System and Method for Providing Address Protection in a Virtual Environment

US 20110047543A1
Filed: 08/21/2009
Published: 02/24/2011
Est. Priority Date: 08/21/2009
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

identifying an address space in a memory element of a system configured to operate in a virtual environment, wherein the address space includes at least one system address, and wherein the address space is provided to a virtual machine monitor; and

generating a page table entry for the system address in a shadow page table stored in the virtual machine monitor in response to a guest operating system initiating a process, wherein the page table entry is marked as a page not being present in order to trigger a page fault for a system address access from the guest operating system.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method in one example implementation includes identifying an address space in a memory element of a system configured to operate in a virtual environment. The address space includes at least one system address, and the address space is provided to a virtual machine monitor. The method also includes generating a page table entry for the system address in a shadow page table stored in the virtual machine monitor in response to a guest operating system initiating a process. The page table entry is marked as a page not being present in order to trigger a page fault for a system address access from the guest operating system. In more specific embodiments, the method may include evaluating a page fault to determine access to the address space, where access to a writeable area of the memory element is denied.

Citations

20 Claims

1. A method, comprising:
- identifying an address space in a memory element of a system configured to operate in a virtual environment, wherein the address space includes at least one system address, and wherein the address space is provided to a virtual machine monitor; and
  
  generating a page table entry for the system address in a shadow page table stored in the virtual machine monitor in response to a guest operating system initiating a process, wherein the page table entry is marked as a page not being present in order to trigger a page fault for a system address access from the guest operating system.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, further comprising:
    - intercepting a page fault; and
      
      evaluating the page fault to determine access to the address space, wherein access from a writeable area of the memory element is denied.
  - 3. The method of claim 1, further comprising:
    - maintaining the shadow page table for one or more guest operating systems; and
      
      updating the shadow page table as additional processes are initiated by the guest operating system.
  - 4. The method of claim 1, wherein when the guest operating system initiates the process, the system address is converted to a physical address.
  - 5. The method of claim 1, wherein a critical system address to be protected is communicated to the virtual machine monitor via a privileged domain using hypercalls.
  - 6. The method of claim 1, further comprising:
    - intercepting a processor execution request from the guest operating system; and
      
      using a page fault handler to permit or deny access to the system address.
  - 7. The method of claim 1, wherein a single step flag is marked in a processor flag for a processor to identify.

8. Logic encoded in one or more tangible media that includes code for execution and when executed by a processor is operable to perform operations comprising:
- identifying an address space in a memory element of a system configured to operate in a virtual environment, wherein the address space includes at least one system address, and wherein the address space is provided to a virtual machine monitor; and
  
  generating a page table entry for the system address in a shadow page table stored in the virtual machine monitor in response to a guest operating system initiating a process, wherein the page table entry is marked as a page not being present in order to trigger a page fault for a system address access from the guest operating system.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The logic of claim 8, the processor being operable to perform operations comprising:
    - intercepting a page fault; and
      
      evaluating the page fault to determine access to the address space, wherein access from a writeable area of the memory element is denied.
  - 10. The logic of claim 8, the processor being operable to perform operations comprising:
    - maintaining the shadow page table for one or more guest operating systems; and
      
      updating the shadow page table as additional processes are initiated by the guest operating system.
  - 11. The logic of claim 8, wherein when the guest operating system initiates the process, the system address is converted to a physical address.
  - 12. The logic of claim 8, wherein a critical system address to be protected is communicated to the virtual machine monitor via a privileged domain using hypercalls.
  - 13. The logic of claim 8, wherein a single step flag is marked in a processor flag for a processor to identify.
  - 14. The logic of claim 8, the processor being operable to perform operations comprising:
    - intercepting a processor execution request from the guest operating system; and
      
      using a page fault handler to permit or deny access to the system address.

15. An apparatus, comprising:
- a virtual machine monitor;
  
  a memory element configured to store data; and
  
  a processor operable to execute instructions associated with the data, wherein the virtual machine monitor includes an address protection module configured to;
  
  identify an address space in the memory element of a system configured to operate in a virtual environment, wherein the address space includes at least one system address, and wherein the address space is provided to the virtual machine monitor; and
  
  generate a page table entry for the system address in a shadow page table stored in the virtual machine monitor in response to a guest operating system initiating a process, wherein the page table entry is marked as a page not being present in order to trigger a page fault for a system address access from the guest operating system.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The apparatus of claim 15, wherein the virtual machine monitor is configured to:
    - intercept a page fault; and
      
      evaluate the page fault to determine access to the address space, wherein access from a writeable area of the memory element is denied.
  - 17. The apparatus of claim 15, wherein the virtual machine monitor is configured to:
    - maintain the shadow page table for one or more guest operating systems; and
      
      update the shadow page table as additional processes are initiated by the guest operating system.
  - 18. The apparatus of claim 15, wherein when the guest operating system initiates the process, the system address is converted to a physical address.
  - 19. The apparatus of claim 15, wherein a critical system address to be protected is communicated to the virtual machine monitor via a privileged domain using hypercalls.
  - 20. The apparatus of claim 15, further comprising:
    - page fault handler, wherein a processor execution request is intercepted from the guest operating system and the page fault handler is configured to permit or deny access to the system address.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Mohinder, Preet

Granted Patent

US 8,341,627 B2
Time in Patent Office

Days
Field of Search
US Class Current

718/1
CPC Class Codes

G06F 12/145   the protection being virtua...

G06F 2009/45583   Memory management, e.g. acc...

G06F 2009/45587   Isolation or security of vi...

G06F 21/53   by executing in a restricte...

G06F 9/45558   Hypervisor-specific managem...

System and Method for Providing Address Protection in a Virtual Environment

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and Method for Providing Address Protection in a Virtual Environment

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links