Impeding Progress of Malicious Guest Software

US 20090044274A1
Filed: 03/19/2008
Published: 02/12/2009
Est. Priority Date: 08/08/2007
Status: Active Grant

First Claim

Patent Images

1. A method of operating a virtualization system, the method comprising:

instantiating a virtualization system on an underlying hardware machine, the virtualization system exposing a virtual machine in which multiple execution contexts of a guest execute;

monitoring the execution contexts from the virtualization system; and

selectively impeding computational progress of a particular one of the execution contexts.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

One embodiment of the present invention is a method of operating a virtualization system, the method including: (a) instantiating a virtualization system on an underlying hardware machine, the virtualization system exposing a virtual machine in which multiple execution contexts of a guest execute; (b) monitoring the execution contexts from the virtualization system; and (c) selectively impeding computational progress of a particular one of the execution contexts.

Citations

46 Claims

1. A method of operating a virtualization system, the method comprising:
- instantiating a virtualization system on an underlying hardware machine, the virtualization system exposing a virtual machine in which multiple execution contexts of a guest execute;
  
  monitoring the execution contexts from the virtualization system; and
  
  selectively impeding computational progress of a particular one of the execution contexts.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 2. The method of claim 1,wherein the particular execution context is, or is identified as, a malicious context.
  - 3. The method of claim 1,wherein the guest includes a guest operating system and the execution contexts include processes, threads or tasks coordinated by the guest operating system.
  - 4. The method of claim 3,wherein the impeding is performed from behind a virtualization barrier and without cooperation from the guest operating system.
  - 5. The method of claim 1,wherein the monitoring and the impeding are hidden from the execution contexts.
  - 6. The method of claim 1, further comprising:
    - executing, under control of the virtualization system, instruction sequences that correspond to respective ones of the execution contexts,wherein the impeding includes, for an instruction sequence corresponding to the particular execution context, selectively altering behavior of the virtual machine.
  - 7. The method of claim 6,wherein the altered behavior includes supplying, in response to an otherwise valid instruction, a fault, trap or interrupt not dictated by faithful emulation of the machine virtualized.
  - 8. The method of claim 6,wherein the altered behavior includes interdicting a transition of the virtual machine from user mode to kernel mode, wherein the interdicted transition is attempted in connection with execution, for the particular execution context, of an otherwise valid system call.
  - 9. The method of claim 8,wherein the interdicting includes one or more of:
    - returning an error without executing the otherwise valid system call; and
      
      performing an alterative system call in lieu of the otherwise valid system call.
  - 10. The method of claim 6,wherein the altered behavior includes interdicting a hypercall attempted in connection with execution of the particular execution context.
  - 11. The method of claim 6,wherein the altered behavior includes supplying the guest with a succession of events not dictated by faithful emulation of the machine virtualized, but rather selected to cause the guest to deschedule or deprioritize computations of the particular execution context.
  - 12. The method of claim 11,wherein the events include timer interrupts delivered at a rate that exceeds that expected by the guest.
  - 13. The method of claim 6, further comprising:
    - modifying page table entries associated with the particular execution context to preclude the particular execution context from reading from, writing to or executing from an otherwise mapped memory page.
  - 14. The method of claim 13,wherein the modified page table entries are maintained by the virtualization system and are not visible to the execution contexts of the guest.
  - 15. The method of claim 1, further comprising:
    - executing, under control of the virtualization system, instruction sequences that correspond to respective ones of the execution contexts,wherein the impeding includes altering a particular instruction sequence otherwise executed for the particular execution context.
  - 16. The method of claim 15,wherein the altered instruction sequence includes binary code executed by the virtualization system for the particular execution context, andwherein the altering includes overwriting, patching or otherwise modifying the binary code to alter semantics or control flow of the particular execution context.
  - 17. The method of claim 15,wherein the altering is performed in the virtualization system and is not visible to execution contexts of the guest.
  - 18. The method of claim 1,wherein the impeding includes restricting use by the particular execution context of a resource mapped by the exposed virtual machine.
  - 19. The method of claim 18,wherein the restricted resource includes memory, input/output bandwidth, device functionality or processor cycles exposed to the particular execution context of the guest.
  - 20. The method of claim 18,wherein the restricting includes descheduling or deprioritizing one or more virtual processors of the exposed virtual machine coincident with scheduling, by the guest, of the particular execution context for execution thereon.
  - 21. The method of claim 18,wherein the restricting includes changing operating frequency or power management state of the exposed virtual machine or underlying hardware coincident with scheduling, by the guest, of the particular execution context for execution thereon.
  - 22. The method of claim 18,wherein the restricting includes delaying completion or apparent completion of an input/output operation initiated by the particular execution context.
  - 23. The method of claim 1, wherein the monitoring includes:
    - checking, coincident with switches between execution contexts of the guest, at least one characteristic of a switched-to execution context against one or more characteristics of an execution context identified as malicious.
  - 24. The method of claim 23, wherein the checked-against characteristic is selected from a set that includes:
    - a process, thread or task identifier; and
      
