System and method for virtual partition monitoring

US 10,032,024 B2
Filed: 03/28/2016
Issued: 07/24/2018
Est. Priority Date: 06/08/2011
Status: Active Grant

First Claim

Patent Images

1. At least one non-transitory machine readable medium including code for execution that, when executed by one or more processors, is to:

use an access code to gain access to a monitored process in a virtual partition of a virtualized platform;

create a memory region within the monitored process;

insert an embedded component into the memory region;

send, to an external handler configured to operate externally to the virtual partition, an event notification indicating an event associated with the monitored process;

perform a first task communicated by the embedded component in the monitored process to suspend a first thread of the monitored process;

execute, by a second thread in the virtual partition, a second task to identify context information associated with the event;

send, from the virtual partition, the identified context information to be evaluated; and

take an action based, at least in part, on an evaluation of the identified context information.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is provided in one example embodiment that includes receiving in an external handler an event notification associated with an event in a virtual partition. A thread in the process in the virtual partition that caused the event can be parked. Other threads and processes may be allowed to resume while a security handler evaluates the event for potential threats. A helper agent within the virtual partition may be instructed to execute a task, such as collecting and assembling event context within the virtual partition, and results based on the task can be returned to the external handler. A policy action can be taken based on the results returned by the helper agent, which may include, for example, instructing the helper agent to terminate the process that caused the event.

Citations

24 Claims

1. At least one non-transitory machine readable medium including code for execution that, when executed by one or more processors, is to:
- use an access code to gain access to a monitored process in a virtual partition of a virtualized platform;
  
  create a memory region within the monitored process;
  
  insert an embedded component into the memory region;
  
  send, to an external handler configured to operate externally to the virtual partition, an event notification indicating an event associated with the monitored process;
  
  perform a first task communicated by the embedded component in the monitored process to suspend a first thread of the monitored process;
  
  execute, by a second thread in the virtual partition, a second task to identify context information associated with the event;
  
  send, from the virtual partition, the identified context information to be evaluated; and
  
  take an action based, at least in part, on an evaluation of the identified context information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The at least one non-transitory machine readable medium of claim 1, wherein the code, when executed by the one or more processors, is to:
    - create the embedded component within the monitored process by causing the monitored process to load the embedded component.
  - 3. The at least one non-transitory machine readable medium of claim 1, wherein the code, when executed by the one or more processors, is to:
    - create, by a helper agent in the virtual partition, one or more threads in the virtual partition to receive communications from the external handler.
  - 4. The at least one non-transitory machine readable medium of claim 1, wherein the code, when executed by the one or more processors, is to:
    - perform the first task responsive to receiving instructions from the external handler after the event notification is sent to the external handler.
  - 5. The at least one non-transitory machine readable medium of claim 1, wherein the code, when executed by the one or more processors, is to:
    - evaluate the event externally to the virtual partition to determine whether the event violates at least one of one or more security policies based on the identified context information; and
      
      responsive to the evaluation, provide an instruction to a helper agent in the virtual partition, the instruction indicating the action to be taken.
  - 6. The at least one non-transitory machine readable medium of claim 5, wherein, if it is determined that the event violates at least one of the one or more security policies, the action is to block the monitored process from further execution.
  - 7. The at least one non-transitory machine readable medium of claim 5, wherein, if it is determined that the event does not violate the one or more security policies, the action is to resume execution of the monitored process.
  - 8. The at least one non-transitory machine readable medium of claim 1, wherein the context information includes at least one of information about the monitored process, a type of action that triggered the event, a process that owned a specific memory region that was accessed by the monitored process, or details related to a file operation performed by the monitored process.
  - 9. The at least one non-transitory machine readable medium of claim 1, wherein the code, when executed by the one or more processors, is to:
    - receive, by a helper agent in the virtual partition, a request for the context information, the request sent to the helper agent in response to the event notification.
  - 10. The at least one non-transitory machine readable medium of claim 9, wherein the request is to enumerate all modules loaded within the monitored process.
  - 11. The at least one non-transitory machine readable medium of claim 1, wherein the virtual partition is a first virtualization guest of the virtualized platform, andwherein the external handler operates in a second virtualization guest in the virtualized platform, in a hypervisor of the virtualized platform, or in a virtualization host of the virtualized platform.
  - 12. The at least one non-transitory machine readable medium of claim 1, wherein the event notification is received by the external handler from a hypervisor extension in the virtualized platform.
  - 13. The at least one non-transitory machine readable medium of claim 1, wherein the code, when executed by the one or more processors, is to:
    - resume other processes in the virtual partition after suspending the first thread associated with the event.

