System and Method for Enforcing Security Policies in a Virtual Environment

US 20110047542A1
Filed: 08/21/2009
Published: 02/24/2011
Est. Priority Date: 08/21/2009
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

intercepting a request associated with an execution of an object in a computer configured to operate in a virtual machine environment, wherein the request for the execution is associated with a privileged domain of the computer that operates logically below one or more operating systems;

verifying an authorization of the object by computing a checksum for the object and comparing the checksum to a plurality of stored checksums in a memory element; and

denying the execution of the object if it is not authorized.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method in one example implementation includes intercepting a request associated with an execution of an object (e.g., a kernel module or a binary) in a computer configured to operate in a virtual machine environment. The request is associated with a privileged domain of the computer that operates logically below one or more operating systems. The method also includes verifying an authorization of the object by computing a checksum for the object and comparing the checksum to a plurality of stored checksums in a memory element. The execution of the object is denied if it is not authorized. In other embodiments, the method can include evaluating a plurality of entries within the memory element of the computer, wherein the entries include authorized binaries and kernel modules. In other embodiments, the method can include intercepting an attempt from a remote computer to execute code from a previously authorized binary.

196 Citations

20 Claims

1. A method, comprising:
- intercepting a request associated with an execution of an object in a computer configured to operate in a virtual machine environment, wherein the request for the execution is associated with a privileged domain of the computer that operates logically below one or more operating systems;
  
  verifying an authorization of the object by computing a checksum for the object and comparing the checksum to a plurality of stored checksums in a memory element; and
  
  denying the execution of the object if it is not authorized.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising:
    - evaluating a plurality of entries within the memory element of the computer, wherein the entries include authorized binaries and kernel modules.
  - 3. The method of claim 1, further comprising:
    - intercepting an attempt from a remote computer to execute code from a previously authorized binary; and
      
      evaluating an origination address of a hypercall associated with the code before executing the code.
  - 4. The method of claim 1, wherein the object is a kernel module or a binary.
  - 5. The method of claim 1, wherein the verifying of the authorization of the object includes comparing the object to an inventory of authorized objects stored in a user space of the computer, and wherein a log is created if the execution of the object is not authorized.
  - 6. The method of claim 1, further comprising:
    - allowing the object to be executed if its corresponding checksum is found as matching one of the plurality of stored checksums in the memory element.
  - 7. The method of claim 1, wherein the object is a kernel module that is interacting with a hypercall, which attempts to access one or more privileged domain areas within the computer.

8. Logic encoded in one or more tangible media that includes code for execution and when executed by a processor is operable to perform operations comprising:
- intercepting a request associated with an execution of an object in a computer configured to operate in a virtual machine environment, wherein the request for the execution is associated with a privileged domain of the computer that operates logically below one or more operating systems;
  
  verifying an authorization of the object by computing a checksum for the object and comparing the checksum to a plurality of stored checksums in a memory element; and
  
  denying the execution of the object if it is not authorized.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The logic of claim 8, the processor being operable to perform operations comprising:
    - evaluating a plurality of entries within the memory element of the computer, wherein the entries include authorized binaries and kernel modules.
  - 10. The logic of claim 8, the processor being operable to perform operations comprising:
    - intercepting an attempt from a remote computer to execute code from a previously authorized binary; and
      
      evaluating an origination address of a hypercall associated with the code before executing the code.
  - 11. The logic of claim 8, wherein the object is a kernel module or a binary.
  - 12. The logic of claim 8, wherein the object is a kernel module that is interacting with a hypercall, which attempts to access one or more privileged domain areas within the computer.
  - 13. The logic of claim 8, wherein the verifying of the authorization of the object includes comparing the object to an inventory of authorized objects stored in a user space of the computer, and wherein a log is created if the execution of the object is not authorized.
  - 14. The logic of claim 8, the processor being operable to perform operations comprising:
    - allowing the object to be executed if its corresponding checksum is found as matching one of the plurality of stored checksums in the memory element.

15. An apparatus, comprising:
- a virtual machine element;
  
  a memory element configured to store data; and
  
  a processor operable to execute instructions associated with the data, wherein the virtual machine element is configured to;
  
  intercept a request associated with an execution of an object in a computer configured to operate in a virtual machine environment, wherein the request for the execution is associated with a privileged domain of the computer that operates logically below one or more operating systems;
  
  verify an authorization of the object by computing a checksum for the object and comparing the checksum to a plurality of stored checksums in the memory element; and
  
  deny the execution of the object if it is not authorized.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The apparatus of claim 15, wherein the virtual machine element is further configured to:
    - evaluate a plurality of entries within the memory element of the computer, wherein the entries include authorized binaries and kernel modules.
  - 17. The apparatus of claim 15, wherein the virtual machine element is further configured to:
    - intercept an attempt from a remote computer to execute code from a previously authorized binary; and
      
      evaluate an origination address of a hypercall associated with the code before executing the code.
  - 18. The apparatus of claim 15, wherein the object is a kernel module or a binary.
  - 19. The apparatus of claim 15, wherein the object is a kernel module that is interacting with a hypercall, which attempts to access one or more privileged domain areas within the computer.
  - 20. The apparatus of claim 15, wherein the object is allowed to be executed if its corresponding checksum is found as matching one of the plurality of stored checksums in the memory element.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Mohinder, Preet, Dang, Amit

Granted Patent

US 8,381,284 B2
Time in Patent Office

Days
Field of Search
US Class Current

718/1
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 21/12   Protecting executable software

G06F 21/51   at application loading time...

G06F 21/52   during program execution, e...

G06F 21/554   involving event detection a...

G06F 21/6218   to a system of files or obj...

G06F 9/45533   Hypervisors; Virtual machin...

G06F 9/45558   Hypervisor-specific managem...

G06F 9/468   Specific access rights for ...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

System and Method for Enforcing Security Policies in a Virtual Environment

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

196 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and Method for Enforcing Security Policies in a Virtual Environment

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

196 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links