Systems and Methods Involving Features of Hardware Virtualization, Hypervisor, APIs of Interest, and/or Other Features

US 20150332048A1
Filed: 05/15/2015
Published: 11/19/2015
Est. Priority Date: 05/15/2014
Status: Active Grant

First Claim

Patent Images

1. A method for processing information securely, the method comprising:

partitioning hardware platform resources via a separation kernel hypervisor into a plurality of guest operating system virtual machine protection domains;

providing a dedicated virtualization assistance layer (VAL) including a virtual representation of the hardware platform that is a virtual machine in each of the guest operating system virtual machine protection domains such that the dedicated VAL security processing is not performed in the separation kernel hypervisor;

processing the virtual machine via another guest;

hosting at least one detection mechanism that executes within the virtual hardware platform in each of the plurality of guest operating system virtual machine protection domains via the separation kernel hypervisor;

upon detection of suspect behavior, securely transitioning execution to the detection mechanism within the VAL in a manner isolated from the guest operating system;

securely determining, via the detection mechanism, a policy decision regarding the suspect behavior; and

transitioning execution back to the separation kernel hypervisor to continue processing regarding enforcement of or taking action in connection with the policy decision.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods, computer readable media and articles of manufacture consistent with innovations herein are directed to computer virtualization, computer security and/or memory access. According to some illustrative implementations, innovations herein may utilize and/or involve a separation kernel hypervisor which may include the use of a guest operating system virtual machine protection domain, a virtualization assistance layer, and/or a detection mechanism (which may be proximate in temporal and/or spatial locality to malicious code, but isolated from it), inter alia, for detection and/or notification of, and action by a monitoring guest upon access by a monitored guest to predetermined physical memory locations.

111 Citations

25 Claims

1. A method for processing information securely, the method comprising:
- partitioning hardware platform resources via a separation kernel hypervisor into a plurality of guest operating system virtual machine protection domains;
  
  providing a dedicated virtualization assistance layer (VAL) including a virtual representation of the hardware platform that is a virtual machine in each of the guest operating system virtual machine protection domains such that the dedicated VAL security processing is not performed in the separation kernel hypervisor;
  
  processing the virtual machine via another guest;
  
  hosting at least one detection mechanism that executes within the virtual hardware platform in each of the plurality of guest operating system virtual machine protection domains via the separation kernel hypervisor;
  
  upon detection of suspect behavior, securely transitioning execution to the detection mechanism within the VAL in a manner isolated from the guest operating system;
  
  securely determining, via the detection mechanism, a policy decision regarding the suspect behavior; and
  
  transitioning execution back to the separation kernel hypervisor to continue processing regarding enforcement of or taking action in connection with the policy decision.
- View Dependent Claims (2, 3, 4, 7, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. The method of claim 1, further comprising one or more of:
    - providing a list of memory locations of an authorized guest to another guest;
      
      associating each of a plurality of physical memory locations with a respective specification of execution context information upon access to the each of the plurality of physical memory locations;
      
      providing a message of the specification to the another guest; and
      
      providing a virtualization assistance layer (VAL) including a virtual representation of the hardware platform in each of the guest operating system virtual machine protection domains such that the VAL is not directly accessible by the authorized guest.
  - 3. The method of claim 1, further comprising one or more of:
    - hosting an unmapping mechanism to unmap specified pages on demand from the another guest;
      
      receiving, via the unmapping mechanism, the demand to unmap the specified pages; and
      
      unmapping, via the unmapping mechanism, the specified pages.
  - 4. The method of claim 3, wherein the securely determining, via the detection mechanism, the policy decision regarding the suspect behavior comprises:
    - analyzing the behavior of the guest operating system and its resources; and
      
      processing unmapped page exceptions taken by the guest operating system based on the unmapped pages.
  - 7. The method of claim 1, further comprising one or more of:
    - hosting a remapping mechanism to remap unmapped pages;
      
      upon securely determining, via the detection mechanism, the policy decision, transitioning execution to the remapping mechanism;
      
      remapping, via the remapping mechanism, the unmapped pages as accessible; and
      
      transitioning, via the remapping mechanism;
      
      execution to the detection mechanism.
  - 10. The method of claim 1, further comprising:
    - isolating the domains in time and space from each other.
  - 11. The method of claim 1, further comprising:
    - providing a list of memory locations of an authorized guest to another guest.
  - 12. The method of claim 1, further comprising:
    - associating each of a plurality of physical memory locations with a respective specification of execution context information upon access to the each of the plurality of physical memory locations.
  - 13. The method of claim 1, further comprising:
    - providing a message of the specification to the another guest.
  - 14. The method of claim 1, further comprising:
    - providing a virtualization assistance layer (VAL) including a virtual representation of the hardware platform in each of the guest operating system virtual machine protection domains such that the VAL is not directly accessible by the authorized guest.
  - 15. The method of claim 1, wherein the virtual representation of the hardware platform is a virtual machine comprising a virtual motherboard including a virtual CPU and memory by the VAL.
  - 16. The method of claim 1, further comprising:
    - hosting a mechanism to map physical memory pages as non-executable.
  - 17. The method of claim 1, further comprising:
    - processing exceptions to non-executable page execution attempts by the associated virtual machine.
  - 18. The method of claim 1, further comprising:
    - hosting another mechanism to determine whether the physical memory locations are accessed.
  - 19. The method of claim 1, further comprising:
    - pausing or resuming execution of the virtual machine.
  - 20. The method of claim 1, further comprising:
    - sending a notification of memory access and the specification to a requesting guest.

