FACILITATING EXECUTION OF A SELF-MODIFYING EXECUTABLE

US 20140068612A1
Filed: 09/06/2012
Published: 03/06/2014
Est. Priority Date: 09/06/2012
Status: Active Grant

First Claim

Patent Images

1. A method to facilitate trusted execution of a self-modifying executable, the method comprising:

detecting, by a hypervisor managing execution of a guest system on a processor, an attempt by the guest system to access a data portion of the self-modifying executable during execution of the self-modifying executable, the self-modifying executable comprising the data portion for storing data to be accessed during execution of the self-modifying executable and an instruction portion comprising instructions for execution of the self-modifying executable; and

retargeting, by the hypervisor, the attempt to access the data portion to a separate portion of memory space, separate from another portion of memory space in which the self-modifying executable is loaded for execution.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Trusted execution of a self-modifying executable is facilitated. An attempt to access a data portion of a self-modifying executable during execution of the self-modifying executable is detected. The self-modifying executable includes the data portion, for storing data to be accessed during execution of the self-modifying executable, and an instruction portion including instructions for execution of the self-modifying executable. The attempt to access the data portion is retargeted to a separate portion of memory space that is separate from another portion of memory space in which the self-modifying executable is loaded for execution. Meaningful measurability of the integrity of the self-modifying executable is thereby provided.

Citations

20 Claims

1. A method to facilitate trusted execution of a self-modifying executable, the method comprising:
- detecting, by a hypervisor managing execution of a guest system on a processor, an attempt by the guest system to access a data portion of the self-modifying executable during execution of the self-modifying executable, the self-modifying executable comprising the data portion for storing data to be accessed during execution of the self-modifying executable and an instruction portion comprising instructions for execution of the self-modifying executable; and
  
  retargeting, by the hypervisor, the attempt to access the data portion to a separate portion of memory space, separate from another portion of memory space in which the self-modifying executable is loaded for execution.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the retargeting comprises modifying, by the hypervisor, an entry in a paging structure to indicate a memory page that includes at least a portion of the separate portion of memory space, wherein the retargeting directs the attempt to access the data portion to the memory page.
  - 3. The method of claim 2, wherein the paging structure comprises a page table, wherein the entry comprises a machine physical address translated from a guest physical address, and wherein the modifying modifies the machine physical address to indicate an address of the memory page to which the attempt is directed.
  - 4. The method of claim 1, wherein the separate portion of memory space is included in at least one memory page, and wherein the method further comprises, prior to the detecting, indicating by the hypervisor in a paging structure permissions for accessing, by the guest system during execution of the self-modifying executable, each memory page of the at least one memory page, wherein the permissions for a memory page of the at least one memory page indicate data read and data write access, but not instruction access by the guest system.
  - 5. The method of claim 4, wherein the attempt to access the data portion is detected based on an attempt to perform an operation by the guest system, wherein execution of the guest system is halted based on the attempt to perform the operation, and wherein the retargeting comprises:
    - setting a trap flag to initiate a trap of the guest system to the hypervisor after performance of the operation by the guest system;
      
      determining, by the hypervisor, a memory page of the at least one memory page to which the access attempt is to be targeted, and performing a modification to an entry in the paging structure to indicate the determined memory page to which the access attempt is to be targeted;
      
      initiating resumption of execution of the guest system, wherein the guest system performs the operation and wherein the access to the data portion is targeted to the determined memory page based on the modification to the entry in the paging structure; and
      
      based on detecting the trap of the guest system to the hypervisor after performance of the operation, clearing at least one permission of the permissions indicated in the paging structure for accessing, by the guest system, the memory page, and unsetting the trap flag.
  - 6. The method of claim 5, wherein the operation comprises execution of an instruction, wherein thrashing occurs based on at least some of the separate portion of memory space and at least some of the another portion of memory space being included in the determined memory page, wherein the hypervisor detects the occurrence of thrashing, and wherein, based on detecting the occurrence of thrashing, the retargeting further comprises:
    - setting the permissions indicated in the paging structure for accessing, by the guest system, the memory page to indicate data read access, data write access, and instruction access by the guest system;
      
