THREAT-AWARE MICROVISOR

US 20150199513A1
Filed: 03/28/2014
Published: 07/16/2015
Est. Priority Date: 01/16/2014
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a central processing unit (CPU) adapted to execute a process, an operating system kernel and a microvisor; and

a memory configured to store the process, the operating system kernel and the microvisor, the microvisor including;

a first protection domain having a plurality of execution contexts and scheduling contexts, each execution context linked to a scheduling context and interacting with capabilities, wherein the capabilities of the first protection domain are configured to specify access control permissions to kernel resources accessible by the process, the first protection domain associated with services provided to the process by ii the operating system kernel to control the kernel resources accessible by the process; and

a second protection domain configured as a clone of the first protection domain except for the capabilities, wherein the capabilities of the second protection domain are configured to specify limited access control permissions to the kernel resources accessible by the process, the second protection domain associated with the process.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A threat-aware microvisor is configured to facilitate real-time security analysis, including exploit detection and threat intelligence, of operating system processes executing on a node of a network environment. The microvisor may be embodied as a module disposed or layered beneath (underlying) an operating system kernel executing on the node to thereby control privileges (i.e., access permissions) to kernel resources, such as one or more central processing units (CPUs), network interfaces, memory, and/or devices, of the node. Illustratively, the microvisor may be configured to control access to one or more of the resources in response to a request by an operating system process to access the resource.

149 Citations

21 Claims

1. A system comprising:
- a central processing unit (CPU) adapted to execute a process, an operating system kernel and a microvisor; and
  
  a memory configured to store the process, the operating system kernel and the microvisor, the microvisor including;
  
  a first protection domain having a plurality of execution contexts and scheduling contexts, each execution context linked to a scheduling context and interacting with capabilities, wherein the capabilities of the first protection domain are configured to specify access control permissions to kernel resources accessible by the process, the first protection domain associated with services provided to the process by ii the operating system kernel to control the kernel resources accessible by the process; and
  
  a second protection domain configured as a clone of the first protection domain except for the capabilities, wherein the capabilities of the second protection domain are configured to specify limited access control permissions to the kernel resources accessible by the process, the second protection domain associated with the process.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system of claim 1 wherein the process comprises a plurality of threads, and wherein the execution context is a representation of a thread and defines a state of the thread for execution on the CPU.
  - 3. The system of claim 2 wherein the execution context comprises one of contents of CPU registers, values on a stack, a program counter, and allocation of memory.
  - 4. The system of claim 1 wherein the scheduling context provides information for scheduling the execution context for execution on the CPU.
  - 5. The system of claim 4 wherein the scheduling context information comprises a priority and a time for execution on the CPU.
  - 6. The system of claim 2 wherein the capabilities are organized as a set of access control permissions to the kernel resources that is examined each time the thread requests access to a kernel resource.
  - 7. The system of claim 6 wherein there is one set of capabilities for each protection domain.
  - 8. The system of claim 1 wherein the cloned second protection domain is created by copying the execution contexts, scheduling contexts and capabilities of the first protection domain, and configuring the copied capabilities to restrict access to one or more of the kernel resources, whereby the second protection domain is configured upon instantiation as the clone of the first protection domain except for the capabilities.
  - 9. The system of claim 1 wherein the kernel resources comprise the CPU, the memory, a network interface, and one or more devices.
  - 10. The system of claim 1 wherein the process is an operating system process.

11. A method comprising:
- storing an operating system process and a microvisor in a memory of a node in a computer network;
  
  organizing the microvisor to include a first protection domain having a plurality of execution contexts and scheduling contexts, each execution context linked to a scheduling context and interacting with capabilities specifying permissions of the operating system process to access resources of the node;
  
  copying the execution contexts, scheduling contexts and capabilities of the first protection domain to create a second protection domain of the microvisor; and
  
  configuring the capabilities of the second protection domain to limit the permissions of the operating system process to access the resources.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The method of claim 11 further comprising:
    - decomposing the operating system process into a plurality of threads; and
      
      representing a thread of the operating system process as an execution context that defines a state of the thread for execution on a central processing unit (CPU) of the node.
  - 13. The method of claim 12 further comprising:
    - providing information for scheduling the execution context for execution on the CPU, wherein the information is provided by the scheduling context and includes a priority and a time for execution on the CPU.
  - 14. The method of claim 12 further comprising:
    - organizing the capabilities as a set of access control permissions to the resources; and
      
      examining the capabilities each time the thread requests access to a resource.
  - 15. The method of claim 14 further comprising:
    - providing one set of capabilities for each protection domain.

16. A method comprising:
- storing an operating system process and a microvisor in a memory of a node in a computer network;
  
  organizing the microvisor to include a first protection domain having a plurality of execution contexts and scheduling contexts, each execution context linked to a scheduling context and interacting with capabilities specifying permissions of the operating system process to access hardware resources of the node;
  
  decomposing the operating system process into a plurality of threads;
  
  executing a thread of the operating system process on a central processing unit (CPU) of the node;
  
  checking the capabilities of the first protection domain to determine whether the thread has permission to access a hardware resource; and
  
  cloning the first protection domain to create a second protection domain of the microvisor if the thread does not have permission to access the hardware resource.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The method of claim 16 wherein cloning comprises:
    - copying the execution contexts, scheduling contexts and capabilities of the first protection domain to create the second protection domain.
  - 18. The method of claim 17 further comprising:
    - configuring the capabilities of the second protection domain to limit the permissions of the operating system process to access the hardware resources.
  - 19. The method of claim 16 further comprising:
    - providing information for scheduling the execution context for execution on the CPU, wherein the information is provided by the scheduling context and includes a priority and a time for execution on the CPU.
  - 20. The method of claim 16 further comprising:
    - organizing the capabilities as a set of access control permissions to the hardware resources; and
      
      examining the capabilities each time the thread requests access to a hardware resource.

21. A computer readable media containing instructions for execution on a processor for a method comprising:
- storing an operating system process and a microvisor in a memory of a node in a computer network;
  
  organizing the microvisor to include a first protection domain having a plurality of execution contexts and scheduling contexts, each execution context linked to a scheduling context and interacting with capabilities specifying permissions of the operating system process to access resources of the node;
  
  copying the execution contexts, scheduling contexts and capabilities of the first protection domain to create a second protection domain of the microvisor; and
  
  configuring the capabilities of the second protection domain to limit the permissions of the operating system process to access the resources.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Ismael, Osman Abdoul, Aziz, Ashar

Granted Patent

US 9,740,857 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 21/53   by executing in a restricte...

G06F 21/552   involving long-term monitor...

G06F 21/629   to features or functions of...

G06F 9/45533   Hypervisors; Virtual machin...

G06F 9/45558   Hypervisor-specific managem...

G06F 9/5027   the resource being a machin...

THREAT-AWARE MICROVISOR

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

149 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

THREAT-AWARE MICROVISOR

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

149 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links