System and Method to Create a Number of Breakpoints in a Virtual Machine Via Virtual Machine Trapping Events

US 20140189687A1
Filed: 04/24/2013
Published: 07/03/2014
Est. Priority Date: 12/28/2012
Status: Active Grant

First Claim

Patent Images

1. A method to create a number of passive breakpoints in a virtual machine, the method comprising the steps of:

triggering a virtualization trapping event in a hardware-assisted virtualization platform, during software execution within a guest virtual machine;

intercepting the virtualization trapping event via a hardware-assisted virtualization hypervisor;

independently registering the virtualization trapping event via an analysis engine; and

determining whether the virtualization trapping event includes any arbitrary software execution.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for dynamic software analysis operable to describe program behavior via instrumentation of virtualization events.

Citations

13 Claims

1. A method to create a number of passive breakpoints in a virtual machine, the method comprising the steps of:
- triggering a virtualization trapping event in a hardware-assisted virtualization platform, during software execution within a guest virtual machine;
  
  intercepting the virtualization trapping event via a hardware-assisted virtualization hypervisor;
  
  independently registering the virtualization trapping event via an analysis engine; and
  
  determining whether the virtualization trapping event includes any arbitrary software execution.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method according to claim 1, wherein the triggering is performed by at least one of (i) an operating system, and (ii) application software.
  - 3. The method according to claim 1, further comprising the step of:
    - instrumenting the guest virtual machine to at least one of (i) register to receive events, and (ii) modify guest execution behavior.
  - 4. The method according to claim 3, wherein the modifying guest execution behavior includes at least one of (i) modifying page permissions, and (ii) operating in a single-stepping mode.
  - 5. The method according to claim 1, wherein when the guest virtual machine attempts to execute any code contained within a physical page, (i) a permission of the physical page is set to executable, and (ii) a single stepping flag is turned on.

6. A method to create a number of passive breakpoints in a virtual machine via instrumentation of common virtual machine trapping events, the method comprising the steps of:
- parsing a configuration;
  
  installing an executor in a virtual machine;
  
  starting the virtual machine;
  
  executing malware in the virtual machine;
  
  detecting at least one event occurrence of the virtual machine;
  
  performing introspection within a memory of the virtual machine;
  
  dynamically resolving at least one hook address via a control interface;
  
  installing at least one hook in at least one of malware, an affected process, and a kernel of an operating system; and
  
  logging at least one hook result in a predetermined format.

7. A system to create a number of passive breakpoints in a virtual machine via instrumentation of common virtual machine trapping events, the system including:
- an event driven hooking engine operable to manipulate at least one page permission in a virtual machine and utilize at least one virtual machine trap exposed by a hypervisor virtualization platform to provide execution at an arbitrary address within a process of the virtual machine.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. The system according to claim 7, further comprising:
    - a hardware-assisted virtualization hypervisor configured to intercept a virtualization trapping event, the virtualization trapping event triggered (i) in the virtual machine, and (ii) during software execution within the virtual machine.
  - 9. The system according to claim 8, further comprising:
    - an analysis engine configured to (i) register the virtualization trapping event, and (ii) determine whether the virtualization trapping event includes any arbitrary software execution.
  - 10. The system according to claim 9, further comprising:
    - an operating system configured to trigger the virtualization trapping event.
  - 11. The system according to claim 9, wherein the virtualization trapping event is triggered by application software.
  - 12. The system according to claim 9, wherein the engine is configured to instrument the virtual machine to at least one of (i) register to receive events, and (ii) modify execution behavior, the modifying execution behavior including at least one of (i) modifying the page permission, and (ii) operating in a single-stepping mode.
  - 13. The system according to claim 9, wherein the engine is configured to, when the virtual machine attempts to execute any code contained within a physical page, (i) set a permission of the physical page to executable, and (ii) turn a single stepping flag on.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
FireEye, Inc. (Alphabet Inc.)
Inventors
Jung, Robert, Saba, Antony

Granted Patent

US 10,572,665 B2
Time in Patent Office

Days
Field of Search
US Class Current

718/1
CPC Class Codes

G06F 2009/45583   Memory management, e.g. acc...

G06F 2009/45591   Monitoring or debugging sup...

G06F 21/14   against software analysis o...

G06F 21/53   by executing in a restricte...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2221/033   Test or assess software

G06F 9/45558   Hypervisor-specific managem...

System and Method to Create a Number of Breakpoints in a Virtual Machine Via Virtual Machine Trapping Events

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

System and Method to Create a Number of Breakpoints in a Virtual Machine Via Virtual Machine Trapping Events

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links