitate displaying application icons of a guest environment in a host environment of a mobile device, wherein the guest environment is running in a virtual machine supported by a hypervisor running within the host environment. One method comprises forwarding, by a hypervisor-aware service running in the virtual machine to the hypervisor, a list of applications installed in a guest operating system (OS) of the virtual machine. For each of the installed applications, the hypervisor provides metadata to a host OS running in the host environment, wherein the metadata comprises an application icon and an instruction to launch a proxy application installed in the host environment. Upon a launch of the proxy application when a user selects the application icon, the proxy application requests the hypervisor to communicate with the hypervisor-aware service to launch the installed application in the guest environment. | 06-06-2013 |
20130145448 | LOCK SCREENS TO ACCESS WORK ENVIRONMENTS ON A PERSONAL MOBILE DEVICE - One or more embodiments of the invention provide access to a work environment in a mobile device from a lock screen presented by a personal environment of the mobile device, wherein the work environment is running in a virtual machine supported by a hypervisor running within the personal environment and wherein the personal environment is a host operating system (OS) of the mobile device. The host OS receives an authentication credential from a user in response to a presentation of the lock screen on a user interface (UI) of the mobile device and then determines whether the authentication credential is valid for the personal environment or the work environment. If the authentication credential is valid for the personal environment, access is enabled only to the personal environment. If the authentication credential is valid for the work environment, access is enabled to both the personal environment and the work environment. | 06-06-2013 |
20130185480 | STORAGE BALLOONING - One embodiment of the present invention provides a system for managing storage space in a mobile device. During operation, the system detects a decrease in available disk space in a host file system, wherein an image file for a guest system is stored in the host file system. In response to the detected decrease, the system increases a size of a balloon file in a storage of a guest system. The system then receives an indication of a TRIM or discard communication and intercepts the TRIM or discard communication. Next, the system determines that at least one block is free based on the intercepted TRIM or discard communication. Subsequently, the system frees a physical block corresponding to the at least one block in a storage of the host system and reduces a size of the image file for the guest system in accordance with the intercepted TRIM or discard communication. | 07-18-2013 |
20130185720 | USER-MODE SYSTEM-LEVEL MOBILE VIRTUALIZATION - One embodiment of the present invention provides a system that facilitates user-mode system-level virtualization in a mobile device. During operation, a hypervisor intercepts a virtual machine's attempt to access a privileged resource. The hypervisor manages the virtual machine and runs on a host system in a user mode. Furthermore, the hypervisor emulates the privileged resource using a user-mode system call provided by the host system. In addition, the hypervisor provides access to the emulated privileged resource to the virtual machine, thereby allowing the virtual machine to operate with the emulated privileged resource without directly accessing actual privileged resources on the host system. | 07-18-2013 |
20140059525 | METHOD AND SYSTEM FOR FACILITATING REPLACEMENT OF SYSTEM CALLS - One embodiment of the present invention provides a system for facilitating replacement of a system call in an application with a customized function call. During operation, the system re-links the application's executable file with additional code or dynamically injects the additional code into the application's executable file during run time. The additional code can change a pointer in a table which indicates addresses of imported functions so that the pointer indicates an address of the customized function call. | 02-27-2014 |
20140059573 | METHOD AND SYSTEM FOR IDENTIFYING AND REPLACING SYSTEM CALLS - One embodiment of the system disclosed herein facilitates identifying a system call in an application and replacing the identified system call with a customized function call. During operation, the system executes an executable file of the application, wherein the executable file has been modified to execute a hooking and injection manager at run time. Prior to executing the system call, the system executes the hooking and injection manager. While executing the hooking and injection manager, the system determines, from a symbol table, a symbol table index value corresponding to a symbol associated with the system call. The system further determines an import table entry storing a pointer to the system call based on the symbol table index value, and changes the pointer in the import table entry so that the pointer indicates an address of the customized function call. | 02-27-2014 |
20140059642 | METHOD AND SYSTEM FOR FACILITATING ISOLATED WORKSPACE FOR APPLICATIONS - A system maintains a workspace environment of enterprise applications on a mobile device. The system receives enterprise applications for installation on the mobile device, wherein functionality has been inserted into binary executables of the enterprise applications to force the enterprise applications to communicate with an application management agent to obtain a security policy including a validity time period value related to keeping the workspace valid. The application management agent provides cryptographic keys to the enterprise applications to share encrypted messages. Upon launching, an enterprise application stores a workspace expiration time value as an encrypted message. The workspace expiration time value is extended if the user continues its use or, by another enterprise application, if the other enterprise application is launched by the user before an expiration of the expiration time value. The application management agent requests authentication credentials from the user if the workspace expiration time value expires. | 02-27-2014 |
20150033324 | METHOD AND SYSTEM FOR VPN ISOLATION USING NETWORK NAMESPACES - One embodiment of the present invention provides a system for providing exclusive access to a virtual private network (VPN) connection to an authorized application. During operation, the system creates a unique network namespace that is different from a default network namespace of a host system. The system then places a pseudo network interface associated with the VPN connection into the unique network namespace. Furthermore, the system places at least one socket for an authorized application into the unique network namespace. The system also precludes unauthorized applications on the host from accessing the unique network namespace, thereby facilitating exclusive access to the VPN connection by the authorized application. | 01-29-2015 |