Technique for implementing memory views using a layered virtualization architecture

US 10,191,861 B1
Filed: 09/06/2016
Issued: 01/29/2019
Est. Priority Date: 09/06/2016
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a memory to store a guest process, a guest operating system kernel and a virtualization layer;

a memory management unit (MMU) coupled to the memory and including a guest page table hierarchy associated with the guest process; and

a central processing unit (CPU) coupled to the MMU, the CPU to execute the guest process, the guest operating system kernel and the virtualization layer, the virtualization layer when executed operable to;

classify the guest process when the guest operating system kernel switches to the guest process for execution on the CPU;

bind a first memory view to the guest process based on the classification of the guest process; and

activate the first memory view bound to the guest process, the first memory view used as a container for the guest process, the first memory view using a first nested page table hierarchy to constrain access to the memory while the guest process is active.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A technique implements memory views using a virtualization layer of a virtualization architecture executing on a node of a network environment. The virtualization layer may include a user mode portion having hyper-processes and a kernel portion having a micro-hypervisor that cooperate to virtualize a guest operating system kernel within a virtual machine (VM) of the node. The micro-hypervisor may further cooperate with the hyper-processes, such as a guest monitor, of the virtualization layer to implement one or more memory views of the VM. As used herein, a memory view is illustratively a hardware resource (i.e., a set of nested page tables) used as a container (i.e., to constrain access to memory of the node) for one or more guest processes of the guest operating system kernel.

214 Citations

19 Claims

1. A system comprising:
- a memory to store a guest process, a guest operating system kernel and a virtualization layer;
  
  a memory management unit (MMU) coupled to the memory and including a guest page table hierarchy associated with the guest process; and
  
  a central processing unit (CPU) coupled to the MMU, the CPU to execute the guest process, the guest operating system kernel and the virtualization layer, the virtualization layer when executed operable to;
  
  classify the guest process when the guest operating system kernel switches to the guest process for execution on the CPU;
  
  bind a first memory view to the guest process based on the classification of the guest process; and
  
  activate the first memory view bound to the guest process, the first memory view used as a container for the guest process, the first memory view using a first nested page table hierarchy to constrain access to the memory while the guest process is active.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system of claim 1 wherein the virtualization layer when executed is further operable to:
    - associate a protection profile with the guest process, wherein the protection profile includes an identifier of the guest process and a pointer to the first nested page table hierarchy.
  - 3. The system of claim 2 wherein the protection profile further includes types of process events that the virtualization layer intercepts while the guest process is active.
  - 4. The system of claim 2 wherein the virtualization layer when executed is further operable to:
    - monitor the guest process for exploit detection; and
      
      migrate the guest process to a second memory view, wherein the second memory view is more restrictive than the first memory view.
  - 5. The system of claim 4 wherein the virtualization layer when executed is further operable to:
    - update the pointer of the protection profile to reference a second nested page table hierarchy associated with the second memory view.
  - 6. The system of claim 1 wherein the virtualization layer when executed is further operable to:
    - determine whether the guest process is identified as having a known vulnerability; and
      
      in response to determining that the guest process is identified to have the known vulnerability, migrate the guest process to a second memory view, wherein the second memory view is more restrictive than the first memory view.
  - 7. The system of claim 4 wherein the virtualization layer when executed is further operable to:
    - determine whether the guest process is malicious; and
      
      in response to determining that the guest process is not malicious, migrate the guest process to the first memory view.
  - 8. The system of claim 2 wherein the protection profile includes restrictions for a sub-page portion of the first nested page table hierarchy.
  - 9. The system of claim 8 wherein the virtualization layer when executed is further operable to:
    - set a first access permission on a first sub-page portion of a memory page, the first access permission more restrictive than a second access permission on a second sub-page portion of the memory page accessed by the guest process.
  - 10. The system of claim 1 wherein the first memory view is combined with the guest page hierarchy organized as shadow pages.

11. A method comprising:
- storing a guest page table hierarchy associated with a guest process in a memory management unit (MMU) of a node having a memory and a central processing unit (CPU), the CPU to execute the guest process, a guest operating system kernel and a virtualization layer;
  
  classifying the guest process when the guest operating system kernel switches to the guest process for execution on the CPU;
  
  binding a first memory view to the guest process based on the classification of the guest process; and
  
  activating the first memory view bound to the guest process, the first memory view used as a container for the guest process, the first memory view using a first nested page table hierarchy to constrain access to the memory while the guest process is active.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The method of claim 11 further comprising:
    - associating a protection profile with the guest process, wherein the protection profile includes an identifier of the guest process and a pointer to a first nested page table hierarchy associated with the first memory view.
  - 13. The method of claim 12 wherein the protection profile further includes types of process events that the virtualization layer intercepts while the guest process is active.
  - 14. The method of claim 12 further comprising:
    - monitoring the guest process for exploit detection; and
      
      migrating the guest process to a second memory view, wherein the second memory view is more restrictive than the first memory view.
  - 15. The method of claim 14 further comprising:
    - updating the pointer of the protection profile to reference a second nested page table hierarchy associated with the second memory view.
  - 16. The method of claim 11 further comprising:
    - determining whether the guest process is identified as having a known vulnerability; and
      
      in response to the determining that the guest process is identified to have the known vulnerability, migrating the guest process to a second memory view, wherein the second memory view is more restrictive than the first memory view.
  - 17. The method of claim 14 further comprising:
    - determining whether the guest process is malicious; and
      
      in response to determining that the guest process is not malicious, migrating the guest process to the first memory view.
  - 18. The method of claim 12 wherein the protection profile includes restrictions for a sub-page portion of the first nested page table hierarchy.
  - 19. The method of claim 18 further comprising:
    - accessing by the guest process a first sub-page portion of a memory page of the memory, wherein a second sub-page portion of the memory page has more restrictive access permissions than the first sub-page portion.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Steinberg, Udo, Ismael, Osman Abdoul
Primary Examiner(s)
Nguyen, Hiep T

Application Number

US15/257,704
Time in Patent Office

875 Days
Field of Search
US Class Current
CPC Class Codes

G06F 12/1475   in a virtual system, e.g. w...

G06F 12/1491   in a hierarchical protectio...

G06F 2009/45575   Starting, stopping, suspend...

G06F 2009/45583   Memory management, e.g. acc...

G06F 21/56   Computer malware detection ...

G06F 9/45558   Hypervisor-specific managem...

Technique for implementing memory views using a layered virtualization architecture

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

214 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Technique for implementing memory views using a layered virtualization architecture

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

214 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links