THREAT-AWARE MICROVISOR
Abstract
A threat-aware microvisor is configured to facilitate real-time security analysis, including exploit detection and threat intelligence, of operating system processes executing on a node of a network environment. The microvisor may be embodied as a module disposed or layered beneath (underlying) an operating system kernel executing on the node to thereby control privileges (i.e., access permissions) to kernel resources, such as one or more central processing units (CPUs), network interfaces, memory, and/or devices, of the node. Illustratively, the microvisor may be configured to control access to one or more of the resources in response to a request by an operating system process to access the resource.
21 Claims
1. A system comprising:
a central processing unit (CPU) adapted to execute a process, an operating system kernel and a microvisor; and
a memory configured to store the process, the operating system kernel and the microvisor, the microvisor including:
a first protection domain having a plurality of execution contexts and scheduling contexts, each execution context linked to a scheduling context and interacting with capabilities, wherein the capabilities of the first protection domain are configured to specify access control permissions to kernel resources accessible by the process, the first protection domain associated with services provided to the process by the operating system kernel to control the kernel resources accessible by the process; and
a second protection domain configured as a clone of the first protection domain except for the capabilities, wherein the capabilities of the second protection domain are configured to specify limited access control permissions to the kernel resources accessible by the process, the second protection domain associated with the process.
(Dependent claims 2 to 10.)

11. A method comprising:
storing an operating system process and a microvisor in a memory of a node in a computer network;
organizing the microvisor to include a first protection domain having a plurality of execution contexts and scheduling contexts, each execution context linked to a scheduling context and interacting with capabilities specifying permissions of the operating system process to access resources of the node;
copying the execution contexts, scheduling contexts and capabilities of the first protection domain to create a second protection domain of the microvisor; and
configuring the capabilities of the second protection domain to limit the permissions of the operating system process to access the resources.
(Dependent claims 12 to 15.)

16. A method comprising:
storing an operating system process and a microvisor in a memory of a node in a computer network;
organizing the microvisor to include a first protection domain having a plurality of execution contexts and scheduling contexts, each execution context linked to a scheduling context and interacting with capabilities specifying permissions of the operating system process to access hardware resources of the node;
decomposing the operating system process into a plurality of threads;
executing a thread of the operating system process on a central processing unit (CPU) of the node;
checking the capabilities of the first protection domain to determine whether the thread has permission to access a hardware resource; and
cloning the first protection domain to create a second protection domain of the microvisor if the thread does not have permission to access the hardware resource.
(Dependent claims 17 to 20.)

21. A computer readable media containing instructions for execution on a processor for a method comprising:
storing an operating system process and a microvisor in a memory of a node in a computer network;
organizing the microvisor to include a first protection domain having a plurality of execution contexts and scheduling contexts, each execution context linked to a scheduling context and interacting with capabilities specifying permissions of the operating system process to access resources of the node;
copying the execution contexts, scheduling contexts and capabilities of the first protection domain to create a second protection domain of the microvisor; and
configuring the capabilities of the second protection domain to limit the permissions of the operating system process to access the resources.

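The following is an added toy model of the protection-domain cloning described in claims 11 and 16; it is constructed for this page and is not code from the patent or its assignee. The permission flags, resource names, and the policy that a denied resource is dropped entirely from the clone are assumptions; what it shows is the invariant a reviewer would check: a cloned domain copies the execution and scheduling contexts unchanged and can only narrow capabilities, never widen them.

```python
from dataclasses import dataclass
from enum import Flag, auto
from typing import Dict, List, Tuple

class Perm(Flag):  # assumed permission bits for a kernel/hardware resource
    NONE = 0
    READ = auto()
    WRITE = auto()
    EXEC = auto()

@dataclass(frozen=True)
class SchedulingContext:
    priority: int
    budget_us: int

@dataclass(frozen=True)
class ExecutionContext:  # one per thread of the decomposed process
    thread_id: int
    sched: SchedulingContext  # each execution context is linked to a scheduling context

@dataclass
class ProtectionDomain:
    name: str
    contexts: List[ExecutionContext]
    capabilities: Dict[str, Perm]  # resource name -> access permitted (constructed)

    def has_thread(self, thread_id: int) -> bool:
        return any(ec.thread_id == thread_id for ec in self.contexts)

    def permits(self, resource: str, want: Perm) -> bool:
        return want in self.capabilities.get(resource, Perm.NONE)

def clone_limited(src: ProtectionDomain, name: str, limits: Dict[str, Perm]) -> ProtectionDomain:
    """Claim 11: copy contexts, scheduling contexts and capabilities, then limit.
    A clone must never hold a permission its source did not already hold."""
    caps = dict(src.capabilities)
    for resource, allowed in limits.items():
        if allowed & ~caps.get(resource, Perm.NONE):  # bits the source never held
            raise ValueError(f"clone would widen {resource} to {allowed}")
        caps[resource] = allowed
    return ProtectionDomain(name, list(src.contexts), caps)

def access(pd: ProtectionDomain, thread_id: int, resource: str, want: Perm) -> Tuple[bool, ProtectionDomain]:
    """Claim 16: check the thread's domain; if permission is lacking, clone it into
    a more limited domain (assumed policy: the requested resource is dropped)."""
    if not pd.has_thread(thread_id):
        raise KeyError(f"thread {thread_id} is not an execution context of {pd.name}")
    if pd.permits(resource, want):
        return True, pd
    return False, clone_limited(pd, f"{pd.name}-limited", {resource: Perm.NONE})
```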
Specification