Protection Agents and Privilege Modes

US 20080184373A1
Filed: 01/25/2007
Published: 07/31/2008
Est. Priority Date: 01/25/2007
Status: Active Grant

First Claim

Patent Images

1. One or more computer-readable media having computer-readable instructions therein that, when executed by a computing device, cause the computing device to perform acts comprising:

receiving, at a virtual machine monitor, a request that a range of memory be made unalterable from or inaccessible from an operating-system privilege mode;

making the range of memory unalterable from or inaccessible from the operating-system privilege mode; and

running a protection agent that resides within the range of memory.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This document describes tools capable of making a portion of operating-system memory associated with a protection agent unalterable or inaccessible from an operating-system privilege mode. In some embodiments, these tools are capable of creating a protection-agent privilege mode by requesting that a virtual machine monitor protect this portion of operating-system memory. In other embodiments, these tools are capable of creating the protection-agent privilege mode by virtualizing a physical processor into multiple virtual processors, at least one of which is a protection-agent virtual processor designed to run the protection agent. By making this portion of operating-system memory unalterable or inaccessible from the operating-system privilege mode, the protection agent may be less vulnerable to attacks by entities operating within the operating-system privilege mode.

Citations

20 Claims

1. One or more computer-readable media having computer-readable instructions therein that, when executed by a computing device, cause the computing device to perform acts comprising:
- receiving, at a virtual machine monitor, a request that a range of memory be made unalterable from or inaccessible from an operating-system privilege mode;
  
  making the range of memory unalterable from or inaccessible from the operating-system privilege mode; and
  
  running a protection agent that resides within the range of memory.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The media of claim 1, further comprising setting a timer to run the protection agent.
  - 3. The media of claim 2, wherein the timer instructs the virtual machine monitor to run the protection agent at regular intervals.
  - 4. The media of claim 1, wherein the protection agent is configured to receive an enforcement policy describing one or more resources accessible from the operating-system privilege mode and, in response to the receiving of the enforcement policy, determine whether one or more of the one or more resources have been altered.
  - 5. The media of claim 4, further comprising shutting down an operating system associated with the operating-system privilege mode in response to a determination by the protection agent that one or more of the one or more resources have been altered.
  - 6. The media of claim 4, wherein the one or more resources include a system service dispatch table (SSDT), an interrupt dispatch table (IDT), or a global descriptor table (GDT).
  - 7. The media of claim 1, further comprising receiving, at the virtual machine monitor and after the running of the protection agent, a notification that the protection agent has finished running.
  - 8. The media of claim 1, further comprising shutting down an operating system associated with the operating-system privilege mode in response to an attempted access of, from the operating-system privilege mode, the range of memory or the protection agent.
  - 9. The media of claim 1, further comprising cycling between the running of the protection agent and not running the protection agent, such that at least when the protection agent runs it is unalterable or inaccessible from the operating-system privilege mode.

10. A method comprising:
- virtualizing one or more real computing processors into virtual computing processors, the virtual computing processors comprising;
  
  one or more operating-system virtual processors each having a privilege to alter its own operating-system memory and use a portion of a processing bandwidth of the one or more real computing processors; and
  
  at least one protection-agent virtual processor having a privilege to alter its own protection-agent memory and use a different portion of the processing bandwidth of the one or more real computing processors; and
  
  causing the protection-agent virtual processor to execute a protection agent effective to determine whether or not a portion of said operating-system memory has been altered.
- View Dependent Claims (11, 12, 13, 14, 15)
- - 11. The method of claim 10 further comprising:
    - receiving an indication that the protection agent determined that the portion of said operating-system memory has been altered; and
      
      in response to the receiving of the indication, shutting down a corresponding operating system.
  - 12. The method of claim 10, wherein the one or more operating-system virtual processors are incapable of altering the protection-agent memory.
  - 13. The method of claim 10, wherein the causing of the protection-agent virtual processor to execute the protection agent comprises causing the protection-agent virtual processor to execute the protection agent at specified time intervals.
  - 14. The method of claim 10, wherein the protection-agent virtual processor is dedicated only to executing the protection agent.
  - 15. The method of claim 10, wherein the protection-agent virtual processor is scheduled by a virtual machine monitor and is transparent to an operating system associated with said operating-system memory.

16. One or more computer-readable media having computer-readable instructions therein that, when executed by a computing device comprising an underlying physical processor that includes one or more privilege modes, cause the computing device to add a privilege mode that is not present on the underlying physical processor.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The media of claim 16, wherein the added privilege mode is capable of altering a portion of memory of the computing device that is different than a portion of memory that is alterable by the one or more privilege modes that are initially present on the underlying physical processor.
  - 18. The media of claim 16, wherein the one or more privilege modes initially present on the underlying physical processor include a user privilege mode and an operating-system privilege mode, and wherein the added privilege mode is more privileged than both the user privilege mode and the operating-system privilege mode.
  - 19. The media of claim 16, wherein the one or more privilege modes initially present on the underlying physical processor include a user privilege mode and an operating system-privilege mode, and wherein the added privilege mode is more privileged than the mode but less privileged than the operating-system privilege mode.
  - 20. The media of claim 16, wherein the one or more privilege modes initially present on the underlying physical processor include an operating-system privilege mode, and wherein the adding of the privilege mode comprises calling a virtual machine monitor to request that a range of memory associated with a protection agent be made unalterable from or inaccessible from the operating-system privilege mode.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Foltz, Forrest C., Sinha, Suyash, Traut, Eric, Thornton, Andrew

Granted Patent

US 8,380,987 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/26
CPC Class Codes

G06F 12/1491   in a hierarchical protectio...

G06F 21/554   involving event detection a...

G06F 9/45533   Hypervisors; Virtual machin...

Protection Agents and Privilege Modes

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Protection Agents and Privilege Modes

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links