System and method of threat detection under hypervisor control

US 10,033,759 B1
Filed: 06/29/2016
Issued: 07/24/2018
Est. Priority Date: 09/28/2015
Status: Active Grant

First Claim

Patent Images

1. A computing device comprising:

one or more hardware processors; and

a memory coupled to the one or more processors, the memory comprises software that, when executed by the one or more hardware processors, operates as (i) a virtual machine including a guest kernel that facilitates communications between a guest application being processed within the virtual machine and one or more resources and (ii) a hypervisor configured to intercept a system call issued from the guest application,wherein the hypervisor is configured to signal logic within the guest kernel to analyze information associated with the intercepted system call to determine whether the intercepted system call is associated with a malicious attack in response to the intercepted system call occurring during a first operating state,wherein the hypervisor is further configured to obfuscate interception of the system call in response to the intercepted system call being issued during a second operating state,wherein the first operating state is a first guest cycle and the second operating state is a second guest cycle.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computing device is described that comprises one or more hardware processors and a memory communicatively coupled to the one or more hardware processors. The memory comprises software that, when executed by the processors, operates as (i) a virtual machine and (ii) a hypervisor. The virtual machine includes a guest kernel that facilitates communications between a guest application being processed within the virtual machine and one or more virtual resources. The hypervisor configures a portion of the guest kernel to intercept a system call from the guest application and redirect information associated with the system call to the hypervisor. The hypervisor enables logic within the guest kernel to analyze information associated with the system call to determine whether the system call is associated with a malicious attack in response to the system call being initiated during a memory page execution cycle. Alternatively, the hypervisor operates to obfuscate interception of the system call in response to the system call being initiated during memory page read cycle.

512 Citations

20 Claims

1. A computing device comprising:
- one or more hardware processors; and
  
  a memory coupled to the one or more processors, the memory comprises software that, when executed by the one or more hardware processors, operates as (i) a virtual machine including a guest kernel that facilitates communications between a guest application being processed within the virtual machine and one or more resources and (ii) a hypervisor configured to intercept a system call issued from the guest application,wherein the hypervisor is configured to signal logic within the guest kernel to analyze information associated with the intercepted system call to determine whether the intercepted system call is associated with a malicious attack in response to the intercepted system call occurring during a first operating state,wherein the hypervisor is further configured to obfuscate interception of the system call in response to the intercepted system call being issued during a second operating state,wherein the first operating state is a first guest cycle and the second operating state is a second guest cycle.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The computing device of claim 1, wherein the first guest cycle is a guest execute cycle.
  - 3. The computing device of claim 2, wherein the second guest cycle is a guest read cycle.
  - 4. The computing device of claim 1, wherein the hypervisor is further configured to obfuscate interception of the system call by re-inserting an original first instruction of the system call, which has been previously overwritten by a particular instruction that diverts control to the hypervisor, so that no guest application or guest operating system functionality is able to detect presence of the particular instruction.
  - 5. The computing device of claim 4, wherein the particular instruction is a HALT instruction.
  - 6. The computing device of claim 1, wherein a portion of the guest kernel includes a service dispatch table.
  - 7. The computing device of claim 6, wherein the hypervisor is configured to intercept the system call by inserting a single-byte instruction as a first instruction in code associated with the system call that is accessed via a pointer in the service dispatch table corresponding to the system call.
  - 8. The computing device of claim 7, wherein the hypervisor is configured to intercept the system call by processing the single-byte instruction which is a HALT instruction that causes a trap to the hypervisor, the trap includes at least an identifier of the guest application that issued the system call and an identifier of the system call.
  - 9. The computing device of claim 8, wherein the memory further comprises threat protection logic that, when executed by the one or more hardware processors, determines whether the guest application is a type of application being monitored and signals the hypervisor to divert operation control to the logic operating within the guest kernel in response to detecting that the system call is initiated during the first operating state.
  - 10. The computing device of claim 9, wherein the logic operating within the guest kernel comprises an exploit detection logic that fetches context information associated with the intercepted system call, when the intercepted system call was issued by an object being processed by the guest application and that conducts a heuristic analysis of the context information to determine whether the object that issued the system call resides in a code section or a data portion.

