METHOD AND APPARATUS FOR ENFORCING A MANDATORY SECURITY POLICY ON AN OPERATING SYSTEM (OS) INDEPENDENT ANTI-VIRUS (AV) SCANNER

US 20120047580A1
Filed: 08/18/2010
Published: 02/23/2012
Est. Priority Date: 08/18/2010
Status: Abandoned Application

First Claim

Patent Images

1. In a computing system having a loader and a fault handler, a method of enforcing a security policy on an operating system (OS) independent antivirus (AV) application running in a guest OS comprising:

specifying, by the AV application, a fault handler code image, a fault handler manifest, a memory location of the AV application, and an AV application manifest;

verifying, by the loader, the fault handler code image and the fault handler manifest;

creating, by the loader, a first security domain having a first security level, copying the fault handler code image to memory associated with the first security domain, and initiating execution of the fault handler;

requesting, by the loader, to lock memory pages in the guest OS that are reserved for the AV application;

locking, by the fault handler, the executable code image of the AV application loaded into guest OS memory by setting traps on selected code segments in guest OS memory pages;

measuring, by the loader, AV application memory and comparing the measurement to the AV application manifest; and

promoting, by the loader, the AV application to the first security domain when the AV application is successfully verified by the measuring and comparing step.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An antivirus (AV) application specifies a fault handler code image, a fault handler manifest, a memory location of the AV application, and an AV application manifest. A loader verifies the fault handler code image and the fault handler manifest, creates a first security domain having a first security level, copies the fault handler code image to memory associated with the first security domain, and initiates execution of the fault handler. The loader requests the locking of memory pages in the guest OS that are reserved for the AV application. The fault handler locks the executable code image of the AV application loaded into guest OS memory by setting traps on selected code segments in guest OS memory.

70 Citations

View as Search Results

25 Claims

1. In a computing system having a loader and a fault handler, a method of enforcing a security policy on an operating system (OS) independent antivirus (AV) application running in a guest OS comprising:
- specifying, by the AV application, a fault handler code image, a fault handler manifest, a memory location of the AV application, and an AV application manifest;
  
  verifying, by the loader, the fault handler code image and the fault handler manifest;
  
  creating, by the loader, a first security domain having a first security level, copying the fault handler code image to memory associated with the first security domain, and initiating execution of the fault handler;
  
  requesting, by the loader, to lock memory pages in the guest OS that are reserved for the AV application;
  
  locking, by the fault handler, the executable code image of the AV application loaded into guest OS memory by setting traps on selected code segments in guest OS memory pages;
  
  measuring, by the loader, AV application memory and comparing the measurement to the AV application manifest; and
  
  promoting, by the loader, the AV application to the first security domain when the AV application is successfully verified by the measuring and comparing step.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 24, 25)
- - 2. The method of claim 1, wherein the loader and the fault handler execute within a protected execution environment in the computing system.
  - 3. The method of claim 1, wherein other applications running in the guest OS are in a second security domain having a second security level, the first security level being higher than the second security level.
  - 4. The method of claim 3, wherein an application running in the second security domain cannot modify memory in the first security domain without triggering traps detected by the fault handler.
  - 5. The method of claim 3, wherein guest OS kernel code running in the second security domain cannot modify memory in the first security domain without triggering traps detected by the fault handler.
  - 6. The method of claim 1, further comprising executing the AV application to scan for malware in the computing system.
  - 7. The method of claim 6, further comprising verifying, by the fault handler, that messages from the AV application originate from the locked guest OS memory.
  - 8. The method of claim 1, wherein access to the security domains is controlled by resource manager logic of a processor of the computing system.
  - 9. The method of claim 1, wherein the AV application executes within a virtual machine controlled by a virtual machine manager (VMM).
  - 24. The computing system of claim 1, further comprising a virtual machine manager (VMM) in the guest OS to instantiate a virtual machine wherein the AV application executes within the virtual machine.
  - 25. The computing system of claim 1, wherein the execution container comprises a protected execution environment.

