SYSTEM AND METHOD FOR HYPERVISOR BREAKPOINTS

US 20150046908A1
Filed: 08/07/2013
Published: 02/12/2015
Est. Priority Date: 08/07/2013
Status: Active Grant

First Claim

Patent Images

1. A method for debugging a computer program comprising:

selecting a first memory location as a breakpoint location;

determining a first memory page that contains the first memory location;

replacing at least a portion of the first memory page with new content, the new content including a breakpoint instruction; and

setting a permission of the first memory page to execute only, such that attempts to read to or write from the first memory page by the computer program are prevented.

View all claims

13 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems allow the use of hypervisors to use software breakpoints in the same manner as hardware breakpoints. A program to be tested is executed by a hypervisor running a virtual machine. A memory page containing the location of a breakpoint is copied to a temporary memory page. Then a new page is written containing breakpoint instructions at specified memory locations. The new page is tagged as execute only, so the program to be tested is unaware of any changes to the program. If the program attempts to read from the changed memory page, it will read from the temporary memory page instead. Such a method can be used to search websites for malware in relative safety because of the inability of the malware to write to memory locations that are located on a page that is execute only.

Citations

27 Claims

1. A method for debugging a computer program comprising:
- selecting a first memory location as a breakpoint location;
  
  determining a first memory page that contains the first memory location;
  
  replacing at least a portion of the first memory page with new content, the new content including a breakpoint instruction; and
  
  setting a permission of the first memory page to execute only, such that attempts to read to or write from the first memory page by the computer program are prevented.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 further comprising:
    - copying contents of the first memory page to a temporary memory page.
  - 3. The method of claim 2 further comprising:
    - when the computer program attempts to read from the first memory location, sending the computer program data from the temporary memory page.
  - 4. The method of claim 2 further comprising:
    - replacing at least a portion of the temporary memory page with new content, the new content including a breakpoint instruction; and
      
      setting the permission of the temporary memory page to execute only, such that attempts to read to or write from the temporary memory page by the computer program are prevented.
  - 5. The method of claim 4 further comprising:
    - during an execution of the computer program, redirecting attempts to execute instructions located in the first memory page to the temporary memory page.
  - 6. The method of claim 1 wherein:
    - the method is performed within a virtual machine being controlled by a hypervisor.
  - 7. The method of claim 1 wherein the breakpoint instruction is an INT 3 instruction.

8. A machine-readable medium that stores instructions which, when executed by a machine, causes the machine to perform operations comprising:
- selecting a first memory location as a breakpoint location;
  
  determining a first memory page that contains the first memory location;
  
  replacing at least a portion of the first memory location with new content, the new content including a breakpoint instruction; and
  
  wherein, the first memory page is marked as execute only, such that attempts to read from or write to the first memory page are prevented.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The machine-readable medium of claim 8 further comprising instructions that cause the machine to perform operations further comprising:
    - copying the contents of the memory page to a temporary memory page.
  - 10. The machine-readable medium of claim 9 further comprising instructions that cause the machine to perform operations further comprising:
    - when a computer program being debugged attempts to read from the first memory location, sending the computer program data from the temporary memory page.
  - 11. The machine-readable medium of claim 9 further comprising instructions that cause the machine to perform operations further comprising:
    - replacing at least a portion of the temporary memory page with new content, the new content including a breakpoint instruction; and
      
      setting the permission of the temporary memory page to execute only, such that attempts to read to or write from the temporary memory page by the computer program are prevented.
  - 12. The machine-readable medium of claim 9 further comprising instructions that cause the machine to further perform operations further comprising:
    - during an execution of a computer program being debugged, redirecting attempts to execute instructions located in the first memory page to the temporary memory page.
  - 13. The machine-readable medium of claim 8 further comprising instructions that cause the machine to further perform operations further comprising:
    - executing a virtual machine controlled by a hypervisor, wherein the steps of selecting, determining, copying, and replacing are performed within the virtual machine.

