Computer Security Systems And Methods Using Virtualization Exceptions

US 20150199514A1
Filed: 11/05/2014
Published: 07/16/2015
Est. Priority Date: 01/10/2014
Status: Active Grant

First Claim

Patent Images

1. A host system comprising at least one hardware processor configured to execute a hypervisor, the hypervisor further configured to:

configure the at least one hardware processor to generate an exception in response to detecting a violation of a memory access permission, wherein generating the exception causes the at least one hardware processor to switch from executing a target function to executing a computer security program, wherein both the target function and the computer security program execute within a virtual machine exposed by the hypervisor, and wherein the computer security program is configured to determine whether the violation is indicative of a computer security threat; and

configure the memory access permission so that an attempt to execute the target function violates the memory access permission.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Described systems and methods enable a host system to efficiently perform computer security activities, when operating in a hardware virtualization configuration. A hypervisor exposes a virtual machine on the host system. In some embodiments, the hypervisor further configures a processor of the host system to generate a virtualization exception in response to detecting a memory access violation, and to deliver such exceptions to a computer security program operating within the virtual machine. The hypervisor may further set access permissions to a section of memory containing a part of a function targeted for hooking, so that an attempt to execute the respective target function triggers a virtualization exception. Some embodiments thus achieve hooking of the target function without resorting to conventional methods, such as patching, inline hooking, and MSR hooking.

46 Citations

View as Search Results

20 Claims

1. A host system comprising at least one hardware processor configured to execute a hypervisor, the hypervisor further configured to:
- configure the at least one hardware processor to generate an exception in response to detecting a violation of a memory access permission, wherein generating the exception causes the at least one hardware processor to switch from executing a target function to executing a computer security program, wherein both the target function and the computer security program execute within a virtual machine exposed by the hypervisor, and wherein the computer security program is configured to determine whether the violation is indicative of a computer security threat; and
  
  configure the memory access permission so that an attempt to execute the target function violates the memory access permission.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The host system of claim 1, wherein the memory access permission restricts access to a section of a memory of the host system, the section of the memory storing a part of the target function.
  - 3. The host system of claim 2, wherein configuring the memory access permission comprises marking the section as non-executable.
  - 4. The host system of claim 2, wherein configuring the memory access permission comprises marking the section as non-readable.
  - 5. The host system of claim 2, wherein the part of the target function includes an entry point of the target function.
  - 6. The host system of claim 1, wherein the computer security program is further configured, in response to the hardware processor generating the exception, to configure the at least one hardware processor to switch from a first memory context to an second memory context, the second memory context configured so that the attempt to execute the target function does not trigger the exception.
  - 7. The host system of claim 6, wherein the computer security program is further configured, in response to switching to the second memory context, to:
    - instruct the at least one hardware processor to execute a trigger instruction, the trigger instruction identified as a processor instruction undergoing execution when the at least one hardware processor generated the exception; and
      
      in response, configure the at least one processor to switch from the second memory context to the first memory context.
  - 8. The host system of claim 1, wherein the computer security program is further configured, in response to the hardware processor generating the exception, to transmit a signal to the hypervisor, and wherein the hypervisor is further configured, in response to receiving the signal, to change the memory access permission.
  - 9. The host system of claim 8, wherein the computer security program is further configured, in response to transmitting the signal to the hypervisor, to:
    - instruct the at least one hardware processor to execute a trigger instruction, the trigger instruction identified as a processor instruction undergoing execution when the at least one hardware processor generated the exception; and
      
      in response, transmit a second signal to the hypervisor, andwherein the hypervisor is further configured, in response to receiving the second signal, to reinstate the memory access permission.

10. A method of protecting a host system from computer security threats, the method comprising employing at least one hardware processor of the host system to execute a hypervisor, wherein executing the hypervisor includes:
- exposing a virtual machine on the host system;
  
  configuring the at least one hardware processor to generate an exception in response to detecting a violation of a memory access permission, wherein generating the exception causes the at least one hardware processor to switch from executing a target function to executing a computer security program, wherein both the target function and the computer security program execute within the virtual machine, and wherein the computer security program is configured to determine whether the violation is indicative of a computer security threat; and
  
  configuring the memory access permission so that an attempt to execute the target function violates the memory access permission.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The method of claim 10, wherein the memory access permission restricts access to a section of a memory of the host system, the section of the memory storing a part of the target function.
  - 12. The method of claim 11, wherein configuring the memory access permission comprises marking the section as non-executable.
  - 13. The method of claim 11, wherein configuring the memory access permission comprises marking the section as non-readable.
  - 14. The method of claim 11, wherein the part of the target function includes an entry point of the target function.
  - 15. The method of claim 10, further comprising, in response to the hardware processor generating the exception, employing the at least one hardware processor to switch from a first memory context to an second memory context, the second memory context configured so that the attempt to execute the target function does not trigger the exception.
  - 16. The method of claim 15, further comprising, in response to switching to the second memory context:
    - employing the at least one hardware processor to execute a trigger instruction within the virtual machine, the trigger instruction identified as a processor instruction undergoing execution when the at least one hardware processor generated the exception; and
      
      in response, employing the at least one hardware processor to switch from the second memory context to the first memory context.
  - 17. The method of claim 10, further comprising, in response to the hardware processor generating the exception, employing the at least one hardware processor to change the memory access permission.
  - 18. The method of claim 17, further comprising, in response to changing the memory access permission:
    - employing the at least one hardware processor to execute a trigger instruction within the virtual machine, the trigger instruction identified as a processor instruction undergoing execution when the at least one hardware processor generated the exception; and
      
      in response, employing the at least one hardware processor to reinstate the memory access permission.

19. A non-transitory computer-readable medium storing instructions which, when executed by at least one hardware processor of a host system, cause the host system to form a hypervisor and a computer security program, the computer security program executing within a virtual machine exposed by the hypervisor, and wherein the hypervisor is configured to:
- configure the at least one hardware processor to generate an exception in response to detecting a violation of a memory access permission, wherein generating the exception causes the at least one hardware processor to switch from executing a target function to executing the computer security program, wherein the target function executes within the virtual machine, and wherein the computer security program is configured to determine whether the violation is indicative of a computer security threat; and
  
  configure the memory access permission so that an attempt to execute the target function violates the memory access permission.

20. A method of protecting a host system from computer security threats, the method comprising employing at least one hardware processor of the host system to:
- determine whether executing a target function within a virtual machine exposed on the host system causes a violation of a memory access permission; and
  
  in response, when executing the target function causes the violation;
  
  generate an exception, the exception causing the at least one hardware processor to switch from executing the target function to executing a computer security program within the virtual machine, the computer security program configured to determine whether the violation is indicative of a computer security threat.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Bitdefender IPR Management Limited (Bitdefender LLC)
Original Assignee
Bitdefender IPR Management Limited (Bitdefender LLC)
Inventors
TOSA, Raul V., LUTAS, Dan H., LUKACS, Sandor, TICLE, Daniel I.

Granted Patent

US 9,400,885 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 21/53   by executing in a restricte...

G06F 21/554   involving event detection a...

G06F 21/57   Certifying or maintaining t...

G06F 21/74   operating in dual or compar...

G06F 2221/033   Test or assess software

G06F 9/45558   Hypervisor-specific managem...

Computer Security Systems And Methods Using Virtualization Exceptions

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

46 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Computer Security Systems And Methods Using Virtualization Exceptions

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

46 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links