Memory Introspection Engine for Integrity Protection of Virtual Machines

US 20140245444A1
Filed: 02/22/2013
Published: 08/28/2014
Est. Priority Date: 02/22/2013
Status: Active Grant

First Claim

Patent Images

1. A host system comprising at least one processor configured to execute:

an operating system configured to allocate a section of a virtualized physical memory of a virtual machine to a target software object executing within the virtual machine, the virtual machine exposed by a hypervisor executing on the host system, wherein the virtualized physical memory is partitioned into pages, a page being the smallest unit of memory individually mapped between the virtualized physical memory and a physical memory of the host system; and

a protection priming module configured, in response to a determination of whether the target software object satisfies a selection criterion for malware protection, when the target software object satisfies the selection criterion, to change a memory allocation of the target object, wherein changing the memory allocation comprises ensuring that any page containing at least part of the target software object is reserved for the target software object.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Described systems and methods allow protecting a computer system from malware, such as viruses and rootkits. In some embodiments, a hypervisor configures a hardware virtualization platform hosting a set of operating systems (OS). A memory introspection engine executing at the processor privilege level of the hypervisor dynamically identifies each OS, and uses an protection priming module to change the way memory is allocated to a target software object by the memory allocation function native to the respective OS. In some embodiments, the change affects only target objects requiring malware protection, and comprises enforcing that memory pages containing data of the target object are reserved exclusively for the respective object. The memory introspection engine then write-protects the respective memory pages.

153 Citations

29 Claims

1. A host system comprising at least one processor configured to execute:
- an operating system configured to allocate a section of a virtualized physical memory of a virtual machine to a target software object executing within the virtual machine, the virtual machine exposed by a hypervisor executing on the host system, wherein the virtualized physical memory is partitioned into pages, a page being the smallest unit of memory individually mapped between the virtualized physical memory and a physical memory of the host system; and
  
  a protection priming module configured, in response to a determination of whether the target software object satisfies a selection criterion for malware protection, when the target software object satisfies the selection criterion, to change a memory allocation of the target object, wherein changing the memory allocation comprises ensuring that any page containing at least part of the target software object is reserved for the target software object.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The host system of claim 1, further comprising a memory introspection engine connected to the protection priming module, the memory introspection engine configured, in response to the protection priming module changing the memory allocation, to write-protect all pages containing at least part of the target software object.
  - 3. The host system of claim 2, wherein the memory introspection engine is further configured to:
    - determine whether the target software object has been initialized, andin response, when the target software object has been initialized, write-protect all pages containing at least part of the target software object.
  - 4. The host system of claim 1, wherein the selection criterion comprises selecting the target software object according to a type of the operating system.
  - 5. The host system of claim 4, wherein the determination of whether the target software object satisfies the selection criterion for malware protection comprises identifying the type of the operating system according to a content of a model specific register (MSR) of the virtual machine.
  - 6. The host system of claim 4, wherein the determination of whether the target software object satisfies the selection criterion for malware protection comprises identifying the type of the operating system according to a content of memory pointed to by a model specific register (MSR) of the virtual machine.
  - 7. The host system of claim 1, wherein changing the memory allocation comprises hooking a memory allocation function of the operating system.
  - 8. The host system of claim 1, wherein changing the memory allocation comprises instructing a memory allocation function of the operating system to allocate any page containing at least part of the target software object exclusively to the target software object.
  - 9. The host system of claim 8, wherein instructing the memory allocation function comprises changing a size of the target software object to an integer multiple of page size.
  - 10. The host system of claim 9, wherein instructing the memory allocation function further comprises aligning the section to a page boundary.
  - 11. The host system of claim 1, wherein the protection priming module is further configured to establish a reserved pool of pages, the pool reserved for allocation to malware-protected software objects, and wherein changing the memory allocation comprises allocating the section within the reserved pool of memory pages.
  - 12. The host system of claim 1, wherein the determination of whether the target software object satisfies the selection criterion for malware protection comprises:
    - determining whether the target software object is a driver object; and
      
      in response, when the target software object is a driver object, determining that the target software object satisfies the selection criterion for malware protection.
  - 13. The host system of claim 1, wherein the protection priming module is further configured to change a de-allocation of the target object, wherein changing the de-allocation comprises:
    - determining whether a page containing at least part of the target software object is write-protected, andin response, when the page is write-protected, removing the write protection from the page.
  - 14. The host system of claim 12, wherein changing the de-allocation further comprises hooking a memory de-allocation function of the operating system.

