System and method for protecting a software component running in a virtual machine through virtual interrupts by the virtualization layer
Abstract
A computing device features one or more hardware processors and a memory that is coupled to the one or more processors. The memory comprises software that is implemented with a security mechanism to protect the availability of a software component operating within a virtual machine, which is controlled by a guest operating system (OS) kernel. The software comprises a virtualization layer operating in a host mode, where the virtualization layer, when executed by the one or more hardware processors, is configured to send one or more virtual interrupts to the guest OS kernel of the virtual machine. A virtual interrupt causes an interrupt service routine within the guest OS kernel to perform a particular service that prevents a protected process (or protected software data structures) from being affected by malware.
29 Claims
1. A computing device comprising:
- one or more hardware processors; and
- a memory coupled to the one or more processors, the memory comprising software that supports virtualization including (i) a virtual machine operating in a guest mode and controlled by a guest operating system (OS) kernel and (ii) a virtualization layer operating in a host mode, wherein the virtualization layer is configured to send one or more virtual interrupts to the guest OS kernel of the virtual machine that cause an interrupt service routine within the guest OS kernel to perform a particular service to determine whether a protected process running in the virtual machine is active and, responsive to determining that the protected process is inactive, alter one or more permissions for a memory page associated with the protected process by removing the one or more permissions from at least one nested page table entry that is associated with the memory page containing code pertaining to the protected process.
Dependent claims: 2 to 10.
11. A computerized method for protecting a protected process comprising:
- sending one or more virtual interrupts by a virtualization layer operating in a host mode to a guest operating system (OS) kernel, the guest OS kernel controlling a virtual machine operating in a guest mode;
- receiving the one or more virtual interrupts by an interrupt service routine within the guest OS kernel; and
- responsive to receiving the one or more virtual interrupts, performing a particular service by the interrupt service routine to determine whether a protected process running in the virtual machine is active and removing one or more permissions controlling access to a memory page associated with the protected process upon determining that the protected process is inactive, so as to prevent the protected process from being controlled by malware,
wherein the protected process includes a guest agent that monitors behaviors of an object being analyzed for malware during run time of the object within the virtual machine and captures any resulting events that occur during the run time.
Dependent claim: 12.
13. A computerized method for protecting a protected process comprising:
- sending one or more virtual interrupts by a virtualization layer operating in a host mode to a guest operating system (OS) kernel, the guest OS kernel controlling a virtual machine operating in a guest mode;
- receiving the one or more virtual interrupts by an interrupt service routine within the guest OS kernel; and
- responsive to receiving the one or more virtual interrupts, performing a particular service by the interrupt service routine to determine whether a protected process running in the virtual machine is active and removing one or more permissions controlling access to a memory page associated with the protected process upon determining that the protected process is inactive, so as to prevent the protected process from being controlled by malware,
wherein the sending of the one or more virtual interrupts by the virtualization layer comprises sending the one or more virtual interrupts that cause the interrupt service routine to perform the particular service that prevents the protected process from being disabled, the particular service including either (i) checking an integrity of a portion of the guest OS, or (ii) checking integrity of a data structure of the protected process, or (iii) requesting a response message from the protected process to verify that the protected process is not disabled.
Dependent claims: 14 to 16.
17. A computerized method for protecting a protected process comprising:
- sending one or more virtual interrupts to a guest operating system (OS) kernel, the guest OS kernel controlling a virtual machine operating in a guest mode;
- receiving the one or more virtual interrupts by an interrupt service routine within the guest OS kernel; and
- responsive to receiving the one or more virtual interrupts, performing a particular service by the interrupt service routine to determine whether a protected process running in the virtual machine is active and removing one or more permissions controlling access to a memory page associated with the protected process upon determining that the protected process is inactive, so as to prevent the protected process from being controlled by malware,
wherein the sending of the one or more virtual interrupts to the interrupt service routine is conducted periodically in response to detection of a particular event, the one or more virtual interrupts causing the protected process to remain in an active state.
Dependent claim: 18.
19. A computerized method for protecting a protected process comprising:
- sending one or more virtual interrupts by a virtualization layer operating in a host mode to a guest operating system (OS) kernel, the guest OS kernel controlling a virtual machine operating in a guest mode;
- receiving the one or more virtual interrupts by an interrupt service routine within the guest OS kernel; and
- responsive to receiving the one or more virtual interrupts, performing a particular service by the interrupt service routine to determine whether a protected process running in the virtual machine is active and removing one or more permissions controlling access to a memory page associated with the protected process upon determining that the protected process is inactive, so as to prevent the protected process from being controlled by malware,
wherein the interrupt service routine within the guest OS kernel prevents the protected process running in the virtual machine from being controlled by malware by ensuring that the protected process, which provides enhanced security to the computing device, is operating in the virtual machine, as confirmed by the protected process assisting in servicing the one or more virtual interrupts.
20. A non-transitory storage medium including software that, upon execution by one or more processors, performs operations to protect one or more processes being performed by a computing device from being compromised through a malicious attack, the non-transitory storage medium comprising:
- a virtual machine operating in a guest mode and controlled by a guest OS kernel; and
- a virtualization layer operating in a host mode, wherein the virtualization layer, during execution, is configured to send one or more virtual interrupts to the guest OS kernel of the virtual machine that cause an interrupt service routine within the guest OS kernel to (i) perform a particular service to determine whether a protected process running in the virtual machine is active and (ii) responsive to determining that the protected process is inactive, alter one or more permissions for a memory page associated with the protected process by removing the one or more permissions from at least one nested page table entry that is associated with the memory page containing code pertaining to the protected process.
Dependent claims: 21 to 29.
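The claims above describe a control loop: the virtualization layer injects a virtual interrupt, the guest ISR checks the integrity of the protected process's data structure and asks it for a response (claim 13, ii and iii), and if the process turns out to be inactive the permissions on the nested page table entry for its code page are removed (claims 1 and 20). The following C program is an added, constructed model of that loop written for this page; it is not the patent's code and the patent discloses no implementation. Everything in it is an assumption for illustration: the permission bits, the four-entry nested page table and its slot index, the FNV-1a digest used as the integrity check, the heartbeat counter used as the response message, and every function name. In a real hypervisor the ISR would reach the host-owned table through a hypercall and the denied access would surface as an EPT/NPT violation VM exit; here both are modelled as plain function calls.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the claimed mechanism. Permission bits, the 4-entry
   nested page table and the slot index are assumptions, not a real NPT layout. */
#define NPT_R 0x1u
#define NPT_W 0x2u
#define NPT_X 0x4u
#define NPT_ENTRIES 4
#define AGENT_CODE_PAGE 2   /* assumed NPT slot backing the agent's code page */

struct npt_entry { uint64_t gpa; uint8_t perms; };
struct protected_process {      /* the guest agent of claim 11, in guest memory */
    int alive;                  /* cleared when malware disables the agent */
    uint32_t heartbeat;         /* advanced each time the agent answers the ISR */
    uint8_t ctl[16];            /* data structure whose integrity the ISR checks */
    uint32_t ctl_digest;        /* digest recorded when the agent was registered */
};
struct vm {
    struct npt_entry npt[NPT_ENTRIES];  /* owned by the virtualization layer (host mode) */
    struct protected_process agent;
    int vmexits;                        /* NPT violations observed by the host */
};

/* FNV-1a: a cheap integrity digest for the model (not a MAC). */
static uint32_t fnv1a(const uint8_t *p, size_t n) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* Hypercall into host mode: strip permission bits from the entry that maps gpa. */
static void vl_revoke(struct vm *vm, uint64_t gpa, uint8_t perms) {
    for (int i = 0; i < NPT_ENTRIES; i++)
        if (vm->npt[i].gpa == gpa) vm->npt[i].perms &= (uint8_t)~perms;
}

/* Guest ISR for the virtual interrupt: checks the agent's data structure
   (claim 13, ii) and requests a response from the agent (claim 13, iii).
   Active: return 1. Inactive: drop W+X on the agent's code page, return 0. */
static int guest_isr(struct vm *vm) {
    struct protected_process *a = &vm->agent;
    int integrity_ok = fnv1a(a->ctl, sizeof a->ctl) == a->ctl_digest;
    uint32_t before = a->heartbeat;
    if (a->alive) a->heartbeat++;   /* only a live agent answers the request */
    if (integrity_ok && a->heartbeat != before) return 1;
    vl_revoke(vm, vm->npt[AGENT_CODE_PAGE].gpa, NPT_W | NPT_X);
    return 0;
}
/* Virtualization layer: one periodic virtual interrupt (claim 17). */
static int vl_send_virtual_interrupt(struct vm *vm) { return guest_isr(vm); }

/* Guest memory access checked against the NPT; a denied access is a VM exit
   the host sees, which turns the revoked page into a tripwire. */
static int guest_access(struct vm *vm, uint64_t gpa, uint8_t want) {
    for (int i = 0; i < NPT_ENTRIES; i++)
        if (vm->npt[i].gpa == gpa && (vm->npt[i].perms & want) == want) return 1;
    vm->vmexits++;
    return 0;
}

static void vm_init(struct vm *vm) {
    memset(vm, 0, sizeof *vm);
    for (int i = 0; i < NPT_ENTRIES; i++)   /* all pages mapped with full rights */
        vm->npt[i] = (struct npt_entry){ 0x1000u * (uint64_t)(i + 1), NPT_R | NPT_W | NPT_X };
    vm->agent.alive = 1;
    memcpy(vm->agent.ctl, "agent-ctl-struct", sizeof vm->agent.ctl);   /* constructed */
    vm->agent.ctl_digest = fnv1a(vm->agent.ctl, sizeof vm->agent.ctl);
}

/* Healthy guest: two interrupts both find the agent active; NPT untouched. */
int scenario_healthy(void) {
    struct vm vm; vm_init(&vm);
    return vl_send_virtual_interrupt(&vm) && vl_send_virtual_interrupt(&vm)
        && vm.npt[AGENT_CODE_PAGE].perms == (NPT_R | NPT_W | NPT_X);
}
/* Malware kills the agent, then tries to execute from its code page: the ISR
   reports inactive, W+X are revoked, and the execute attempt traps (1 VM exit). */
int scenario_killed_vmexits(void) {
    struct vm vm; vm_init(&vm);
    vl_send_virtual_interrupt(&vm);
    vm.agent.alive = 0;
    if (vl_send_virtual_interrupt(&vm)) return -1;
    guest_access(&vm, vm.npt[AGENT_CODE_PAGE].gpa, NPT_X);
    return vm.vmexits;
}
/* Malware patches the agent's control structure but leaves it running: the
   integrity check alone flags it, and the page is locked down the same way. */
int scenario_tampered_perms(void) {
    struct vm vm; vm_init(&vm);
    vm.agent.ctl[3] ^= 0x55;
    return vl_send_virtual_interrupt(&vm) ? -1 : vm.npt[AGENT_CODE_PAGE].perms;
}

int main(void) {
    printf("healthy=%d killed_vmexits=%d tampered_perms=%d\n",
           scenario_healthy(), scenario_killed_vmexits(), scenario_tampered_perms());
    return 0;
}
```

The point the model makes explicit is why the revocation is useful even though the agent is already gone: leaving its code page readable but neither writable nor executable means malware cannot overwrite or re-enter that code, and any attempt to do so faults into the host, where the virtualization layer learns that the guest has been compromised. A production implementation would also have to handle the guest ISR itself being hooked, which is why claim 13 (i) additionally checks the integrity of a portion of the guest OS.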