SECURE VIRTUALIZATION SYSTEM SOFTWARE

US 20090288167A1
Filed: 05/19/2009
Published: 11/19/2009
Est. Priority Date: 05/19/2008
Status: Active Grant

First Claim

Patent Images

1. A method implemented on a computing device for securing a virtualization environment against malware, comprising:

suspending an event in a kernel mode of the virtualization environment;

making the event available to a user mode security module of the virtualization environment;

receiving a security analysis of the event from the user mode security module of the virtualization environment;

if the security analysis indicates execution of the event is not secure, blocking execution of the event; and

if the security analysis indicates execution of the event is secure, resuming execution of the suspended event.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for protecting a virtualization environment against malware. The methods involve intercepting an event in a kernel mode of the virtualization environment, suspending execution of the event, and transmitting the event to a user mode security module that determines whether the event should be blocked, allowed, or redirected. Events may be intercepted from any level of the virtualization environment, including an interrupt request table, device driver, OS object manager, OS service dispatch table, Portable Execution (P/E) import/export table, or binary code, among others. In one embodiment, an event may trigger a chain of related events, such that interception of an event without first intercepting an expected antecedent event is one indication of malware. The method also involves securing a virtual storage device against unauthorized access and providing for secure communication between guest OS and virtualization environment security modules.

Citations

20 Claims

1. A method implemented on a computing device for securing a virtualization environment against malware, comprising:
- suspending an event in a kernel mode of the virtualization environment;
  
  making the event available to a user mode security module of the virtualization environment;
  
  receiving a security analysis of the event from the user mode security module of the virtualization environment;
  
  if the security analysis indicates execution of the event is not secure, blocking execution of the event; and
  
  if the security analysis indicates execution of the event is secure, resuming execution of the suspended event.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method according to claim 1, wherein the event is one of the group consisting of an interrupt request, a function call, and an operating system message.
  - 3. The method according to claim 1, wherein the method secures a non-virtualization operating system against malware.
  - 4. The method according to claim 1, wherein the event is intercepted from one of the group consisting of an interrupt request table, a device driver, an operating system (OS) object manager, an OS service dispatch table, a Portable Execution (P/E) export table, and an executable instruction.
  - 5. The method according to claim 1, wherein the event originated in a hardware device.
  - 6. The method according to claim 1 further comprising receiving the event directly from a source module.
  - 7. The method according to claim 1, wherein the event is selected from the group consisting of a kernel mode event and a user mode event.
  - 8. The method according to claim 1, wherein a plurality of user mode security modules receive the event, and each of the plurality of user mode security modules are capable of determining whether execution of the event is secure.
  - 9. The method according to claim 1, wherein the user mode security module redirects the event to another module for additional processing before allowing the suspended event to be resumed.
  - 10. The method according to claim 1, wherein the security module modifies the event before allowing the suspended event to be resumed.
  - 11. The method according to claim 1, wherein the security analysis is based in part on determining whether malware initiated the event.
  - 12. The method according to claim 1, wherein the event is one of a series of related events, and wherein the security analysis is based in part on determining whether the event was preceded by at least one of the series of events.
  - 13. The method according to claim 1, further comprising detecting code injected into the virtualization environment by:
    - scanning for a portion of memory that is inaccessible to the virtualization environment;
      
      identifying a file on a storage device associated with the portion of inaccessible memory;
      
      determining when the file on the storage device associated with the portion of inaccessible memory includes malware.

14. A computer system for securing a virtual storage device stored on a physical storage device, comprising:
- a computer readable medium having a plurality of instructions stored thereon; and
  
  at least one processing device communicatively coupled to the computer readable medium and configured for executing the plurality of instructions that cause the computer system to perform actions comprising;
  
  receiving an access event for the physical storage device;
  
  suspending the physical storage device access event in the virtualization environment;
  
  making the physical storage device access event available to a user mode security module;
  
  receiving an indication from the user mode security module whether to block or allow the physical storage device access event, the indication based in part on whether the physical storage device access event originated from a virtual storage device device driver in a guest operating system;
  
  if the indication is to block the physical storage device access event, blocking execution of the physical storage device access event; and
  
  if the indication is to allow the physical storage device access event, resuming execution of the suspended physical storage device access event.
- View Dependent Claims (15, 16)
- - 15. The computer system according to claim 14, wherein the user mode security module redirects the physical storage device access event to an encryption module when the event includes a write event, and wherein the security module redirects the physical storage device access event to a decryption module when the event includes a read event.
  - 16. The computer system according to claim 14, wherein the user mode security module is executed in kernel mode.

17. A system implemented on a computing device comprising:
- a virtualization environment including a virtualization environment security module and a virtual machine; and
  
  a guest operating system (OS) executing on the virtual machine, wherein the guest OS includes a guest OS security module, wherein the guest OS security module determines when a guest OS event originates from malware, and wherein the guest OS security module transmits the guest OS event to the virtualization environment security module when the guest OS event is determined to originate from malware.
- View Dependent Claims (18, 19, 20)
- - 18. The system according to claim 17, wherein the guest OS includes a first guest OS, the system further including a second guest OS that includes a security module, wherein the virtualization environment security module communicates the existence of malware to the security module of the second guest OS in response to receiving an indication of the existence of malware on the first guest OS.
  - 19. The system according to claim 17, wherein tampering to the virtualization environment security module and the guest OS security module is detected by verification against a digital signature.
  - 20. The system according to claim 17, wherein tampering to the virtualization environment security module and the guest OS security module is detected by comparing in-memory representations of the virtualization environment security module and the guest OS security module with representations of the virtualization environment security module and the guest OS security module on a storage device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Wontok, Inc. (Wontok Enterprises Pty Ltd.)
Original Assignee
SafeCentral, Inc. (Wontok Enterprises Pty Ltd.)
Inventors
Freericks, Helmuth, Kouznetsov, Oleg

Granted Patent

US 9,235,705 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/54   by adding security routines...

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/62   Protecting access to data v...

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2149   Restricted operating enviro...

SECURE VIRTUALIZATION SYSTEM SOFTWARE

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SECURE VIRTUALIZATION SYSTEM SOFTWARE

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links