EXPLOIT DETECTION SYSTEM WITH THREAT-AWARE MICROVISOR

US 20150199531A1
Filed: 03/28/2014
Published: 07/16/2015
Est. Priority Date: 01/16/2014
Status: Active Grant

First Claim

Patent Images

1. An exploit detection system comprising:

a threat-aware microvisor configured to generate a capability violation in response to a process executing in an operating system attempting to access a kernel resource for which the process does not have permission; and

a virtual machine monitor (VMM) coupled to the microvisor and, in response to the capability violation, configured to spawn a micro-virtual machine as a container configured to encapsulate the process, the micro-virtual machine further configured to monitor operation of the process as the process attempts to access the kernel resource to detect whether the process includes an exploit.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An exploit detection system deploys a threat-aware microvisor to facilitate real-time security analysis, including exploit detection and threat intelligence, of an operating system process executing on a node of a network environment. The microvisor may be organized as a main protection domain representative of the operating system process. In response to the process attempting to access a kernel resource for which it does not have permission, a capability violation may be generated at the main protection domain of the microvisor and a micro-virtual machine (VM) may be spawned as a container configured to encapsulate the process. The main protection domain may then be cloned to create a cloned protection domain that is representative of the process and that is bound to the spawned micro-VM. Capabilities of the cloned protection domain may be configured to be more restricted than the capabilities of the main protection domain with respect to access to the kernel resource. The restricted capabilities may be configured to generate more capability violations than those generated by the capabilities of the main protection domain and, in turn, enable further monitoring of the process as it attempts to access the kernel resource.

155 Citations

29 Claims

1. An exploit detection system comprising:
- a threat-aware microvisor configured to generate a capability violation in response to a process executing in an operating system attempting to access a kernel resource for which the process does not have permission; and
  
  a virtual machine monitor (VMM) coupled to the microvisor and, in response to the capability violation, configured to spawn a micro-virtual machine as a container configured to encapsulate the process, the micro-virtual machine further configured to monitor operation of the process as the process attempts to access the kernel resource to detect whether the process includes an exploit.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The exploit detection system of claim 1 wherein the threat-aware microvisor comprises:
    - a main protection domain including one or more execution contexts and capabilities defining permissions for the process to access the kernel resource.
  - 3. The exploit detection system of claim 2 wherein threat-aware microvisor further comprises:
    - a cloned protection domain representative of the process, the cloned protection domain created by copying the execution contexts and capabilities of the main protection domain, wherein the capabilities of the cloned protection domain are more restricted than the capabilities of the main protection domain with respect to access to the kernel resource, and wherein the restricted capabilities of the cloned protection domain are configured to generate more capability violations than the capability violation generated by the capabilities of the main protection domain.
  - 4. The exploit detection system of claim 1 wherein the VMM further comprises:
    - instrumentation logic configured to determine a likelihood that the process contains the exploit.
  - 5. The exploit detection system of claim 4 wherein the kernel resource is a memory page and wherein the instrumentation logic is further configured to:
    - determine whether the memory page includes information selected from one of (i) just-in-time compiler program instructions and just-in-time compiler headers, and (ii) non-standard program instruction sequences and unusual headers; and
      
      in response to determining that the memory page includes non-standard program instructions and unusual headers, determining that the process likely contains the exploit.
  - 6. The exploit detection system of claim 5 wherein the micro-virtual machine is spawned in response to determining that the process likely contains the exploit.
  - 7. The exploit detection system of claim 1 wherein the VMM is further configured to analyze one or more interception points originated by the process to invoke one or more services of the operating system kernel to access to the kernel resource, wherein the one or more interception points include one of a memory access request, a function call and a system call.
  - 8. The exploit detection system of claim 3 wherein the threat-aware microvisor and VMM execute on a node of a network environment and wherein the node is embodied as an endpoint.