14. An apparatus, comprising:
- one or more hardware processors;
  
  one or more virtual processors configured to execute in a virtual partition of a virtualized platform and to run on the one or more hardware processors;
  
  a helper agent to run on the one or more virtual processors to;
  
  use an access code to gain access to a monitored process in the virtual partition;
  
  create a memory region within the monitored process;
  
  insert an embedded component into the memory region;
  
  a security handler to operate externally to the virtual partition to receive an event notification indicating an event associated with the monitored process;
  
  a module to run on the one or more virtual processors to perform a first task communicated by the embedded component in the monitored process to suspend a first thread of the monitored process,wherein the helper agent is to run on the one or more virtual processors to further;
  
  cause execution of a second task by a second thread in the virtual partition, the second task to identify context information associated with the event;
  
  send, from the virtual partition, the identified context information to be evaluated; and
  
  take an action based, at least in part, on an evaluation of the identified context information.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The apparatus of claim 14, wherein the event is evaluated externally to the virtual partition to determine whether the event violates at least one of one or more security policies based on the identified context information, andwherein, responsive to the evaluation, an instruction indicating the action to be taken is provided to the helper agent.
  - 16. The apparatus of claim 14, wherein the helper agent is to run on the one or more virtual processors to further:
    - receive a request for the context information, the request sent to the helper agent in response to the event notification.
  - 17. The apparatus of claim 14, wherein the request is to enumerate all modules loaded within the monitored process.
  - 18. The apparatus of claim 14, wherein the helper agent is to run on the one or more virtual processors to further:
    - create one or more threads in the virtual partition to receive communications from the external handler.
  - 19. The apparatus of claim 14, wherein the helper agent is to run on the one or more virtual processors to further:
    - perform the first task responsive to receiving instructions from the external handler, wherein the instructions are received after the event notification is sent to the external handler.
  - 20. The apparatus of claim 14, wherein, if a determination is made that the event violates at least one of one or more security policies, the action is to block the monitored process from further execution.

21. A method, comprising:
- creating a memory region within a monitored process in a virtual partition of a virtualized platform, wherein the memory region is created by a helper agent in the virtual partition using an access code to gain access to the monitored process;
  
  inserting an embedded component into the memory region;
  
  sending, to an external handler configured to operate externally to the virtual partition, an event notification indicating an event associated with the monitored process;
  
  performing a first task communicated by the embedded component in the monitored process to suspend a first thread of the monitored process;
  
  executing, by a second thread in the virtual partition, a second task to identify context information associated with the event;
  
  sending, from the virtual partition, the identified context information to be evaluated; and
  
  taking an action based, at least in part, on an evaluation of the identified context information.
- View Dependent Claims (22, 23, 24)
- - 22. The method of claim 21, further comprising:
    - receiving, by the helper agent in the virtual partition, a request for the context information, the request sent to the helper agent in response to the event notification.
  - 23. The method of claim 22, wherein the request is to enumerate all modules loaded within the monitored process.
  - 24. The method of claim 21, further comprising:
    - receiving, by the helper agent, a request for the context information, wherein the request is to enumerate all modules loaded within the monitored process.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, LLC
Inventors
Dalcher, Gregory W., Edwards, Jonathan L.
Primary Examiner(s)
Parsons, Theodore C
Assistant Examiner(s)
De Jesus Lassala, Carlos M

Application Number

US15/082,060
Publication Number

US 20160224792A1
Time in Patent Office

848 Days
Field of Search
US Class Current
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 2009/45591   Monitoring or debugging sup...

G06F 21/53   by executing in a restricte...

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/577   Assessing vulnerabilities a...

G06F 21/6218   to a system of files or obj...

G06F 9/45558   Hypervisor-specific managem...

System and method for virtual partition monitoring

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for virtual partition monitoring

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links