      copying the instruction to a location in the separate portion of memory space included in the determined memory page, wherein the instruction is executed from the location in the separate portion of memory space included in the determined memory page; and
      
      based on detecting the trap of the guest system to the hypervisor after execution of the instruction, flushing a processor buffer entry caching the entry of the paging structure.
  - 7. The method of claim 1, further comprising:
    - detecting, by the hypervisor, an attempt by the guest system to access the instruction portion of the self-modifying executable during execution of the self-modifying executable; and
      
      targeting, by the hypervisor, the attempt to access the instruction portion to the another portion of memory space, in which the self-modifying executable is loaded for execution.
  - 8. The method of claim 1, wherein the hypervisor executes on the processor at a higher privilege than the guest system executes on the processor.
  - 9. The method of claim 1, wherein the method further comprises checking, during execution of the self-modifying executable, the instruction portion of the self-modifying executable to detect whether modification to the instruction portion has occurred, wherein the checking comprises:
    - generating a hash of at least a portion of the instruction portion of the self-modifying executable loaded for execution in the another portion of memory space; and
      
      determining whether the generated hash matches an expected hash generated prior to commencement of execution of the self-modifying executable, wherein a mismatch between the generated hash and the expected hash indicates that modification to the instruction portion has occurred.
  - 10. The method of claim 1, wherein the hypervisor comprises a shim for performing the retargeting, wherein the shim comprises separate data and instruction portions to facilitate checking of the instruction portion of the shim to detect whether modification to the instruction portion of the shim has occurred, and wherein the shim provides self-checking, in which one or more instructions of the instruction portion of the shim execute to perform the checking of the instruction portion of the shim.

11. A computer program product to facilitate trusted execution of a self-modifying executable, the computer program product comprising:
- a computer readable storage medium readable by a processor and storing instructions for execution by the processor to perform a method comprising;
  
  detecting, by a hypervisor managing execution of a guest system, an attempt by the guest system to access a data portion of the self-modifying executable during execution of the self-modifying executable, the self-modifying executable comprising the data portion for storing data to be accessed during execution of the self-modifying executable and an instruction portion comprising instructions for execution of the self-modifying executable; and
  
  retargeting, by the hypervisor, the attempt to access the data portion to a separate portion of memory space, separate from another portion of memory space in which the self-modifying executable is loaded for execution.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The computer program product of claim 11, wherein the retargeting comprises modifying, by the hypervisor, an entry in a paging structure to indicate a memory page that includes at least a portion of the separate portion of memory space, wherein the retargeting directs the attempt to access the data portion to the memory page.
  - 13. The computer program product of claim 11, wherein the separate portion of memory space is included in at least one memory page, and wherein the method further comprises, prior to the detecting, indicating by the hypervisor in a paging structure permissions for accessing, by the guest system during execution of the self-modifying executable, each memory page of the at least one memory page, wherein the permissions for a memory page of the at least one memory page indicate data read and data write access, but not instruction access by the guest system.
  - 14. The computer program product of claim 13, wherein the attempt to access the data portion is detected based on an attempt to perform an operation by the guest system, wherein execution of the guest system is halted based on the attempt to perform the operation, and wherein the retargeting comprises:
    - setting a trap flag to initiate a trap of the guest system to the hypervisor after performance of the operation by the guest system;
      
      determining, by the hypervisor, a memory page of the at least one memory page to which the access attempt is to be targeted, and performing a modification to an entry in the paging structure to indicate the determined memory page to which the access attempt is to be targeted;
      
      initiating resumption of execution of the guest system, wherein the guest system performs the operation and wherein the access to the data portion is targeted to the determined memory page based on the modification to the entry in the paging structure; and
      
