Protection Agents and Privilege Modes
Abstract
This document describes tools capable of making a portion of operating-system memory associated with a protection agent unalterable or inaccessible from an operating-system privilege mode. In some embodiments, these tools are capable of creating a protection-agent privilege mode by requesting that a virtual machine monitor protect this portion of operating-system memory. In other embodiments, these tools are capable of creating the protection-agent privilege mode by virtualizing a physical processor into multiple virtual processors, at least one of which is a protection-agent virtual processor designed to run the protection agent. By making this portion of operating-system memory unalterable or inaccessible from the operating-system privilege mode, the protection agent may be less vulnerable to attacks by entities operating within the operating-system privilege mode.
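The mechanism the abstract describes, modelled as an added Python example that is not code from the patent or from any product implementing it: a toy virtual machine monitor records a request to make a memory range unalterable or inaccessible from the operating-system privilege mode and refuses offending accesses, while a protection agent that lives in that range checks whether a watched region of OS memory has been altered. The guest memory layout, the watched "dispatch table", the mode labels, and the `VMM`, `ProtectionAgent` and `demo` names are all constructed assumptions; a real hypervisor would enforce the same policy through hardware page-table permissions rather than the range list used here.

```python
"""Toy model of a VMM-protected protection agent.

The VMM keeps a memory range unalterable or inaccessible from the
operating-system privilege mode; the protection agent resides in that range and
re-checks a snapshot of OS memory.  All addresses, sizes and region names are
constructed for this example."""
import hashlib
from dataclasses import dataclass, field

OS_MODE = "os"        # operating-system privilege mode
AGENT_MODE = "agent"  # protection-agent privilege mode (added by the VMM)


class ProtectionFault(Exception):
    """Raised when the VMM refuses an access the current mode is not allowed."""


@dataclass
class VMM:
    memory: bytearray
    # (start, end, policy): "unalterable" lets OS mode read but not write,
    # "inaccessible" lets OS mode neither read nor write.
    protected: list = field(default_factory=list)

    def request_protection(self, start, end, policy):
        """Handle the request of claim 1: protect [start, end) from OS mode."""
        if policy not in ("unalterable", "inaccessible"):
            raise ValueError(f"unknown policy {policy!r}")
        if not (0 <= start < end <= len(self.memory)):
            raise ValueError("range lies outside guest memory")
        self.protected.append((start, end, policy))

    def _policy_for(self, addr, n):
        """Most restrictive policy covering any byte of [addr, addr + n)."""
        hit = None
        for start, end, policy in self.protected:
            if addr < end and addr + n > start:
                if policy == "inaccessible":
                    return policy
                hit = policy
        return hit

    def read(self, mode, addr, n):
        if mode == OS_MODE and self._policy_for(addr, n) == "inaccessible":
            raise ProtectionFault(f"read of {addr:#x} denied in {mode} mode")
        return bytes(self.memory[addr:addr + n])

    def write(self, mode, addr, data):
        if mode == OS_MODE and self._policy_for(addr, len(data)) is not None:
            raise ProtectionFault(f"write to {addr:#x} denied in {mode} mode")
        self.memory[addr:addr + len(data)] = data


class ProtectionAgent:
    """Runs in the protected range; snapshots a watched OS region and re-checks it."""

    def __init__(self, vmm, watch_start, watch_len):
        self.vmm, self.watch_start, self.watch_len = vmm, watch_start, watch_len
        self.baseline = self._digest()

    def _digest(self):
        data = self.vmm.read(AGENT_MODE, self.watch_start, self.watch_len)
        return hashlib.sha256(data).hexdigest()

    def os_memory_altered(self):
        """True if the watched OS memory differs from the recorded baseline."""
        return self._digest() != self.baseline


def demo():
    # Constructed layout: 4 KiB of guest memory, a watched 64-byte dispatch
    # table at 0x100, and the agent's own code and data at 0x800..0x900.
    vmm = VMM(bytearray(0x1000))
    table, table_len = 0x100, 64
    agent_start, agent_end = 0x800, 0x900
    vmm.write(OS_MODE, table, bytes(range(table_len)))

    # The OS asks the VMM to make the agent's range unalterable from OS mode,
    # then the agent records its baseline of the table.
    vmm.request_protection(agent_start, agent_end, "unalterable")
    agent = ProtectionAgent(vmm, table, table_len)

    results = {}
    # 1. An OS-mode write into the agent's range is refused by the VMM.
    try:
        vmm.write(OS_MODE, agent_start + 8, b"\xff" * 4)
        results["agent_write_blocked"] = False
    except ProtectionFault:
        results["agent_write_blocked"] = True
    # 2. Before any tampering the agent reports the table unchanged.
    results["altered_before"] = agent.os_memory_altered()
    # 3. The table itself is ordinary OS memory, so an OS-mode write lands;
    #    the agent detects the change on its next check.
    vmm.write(OS_MODE, table + 4, b"\xde\xad")
    results["altered_after"] = agent.os_memory_altered()
    return results  # → {'agent_write_blocked': True, 'altered_before': False, 'altered_after': True}


if __name__ == "__main__":
    print(demo())
```

The point of the model is the asymmetry the patent relies on: the agent's range is enforced by the VMM, one layer below the OS privilege mode, so code running as the OS cannot patch the agent, while the agent can still read all of OS memory to look for alterations.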
Claims
The patent has 20 claims; the independent claims 1, 10 and 16 are reproduced below.
1. One or more computer-readable media having computer-readable instructions therein that, when executed by a computing device, cause the computing device to perform acts comprising:
- receiving, at a virtual machine monitor, a request that a range of memory be made unalterable from or inaccessible from an operating-system privilege mode;
- making the range of memory unalterable from or inaccessible from the operating-system privilege mode; and
- running a protection agent that resides within the range of memory.
(Dependent claims 2 through 9 are not reproduced here.)
10. A method comprising:
- virtualizing one or more real computing processors into virtual computing processors, the virtual computing processors comprising:
  - one or more operating-system virtual processors each having a privilege to alter its own operating-system memory and use a portion of a processing bandwidth of the one or more real computing processors; and
  - at least one protection-agent virtual processor having a privilege to alter its own protection-agent memory and use a different portion of the processing bandwidth of the one or more real computing processors; and
- causing the protection-agent virtual processor to execute a protection agent effective to determine whether or not a portion of said operating-system memory has been altered.
(Dependent claims 11 through 15 are not reproduced here.)
16. One or more computer-readable media having computer-readable instructions therein that, when executed by a computing device comprising an underlying physical processor that includes one or more privilege modes, cause the computing device to add a privilege mode that is not present on the underlying physical processor.