9. A method comprising:
- organizing a microvisor of an exploit detection system as a main protection domain representative of a process executing in an operating system of the exploit detection system, the main protection domain including one or more execution contexts and capabilities defining permissions for the process to access kernel resources of the exploit detection system;
  
  generating a capability violation at the main protection domain in response to the process attempting to access a kernel resource for which the process does not have permission;
  
  in response to the capability violation, spawning a micro-virtual machine as a container configured to encapsulate the process;
  
  cloning the main protection domain by copying the execution contexts and capabilities to create a cloned protection domain representative of the process, wherein the capabilities of the cloned protection domain are more restricted than the capabilities of the main protection domain with respect to access to the kernel resources, and wherein the restricted capabilities of the cloned protection domain are configured to generate more capability violations than the capability violation generated by the capabilities of the main protection domain;
  
  binding the spawned micro-virtual machine to the cloned protection domain of the microvisor; and
  
  monitoring operation of the process encapsulated in the micro-virtual machine as the process attempts to access the kernel resource to determine whether the process includes an exploit.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The method of claim 9 wherein generating a capability violation comprises:
    - generating a trap by a central processing unit of the exploit detection system; and
      
      servicing the generated trap by an exception handler of the microvisor.
  - 11. The method of claim 9 further comprising:
    - instantiating a virtual machine as a first module configured to support execution of an operating system kernel of the exploit detection system.
  - 12. The method of claim 11 wherein spawning the micro-virtual machine comprises:
    - creating an instance of a second module substantially similar to the first module of the virtual machine, the second module having instrumentation logic directed to determination of the exploit.
  - 13. The method of claim 12 wherein binding comprises binding of the spawned micro-virtual machine to the cloned protection domain of the microvisor through memory context switching.
  - 14. The method of claim 12 further comprising:
    - allocating a shadow memory for use by the micro-virtual machine to analyze the process.
  - 15. The method of claim 14 further comprising:
    - logging the capability violations in a system logger of the exploit detection system.

16. A system comprising:
- a memory configured to store a process, an operating system kernel, a virtual machine monitor (VMM) and a microvisor, the microvisor organized as a main protection domain representative of the process and including one or more execution contexts and capabilities defining permissions for the process to access kernel resources of the system;
  
  a central processing unit (CPU) coupled to the memory and adapted to execute the process, the operating system kernel, the VMM and the microvisor, wherein the VMM and the microvisor when executed are operable to;
  
  generate one or more capability violations at the main protection domain in response to the process attempting to access one or more kernel resources for which the process does not have permission;
  
  in response to the one or more capability violations, spawn a micro-virtual machine as a container configured to encapsulate the process;
  
  clone the main protection domain by copying the execution contexts and capabilities to create a cloned protection domain representative of the process, wherein the capabilities of the cloned protection domain are more restricted than the capabilities of the main protection domain with respect to access to the kernel resources, and wherein the restricted capabilities of the cloned protection domain are configured to generate further capability violations than the one or more capability violations generated by the capabilities of the main protection domain; and
  
  cooperate with the micro-virtual machine to monitor operation of the process encapsulated in the micro-virtual machine as the process attempts to access the kernel resource to determine whether the process includes an exploit.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23)
- - 17. The system of claim 16 wherein the process when executed is operable to:
    - originate one or more interception points to invoke one or more services of the operating system kernel to access to the one or more kernel resources.
  - 18. The system of claim 17 wherein the one or more interception points comprises a system call at which a switch occurs from a privilege level of the process to a privilege level of the operating system kernel.
  - 19. The system of claim 18 wherein the VMM when executed is further operable to:
    - instantiate a virtual machine as a first module configured to support execution of the operating system kernel.
  - 20. The system of claim 19 wherein the VMM when executed is further operable to:
    - create an instance of a second module substantially similar to the first module of the virtual machine, the second module having instrumentation logic directed to determination of the exploit.
  - 21. The system of claim 20 wherein the VMM when executed is further operable to:
    - intercept the system call;
      
      generate a hyper-call; and
      
      pass the hyper-call over a privileged interface to the microvisor to enable the main protection domain of the microvisor to control access to the one or more kernel resources.
  - 22. The system of claim 21 wherein the microvisor when executed is further operable to:
    - check the permission of the process to access the one or more kernel resources;
      
      allowing the access if the process has permission to access the one or more kernel resources; and
      
      report the one or more capability violations to the VMM over the privileged interface if the process does not have permission to access the one or more kernel resources.
  - 23. The system of claim 17 wherein the VMM when executed is further operable to:
    - collect the one or more capability violations in response to the one or more interception points to evaluate a state of the process in order to detect the exploit without requiring policy enforcement.