      presence, in a mapped address space of the switched-to execution context, of one or more memory pages associated with malicious code.
  - 25. The method of claim 1, further comprising:
    - identifying the malicious execution context.
  - 26. The method of claim 25, wherein the identifying is performed using one or more of:
    - an antivirus system;
      
      an intrusion detection system; and
      
      content- or behavior-based identification by the virtualization system.
  - 27. The method of claim 1,wherein the virtualization system includes software that is itself executed under control of a host operating system.
  - 28. The method of claim 1,wherein the virtualization system includes software that is executed directly on the underlying hardware machine.

29. A computational system that, from behind a virtualization barrier, selectively impedes progress of a malicious context executing within an exposed virtual machine without substantially impeding progress of other execution contexts executing therein.
- View Dependent Claims (30, 31, 32, 33, 34)
- - 30. The computational system of claim 29, further comprising:
    - a guest operating system operative on the virtual machine,wherein the execution of the malicious context and the other execution contexts are coordinated by the guest operating system.
  - 31. The computational system of claim 29, further comprising:
    - a virtualization system that coordinates execution of respective instruction sequences that correspond to the execution contexts, including the malicious context, operative on the virtual machine,wherein the impeding includes selectively altering, for a particular instruction sequence that corresponds to the malicious context, behavior of the virtual machine.
  - 32. The computational system of claim 31, wherein the altered behavior includes one or more of:
    - supplying, in response to an otherwise valid instruction of the sequence, a fault, trap or interrupt not dictated by faithful emulation of the machine virtualized;
      
      interdicting a transition of the virtual machine from user mode to kernel mode, wherein the interdicted transition is attempted in connection with execution, for the malicious context, of an otherwise valid system call;
      
      supplying a guest operating system that coordinates execution of the execution contexts with a succession of events not dictated by faithful emulation of the machine virtualized, but rather selected to cause the guest operating system to deschedule or deprioritize computations of the malicious context; and
      
      modifying page table entries associated with the malicious context to preclude the malicious context from reading from, writing to or executing from an otherwise mapped memory page.
  - 33. The computational system of claim 29,wherein the impeding includes altering, in the virtualization system, a particular instruction sequence of the malicious context, wherein the alteration is not visible to execution contexts operative in the virtual machine.
  - 34. The computational system of claim 29,wherein the impeding includes restricting use by the malicious context of a resource mapped by the exposed virtual machine,the restricted resource including one or more of memory, input/output bandwidth, device functionality and processor cycles exposed to the malicious context.

