Method and apparatus to detect kernel mode rootkit events through virtualization traps

US 20070271610A1
Filed: 05/16/2006
Published: 11/22/2007
Est. Priority Date: 05/16/2006
Status: Active Grant

First Claim

Patent Images

1. A method of comprising:

detecting, by a virtual machine monitor, a virtualization trap occurring as a result of an action by a rootkit executing in a computing system; and

analyzing the virtualization trap to detect the presence of the rootkit in the computing system.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Detecting a rootkit in a computing system may be achieved by detecting, by a virtual machine monitor, a virtualization trap occurring as a result of an action by a rootkit executing in a computing system; and analyzing the virtualization trap to detect the presence of the rootkit in the computing system. Action may then be taken to block the rootkit activity to safeguard the computing system.

113 Citations

30 Claims

1. A method of comprising:
- detecting, by a virtual machine monitor, a virtualization trap occurring as a result of an action by a rootkit executing in a computing system; and
  
  analyzing the virtualization trap to detect the presence of the rootkit in the computing system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising:
    - receiving registration from an anti-rootkit security monitor to be notified of the occurrence of selected virtualization traps;
      
      sending information relating to the virtualization trap to the anti-rootkit security monitor when the virtualization trap matches the registration; and
      
      wherein analyzing the virtualization trap to detect the presence of the rootkit in the computing system includes analyzing the trap information by the anti-rootkit security monitor.
  - 3. The method of claim 1, wherein the anti-rootkit security monitor and the rootkit execute in different partitions of the computing system.
  - 4. The method of claim 3, wherein the rootkit executes in a user partition, the anti-rootkit security monitor executes in a security partition, and the rootkit cannot affect operation of the anti-rootkit security monitor.
  - 5. The method of claim 3, wherein the partitions are implemented as virtual machines.
  - 6. The method of claim 2, wherein the anti-rootkit security monitor executes at a higher privilege level than the rootkit.
  - 7. The method of claim 1, wherein the virtual machine monitor executes at a higher privilege level than the rootkit.
  - 8. The method of claim 4, further comprising launching the security partition before launching the user partition.
  - 9. The method of claim 4, further comprising taking action against the rootkit when the rootkit is detected.
  - 10. The method of claim 9, wherein the action comprises at least one of halting execution of the user partition, blocking execution of an instruction of the rootkit by a processor of the computing system, logging the rootkit action, and sending an alert to a system administrator console of the computing system.
  - 11. The method of claim 1, wherein the rootkit action comprises modifying a control register of a processor of the computing system or accessing an Interrupt Descriptor Table (IDT) of the computing system.

12. An article comprising:
- a tangible machine accessible medium containing instructions, which when executed by a processor, result indetecting, by a virtual machine monitor, a virtualization trap occurring as a result of an action by a rootkit executing in a computing system; and
  
  analyzing the virtualization trap to detect the presence of the rootkit in the computing system.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The article of claim 12, further comprising instructions toreceive registration from an anti-rootkit security monitor to be notified of the occurrence of selected virtualization traps;
    - send information relating to the virtualization trap to the anti-rootkit security monitor when the virtualization trap matches the registration; and
      
      wherein analyzing the virtualization trap to detect the presence of the rootkit in the computing system includes analyzing the trap information by the anti-rootkit security monitor.
  - 14. The article of claim 12, wherein the anti-rootkit security monitor and the rootkit execute in different partitions of the computing system.
  - 15. The article of claim 14, wherein the rootkit executes in a user partition, the anti-rootkit security monitor executes in a security partition, and the rootkit cannot affect operation of the anti-rootkit security monitor.
  - 16. The article of claim 14, wherein the partitions are implemented as virtual machines.
  - 17. The article of claim 13, wherein the anti-rootkit security monitor executes at a higher privilege level than the rootkit.
  - 18. The article of claim 12, wherein the virtual machine monitor executes at a higher privilege level than the rootkit.
  - 19. The article of claim 15, further comprising launching the security partition before launching the user partition.
  - 20. The article of claim 15, further comprising instructions for taking action against the rootkit when the rootkit is detected.
  - 21. The article of claim 20, wherein the action comprises at least one of halting execution of the user partition, blocking execution of an instruction of the rootkit by a processor of the computing system, logging the rootkit action, and sending an alert to a system administrator console of the computing system.
  - 22. The article of claim 12, wherein the rootkit action comprises modifying a control register of a processor of the computing system or accessing an Interrupt Descriptor Table (IDT) of the computing system.

23. A computing system comprising:
- a virtual machine monitor adapted to detect a virtualization trap occurring as a result of an action by a rootkit, to receive a registration for notification of occurrence of selected virtualization traps, and to send information relating to the virtualization trap when the virtualization trap matches the registration; and
  
  an anti-rootkit security monitor adapted to register to be notified of the occurrence of selection virtualization traps, to receive the trap information, and to analyze the trap information to detect the presence of the rootkit in the computing system.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30)
- - 24. The computing system of claim 23, wherein the anti-rootkit security monitor and the rootkit execute in different partitions of the computing system.
  - 25. The computing system of claim 24, wherein the rootkit executes in a user partition, the anti-rootkit security monitor executes in a security partition, and the rootkit cannot affect operation of the anti-rootkit security monitor.
  - 26. The computing system of claim 24, wherein the partitions are implemented as virtual machines supported by the virtual machine monitor.
  - 27. The computing system of claim 24, wherein the anti-rootkit security monitor executes at a higher privilege level than the rootkit.
  - 28. The computing system of claim 24, wherein the virtual machine monitor executes at a higher privilege level than the rootkit.
  - 29. The computing system of claim 25, wherein the virtual machine monitor is adapted to launch the security partition before launching the user partition.
  - 30. The computing system of claim 25, wherein the anti-rootkit security monitor takes action against the rootkit when the rootkit is detected.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Grobman, Steven

Granted Patent

US 7,845,009 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

Method and apparatus to detect kernel mode rootkit events through virtualization traps

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

113 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus to detect kernel mode rootkit events through virtualization traps

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

113 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links