14. A system for debugging a computer program comprising:
- memory, divided into pages including at least a first memory page;
  
  a processor coupled to the memory;
  
  wherein the processor is arranged to;
  
  select a first memory location as a breakpoint location;
  
  determine a first memory page that contains the first memory location;
  
  replace at least a portion of the first memory page with new content, the new content including a breakpoint instruction; and
  
  set the permission of the first memory page to execute only, such that attempts to read to or write from the first memory page by the computer program are prevented.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The system of claim 14 wherein the processor is further arranged to:
    - copy the contents of the first memory page to a temporary memory page.
  - 16. The system of claim 15 wherein the processor is further arranged to:
    - when the computer program attempts to read from the first memory location, send the computer program data from the temporary memory page.
  - 17. The system of claim 15 wherein the processor is further arranged to:
    - replace at least a portion of the temporary memory page with new content, the new content including a breakpoint instruction; and
      
      set the permission of the temporary memory page to execute only, such that attempts to read to or write from the temporary memory page by the computer program are prevented.
  - 18. The system of claim 17 wherein the processor is further arranged to:
    - during an execution of the computer program, redirect attempts to execute instructions located in the first memory page to the temporary memory page.
  - 19. The system of claim 14 further comprising:
    - a hypervisor arranged to execute on the processor.
  - 20. The system of claim 14 wherein the breakpoint instruction is an INT 3 instruction.

21. A method for determining the existence of malware on websites comprising:
- using a browser that is executing on a virtual machine to load a website into a browser;
  
  setting a breakpoint to detect indicia of malware; and
  
  logging any detected indicia of malware.
- View Dependent Claims (22, 23, 24, 25, 26, 27)
- - 22. The method of claim 21 wherein setting a breakpoint comprises:
    - selecting a first memory location as a breakpoint location;
      
      determining a first memory page that contains the first memory location;
      
      replacing at least a portion of the first memory page with new content, the new content including a breakpoint instruction;
      
      setting the permission of the first memory page to execute only, such that attempts to read to or write from the first memory page by the website are prevented.
  - 23. The method of claim 22 further comprising:
    - copying the contents of the first memory page to a temporary memory page.
  - 24. The method of claim 23 further comprising:
    - when the website attempts to read from the first memory location, sending data from the temporary memory page to the website.
  - 25. The method of claim 23 further comprising:
    - replacing at least a portion of the temporary memory page with new content, the new content including a breakpoint instruction; and
      
      setting the permission of the temporary memory page to execute only, such that attempts to read to or write from the temporary memory page by the website are prevented.
  - 26. The method of claim 25 further comprising:
    - during a visit to the website, redirecting attempts to execute instructions located in the first memory page to the temporary memory page.
  - 27. The method of claim 21 wherein indicia of malware include an attempt to write to a registry;
    - an attempt to load a Dynamic Link Library;
      
      an attempt to create a process; and
      
      an attempt to read or write to specific memory locations.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nightwing Group LLC
Original Assignee
Raytheon Company (Rtx Corporation)
Inventors
Salsamendi, Ryan C.

Granted Patent

US 9,292,417 B2
Time in Patent Office

Days
Field of Search
US Class Current

717/129
CPC Class Codes

G06F 11/3636   by tracing the execution of...

G06F 11/3644   by instrumenting at runtime

G06F 11/3664   Environments for testing or...

G06F 12/145   the protection being virtua...

G06F 2009/45587   Isolation or security of vi...

G06F 2009/45591   Monitoring or debugging sup...

G06F 21/52   during program execution, e...

G06F 21/566   Dynamic detection, i.e. det...

G06F 9/45533   Hypervisors; Virtual machin...

SYSTEM AND METHOD FOR HYPERVISOR BREAKPOINTS

First Claim

13 Assignments

0 Petitions

Accused Products

Abstract

Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEM AND METHOD FOR HYPERVISOR BREAKPOINTS

First Claim

13 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links