Computer Security Systems And Methods Using Virtualization Exceptions
Abstract
Described systems and methods enable a host system to efficiently perform computer security activities, when operating in a hardware virtualization configuration. A hypervisor exposes a virtual machine on the host system. In some embodiments, the hypervisor further configures a processor of the host system to generate a virtualization exception in response to detecting a memory access violation, and to deliver such exceptions to a computer security program operating within the virtual machine. The hypervisor may further set access permissions to a section of memory containing a part of a function targeted for hooking, so that an attempt to execute the respective target function triggers a virtualization exception. Some embodiments thus achieve hooking of the target function without resorting to conventional methods, such as patching, inline hooking, and MSR hooking.
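The control flow described in the abstract, as a toy C model added here (not code from the patent or from any hypervisor): the hypervisor removes execute permission from the page holding the target function, and the resulting violation is delivered to a handler inside the virtual machine instead of causing a VM exit. All names, addresses and the trusted-caller policy are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy model of the mechanism in the abstract; not real VMX code.
   All names, addresses and the caller policy are constructed for illustration. */
enum { PERM_R = 1, PERM_W = 2, PERM_X = 4 };
enum outcome { RAN_TARGET, VE_ALLOWED, VE_BLOCKED, VM_EXIT };

struct slat_entry { uint8_t perm; int deliver_ve; };  /* per guest-physical page */
struct ve_info { uint64_t gpa; uint8_t access; uint64_t caller; };

#define NPAGES 8
#define PAGE_SHIFT 12
static struct slat_entry slat[NPAGES];   /* owned by the hypervisor */

/* Hypervisor: start with every page fully accessible. */
void hv_init(void) {
    for (int i = 0; i < NPAGES; i++)
        slat[i] = (struct slat_entry){ PERM_R | PERM_W | PERM_X, 0 };
}

/* Hypervisor: set permissions for one page and choose whether violations
   become in-guest exceptions (deliver_ve) or VM exits. */
void hv_set_perm(uint64_t gpa, uint8_t perm, int deliver_ve) {
    slat[(gpa >> PAGE_SHIFT) % NPAGES] = (struct slat_entry){ perm, deliver_ve };
}

/* In-guest security program: decide whether the violation indicates a threat.
   Assumed policy: calls are legitimate only from [0x1000, 0x2000). */
enum outcome guest_ve_handler(const struct ve_info *ve) {
    int trusted = ve->caller >= 0x1000 && ve->caller < 0x2000;
    return ((ve->access & PERM_X) && trusted) ? VE_ALLOWED : VE_BLOCKED;
}

/* Processor: check the access; on violation switch to the handler
   without leaving the VM, or exit to the hypervisor. */
enum outcome cpu_access(uint64_t gpa, uint8_t access, uint64_t caller) {
    struct slat_entry e = slat[(gpa >> PAGE_SHIFT) % NPAGES];
    if ((e.perm & access) == access) return RAN_TARGET;
    if (!e.deliver_ve) return VM_EXIT;
    struct ve_info ve = { gpa, access, caller };
    return guest_ve_handler(&ve);
}

int main(void) {
    hv_init();
    hv_set_perm(0x3000, PERM_R | PERM_W, 1);   /* hook: page holding target */
    printf("%d %d\n", cpu_access(0x3010, PERM_X, 0x1234),
                      cpu_access(0x3010, PERM_X, 0x7000));
    return 0;
}
```

The target function's bytes are never modified in this model; the hook exists only in the hypervisor's permission table, which is the contrast the abstract draws with patching and inline hooking.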
20 Claims
1. A host system comprising at least one hardware processor configured to execute a hypervisor, the hypervisor further configured to:
- configure the at least one hardware processor to generate an exception in response to detecting a violation of a memory access permission, wherein generating the exception causes the at least one hardware processor to switch from executing a target function to executing a computer security program, wherein both the target function and the computer security program execute within a virtual machine exposed by the hypervisor, and wherein the computer security program is configured to determine whether the violation is indicative of a computer security threat; and
- configure the memory access permission so that an attempt to execute the target function violates the memory access permission.
10. A method of protecting a host system from computer security threats, the method comprising employing at least one hardware processor of the host system to execute a hypervisor, wherein executing the hypervisor includes:
- exposing a virtual machine on the host system;
- configuring the at least one hardware processor to generate an exception in response to detecting a violation of a memory access permission, wherein generating the exception causes the at least one hardware processor to switch from executing a target function to executing a computer security program, wherein both the target function and the computer security program execute within the virtual machine, and wherein the computer security program is configured to determine whether the violation is indicative of a computer security threat; and
- configuring the memory access permission so that an attempt to execute the target function violates the memory access permission.
19. A non-transitory computer-readable medium storing instructions which, when executed by at least one hardware processor of a host system, cause the host system to form a hypervisor and a computer security program, the computer security program executing within a virtual machine exposed by the hypervisor, and wherein the hypervisor is configured to:
- configure the at least one hardware processor to generate an exception in response to detecting a violation of a memory access permission, wherein generating the exception causes the at least one hardware processor to switch from executing a target function to executing the computer security program, wherein the target function executes within the virtual machine, and wherein the computer security program is configured to determine whether the violation is indicative of a computer security threat; and
- configure the memory access permission so that an attempt to execute the target function violates the memory access permission.
20. A method of protecting a host system from computer security threats, the method comprising employing at least one hardware processor of the host system to:
- determine whether executing a target function within a virtual machine exposed on the host system causes a violation of a memory access permission; and
- in response, when executing the target function causes the violation; generate an exception, the exception causing the at least one hardware processor to switch from executing the target function to executing a computer security program within the virtual machine, the computer security program configured to determine whether the violation is indicative of a computer security threat.
Specification