Systems and Methods Involving Features of Hardware Virtualization, Hypervisor, APIs of Interest, and/or Other Features
First Claim
1. A method for processing information securely, the method comprising:
- partitioning hardware platform resources via a separation kernel hypervisor into a plurality of guest operating system virtual machine protection domains;
providing a dedicated virtualization assistance layer (VAL) including a virtual representation of the hardware platform that is a virtual machine in each of the guest operating system virtual machine protection domains such that the dedicated VAL security processing is not performed in the separation kernel hypervisor;
processing the virtual machine via another guest;
hosting at least one detection mechanism that executes within the virtual hardware platform in each of the plurality of guest operating system virtual machine protection domains via the separation kernel hypervisor;
upon detection of suspect behavior, securely transitioning execution to the detection mechanism within the VAL in a manner isolated from the guest operating system;
securely determining, via the detection mechanism, a policy decision regarding the suspect behavior; and
transitioning execution back to the separation kernel hypervisor to continue processing regarding enforcement of or taking action in connection with the policy decision.
2 Assignments
0 Petitions
Accused Products
Abstract
Systems, methods, computer readable media and articles of manufacture consistent with innovations herein are directed to computer virtualization, computer security and/or memory access. According to some illustrative implementations, innovations herein may utilize and/or involve a separation kernel hypervisor which may include the use of a guest operating system virtual machine protection domain, a virtualization assistance layer, and/or a detection mechanism (which may be proximate in temporal and/or spatial locality to malicious code, but isolated from it), inter alia, for detection and/or notification of, and action by a monitoring guest upon access by a monitored guest to predetermined physical memory locations.
111 Citations
25 Claims
-
1. A method for processing information securely, the method comprising:
-
partitioning hardware platform resources via a separation kernel hypervisor into a plurality of guest operating system virtual machine protection domains; providing a dedicated virtualization assistance layer (VAL) including a virtual representation of the hardware platform that is a virtual machine in each of the guest operating system virtual machine protection domains such that the dedicated VAL security processing is not performed in the separation kernel hypervisor; processing the virtual machine via another guest; hosting at least one detection mechanism that executes within the virtual hardware platform in each of the plurality of guest operating system virtual machine protection domains via the separation kernel hypervisor; upon detection of suspect behavior, securely transitioning execution to the detection mechanism within the VAL in a manner isolated from the guest operating system; securely determining, via the detection mechanism, a policy decision regarding the suspect behavior; and transitioning execution back to the separation kernel hypervisor to continue processing regarding enforcement of or taking action in connection with the policy decision. - View Dependent Claims (2, 3, 4, 7, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
-
-
5. A method for processing information securely, the method comprising:
-
partitioning hardware platform resources via a separation kernel hypervisor into a plurality of guest operating system virtual machine protection domains each including a virtual machine; and isolating and/or securing the domains in time and/or space from each other. - View Dependent Claims (6, 8, 9)
-
-
21. A method for processing information securely, the method comprising:
-
partitioning hardware platform resources via a separation kernel hypervisor into a plurality of guest operating system virtual machine protection domains; isolating the domains in time and space from each other; providing a list of memory locations of an authorized guest to another guest; associating each of a plurality of physical memory locations with a respective specification of execution context information upon access to the each of the plurality of physical memory locations; providing a message of the specification to the another guest; and providing a virtualization assistance layer (VAL) including a virtual representation of the hardware platform in each of the guest operating system virtual machine protection domains such that the VAL is not directly accessible by the authorized guest. - View Dependent Claims (22, 23, 24)
-
-
25-59. -59. (canceled)
Specification