Memory Introspection Engine for Integrity Protection of Virtual Machines
First Claim
1. A host system comprising at least one processor configured to execute:
- an operating system configured to allocate a section of a virtualized physical memory of a virtual machine to a target software object executing within the virtual machine, the virtual machine exposed by a hypervisor executing on the host system, wherein the virtualized physical memory is partitioned into pages, a page being the smallest unit of memory individually mapped between the virtualized physical memory and a physical memory of the host system; and
a protection priming module configured, in response to a determination of whether the target software object satisfies a selection criterion for malware protection, when the target software object satisfies the selection criterion, to change a memory allocation of the target object, wherein changing the memory allocation comprises ensuring that any page containing at least part of the target software object is reserved for the target software object.
2 Assignments
0 Petitions
Accused Products
Abstract
Described systems and methods allow protecting a computer system from malware, such as viruses and rootkits. In some embodiments, a hypervisor configures a hardware virtualization platform hosting a set of operating systems (OS). A memory introspection engine executing at the processor privilege level of the hypervisor dynamically identifies each OS, and uses an protection priming module to change the way memory is allocated to a target software object by the memory allocation function native to the respective OS. In some embodiments, the change affects only target objects requiring malware protection, and comprises enforcing that memory pages containing data of the target object are reserved exclusively for the respective object. The memory introspection engine then write-protects the respective memory pages.
153 Citations
29 Claims
-
1. A host system comprising at least one processor configured to execute:
-
an operating system configured to allocate a section of a virtualized physical memory of a virtual machine to a target software object executing within the virtual machine, the virtual machine exposed by a hypervisor executing on the host system, wherein the virtualized physical memory is partitioned into pages, a page being the smallest unit of memory individually mapped between the virtualized physical memory and a physical memory of the host system; and a protection priming module configured, in response to a determination of whether the target software object satisfies a selection criterion for malware protection, when the target software object satisfies the selection criterion, to change a memory allocation of the target object, wherein changing the memory allocation comprises ensuring that any page containing at least part of the target software object is reserved for the target software object. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
-
-
15. A method comprising:
-
employing at least one processor of a host system to form an operating system configured to allocate a section of a virtualized physical memory of a virtual machine to a target software object executing within the virtual machine, the virtual machine exposed by a hypervisor executing on the host system, wherein the virtualized physical memory is partitioned into pages, a page being the smallest unit of memory individually mapped between the virtualized physical memory and a physical memory of the host system; and in response to a determination of whether the target software object satisfies a selection criterion for malware protection, when the target software object satisfies the selection criterion, employing the at least one processor to change a memory allocation of the target software object, wherein changing the memory allocation comprises ensuring that any page containing at least part of the target software object is reserved for the target software object. - View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
-
-
29. A non-transitory computer-readable medium encoding instructions which, when executed by at least one processor of a host system, cause the at least one processor to:
-
allocate a section of a virtualized physical memory of a virtual machine to a target software object executing within the virtual machine, the virtual machine exposed by a hypervisor executing on the host system, wherein the virtualized physical memory is partitioned into pages, a page being the smallest unit of memory individually mapped between the virtualized physical memory and a physical memory of the host system; and in response to a determination of whether the target software object satisfies a selection criterion for malware protection, when the target software object satisfies the selection criterion, change a memory allocation of the target software object, wherein changing the memory allocation comprises ensuring that any page containing at least part of the target software object is reserved for the target software object.
-
Specification