Microvisor-based malware detection appliance architecture

US 10,528,726 B1
Filed: 04/02/2018
Issued: 01/07/2020
Est. Priority Date: 12/29/2014
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a microvisor configured to control access to a kernel resource of the system by generating a capability violation in response to an object running in a guest operating system attempting to access the kernel resource;

a type 0 virtual machine monitor (VMM

0) disposed over the microvisor and configured to expose the kernel resource to an operating system kernel of the system; and

a type 1 virtual machine monitor (VMM

1) further disposed over the microvisor and configured to operate under control of the microvisor to instrument the object as the object runs in the guest operating system,wherein the VMM 1 and VMM 0 being configured to cooperate with the microvisor to capture run-time behaviors of the object as dynamic analysis results in response to the capability violation to detect whether the behaviors are indicative of malware.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A threat-aware microvisor may be deployed in a malware detection appliance architecture and execute on a malware detection system (MDS) appliance to provide exploit and malware detection within a network environment. The microvisor may underlie an operating system kernel of the MDS appliance and execute in kernel space of the architecture to control access to kernel resources of the appliance for any operating system process. A type 0 virtual machine monitor may be disposed over the microvisor and execute in user space of the architecture as a pass-through module configured to expose the kernel resources of the appliance to the operating system kernel. One or more hypervisors, e.g., type 1 VMM, may be further disposed over the microvisor and execute in user space of the architecture under control of the microvisor to support execution of one or more guest operating systems inside one or more full virtual machines.

774 Citations

18 Claims

1. A system comprising:
- a microvisor configured to control access to a kernel resource of the system by generating a capability violation in response to an object running in a guest operating system attempting to access the kernel resource;
  
  a type 0 virtual machine monitor (VMM
  
  0) disposed over the microvisor and configured to expose the kernel resource to an operating system kernel of the system; and
  
  a type 1 virtual machine monitor (VMM
  
  1) further disposed over the microvisor and configured to operate under control of the microvisor to instrument the object as the object runs in the guest operating system,wherein the VMM 1 and VMM 0 being configured to cooperate with the microvisor to capture run-time behaviors of the object as dynamic analysis results in response to the capability violation to detect whether the behaviors are indicative of malware.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The system of claim 1 wherein the microvisor comprises a main protection domain including one or more execution contexts and capabilities defining permissions for the object to access the kernel resource of the system.
  - 3. The system of claim 2 wherein the VMM 1 is further configured to create a virtual machine to contain the guest operating system, the virtual machine bound to a clone of the main protection domain representative of the guest operating system.
  - 4. The system of claim 3 wherein the clone of the main protection domain is created by copying the execution contexts and capabilities of the main protection domain, wherein the capabilities of the clone of the main protection domain are more restricted than the capabilities of the main protection domain with respect to access to the kernel resource.
  - 5. The system of claim 1 further comprising a behavioral analysis logic engine configured to correlate the dynamic analysis results against correlation rules to generate correlation information pertaining to a level of risk used to arrive at a decision of maliciousness.
  - 6. The system of claim 5 further comprising a classifier configured to use the correlation information to render a decision as to whether the object is malicious, the classifier further configured to classify the correlation information, including the behaviors and the capability violation, of the object relative to known malware.
  - 7. The system of claim 1, wherein the microvisor is configured to communicate with the operating system kernel and perform a subset of hypervisor functionality including initiating one or more hyper-calls to implement a virtual machine monitor.
  - 8. The system of claim 1, wherein the virtual machine monitor corresponds to VMM 1.
  - 9. The system of claim 1, wherein the microvisor executes in a kernel space of the system to control access to the kernel resources.
  - 10. The system of claim 9 being a virtualization architecture including a trusted computing base (TCB) that is configured to provide a trusted malware detection environment, the TCB includes at least the microvisor.
  - 11. The system of claim 10, wherein the microvisor being configured to enforce a security policy for the TCB.
  - 12. The system of claim 11 further comprising a behavioral analysis logic engine deployed as part of the TCB, the behavioral analysis logic engine to correlate the dynamic analysis results against correlation rules to generate correlation information pertaining to a level of risk used to arrive at a decision of maliciousness.

13. A system comprising:
- one or more processing units;
  
  one or more network interfaces;
  
  one or more input/output (I/O) devices; and
  
  a memory coupled to the one or more processing units, the memory comprisesa microvisor that, when executed by the one or more processing units, controls access to a kernel resource, being at least one of a collection of resources including any of the one or more processing units, the one or more network interfaces and the one or more I/O devices, by generating a capability violation in response to an object running in a guest operating system attempting to access the kernel resource;
  
  a type 0 virtual machine monitor (VMM
  
  0) that, when executed by the one or more processing units, exposes the kernel resource to an operating system kernel of the system; and
  
  a type 1 virtual machine monitor (VMM
  
  1) that, when executed by the one or more processing units, operates under control of the microvisor to instrument the object as the object runs in the guest operating system,wherein the VMM 1 and VMM 0 being configured to cooperate with the microvisor to capture run-time behaviors of the object as dynamic analysis results in response to the capability violation to detect whether the behaviors are indicative of malware.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The system of claim 13 wherein the microvisor implemented within the memory and executed by the one or more processing units comprises a main protection domain including one or more execution contexts and capabilities defining permissions for the object to access the kernel resource of the system.
  - 15. The system of claim 14 wherein the VMM 1 of the memory is further configured to create a virtual machine to contain the guest operating system, the virtual machine bound to a clone of the main protection domain representative of the guest operating system.
  - 16. The system of claim 15 wherein the clone of the main protection domain is created by copying the execution contexts and capabilities of the main protection domain, wherein the capabilities of the clone of the main protection domain are more restricted than the capabilities of the main protection domain with respect to access to the kernel resource.
  - 17. The system of claim 13, wherein the memory further comprises a behavioral analysis logic engine that, when executed by the one or more processing units, correlates the dynamic analysis results against correlation rules to generate correlation information pertaining to a level of risk used to arrive at a decision of maliciousness.
  - 18. The system of claim 17, wherein the memory further comprises a classifier that, when executed by the one or more processing units, uses the correlation information to render a decision as to whether the object is malicious, the classifier further configured to classify the correlation information, including the behaviors and the capability violation, of the object relative to known malware.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Ismael, Osman Abdoul
Primary Examiner(s)
Williams, Jeffery L

Application Number

US15/943,357
Time in Patent Office

645 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 2009/45591   Monitoring or debugging sup...

G06F 21/552   involving long-term monitor...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/034   Test or assess a computer o...

G06F 8/60   Software deployment

G06F 9/45558   Hypervisor-specific managem...

Microvisor-based malware detection appliance architecture

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

774 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Microvisor-based malware detection appliance architecture

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

774 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links