Technique for protecting guest processes using a layered virtualization architecture
5 Assignments
0 Petitions
Abstract
A technique protects guest processes of a guest operating system kernel using a virtualization layer of a virtualization architecture executing on a node of a network environment. The virtualization layer may include a user mode portion having hyper-processes and a kernel portion having a micro-hypervisor that cooperate to virtualize the guest operating system kernel within a virtual machine and to make hardware resources of the node available for use by the guest operating system kernel, either as pass-through resources, emulated resources, or a combination thereof. Illustratively, the micro-hypervisor may cooperate with the hyper-processes of the virtualization layer to protect the guest processes against attack by one or more exploits that may employ malware. To that end, the guest process protection technique enables the micro-hypervisor and/or hyper-processes of the virtualization layer to determine (i) when the guest operating system switches to a guest process for execution, (ii) an identity of the guest process, and (iii) a protection policy to be associated with the guest process identity.
839 Citations
32 Claims
1. A system comprising:
- a memory configured to store a guest process, a guest operating system kernel and a virtualization layer;
- a memory management unit (MMU) coupled to and separate from the memory, the MMU including a guest page table hierarchy associated with the guest process; and
- a central processing unit (CPU) coupled to the MMU and adapted to execute the guest process, the guest operating system kernel and the virtualization layer, the CPU including a control register represented by a virtual control register within the virtualization layer, the virtualization layer, when executed, being operable to:
  - determine that the guest operating system kernel is switching from a prior guest process to the guest process for execution on the CPU when an address for the guest page table hierarchy associated with the guest process is loaded into the virtual control register;
  - determine an identity of the guest process associated with the guest page table hierarchy using at least one of an agent of the guest operating system, guest operating system specific knowledge, or content analysis of the guest process; and
  - apply a protection profile associated with the identified guest process to override permissions of one or more memory pages of the guest process as defined by the guest page table hierarchy.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 22.

17. A method comprising:
- storing one or more guest page tables of a guest page table hierarchy and one or more nested page tables of a nested page table hierarchy;
- storing an address for the guest page table hierarchy in a virtual control register being part of a virtualization layer and corresponding to a control register of a central processing unit (CPU) of a node, the CPU being adapted to execute a guest process, a guest operating system kernel and the virtualization layer resident in a memory of the node;
- determining that the guest operating system kernel switches from a prior guest process to the guest process for execution on the CPU when the address for the guest page table hierarchy associated with the guest process is loaded into the virtual control register;
- determining an identity of the guest process associated with the guest page table hierarchy at the virtualization layer using at least one of an agent of the guest operating system, guest operating system specific knowledge, or content analysis of the guest process; and
- applying a protection profile associated with the identified guest process at the virtualization layer to override permissions of one or more code pages of the guest process as defined by the guest page table hierarchy.

Dependent claims: 18, 19, 20, 21, 23, 24, 25.

26. A non-transitory computer readable media containing instructions for execution on a central processing unit (CPU) of a node that performs operations comprising:
- storing one or more guest page tables of a guest page table hierarchy and one or more nested page tables of a nested page table hierarchy;
- storing an address for the guest page table hierarchy in a virtual control register associated with the CPU, the CPU being adapted to execute a guest process, a guest operating system kernel and a virtualization layer resident in a memory of the node;
- determining that the guest operating system kernel switches from a prior guest process to the guest process for execution on the CPU when the address for the guest page table hierarchy associated with the guest process is loaded into the virtual control register;
- determining an identity of the guest process associated with the guest page table hierarchy at the virtualization layer using at least one of an agent of the guest operating system, guest operating system specific knowledge, or content analysis of the guest process; and
- applying a protection profile associated with the identified guest process at the virtualization layer to override permissions of one or more memory pages of the guest process as defined by the guest page table hierarchy.

Dependent claims: 27, 28, 29, 30, 31, 32.
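The three steps the independent claims share (detect a process switch from a write to the virtual control register, identify the process behind the new page table root, apply a protection profile by overriding page permissions through the nested page tables) can be modelled in a few dozen lines. The following is an added example written for this page, not code from the patent or its assignee. It assumes a toy two-level mapping (guest page table entries keyed by page table root, nested entries keyed by guest physical page), models the "agent of the guest operating system" as a lookup from CR3 value to process name, and uses constructed process names, addresses and profiles. The point it shows is that the effective permission of an access is the intersection of what the guest page table grants and what the virtualization layer's nested entry grants, so a guest mapping that leaves code writable or a stack executable is tightened without changing the guest's own tables.

```c
/* Added example: toy model of CR3-triggered process identification and
 * permission override via nested page tables. Not the patent's implementation;
 * every name, address and profile below is constructed for illustration. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define PERM_R 1u
#define PERM_W 2u
#define PERM_X 4u
#define MAX_PAGES 8

/* Guest page table entry: guest virtual page -> guest physical page + guest perms. */
struct guest_pte { uint64_t gva; uint64_t gpa; unsigned perms; int is_code; };

/* A guest process is known to the hardware only by its page table root (CR3). */
struct guest_process {
    uint64_t cr3;
    const char *name;              /* what the in-guest agent reports (constructed) */
    struct guest_pte pt[MAX_PAGES];
    int npages;
};

/* Nested page table entry, owned by the virtualization layer (host physical omitted). */
struct nested_pte { uint64_t gpa; unsigned perms; };

/* Protection profile: perms the virtualization layer enforces for a process's pages. */
struct profile { const char *process; unsigned code_perms; unsigned data_perms; };

struct vmm {
    uint64_t vcr3;                 /* virtual control register shadowing CR3 */
    struct nested_pte npt[MAX_PAGES * 2];
    int nnpt;
    const struct guest_process *procs;  int nprocs;     /* agent's process table */
    const struct profile *profiles;     int nprofiles;
};

static struct nested_pte *npt_lookup(struct vmm *v, uint64_t gpa)
{
    for (int i = 0; i < v->nnpt; i++)
        if (v->npt[i].gpa == gpa) return &v->npt[i];
    return NULL;
}

/* Step (ii): identify the process behind a page table root via the agent table. */
static const struct guest_process *identify(const struct vmm *v, uint64_t cr3)
{
    for (int i = 0; i < v->nprocs; i++)
        if (v->procs[i].cr3 == cr3) return &v->procs[i];
    return NULL;
}

static const struct profile *find_profile(const struct vmm *v, const char *name)
{
    for (int i = 0; i < v->nprofiles; i++)
        if (strcmp(v->profiles[i].process, name) == 0) return &v->profiles[i];
    return NULL;
}

/* Steps (i) and (iii): intercepted write to the (virtual) control register.
 * Returns the name of the profile applied, or NULL if nothing was applied. */
const char *vmm_on_cr3_write(struct vmm *v, uint64_t new_cr3)
{
    if (new_cr3 == v->vcr3) return NULL;        /* same root: a flush, not a switch */
    v->vcr3 = new_cr3;
    const struct guest_process *p = identify(v, new_cr3);
    if (!p) return NULL;                        /* unknown process: guest perms stand */
    const struct profile *pr = find_profile(v, p->name);
    if (!pr) return NULL;
    for (int i = 0; i < p->npages; i++) {       /* override in the nested tables only */
        struct nested_pte *n = npt_lookup(v, p->pt[i].gpa);
        if (n) n->perms = p->pt[i].is_code ? pr->code_perms : pr->data_perms;
    }
    return pr->process;
}

/* Effective permission for an access by the current process: guest AND nested. */
unsigned vmm_effective_perms(struct vmm *v, uint64_t gva)
{
    const struct guest_process *p = identify(v, v->vcr3);
    if (!p) return 0;
    for (int i = 0; i < p->npages; i++) {
        if (p->pt[i].gva != gva) continue;
        struct nested_pte *n = npt_lookup(v, p->pt[i].gpa);
        return n ? (p->pt[i].perms & n->perms) : 0;
    }
    return 0;
}

/* Constructed sample: "browser" has a weak guest mapping (writable code, executable stack). */
static const struct guest_process demo_procs[] = {
    { 0x1000, "shell",   { {0x400000, 0x10000, PERM_R|PERM_X, 1},
                           {0x600000, 0x11000, PERM_R|PERM_W, 0} }, 2 },
    { 0x2000, "browser", { {0x400000, 0x20000, PERM_R|PERM_W|PERM_X, 1},
                           {0x7ff000, 0x21000, PERM_R|PERM_W|PERM_X, 0} }, 2 },
};
static const struct profile demo_profiles[] = { { "browser", PERM_R|PERM_X, PERM_R|PERM_W } };

void vmm_demo_init(struct vmm *v)
{
    memset(v, 0, sizeof *v);
    v->procs = demo_procs;       v->nprocs = 2;
    v->profiles = demo_profiles; v->nprofiles = 1;
    const uint64_t gpas[] = { 0x10000, 0x11000, 0x20000, 0x21000 };
    for (int i = 0; i < 4; i++) { v->npt[i].gpa = gpas[i]; v->npt[i].perms = PERM_R|PERM_W|PERM_X; }
    v->nnpt = 4;                 /* nested tables start fully permissive */
}

int main(void)
{
    struct vmm v;
    vmm_demo_init(&v);
    vmm_on_cr3_write(&v, 0x1000);               /* shell: no profile, guest perms stand */
    const char *applied = vmm_on_cr3_write(&v, 0x2000);
    printf("switch to browser: profile %s applied\n", applied ? applied : "none");
    printf("code page  0x400000 effective perms = %u\n", vmm_effective_perms(&v, 0x400000));
    printf("stack page 0x7ff000 effective perms = %u\n", vmm_effective_perms(&v, 0x7ff000));
    return 0;
}
```

After the switch to the profiled process, the code page resolves to read+execute (5) and the stack page to read+write (3) even though the guest page table grants read+write+execute on both; the shell process, which has no profile, keeps exactly the permissions its own page table states. A write of the same CR3 value is treated as a TLB flush rather than a switch, which is the distinction the claims draw with "switching from a prior guest process".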