5. A method for processing information securely, the method comprising:
- partitioning hardware platform resources via a separation kernel hypervisor into a plurality of guest operating system virtual machine protection domains each including a virtual machine; and
  
  isolating and/or securing the domains in time and/or space from each other.
- View Dependent Claims (6, 8, 9)
- - 6. The method of claim 5, further comprising one or more of:
    - hosting/processing at least one detection mechanism, each which may be different from each other, that executes within one or more of the plurality of guest operating system virtual machine protection domains via the separation kernel hypervisor;
      
      implementing at least one routine and/or component to prohibit the guest operating system virtual machine protection domains from tampering with, corrupting, and/or bypassing the detection mechanism; and
      
      /orexecuting the detection mechanism while preventing interference and/or bypassing/corrupting/tampering by the plurality of guest operating system virtual machine protection domains;
      
      providing a list of memory locations of an authorized guest to another guest; and
      
      associating each of a plurality of physical memory locations with a respective specification of execution context information upon access to the each of the plurality of physical memory locations.
  - 8. The method of claim 6, further comprising one or more of:
    - hosting an unmapping mechanism to unmap the page; and
      
      unmapping, via the unmapping mechanism, the page.
  - 9. The method of claim 8, further comprising one or more of:
    - hosting a remapping mechanism to remap unmapped pages;
      
      transitioning execution to the remapping mechanism;
      
      remapping, via the remapping mechanism, the unmapped pages as accessible; and
      
      transitioning, via the remapping mechanism;
      
      execution to the detection mechanism.

21. A method for processing information securely, the method comprising:
- partitioning hardware platform resources via a separation kernel hypervisor into a plurality of guest operating system virtual machine protection domains;
  
  isolating the domains in time and space from each other;
  
  providing a list of memory locations of an authorized guest to another guest;
  
  associating each of a plurality of physical memory locations with a respective specification of execution context information upon access to the each of the plurality of physical memory locations;
  
  providing a message of the specification to the another guest; and
  
  providing a virtualization assistance layer (VAL) including a virtual representation of the hardware platform in each of the guest operating system virtual machine protection domains such that the VAL is not directly accessible by the authorized guest.
- View Dependent Claims (22, 23, 24)
- - 22. The method of claim 21, wherein the virtual representation of the hardware platform is a virtual machine comprising a virtual motherboard including a virtual CPU and memory by the VAL.
  - 23. The method of claim 22, the method further comprising:
    - hosting a mechanism to map physical memory pages as non-executable;
      
      processing exceptions to non-executable page execution attempts by the associated virtual machine;
      
      hosting another mechanism to determine whether the physical memory locations are accessed;
      
      pausing or resuming execution of the virtual machine; and
      
      sending a notification of memory access and the specification to a requesting guest.
  - 24. The method of claim 22, further comprising;
    - hosting a mechanism to copy the contents of the physical memory address into a private memory location;
      
      hosting a mechanism to overwrite the address with an instruction that will trap into the separation kernel hypervisor;
      
      processing exceptions due to execution attempts of the overwritten address by the associated virtual machine;
      
      hosting another mechanism to determine whether the physical memory locations are accessed;
      
      pausing or resuming execution of the virtual machine; and
      
      ?replacing the over written instruction with the stored copy;
      
      allowing the virtual machine to execute the original instruction;
      
      trapping back into the virtualization assistance layer;
      
      overwriting the original instruction with the trapping instruction;
      
      sending a notification of memory access and the specification to a requesting guest.

25-59. -59. (canceled)

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lynx Software Technologies Inc.
Original Assignee
Lynx Software Technologies Inc.
Inventors
MOORING, Edward T., HOWARD, Craig, YANKOVSKY, Phillip

Granted Patent

US 9,213,840 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 21/53   by executing in a restricte...

G06F 21/554   involving event detection a...

G06F 21/567   using dedicated hardware

G06F 21/6281   at program execution time, ...

G06F 2221/032   Protect output to user by s...

G06F 9/455   Emulation; Interpretation; ...

G06F 9/45533   Hypervisors; Virtual machin...

G06F 9/4555   Para-virtualisation, i.e. g...

G06F 9/45558   Hypervisor-specific managem...

G06F 9/5077   Logical partitioning of res...

H04L 69/00   Network arrangements, proto...

Systems and Methods Involving Features of Hardware Virtualization, Hypervisor, APIs of Interest, and/or Other Features

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

111 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and Methods Involving Features of Hardware Virtualization, Hypervisor, APIs of Interest, and/or Other Features

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

111 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links