35. An apparatus comprising:
- a hardware machine;
  
  virtualization software encoded in one or more media accessible to the hardware machine and executable to expose at least one virtual machine using resources of the hardware machine; and
  
  guest software encoded in one or more media accessible to the virtual machine, the guest software executable on an exposed virtual machine,wherein the virtualization software includes code executable on the hardware machine to selectively impede, from behind a virtualization barrier and without cooperation of the guest software, progress of a malicious context executing within the exposed virtual machine.
- View Dependent Claims (36, 37, 38)
- - 36. The apparatus of claim 35,wherein the impeding includes selectively altering, for a particular instruction sequence that corresponds to the malicious context, behavior of the virtual machine;
    - andfurther comprising one or more of;
      
      code executable to supply, in response to an otherwise valid instruction of the sequence, a fault, trap or interrupt not dictated by faithful emulation of the machine virtualized;
      
      code executable to interdict a transition of the virtual machine from user mode to kernel mode, wherein the interdicted transition is attempted in connection with execution, for the malicious context, of an otherwise valid system call;
      
      code executable to supply a guest operating system that coordinates execution of the execution contexts with a succession of events not dictated by faithful emulation of the machine virtualized, but rather selected to cause the guest operating system to deschedule or deprioritize computations of the malicious context; and
      
      code executable to modify page table entries associated with the malicious context to preclude the malicious context from reading from, writing to or executing from an otherwise mapped memory page.
  - 37. The apparatus of claim 35, further comprising:
    - code executable to selectively alter emulation by the virtualization software of a particular instruction sequence of the malicious context, wherein the alteration is not visible to execution contexts operative in the virtual machine.
  - 38. The apparatus of claim 35, wherein the virtualization system includes:
    - code executable to restrict use by the malicious context of a resource mapped by the exposed virtual machine, the restricted resource including one or more of memory, input/output bandwidth, device functionality and processor cycles exposed to the malicious context.

39. A computer program product comprising:
- one or more functional sequences executable as, or in conjunction with, a virtualization system to selectively impede, from behind a virtualization barrier and without cooperation of guest software, progress of a malicious context executing within a virtual machine exposed by the virtualization system.
- View Dependent Claims (40, 41, 42, 43, 44, 45, 46)
- - 40. The computer program product of claim 39, further comprising:
    - a binary translator operable within the virtualization system to alter an instruction sequence of the malicious context and thereby contribute to the impeding.
  - 41. The computer program product of claim 39, further comprising:
    - a fault, trap or interrupt signaling interface exposed on execution of the virtualization system, the exposed interface configured to supply, in response to an otherwise valid instruction of the malicious context, a fault, trap or interrupt not dictated by faithful emulation of the machine virtualized and thereby contribute to the impeding.
  - 42. The computer program product of claim 39, further comprising:
    - emulation code for a processor of the exposed virtual machine, the emulation code operable to selectively interdict a transition of the emulated processor from user mode to kernel mode and thereby contribute to the impeding, wherein the interdicted transition is attempted in connection with execution, for the malicious context, of an otherwise valid system call.
  - 43. The computer program product of claim 39, further comprising:
    - an event signaling interface exposed on execution of the virtualization system, the exposed interface configured to supply a guest operating system with events, wherein the exposed interface selectively supplies a succession of events not dictated by faithful emulation of the machine virtualized, but rather selected to cause the guest operating system to selectively deschedule or deprioritize computations of the malicious context and thereby contribute to the impeding.
  - 44. The computer program product of claim 39, further comprising:
    - memory management code executable to selectively modify page table entries maintained for the malicious context by the virtualization system and thereby contribute to the impeding by precluding the malicious context from reading from, writing to or executing from an otherwise mapped memory page.
  - 45. The computer program product of claim 39, encoded in at least one computer readable medium selected from the set of a disk, tape or other magnetic, optical or electronic storage medium.
  - 46. The computer program product of claim 39, at least transiently encoded in connection with transmission via a network, wire line, wireless or other communications medium.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Vmware LLC (Broadcom, Inc.)
Original Assignee
VMware, Inc. (Broadcom, Inc.)
Inventors
Waldspurger, Carl A., Chen, Xiaoxin, Horovitz, Oded, Budko, Dmitriy

Granted Patent

US 8,763,115 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 2009/45591   Monitoring or debugging sup...

G06F 21/53   by executing in a restricte...

G06F 9/45558   Hypervisor-specific managem...

Impeding Progress of Malicious Guest Software

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

46 Claims

Specification

Solutions

Use Cases

Quick Links

Impeding Progress of Malicious Guest Software

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

46 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links