SECURE VIRTUALIZATION SYSTEM SOFTWARE
First Claim
1. A method implemented on a computing device for securing a virtualization environment against malware, comprising:
suspending an event in a kernel mode of the virtualization environment;
making the event available to a user mode security module of the virtualization environment;
receiving a security analysis of the event from the user mode security module of the virtualization environment;
if the security analysis indicates execution of the event is not secure, blocking execution of the event; and
if the security analysis indicates execution of the event is secure, resuming execution of the suspended event.
Abstract
Systems and methods for protecting a virtualization environment against malware. The methods involve intercepting an event in a kernel mode of the virtualization environment, suspending execution of the event, and transmitting the event to a user mode security module that determines whether the event should be blocked, allowed, or redirected. Events may be intercepted at any level of the virtualization environment, including an interrupt request table, a device driver, the OS object manager, the OS service dispatch table, a Portable Executable (PE) import/export table, or binary code, among others. In one embodiment, an event may trigger a chain of related events, so that interception of an event without first intercepting its expected antecedent event is one indication of malware. The method also involves securing a virtual storage device against unauthorized access and providing secure communication between the guest OS security module and the virtualization environment security module.
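The abstract describes a control loop rather than a concrete implementation: a kernel-mode hook parks an event, a user-mode module returns a verdict, and the hook blocks, redirects, or resumes it. The Python simulation below is an added example, not code from the patent or from any product of the assignee. It models that loop together with the two policy rules the abstract and claims 14 and 17 describe: the antecedent-chain check (an event whose expected predecessor was never seen is treated as a malware indicator) and the storage rule (only the guest's virtual storage device driver may reach the physical device). The event kinds, the `EXPECTED_ANTECEDENT` table, the component name `guest_vdisk_driver`, the meaning given to "redirect" (hand the event to an isolated copy) and the event stream in `run_demo()` are all assumptions constructed for illustration.

```python
"""Simulation of the intercept / suspend / verdict loop from the abstract.

Added example, not code from the patent. Event kinds, the antecedent table,
the trusted component name and the redirect semantics are assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Set


class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    REDIRECT = "redirect"


@dataclass(frozen=True)
class Event:
    kind: str                       # assumed kinds: "syscall", "driver_call", "disk_write", "file_open"
    ctx: str                        # thread/process context the event belongs to (assumed label)
    component: str                  # component that raised it, e.g. "guest_vdisk_driver" (assumed)
    detail: str = ""
    flagged_by_guest: bool = False  # set when the guest OS security module suspects malware (claim 17)


# Assumed antecedent table: an event of kind K is expected to be preceded, in the
# same context, by an allowed event of one of these kinds. Arriving without it
# is treated as a malware indicator, as the abstract describes.
EXPECTED_ANTECEDENT: Dict[str, Set[str]] = {
    "driver_call": {"syscall"},     # a driver is entered through the service dispatch path
    "disk_write": {"driver_call"},  # physical storage is reached only through a driver
}

TRUSTED_STORAGE_COMPONENT = "guest_vdisk_driver"  # assumed: the guest's virtual storage driver
HISTORY_WINDOW = 16


class UserModeSecurityModule:
    """User-mode analyzer: sees each suspended event and returns a verdict."""

    def __init__(self) -> None:
        self.history: List[Event] = []  # only events that were allowed to resume
        self.reasons: List[str] = []

    def _has_antecedent(self, ev: Event) -> bool:
        needed = EXPECTED_ANTECEDENT.get(ev.kind)
        if needed is None:
            return True  # no chain expectation for this kind
        recent = self.history[-HISTORY_WINDOW:]
        return any(h.kind in needed and h.ctx == ev.ctx for h in recent)

    def analyze(self, ev: Event) -> Verdict:
        if ev.flagged_by_guest:
            self.reasons.append(f"redirect {ev.kind} in {ev.ctx}: flagged by guest OS module")
            return Verdict.REDIRECT
        if ev.kind == "disk_write" and ev.component != TRUSTED_STORAGE_COMPONENT:
            self.reasons.append(f"block disk_write from {ev.component}: not the virtual storage driver")
            return Verdict.BLOCK
        if not self._has_antecedent(ev):
            self.reasons.append(f"block {ev.kind} in {ev.ctx}: expected antecedent missing")
            return Verdict.BLOCK
        self.history.append(ev)
        return Verdict.ALLOW


class KernelModeInterceptor:
    """Stands in for the kernel-mode hook: suspends the event, asks the
    user-mode module, then blocks, redirects, or resumes it."""

    def __init__(self, module: UserModeSecurityModule) -> None:
        self.module = module
        self.suspended: Optional[Event] = None
        self.resumed: List[Event] = []
        self.blocked: List[Event] = []
        self.redirected: List[Event] = []  # assumed: delivered to an isolated copy instead

    def intercept(self, ev: Event) -> Verdict:
        self.suspended = ev                # execution of the event is parked here
        verdict = self.module.analyze(ev)  # cross into user mode for the decision
        self.suspended = None
        {Verdict.ALLOW: self.resumed,
         Verdict.BLOCK: self.blocked,
         Verdict.REDIRECT: self.redirected}[verdict].append(ev)
        return verdict


def run_demo() -> KernelModeInterceptor:
    """Replays a constructed event stream: a legitimate write path, a direct
    disk access by a rogue component, a driver entry with no preceding system
    call in its context, and an event the guest module flagged."""
    hook = KernelModeInterceptor(UserModeSecurityModule())
    stream = [
        Event("syscall", "app1", "guest_app", "NtWriteFile"),
        Event("driver_call", "app1", "guest_vdisk_driver", "IRP_MJ_WRITE"),
        Event("disk_write", "app1", "guest_vdisk_driver", "LBA 4096"),
        Event("disk_write", "rootkit", "guest_rootkit", "LBA 0"),          # bypasses the vdisk driver
        Event("driver_call", "rootkit", "guest_vdisk_driver", "IRP_MJ_WRITE"),  # no syscall in this ctx
        Event("file_open", "app2", "guest_app", "drivers/x.sys", flagged_by_guest=True),
    ]
    for ev in stream:
        hook.intercept(ev)
    return hook


if __name__ == "__main__":
    demo = run_demo()
    for line in demo.module.reasons:
        print(line)
```

Two design points carry over to a real deployment: the antecedent check keys on the context that raised the event, so a predecessor seen in another thread does not satisfy it, and only events that actually resumed are recorded as history, so a blocked driver entry cannot serve as the antecedent of a later disk write.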
20 Claims
1. A method implemented on a computing device for securing a virtualization environment against malware, comprising:
suspending an event in a kernel mode of the virtualization environment;
making the event available to a user mode security module of the virtualization environment;
receiving a security analysis of the event from the user mode security module of the virtualization environment;
if the security analysis indicates execution of the event is not secure, blocking execution of the event; and
if the security analysis indicates execution of the event is secure, resuming execution of the suspended event.
Dependent claims: 2 to 13.
14. A computer system for securing a virtual storage device stored on a physical storage device, comprising:
a computer readable medium having a plurality of instructions stored thereon; and
at least one processing device communicatively coupled to the computer readable medium and configured for executing the plurality of instructions that cause the computer system to perform actions comprising:
receiving an access event for the physical storage device;
suspending the physical storage device access event in the virtualization environment;
making the physical storage device access event available to a user mode security module;
receiving an indication from the user mode security module whether to block or allow the physical storage device access event, the indication based in part on whether the physical storage device access event originated from a virtual storage device driver in a guest operating system;
if the indication is to block the physical storage device access event, blocking execution of the physical storage device access event; and
if the indication is to allow the physical storage device access event, resuming execution of the suspended physical storage device access event.
Dependent claims: 15, 16.
17. A system implemented on a computing device comprising:
a virtualization environment including a virtualization environment security module and a virtual machine; and
a guest operating system (OS) executing on the virtual machine, wherein the guest OS includes a guest OS security module, wherein the guest OS security module determines when a guest OS event originates from malware, and wherein the guest OS security module transmits the guest OS event to the virtualization environment security module when the guest OS event is determined to originate from malware.
Dependent claims: 18, 19, 20.
Specification