11. A computerized method comprising:
- intercepting, using a hypervisor, a system call issued from an object being processed by a guest application operating within a virtual machine, the virtual machine including a guest kernel that facilitates communications between the guest application and one or more resources within the virtual machine;
  
  responsive to the intercepted system call occurring during a first operating state, signaling logic with the guest kernel to analyze information associated with the intercepted system call to determine whether the intercepted system call is associated with a malicious attack; and
  
  responsive to the intercepted system call occurring during a second operating state different than the first operating state, obfuscating interception of the system call,wherein the first operating state is a first guest cycle and the second operating state is a second guest cycle.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The computerized method of claim 11, wherein the first guest cycle is a guest execute cycle and the second guest cycle is a guest read cycle.
  - 13. The computerized method of claim 12, wherein the obfuscating interception of the system call comprises re-inserting an original first instruction associated with the system call, which has been previously overwritten by a particular instruction that diverts control to the hypervisor, so that no guest application or guest operating system functionality is able to detect a presence of the particular instruction.
  - 14. The computerized method of claim 13, wherein the particular instruction is a HALT instruction.
  - 15. The computerized method of claim 11, wherein intercepting the system call comprises inserting a single-byte instruction as a first instruction in stored code associated with the system call that, when accessed, causes a trap to the hypervisor.
  - 16. The computerized method of claim 15, wherein the single-byte instruction includes a HALT instruction and the trap includes at least an identifier of the guest application running the object that issued the system call and an identifier of the system call.
  - 17. The computerized method of claim 16, wherein prior to signaling the logic within the guest kernel to analyze information associated with the intercepted system call to determine whether the intercepted system call is associated with a malicious attack, the computerized method further comprises determining whether the guest application is a particular type of application that is to be monitored and signaling a hypervisor to divert operation control to the logic operating within the guest kernel in response to detecting that the system call is issued during the first operating state.

18. A computing device comprising:
- a virtual machine including a guest kernel that facilitates communications between a guest application being processed within the virtual machine and one or more resources; and
  
  a hypervisor communicatively coupled to the virtual machine, the hypervisor being configured to receive an intercepted system call initiated by an object being processed within the guest application within the virtual machine, the intercepted system call being directed to a memory page in an altered state with a first instruction of the memory page being substituted with a HALT instruction to trap to the hypervisor,wherein the hypervisor (i) signals logic within the guest kernel to analyze information associated with the intercepted system call to determine whether the intercepted system call is associated with a malicious attack in response to the intercepted system call occurring during a first operating state and (ii) obfuscates interception of the system call by emulating a read access to the memory page in an unaltered state in response to the intercepted system call occurring during a second operating state different than the first operating state,wherein the first operating state is a first guest cycle and the second operating state is a second guest cycle.
- View Dependent Claims (19, 20)
- - 19. The computing device of claim 18, wherein the first guest cycle is a guest execute cycle.
  - 20. The computing device of claim 19, wherein the second guest cycle is a guest read cycle.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Kabra, Atul, Stecklina, Julian, Rathor, Hirendra, Steinberg, Udo
Primary Examiner(s)
Lewis, Lisa C

Application Number

US15/197,634
Time in Patent Office

755 Days
Field of Search
US Class Current
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 21/53   by executing in a restricte...

G06F 21/577   Assessing vulnerabilities a...

G06F 21/629   to features or functions of...

G06F 9/45533   Hypervisors; Virtual machin...

G06F 9/45541   Bare-metal, i.e. hypervisor...

G06F 9/45545   Guest-host, i.e. hypervisor...

G06F 9/45554   Instruction set architectur...

G06F 9/45558   Hypervisor-specific managem...

H04L 63/145   the attack involving the pr...

H04L 63/1466   Active attacks involving in...

System and method of threat detection under hypervisor control

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

512 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

System and method of threat detection under hypervisor control

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

512 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others