System and method for protecting memory pages associated with a process using a virtualization layer
First Claim
1. A computerized method for protecting processes operating within a computing device, comprising:
- identifying, by a virtualization layer operating in a host mode and being executed by hardware circuitry, when a guest process switch has occurred, the guest process switch corresponds to a change as to an operating state of a process within a virtual machine that is detected by (i) a change in a data store associated with the hardware circuitry and (ii) the data store stores a value different from an address space associated with the guest agent process; and
- responsive to the identified guest process switch, determining, by the virtualization layer, whether the hardware circuitry within the computing device is to access a different nested page table for use in memory address translations, wherein the different nested page table alters page permissions for one or more memory pages associated with one or more processes including the process that are executable in the virtual machine.
Abstract
A computerized method is provided for protecting processes operating within a computing device. The method comprises an operation for identifying, by a virtualization layer operating in a host mode, when a guest process switch has occurred. The guest process switch corresponds to a change as to an operating state of a process within a virtual machine. Responsive to an identified guest process switch, an operation is conducted to determine, by the virtualization layer, whether hardware circuitry within the computing device is to access a different nested page table for use in memory address translations. The different nested page table alters page permissions for one or more memory pages associated with at least the process that are executable in the virtual machine.
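To make the claimed mechanism concrete, the following is an added simulation (not code from the patent or any product) of the selection step: a handler for a guest CR3-write exit picks between two nested page tables, one installed while the guest agent's address space is active and a restricted one installed for every other address space, so that other processes cannot write to or execute the agent's pages. The permission encoding, the AGENT_CR3 value and the page numbers are constructed for illustration.

```c
#include <stdint.h>
#include <stdbool.h>

/* Permission bits of a modelled nested page table entry (not a real EPT encoding). */
enum { P_R = 1, P_W = 2, P_X = 4 };

#define NPAGES    8
#define AGENT_CR3 0x1000u   /* constructed: page-directory base of the guest agent */

/* Two nested page tables indexed by guest-physical page number: one for the
   interval in which the agent process runs, one for all other processes. */
static uint8_t npt_agent_active[NPAGES];
static uint8_t npt_agent_inactive[NPAGES];
static const uint8_t *current_npt = npt_agent_active;
static unsigned violations;   /* accesses the restricted table would fault on */

/* Build both views. Pages 2 and 3 are assumed to hold the agent's code and
   data: fully accessible while the agent runs, read-only while it is inactive.
   All other pages keep the same permissions in both tables. */
void build_nested_page_tables(void) {
    for (unsigned i = 0; i < NPAGES; i++) {
        npt_agent_active[i]   = P_R | P_W | P_X;
        npt_agent_inactive[i] = P_R | P_W | P_X;
    }
    npt_agent_inactive[2] = P_R;
    npt_agent_inactive[3] = P_R;
}

/* Virtualization-layer hook for a VM exit caused by a guest write to CR3.
   The new value is compared with the agent's address space to decide which
   nested page table the hardware should use. Returns 1 when the restricted
   table was selected, 0 when the agent's unrestricted table was selected. */
int on_guest_cr3_write(uint64_t new_cr3) {
    if (new_cr3 == AGENT_CR3) {
        current_npt = npt_agent_active;
        return 0;
    }
    current_npt = npt_agent_inactive;
    return 1;
}

/* Model the hardware check: is an access to guest-physical page `gpfn` with
   permission `perm` allowed under the currently installed nested page table?
   A denied access under the restricted table is counted as a violation the
   virtualization layer would observe as an exit. */
bool guest_access_allowed(unsigned gpfn, uint8_t perm) {
    if (gpfn >= NPAGES) return false;
    bool ok = (current_npt[gpfn] & perm) == perm;
    if (!ok && current_npt == npt_agent_inactive) violations++;
    return ok;
}

unsigned violation_count(void) { return violations; }
```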
508 Citations
20 Claims
1. A computerized method for protecting processes operating within a computing device, comprising:
- identifying, by a virtualization layer operating in a host mode and being executed by hardware circuitry, when a guest process switch has occurred, the guest process switch corresponds to a change as to an operating state of a process within a virtual machine that is detected by (i) a change in a data store associated with the hardware circuitry and (ii) the data store stores a value different from an address space associated with the guest agent process; and
- responsive to the identified guest process switch, determining, by the virtualization layer, whether the hardware circuitry within the computing device is to access a different nested page table for use in memory address translations, wherein the different nested page table alters page permissions for one or more memory pages associated with one or more processes including the process that are executable in the virtual machine.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.

10. A computing device, comprising:
- a hardware processor including a control register;
- a memory coupled to the hardware processor, the memory includes virtualization software that includes a virtual machine to operate in a guest mode and a virtualization layer to operate in a host mode, wherein in response to detecting a guest process switch corresponding to a change to an operating state of a guest agent process within a virtual machine as being set into an inactive operating state, the virtualization layer, being executed by the processor, assigns a page table for use in memory address translations different than a page table currently in use, the different page table alters page permissions for one or more memory pages associated with the guest agent process, and wherein the virtualization layer detects the guest process switch by detecting a change in content with the control register of the processor that is executing the virtualization layer and the virtualization layer assigns the different page table to restrict the page permissions for the one or more memory pages associated with the guest agent process when the content of the control register corresponds to an address space different than an address space associated with the guest agent process.

Dependent claims: 11, 12, 13, 14, 15, 16, 17, 18, 19.

20. An endpoint device, comprising:
- a system interconnect;
- a hardware processor coupled to the system interconnect, the hardware processor includes a control register;
- a network interface coupled to the system interconnect, the network interface being configured to transmit or receive messages in accordance with a selected communication protocol; and
- a memory coupled to the system interconnect, the memory includes virtualization software that includes a virtual machine to operate in a guest mode and a virtualization layer to operate in a host mode, wherein in response to detecting a guest process switch corresponding to a change to an operating state of a guest agent process within a virtual machine as being set into an inactive state, the virtualization layer, being executed by the processor, assigns at least one nested page table for use in memory address translations different than nested page tables currently in use, the at least one different nested page table restricting page permissions for one or more memory pages associated with guest agent process while being set into the inactive state, and wherein the virtualization layer assigns the at least one different nested page table to restrict the page permissions for the one or more memory pages associated with the guest agent process when content of the control register corresponds to an address space different than an address space associated with the guest agent process.
Specification