      based on detecting the trap of the guest system to the hypervisor after performance of the operation, clearing at least one permission of the permissions indicated in the paging structure for accessing, by the guest system, the memory page, and unsetting the trap flag.
  - 15. The computer program product of claim 11, wherein the hypervisor executes on the processor at a higher privilege than the guest system executes on the processor.
  - 16. The computer program product of claim 11, wherein the method further comprises checking, during execution of the self-modifying executable, the instruction portion of the self-modifying executable to detect whether modification to the instruction portion has occurred, wherein the checking comprises:
    - generating a hash of at least a portion of the instruction portion of the self-modifying executable loaded for execution in the another portion of memory space; and
      
      determining whether the generated hash matches an expected hash generated prior to commencement of execution of the self-modifying executable, wherein a mismatch between the generated hash and the expected hash indicates that modification to the instruction portion has occurred.

17. A computer system to facilitate trusted execution of a self-modifying executable, the computer system comprising:
- a memory; and
  
  a processor in communication with the memory, wherein the computer system is configured to perform a method comprising;
  
  detecting, by a hypervisor managing execution of a guest system, an attempt by the guest system to access a data portion of the self-modifying executable during execution of the self-modifying executable, the self-modifying executable comprising the data portion for storing data to be accessed during execution of the self-modifying executable and an instruction portion comprising instructions for execution of the self-modifying executable; and
  
  retargeting, by the hypervisor, the attempt to access the data portion to a separate portion of memory space, separate from another portion of memory space in which the self-modifying executable is loaded for execution.
- View Dependent Claims (18, 19, 20)
- - 18. The computer system of claim 17, wherein the retargeting comprises modifying, by the hypervisor, an entry in a paging structure to indicate a memory page that includes at least a portion of the separate portion of memory space, wherein the retargeting directs the attempt to access the data portion to the memory page.
  - 19. The computer system of claim 17, wherein:
    - the separate portion of memory space is included in at least one memory page, wherein the method further comprises, prior to the detecting, indicating by the hypervisor in a paging structure permissions for accessing, by the guest system during execution of the self-modifying executable, each memory page of the at least one memory page, wherein the permissions for a memory page of the at least one memory page indicate data read and data write access, but not instruction execution access by the guest system;
      
      the attempt to access the data portion is detected based on an attempt to perform an operation by the guest system, wherein execution of the guest system is halted based on the attempt to perform the operation; and
      
      wherein the retargeting comprises;
      
      setting a trap flag to initiate a trap of the guest system to the hypervisor after performance of the operation by the guest system;
      
      determining, by the hypervisor, a memory page of the at least one memory page to which the access attempt is to be targeted, and performing a modification to an entry in the paging structure to indicate the determined memory page to which the access attempt is to be targeted;
      
      initiating resumption of execution of the guest system, wherein the guest system performs the operation and wherein the access to the data portion is targeted to the determined memory page based on the modification to the entry in the paging structure; and
      
      based on detecting the trap of the guest system to the hypervisor after performance of the operation, clearing at least one permission of the permissions indicated in the paging structure for accessing, by the guest system, the memory page, and unsetting the trap flag.
  - 20. The computer system of claim 17, wherein the hypervisor executes on the processor at a higher privilege than the guest system executes on the processor.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Assured Information Security, Inc.
Original Assignee
Assured Information Security, Inc.
Inventors
TORREY, Jacob

Granted Patent

US 8,856,789 B2
Time in Patent Office

Days
Field of Search
US Class Current

718/1
CPC Class Codes

G06F 21/00   Security arrangements for p...

G06F 21/50   Monitoring users, programs ...

G06F 21/60   Protecting data

G06F 9/45533   Hypervisors; Virtual machin...

G06F 9/45558   Hypervisor-specific managem...

FACILITATING EXECUTION OF A SELF-MODIFYING EXECUTABLE

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

FACILITATING EXECUTION OF A SELF-MODIFYING EXECUTABLE

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links