US 11,954,217 B2
Securing privileged virtualized execution instances
Nimrod Stoler, Zoran (IL); and Lavi Lazarovitz, Petach-Tikva, IL (US)
Assigned to CyberArk Software Ltd., Petach-Tikva (IL)
Filed by CyberArk Software Ltd., Petach-Tikva (IL)
Filed on Nov. 17, 2020, as Appl. No. 16/950,006.
Application 16/950,006 is a continuation of application No. 16/837,625, filed on Apr. 1, 2020, granted, now 10,878,119.
Application 16/837,625 is a continuation in part of application No. 16/451,680, filed on Jun. 25, 2019, granted, now 10,735,430, issued on Aug. 4, 2020.
Application 16/451,680 is a continuation in part of application No. 16/390,542, filed on Apr. 22, 2019.
Prior Publication US 2021/0073406 A1, Mar. 11, 2021
Int. Cl. G06F 21/31 (2013.01); G06F 9/455 (2018.01); G06F 11/07 (2006.01); G06F 11/30 (2006.01); G06F 21/62 (2013.01)
CPC G06F 21/6218 (2013.01) [G06F 9/45558 (2013.01); G06F 11/0772 (2013.01); G06F 11/301 (2013.01); G06F 21/31 (2013.01); G06F 2009/45562 (2013.01); G06F 2009/45587 (2013.01); G06F 2009/45591 (2013.01); G06F 2009/45595 (2013.01)] 20 Claims
11. A computer-implemented method for identifying vulnerabilities for virtualized execution instances, the method comprising:
identifying a virtualized execution instance, before instantiation of the virtualized execution instance, wherein the virtualized execution instance is configured for instantiation in a virtual computing environment;
performing, before instantiation of the virtualized execution instance, a privileged configuration inspection for the virtualized execution instance, performing the privileged configuration inspection comprising:
obtaining one or more configuration parameters for the virtualized execution instance;
determining, based on the obtained one or more configuration parameters, that the virtualized execution instance is permitted to perform operations on a virtualized host environment beyond an environment of the virtualized execution instance, the determination comprising at least one of:
identifying whether a rights flag is set for the virtualized execution instance,
identifying whether a permission is granted for the virtualized execution instance, or
identifying whether secrets or credentials are included in, or accessible to, the virtualized execution instance; and
determining, based on the determination that the virtualized execution instance is permitted to perform operations on the virtualized host environment beyond the environment of the virtualized execution instance, that the virtualized execution instance presents a privilege vulnerability at least in part by determining that a criterion is satisfied by:
a one of the one or more configuration parameters,
a combination of the one or more configuration parameters, or
a score determined using the one or more configuration parameters; and
providing, based on the privileged configuration inspection, a notification associated with the privilege vulnerability or the virtualized execution instance.
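The inspection in claim 11 carried out on a container spec before it is instantiated, as an added example that is not the patent's own code. It assumes a Kubernetes-style pod manifest (a dict) as the source of configuration parameters; the weights, the threshold and the hostPID plus SYS_PTRACE combination are illustrative choices, not values from the patent.

```python
# Added example; assumes a Kubernetes-style pod manifest, illustrative weights/threshold.
import re

SECRET_NAME = re.compile(r"PASS(WORD)?|TOKEN|SECRET|API_?KEY|PRIVATE_?KEY", re.I)
HIGH_RISK_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "DAC_OVERRIDE"}
SCORE_THRESHOLD = 5  # illustrative cut-off for the score criterion


def inspect_privileged_config(pod):
    """Privileged configuration inspection before instantiation: findings, score, verdict."""
    spec = pod.get("spec", {})
    hits = []  # (flag, message, weight) for each configuration parameter of concern
    for v in spec.get("volumes", []):  # host filesystem reachable from the instance
        if "hostPath" in v:
            hits.append(("hostpath", f"hostPath volume {v['hostPath']['path']}", 2))
    for ns in ("hostPID", "hostNetwork", "hostIPC"):  # shared host namespaces
        if spec.get(ns):
            hits.append((ns, f"{ns} enabled", 2))
    for c in spec.get("containers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):  # the rights flag: sufficient on its own
            hits.append(("privileged", f"{c['name']}: privileged flag set", SCORE_THRESHOLD))
        for cap in sorted(HIGH_RISK_CAPS & set(sc.get("capabilities", {}).get("add", []))):
            hits.append((f"cap:{cap}", f"{c['name']}: adds CAP_{cap}", 2))  # granted permission
        for env in c.get("env", []):  # credentials embedded in the configuration itself
            if SECRET_NAME.search(env.get("name", "")) and "value" in env:
                hits.append(("secret", f"{c['name']}: literal credential in {env['name']}", 3))
    flags = {h[0] for h in hits}
    score = sum(h[2] for h in hits)
    # the claim's three criteria: one parameter, a combination of parameters, or a score
    single = "privileged" in flags
    combination = "hostPID" in flags and "cap:SYS_PTRACE" in flags
    vulnerable = single or combination or score >= SCORE_THRESHOLD
    return {"findings": [h[1] for h in hits], "score": score, "vulnerable": vulnerable}


def notify(pod, result):
    """The notification step: a message for a vulnerable spec, None otherwise."""
    if not result["vulnerable"]:
        return None
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    return f"privilege vulnerability in {name} (score {result['score']}): " + "; ".join(result["findings"])


SAMPLE_POD = {  # constructed manifest for demonstration, not from any real deployment
    "metadata": {"name": "debug-agent"},
    "spec": {"hostPID": True, "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
             "containers": [{"name": "agent",
                             "securityContext": {"capabilities": {"add": ["SYS_PTRACE"]}},
                             "env": [{"name": "DB_PASSWORD", "value": "constructed-value"}]}]},
}
```

Running `notify(SAMPLE_POD, inspect_privileged_config(SAMPLE_POD))` yields a score of 9 with four findings; a spec with only hostPID and CAP_SYS_PTRACE scores 4, below the threshold, yet is still flagged through the combination criterion.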