MICRO-VIRTUALIZATION ARCHITECTURE FOR THREAT-AWARE MICROVISOR DEPLOYMENT IN A NODE OF A NETWORK ENVIRONMENT

US 20150199532A1
Filed: 03/28/2014
Published: 07/16/2015
Est. Priority Date: 01/16/2014
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a central processing unit (CPU) adapted to execute a virtual machine monitor (VMM) and a microvisor; and

a memory coupled to the CPU and organized to store the VMM and microvisor as a micro-virtualization architecture having a user space and a kernel space, wherein the VMM executes in the user space of the architecture and the microvisor executes in the kernel space of the architecture, the microvisor configured to execute at a highest privilege level of the CPU to control access permissions to kernel resources of the system and the VMM configured to execute at a highest privilege level of the microvisor.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A micro-virtualization architecture deploys a threat-aware microvisor as a module of a virtualization system configured to facilitate real-time security analysis, including exploit detection and threat intelligence, of operating system processes executing in a memory of a node in a network environment. The micro-virtualization architecture organizes the memory as a user space and kernel space, wherein the microvisor executes in the kernel space of the architecture, while the operating system processes, an operating system kernel, a virtual machine monitor (VMM) and its spawned virtual machines (VMs) execute in the user space. Notably, the microvisor executes at the highest privilege level of a central processing unit of the node to virtualize access to kernel resources. The operating system kernel executes under control of the microvisor at a privilege level lower than a highest privilege level of the microvisor. The VMM and its spawned VMs execute at the highest privilege level of the microvisor.

172 Citations

24 Claims

1. A system comprising:
- a central processing unit (CPU) adapted to execute a virtual machine monitor (VMM) and a microvisor; and
  
  a memory coupled to the CPU and organized to store the VMM and microvisor as a micro-virtualization architecture having a user space and a kernel space, wherein the VMM executes in the user space of the architecture and the microvisor executes in the kernel space of the architecture, the microvisor configured to execute at a highest privilege level of the CPU to control access permissions to kernel resources of the system and the VMM configured to execute at a highest privilege level of the microvisor.
- View Dependent Claims (2, 3)
- - 2. The system of claim 1 wherein the CPU is further adapted to execute an operating system kernel in the user space of the architecture, the operating system kernel overlaying the microvisor and configured to execute at a privilege level lower than the highest privilege level of the microvisor.
  - 3. The system of claim 1 wherein the microvisor is configured to communicate with the VMM over a privileged interface embodied as a set of hyper-calls.

4. A system comprising:
- a central processing unit (CPU) adapted to execute a process, an operating system kernel, a virtual machine monitor (VMM) and a microvisor;
  
  a memory configured to store the process, the operating system kernel, the VMM and the microvisor as a micro-virtualization architecture that organizes the memory as a user space and a kernel space, wherein the process, the operating system kernel and the VMM execute in the user space of the architecture, and wherein the microvisor executes in the kernel space of the architecture,the microvisor disposed beneath the operating system kernel and configured to communicate with the VMM over a privileged interface, the microvisor further configured to execute at a highest privilege level of the CPU to control access permissions to kernel resources accessible by the process, andthe VMM configured to execute at a highest privilege level of the microvisor to expose the kernel resources to the operating system kernel, the operating system kernel configured to execute at a privilege level lower than the highest privilege level of the microvisor.
- View Dependent Claims (5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 5. The system of claim 4 wherein the operating system kernel comprises an operating system (OS) specific VMM extension adapted to communicate with the VMM, the OS specific VMM extension configured to provide an interface to the VMM that allows introspection of contents of internal structures of the operating system kernel.
  - 6. The system of claim 5 wherein introspection of the contents of the internal structures comprises examination of data structures of the operating system kernel without duplicating the structures.
  - 7. The system of claim 5 wherein the OS specific VMM extension communicates with the VMM over an application programming interface.
  - 8. The system of claim 5 wherein the microvisor comprises one or more protection domains, each protection domain including one or more execution contexts, each execution context tightly linked to a scheduling context and configured to interact with capabilities having contents that specify access control permissions to the kernel resources by the process.
  - 9. The system of claim 8 wherein the scheduling context includes information defining a priority for execution of the execution context on the CPU and wherein the microvisor further comprises a global scheduler configured to cooperate with the scheduling context to schedule the execution context for execution on the CPU.
  - 10. The system of claim 9 wherein the defined priority is implemented by one or more queues and wherein the global scheduler examines the queues to dispatch the scheduling context to the CPU for execution of its linked execution context.
  - 11. The system of claim 8 wherein the microvisor further comprises an exception handler configured to service a trap generated by the CPU in response to a capability violation of an access control permission to a kernel resource.
  - 12. The system of claim 11 wherein the trap comprises one of a page fault and a general protection fault.
  - 13. The system of claim 11 wherein the exception handler is further configured to report the capability violation to the VMM.
  - 14. The system of claim 13 wherein the VMM comprises instrumentation logic that is invoked in response to the capability violation to determine whether the process is suspicious.
  - 15. The system of claim 14 wherein, in response to determining that that process is suspicious, the VMM is configured to spawn a micro-virtual machine for further analysis of the process.