10. A computer-readable medium comprising one or more instructions that when executed on a processor of a computing system having a loader and a fault handler configure the processor to perform one or more operations tospecify, by an antivirus (AV) application, a fault handler code image, a fault handler manifest, a memory location of the AV application, and an AV application manifest;
- verify, by the loader, the fault handler code image and the fault handler manifest;
  
  create, by the loader, a first security domain having a first security level, copying the fault handler code image to memory associated with the first security domain, and initiating execution of the fault handler;
  
  request, by the loader, to lock memory pages in the guest OS that are reserved for the AV application;
  
  lock, by the fault handler, the executable code image of the AV application loaded into guest OS memory by setting traps on selected code segments in guest OS memory pages;
  
  measure, by the loader, AV application memory and comparing the measurement to the AV application manifest; and
  
  promote, by the loader, the AV application to the first security domain when the AV application is successfully verified by the measuring and comparing step.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The medium of claim 10, wherein the loader and the fault handler execute within a protected execution environment in the computing system.
  - 12. The medium of claim 10, wherein other applications running in the guest OS are in a second security domain having a second security level, the first security level being higher than the second security level.
  - 13. The medium of claim 12, wherein an application running in the second security domain cannot modify memory in the first security domain without triggering traps detected by the fault handler.
  - 14. The medium of claim 12, wherein guest OS kernel code running in the second security domain cannot modify memory in the first security domain without triggering traps detected by the fault handler.
  - 15. The medium of claim 10, further comprising instructions to execute the AV application to scan for malware in the computing system.
  - 16. The medium of claim 15, further comprising instructions to verify, by the fault handler, that messages from the AV application originate from the locked guest OS memory.

17. A computing system comprising:
- a processor to execute instructions to enforce a security policy for the computing system, the processor including resource manager logic to control access to a plurality of security domains;
  
  an execution container including a loader and a fault handler; and
  
  a guest operating system (OS) including an antivirus (AV) application;
  
  wherein the AV application is to specify a fault handler code image, a fault handler manifest, a memory location of the AV application, and an AV application manifest;
  
  wherein the loader is to verify the fault handler code image and the fault handler manifest, to create a first security domain having a first security level, copy the fault handler code image to memory associated with the first security domain, initiate execution of the fault handler by the processor, and request to lock memory pages in the guest OS that are reserved for the AV application;
  
  wherein the fault handler is to lock the executable code image of the AV application loaded into guest OS memory by setting traps on selected code segments in guest OS memory pages; and
  
  wherein the loader is to measure AV application memory, to compare the measurement to the AV application manifest, and to promote the AV application to the first security domain when the AV application is successfully verified by the measuring and comparing step.
- View Dependent Claims (18, 19, 20, 21, 22)
- - 18. The computing system of claim 17, wherein other applications running in the guest OS are in a second security domain having a second security level, the first security level being higher than the second security level.
  - 19. The computing system of claim 18, wherein an application running in the second security domain cannot modify memory in the first security domain without triggering traps detected by the fault handler.
  - 20. The computing system of claim 18, wherein guest OS kernel code running in the second security domain cannot modify memory in the first security domain without triggering traps detected by the fault handler.
  - 21. The computing system of claim 17, further comprising executing the AV application to scan for malware in the computing system.
  - 22. The computing system of claim 21, wherein the fault handler is to verify that messages from the AV application originate from the locked guest OS memory.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Smith, Ned M., Danneels, Gunner D., Shanbhogue, Vedvyas, Sugumar, Suresh

Application Number

US12/858,882
Publication Number

US 20120047580A1
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/564   by virus signature recognition

G06F 21/575   Secure boot

METHOD AND APPARATUS FOR ENFORCING A MANDATORY SECURITY POLICY ON AN OPERATING SYSTEM (OS) INDEPENDENT ANTI-VIRUS (AV) SCANNER

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

70 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD AND APPARATUS FOR ENFORCING A MANDATORY SECURITY POLICY ON AN OPERATING SYSTEM (OS) INDEPENDENT ANTI-VIRUS (AV) SCANNER

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

70 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links