15. A method comprising:
- employing at least one processor of a host system to form an operating system configured to allocate a section of a virtualized physical memory of a virtual machine to a target software object executing within the virtual machine, the virtual machine exposed by a hypervisor executing on the host system, wherein the virtualized physical memory is partitioned into pages, a page being the smallest unit of memory individually mapped between the virtualized physical memory and a physical memory of the host system; and
  
  in response to a determination of whether the target software object satisfies a selection criterion for malware protection, when the target software object satisfies the selection criterion, employing the at least one processor to change a memory allocation of the target software object, wherein changing the memory allocation comprises ensuring that any page containing at least part of the target software object is reserved for the target software object.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 16. The method of claim 15, further comprising, in response to changing the memory allocation, write-protecting all pages containing at least part of the target software object.
  - 17. The method of claim 16, further comprising:
    - determining whether the target software object has been initialized, andin response, when the target software object has been initialized, write-protecting all pages containing at least part of the target software object.
  - 18. The method of claim 15, wherein the selection criterion comprises selecting the target software object according to a type of the operating system.
  - 19. The method of claim 18, wherein the determination of whether the target software object satisfies the selection criterion for malware protection comprises identifying the type of the operating system according to a content of a model specific register (MSR) of the virtual machine.
  - 20. The method of claim 18, wherein the determination of whether the target software object satisfies the selection criterion for malware protection comprises identifying the type of the operating system according to a content of memory pointed to by a model specific register (MSR) of the virtual machine.
  - 21. The method of claim 15, wherein changing the memory allocation comprises hooking a memory allocation function of the operating system.
  - 22. The method of claim 21, wherein changing the memory allocation comprises instructing a memory allocation function of the operating system to allocate all pages containing at least part of the target software object exclusively to the target software object.
  - 23. The method of claim 22, wherein instructing the memory allocation function comprises changing a size of the target software object to an integer multiple of page size.
  - 24. The method of claim 23, wherein instructing the memory allocation function further comprises aligning the section to a page boundary.
  - 25. The method of claim 15, wherein changing the memory allocation comprises:
    - establishing a reserved pool of pages, the pool reserved for allocation to malware-protected software objects, andallocating the section within the reserved pool of memory pages.
  - 26. The method of claim 15, wherein the determination of whether the target software object satisfies the selection criterion for malware protection comprises:
    - determining whether the target software object is a driver object; and
      
      in response, when the target software object is a driver object, determining that the target software object satisfies the selection criterion for malware protection.
  - 27. The method of claim 15, further comprising employing the at least one processor to change a de-allocation of the target software object, wherein changing the de-allocation comprises:
    - determining whether a page containing at least part of the software object is write-protected, andin response, when the page is write-protected, removing the write protection from the page.
  - 28. The method of claim 27, wherein changing the de-allocation further comprises hooking a memory de-allocation function of the operating system.

29. A non-transitory computer-readable medium encoding instructions which, when executed by at least one processor of a host system, cause the at least one processor to:
- allocate a section of a virtualized physical memory of a virtual machine to a target software object executing within the virtual machine, the virtual machine exposed by a hypervisor executing on the host system, wherein the virtualized physical memory is partitioned into pages, a page being the smallest unit of memory individually mapped between the virtualized physical memory and a physical memory of the host system; and
  
  in response to a determination of whether the target software object satisfies a selection criterion for malware protection, when the target software object satisfies the selection criterion, change a memory allocation of the target software object, wherein changing the memory allocation comprises ensuring that any page containing at least part of the target software object is reserved for the target software object.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Bitdefender IPR Management Limited (Bitdefender LLC)
Original Assignee
Bitdefender IPR Management Limited (Bitdefender LLC)
Inventors
LUKACS, Sandor, LUTAS, Dan H., LUTAS, Andrei V.

Granted Patent

US 8,875,295 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

G06F 12/0882   Page mode

G06F 12/109   for multiple virtual addres...

G06F 12/1466   Key-lock mechanism

G06F 12/1491   in a hierarchical protectio...

G06F 2009/45583   Memory management, e.g. acc...

G06F 2009/45591   Monitoring or debugging sup...

G06F 21/53   by executing in a restricte...

G06F 21/56   Computer malware detection ...

G06F 21/562   Static detection

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/6227   where protection concerns t...

G06F 9/45558   Hypervisor-specific managem...

H04L 63/1441   Countermeasures against mal...

Memory Introspection Engine for Integrity Protection of Virtual Machines

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

153 Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Memory Introspection Engine for Integrity Protection of Virtual Machines

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

153 Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links