EXPLOIT DETECTION SYSTEM WITH THREAT-AWARE MICROVISOR
First Claim
1. An exploit detection system comprising:
a threat-aware microvisor configured to generate a capability violation in response to a process executing in an operating system attempting to access a kernel resource for which the process does not have permission; and
a virtual machine monitor (VMM) coupled to the microvisor and, in response to the capability violation, configured to spawn a micro-virtual machine as a container configured to encapsulate the process, the micro-virtual machine further configured to monitor operation of the process as the process attempts to access the kernel resource to detect whether the process includes an exploit.
Abstract
An exploit detection system deploys a threat-aware microvisor to facilitate real-time security analysis, including exploit detection and threat intelligence, of an operating system process executing on a node of a network environment. The microvisor may be organized as a main protection domain representative of the operating system process. In response to the process attempting to access a kernel resource for which it does not have permission, a capability violation may be generated at the main protection domain of the microvisor and a micro-virtual machine (VM) may be spawned as a container configured to encapsulate the process. The main protection domain may then be cloned to create a cloned protection domain that is representative of the process and that is bound to the spawned micro-VM. Capabilities of the cloned protection domain may be configured to be more restricted than the capabilities of the main protection domain with respect to access to the kernel resource. The restricted capabilities may be configured to generate more capability violations than those generated by the capabilities of the main protection domain and, in turn, enable further monitoring of the process as it attempts to access the kernel resource.
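The abstract describes a control flow rather than an implementation: a process runs under a main protection domain; its first capability violation makes the VMM spawn a micro-VM; the microvisor clones the main domain into a more restricted one bound to that micro-VM; and the extra violations the clone produces are what the detector observes. The following Python model is an added example written for this page, not code from the patent or its assignee. Every name in it (ProtectionDomain, MicroVM, ExploitDetector, the resource strings and the "anomalous"/"monitoring"/"clean" verdicts) is an assumption chosen to illustrate the mechanism, and the scenario in run_demo is constructed.

```python
from dataclasses import dataclass, field


@dataclass
class ProtectionDomain:
    """Hypothetical microvisor protection domain: execution contexts plus
    capabilities mapping a kernel resource name to the operations permitted on it."""
    name: str
    execution_contexts: list
    capabilities: dict

    def permits(self, resource, op):
        return op in self.capabilities.get(resource, frozenset())

    def clone(self, name, revoke):
        """Copy the execution contexts and capabilities into a new domain, then
        revoke the listed (resource, op) pairs so the clone is strictly more
        restricted than this domain and therefore raises more violations."""
        caps = {r: set(ops) for r, ops in self.capabilities.items()}
        for resource, op in revoke:
            caps.setdefault(resource, set()).discard(op)
        return ProtectionDomain(name, list(self.execution_contexts),
                                {r: frozenset(ops) for r, ops in caps.items()})


@dataclass
class MicroVM:
    """Container spawned around one process and bound to a cloned domain."""
    pid: int
    domain: ProtectionDomain
    violations: list = field(default_factory=list)   # violations raised at the clone


class ExploitDetector:
    """Hypothetical model of the microvisor/VMM cooperation; not the patented code."""

    def __init__(self, main_domain, revoke_on_spawn):
        self.main = main_domain
        self.revoke_on_spawn = revoke_on_spawn   # rights the clone gives up
        self.micro_vms = {}   # pid -> MicroVM
        self.log = []         # (pid, domain name, resource, op, outcome)

    def access(self, pid, resource, op):
        """Process `pid` invokes a kernel service on `resource`; True if permitted."""
        vm = self.micro_vms.get(pid)
        domain = vm.domain if vm else self.main
        if domain.permits(resource, op):
            self.log.append((pid, domain.name, resource, op, "ok"))
            return True
        self.log.append((pid, domain.name, resource, op, "violation"))
        if vm is None:
            # First violation, at the main domain: spawn a micro-VM and bind it to
            # a clone of the main domain that holds fewer capabilities.
            clone = self.main.clone(f"{self.main.name}-clone-{pid}", self.revoke_on_spawn)
            self.micro_vms[pid] = MicroVM(pid, clone)
        else:
            # Violation of the restricted capabilities: the signal the detector wants.
            vm.violations.append((resource, op))
        return False

    def verdict(self, pid):
        vm = self.micro_vms.get(pid)
        if vm is None:
            return "clean"          # never violated the main domain
        if vm.violations:
            return "anomalous"      # violated the more restricted clone
        return "monitoring"


def run_demo():
    """Constructed scenario: pid 8 behaves; pid 7 probes kernel text, then the network."""
    main = ProtectionDomain(
        name="pd-main",
        execution_contexts=["ctx-0"],
        capabilities={
            "file:/etc/passwd": frozenset({"read"}),
            "net:socket": frozenset({"read", "write"}),
            "mem:kernel_text": frozenset(),          # no process may write kernel text
        },
    )
    det = ExploitDetector(main, revoke_on_spawn=[("net:socket", "write")])

    det.access(8, "file:/etc/passwd", "read")   # allowed
    det.access(8, "net:socket", "write")        # allowed at the main domain
    det.access(7, "file:/etc/passwd", "read")   # allowed
    det.access(7, "mem:kernel_text", "write")   # violation: micro-VM spawned for pid 7
    det.access(7, "file:/etc/passwd", "read")   # still allowed inside the clone
    det.access(7, "net:socket", "write")        # allowed in main, a violation in the clone
    return det


if __name__ == "__main__":
    d = run_demo()
    for entry in d.log:
        print(entry)
    print("pid 7:", d.verdict(7), "pid 8:", d.verdict(8))
```

The point the model makes explicit is in the last two calls: a socket write that the main domain permits becomes a violation once the process is inside the micro-VM, because the clone was deliberately built with fewer rights. The clone is never the enforcement boundary for ordinary processes; it exists only to make a suspect process generate more observable events.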
29 Claims
1. An exploit detection system comprising the microvisor and VMM elements reproduced under First Claim above. Dependent claims: 2, 3, 4, 5, 6, 7, 8.
9. A method comprising:
organizing a microvisor of an exploit detection system as a main protection domain representative of a process executing in an operating system of the exploit detection system, the main protection domain including one or more execution contexts and capabilities defining permissions for the process to access kernel resources of the exploit detection system;
generating a capability violation at the main protection domain in response to the process attempting to access a kernel resource for which the process does not have permission;
in response to the capability violation, spawning a micro-virtual machine as a container configured to encapsulate the process;
cloning the main protection domain by copying the execution contexts and capabilities to create a cloned protection domain representative of the process, wherein the capabilities of the cloned protection domain are more restricted than the capabilities of the main protection domain with respect to access to the kernel resources, and wherein the restricted capabilities of the cloned protection domain are configured to generate more capability violations than the capability violation generated by the capabilities of the main protection domain;
binding the spawned micro-virtual machine to the cloned protection domain of the microvisor; and
monitoring operation of the process encapsulated in the micro-virtual machine as the process attempts to access the kernel resource to determine whether the process includes an exploit.
Dependent claims: 10, 11, 12, 13, 14, 15.
16. A system comprising:
a memory configured to store a process, an operating system kernel, a virtual machine monitor (VMM) and a microvisor, the microvisor organized as a main protection domain representative of the process and including one or more execution contexts and capabilities defining permissions for the process to access kernel resources of the system;
a central processing unit (CPU) coupled to the memory and adapted to execute the process, the operating system kernel, the VMM and the microvisor, wherein the VMM and the microvisor when executed are operable to:
generate one or more capability violations at the main protection domain in response to the process attempting to access one or more kernel resources for which the process does not have permission;
in response to the one or more capability violations, spawn a micro-virtual machine as a container configured to encapsulate the process;
clone the main protection domain by copying the execution contexts and capabilities to create a cloned protection domain representative of the process, wherein the capabilities of the cloned protection domain are more restricted than the capabilities of the main protection domain with respect to access to the kernel resources, and wherein the restricted capabilities of the cloned protection domain are configured to generate further capability violations beyond the one or more capability violations generated by the capabilities of the main protection domain; and
cooperate with the micro-virtual machine to monitor operation of the process encapsulated in the micro-virtual machine as the process attempts to access the kernel resource to determine whether the process includes an exploit.
Dependent claims: 17, 18, 19, 20, 21, 22, 23.
24. A method comprising:
organizing a microvisor as a main protection domain representative of an operating system process executing in a user space of an exploit detection system, the main protection domain including one or more execution contexts and capabilities defining permissions for the operating system process to access kernel resources of the exploit detection system, the microvisor executing in a kernel space of the exploit detection system;
instantiating a virtual machine (VM 0) as a container for an operating system kernel, the VM 0 instantiated by a virtual machine monitor (VMM) configured to expose the kernel resources to the operating system kernel, the VMM and VM 0 executing in the user space of the exploit detection system;
originating an interception point by the operating system process to invoke a service of the operating system kernel to access a first kernel resource;
generating a capability violation at the main protection domain of the microvisor in response to the operating system process not having permission to access the first kernel resource;
in response to the capability violation, spawning a micro-virtual machine as a container configured to encapsulate the operating system process;
cloning the main protection domain to create a cloned protection domain representative of the operating system process, wherein the capabilities of the cloned protection domain are more restricted than the capabilities of the main protection domain with respect to access to the kernel resources, and wherein the more restricted capabilities of the cloned protection domain are configured to generate more capability violations than the capability violation generated by the capabilities of the main protection domain;
monitoring operation of the operating system process encapsulated in the micro-virtual machine as the process attempts to access a second kernel resource; and
in response to the operating system process encapsulated in the micro-virtual machine attempting to access the second kernel resource, generating at least one capability violation of the more restricted capabilities at the cloned protection domain to thereby enable detection of anomalous behavior of the process.
Dependent claims: 25, 26, 27, 28.
29. A computer readable media containing instructions for execution on a processor for a method comprising:
organizing a microvisor of an exploit detection system as a main protection domain representative of a process executing in an operating system of the exploit detection system, the main protection domain including one or more execution contexts and capabilities defining permissions for the process to access kernel resources of the exploit detection system;
generating a capability violation at the main protection domain in response to the process attempting to access a kernel resource for which the process does not have permission;
in response to the capability violation, spawning a micro-virtual machine as a container configured to encapsulate the process;
cloning the main protection domain by copying the execution contexts and capabilities to create a cloned protection domain representative of the process, wherein the capabilities of the cloned protection domain are more restricted than the capabilities of the main protection domain with respect to access to the kernel resources, and wherein the restricted capabilities of the cloned protection domain are configured to generate more capability violations than the capability violation generated by the capabilities of the main protection domain; and
monitoring operation of the process encapsulated in the micro-virtual machine as the process attempts to access the kernel resource to determine whether the process includes an exploit.
Specification