16. A method comprising:
- storing a process, an operating system kernel, a virtual machine monitor (VMM) and a microvisor in a memory coupled to a central processing unit (CPU) of a node in a computer network;
  
  organizing the memory as a user space and a kernel space of a micro-virtualization rchitecture;
  
  executing the microvisor in the kernel space of the architecture and at a highest privilege level of the CPU to control access permissions to kernel resources accessible by the process;
  
  executing the VMM in the user space of the architecture and at a highest privilege level of the microvisor to expose the kernel resources to the operating system kernel; and
  
  executing the operating system kernel in the user space of the architecture and at a privilege level lower than the highest privilege level of the microvisor.
- View Dependent Claims (17, 18, 19, 20, 21, 22)
- - 17. The method of claim 16 further comprising:
    - organizing the microvisor to include a first protection domain bound to the VMM, the first protection domain having one or more execution contexts, each execution context tightly linked to a scheduling context and configured to interact with capabilities having contents that specify access control permissions to the kernel resources by the process.
  - 18. The method of claim 17 further comprising:
    - switching privilege levels in response to an interception point, wherein the interception point includes one of a memory access request, a function call and a system call.
  - 19. The method of claim 18 wherein executing the VMM further comprises:
    - executing the VMM to instantiate a virtual machine (VM 0) as a container for the operating system kernel, the VM 0 including instrumentation logic directed to determination of an exploit in the process.
  - 20. The method of claim 19 wherein executing the VMM further comprises:
    - executing instrumentation logic of the VMM to analyze the interception point originated by the process to invoke services of the operating system kernel.
  - 21. The method of claim 20 wherein executing the VMM further comprises:
    - in response to the interception point, assuming control over the operating system kernel at the VMM to enable monitoring of activity of the process.
  - 22. The method of claim 21 wherein executing the VMM further comprises:
    - enabling communication between the operating system kernel and microvisor over a privileged interface embodied as a set of hyper-calls.

23. A system comprising:
- a central processing unit (CPU) adapted to execute a user mode process, an operating system kernel, a type 0 virtual machine monitor (VMM 0) and a microvisor;
  
  a memory configured to store the user mode process, the operating system kernel, the VMM 0 and the microvisor as a micro-virtualization architecture that organizes the memory as a user space and a kernel space, wherein the user mode process, the operating system kernel and the VMM 0 execute in the user space of the architecture, and wherein the microvisor executes in the kernel space of the architecture,the microvisor disposed beneath the operating system kernel and configured to communicate with the VMM 0 over a privileged interface, the microvisor further configured to execute at a highest privilege level of the CPU to control access permissions to kernel resources accessible by the user mode process,the VMM 0 including instrumentation logic configured to analyze a system call issued by the process to invoke services of the operating system kernel that include accesses to the kernel resources, the VMM 0 configured to execute at a highest privilege level of the microvisor to expose the kernel resources to the operating system kernel, andthe operating system kernel including an operating system specific VMM extension adapted to communicate with the VMM 0, the operating system kernel configured to execute at a privilege level lower than the highest privilege level of the microvisor.

24. A computer readable media containing instructions for execution on a processor for a method comprising:
- storing a process, an operating system kernel, a virtual machine monitor (VMM) and a microvisor in a memory coupled to a central processing unit (CPU) of a node in a computer network;
  
  organizing the memory as a user space and a kernel space of a micro-virtualization architecture;
  
  executing the microvisor in the kernel space of the architecture and at a highest privilege level of the CPU to control access permissions to kernel resources accessible by the process;
  
  executing the VMM in the user space of the architecture and at a highest privilege level of the microvisor to expose the kernel resources to the operating system kernel; and
  
  executing the operating system kernel in the user space of the architecture and at a privilege level lower than the highest privilege level of the microvisor.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Ismael, Osman Abdoul, Aziz, Ashar

Granted Patent

US 9,292,686 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 21/53   by executing in a restricte...

G06F 21/552   involving long-term monitor...

G06F 21/629   to features or functions of...

G06F 9/45533   Hypervisors; Virtual machin...

G06F 9/45558   Hypervisor-specific managem...

G06F 9/5027   the resource being a machin...

MICRO-VIRTUALIZATION ARCHITECTURE FOR THREAT-AWARE MICROVISOR DEPLOYMENT IN A NODE OF A NETWORK ENVIRONMENT

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

172 Citations

24 Claims

Specification

Use Cases

Quick Links

Others

MICRO-VIRTUALIZATION ARCHITECTURE FOR THREAT-AWARE MICROVISOR DEPLOYMENT IN A NODE OF A NETWORK ENVIRONMENT

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

172 Citations

24 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others