24. A method comprising:
- organizing a microvisor as a main protection domain representative of an operating system process executing in a user space of an exploit detection system, the main protection domain including one or more execution contexts and capabilities defining permissions for the operating system process to access kernel resources of the exploit detection system, the microvisor executing in a kernel space of the exploit detection system;
  
  instantiating a virtual machine (VM
  
  0) as a container for an operating system kernel, the VM 0 instantiated by a virtual machine monitor (VMM) configured to expose the kernel resources to the operating system kernel, the VMM and VM 0 executing in the user space of the exploit detection system;
  
  originating an interception point by the operating system process to invoke a service of the operating system kernel to access to a first kernel resource;
  
  generating a capability violation at the main protection domain of the microvisor in response to the operating system process not having permission to access the first kernel resource;
  
  in response to the capability violation, spawning a micro-virtual machine as a container configured to encapsulate the operating system process;
  
  cloning the main protection domain to create a cloned protection domain representative of the operating system process, wherein the capabilities of the cloned protection domain are more restricted than the capabilities of the main protection domain with respect to access to the kernel resources, and wherein the more restricted capabilities of the cloned protection domain are configured to generate more capability violations than the capability violation generated by the capabilities of the main protection domain;
  
  monitoring operation of the operating system process encapsulated in the micro-virtual machine as the process attempts to access a second kernel resource; and
  
  in response to the operating system process encapsulated in the micro-virtual machine attempting to access the second kernel resource, generating at least one capability violation of the more restricted capabilities at the cloned protection domain to thereby enable detection of anomalous behavior of the process.
- View Dependent Claims (25, 26, 27, 28)
- - 25. The method of claim 24 further comprising, wherein the interception point includes a system call:
    - decomposing the operating system process into a plurality of threads;
      
      sending the system call to the operating system kernel requesting access to a kernel resource; and
      
      intercepting the system call at the VMM.
  - 26. The method of claim 25 further comprising:
    - generating a hyper-call at the VMM;
      
      passing the hyper-call over a privileged interface to the first protection domain of the microvisor, wherein the hyper-call enables switching from the user space of the exploit detection system to the kernel space of the system;
      
      checking the permission of the thread to access the kernel resource; and
      
      allowing the access if the thread has permission to access the kernel resource.
  - 27. The method of claim 25 wherein generating the capability violation at the main protection domain comprises:
    - reporting the capability violation to the VMM over a privileged interface; and
      
      assuming control over the operating system kernel at the VMM to enable monitoring of activity of the thread of the operating system process.
  - 28. The method of claim 24 wherein the first kernel resource is different from the second kernel resource.

29. A computer readable media containing instructions for execution on a processor for a method comprising:
- organizing a microvisor of an exploit detection system as a main protection domain representative of a process executing in an operating system of the exploit detection system, the main protection domain including one or more execution contexts and capabilities defining permissions for the process to access kernel resources of the exploit detection system;
  
  generating a capability violation at the main protection domain in response to the process attempting to access a kernel resource for which the process does not have permission;
  
  in response to the capability violation, spawning a micro-virtual machine as a container configured to encapsulate the process;
  
  cloning the main protection domain by copying the execution contexts and capabilities to create a cloned protection domain representative of the process, wherein the capabilities of the cloned protection domain are more restricted than the capabilities of the main protection domain with respect to access to the kernel resources, and wherein the restricted capabilities of the cloned protection domain are configured to generate more capability violations than the capability violation generated by the capabilities of the main protection domain; and
  
  monitoring operation of the process encapsulated in the micro-virtual machine as the process attempts to access the kernel resource to determine whether the process includes an exploit.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Ismael, Osman Abdoul, Aziz, Ashar

Granted Patent

US 9,507,935 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 21/53   by executing in a restricte...

G06F 21/552   involving long-term monitor...

G06F 21/629   to features or functions of...

G06F 9/45533   Hypervisors; Virtual machin...

G06F 9/45558   Hypervisor-specific managem...

G06F 9/5027   the resource being a machin...

EXPLOIT DETECTION SYSTEM WITH THREAT-AWARE MICROVISOR

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

155 Citations

29 Claims

Specification

Use Cases

Quick Links

Others

EXPLOIT DETECTION SYSTEM WITH THREAT-AWARE MICROVISOR

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

155 Citations

29 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others