SECURING CODE LOADING IN A VIRTUAL ENVIRONMENT

US 20170242719A1
Filed: 02/23/2016
Published: 08/24/2017
Est. Priority Date: 02/23/2016
Status: Active Grant

First Claim

Patent Images

1. A method for code loading, the method comprising:

providing, by a hypervisor, a virtual machine that includes a guest operating system;

sending, by the guest operating system, one or more symbol entries, a signed code module and one or more relocation entries corresponding to the signed code module;

receiving, at the hypervisor, the one or more symbol entries, the signed code module and the one or more relocation entries;

verifying, by the hypervisor, the signed code module;

applying, using the one or more symbol entries, one or more relocations of the one or more relocation entries to the signed code module; and

after verifying the signed code module, allowing the guest operating system to execute the signed code module.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and computer program products are included for loading a code module. A method includes providing, by a hypervisor, a virtual machine that includes a guest operating system. The code module and a signature corresponding to the code module are sent by the guest operating system to the hypervisor. One or more relocations are applied to the code module. The hypervisor verifies the signature corresponding to the code module. After verifying the signature, the hypervisor allows the guest operating system to execute the code module.

Citations

20 Claims

1. A method for code loading, the method comprising:
- providing, by a hypervisor, a virtual machine that includes a guest operating system;
  
  sending, by the guest operating system, one or more symbol entries, a signed code module and one or more relocation entries corresponding to the signed code module;
  
  receiving, at the hypervisor, the one or more symbol entries, the signed code module and the one or more relocation entries;
  
  verifying, by the hypervisor, the signed code module;
  
  applying, using the one or more symbol entries, one or more relocations of the one or more relocation entries to the signed code module; and
  
  after verifying the signed code module, allowing the guest operating system to execute the signed code module.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein receiving the signed code module comprises:
    - receiving an address that references a location of the signed code module.
  - 3. The method of claim 1, wherein receiving the signed code module comprises:
    - copying the signed code module from a first location to a second memory location.
  - 4. The method of claim 1, wherein the signed code module comprises a code module and a signature corresponding to the code module.
  - 5. The method of claim 4, wherein the signature is generated based on an input of the code module and an encryption key into a signature generation module, wherein the encryption key is a member of a key pair with a decryption key.
  - 6. The method of claim 5, wherein the decryption key and the one or more symbol entries are provided to the hypervisor by the guest operating system during a boot sequence of the guest operating system, and wherein after the boot sequence is completed the decryption key and the one or more symbol entries are protected from modification until a next boot sequence of the guest operating system.
  - 7. The method of claim 1, wherein the hypervisor stores the signed code module in one or more memory pages that are non-writable by the guest operating system.
  - 8. The method of claim 1, wherein allowing the guest operating system to execute the signed code module comprises:
    - marking, by the hypervisor, one or more memory pages corresponding to the signed code module as executable.
  - 9. The method of claim 1, wherein allowing the guest operating system to execute the signed code module comprises:
    - copying, by the hypervisor, the signed code module to one or more memory pages that are executable by the guest operating system.
  - 10. The method of claim 1, wherein the guest operating system comprises a kernel.
  - 11. The method of claim 1, further comprising:
    - receiving, at the hypervisor, a symbol entry from the guest operating system;
      
      matching a symbol string corresponding to the symbol entry with one or more symbol strings of the one or more symbol entries; and
      
      based on the matching, rejecting the symbol entry.
  - 12. The method of claim 1, further comprising:
    - receiving, at the hypervisor, a symbol entry from the guest operating system;
      
      determining that a symbol string corresponding to the symbol entry does not match any symbol strings of the one or more symbol entries; and
      
      based on the determining, accepting the symbol entry.
  - 13. The method of claim 1, wherein the guest operating system applies the one or more relocations to the signed code module,wherein the one or more relocations are applied prior to verifying the signed code module, andwherein verifying the signed code module comprises:
    - copying the signed code module;
      
      reversing the applying of the one or more relocations from the copy of the signed code module; and
      
      verifying the copy of the signed code module.
  - 14. The method of claim 1, wherein applying the one or more relocations to the signed code module is performed by the hypervisor, and wherein applying the one or more relocations is performed after verifying the signed code module.

15. A non-transitory machine-readable medium having stored thereon machine-readable instructions executable to cause a machine to perform operations comprising:
- providing, by a hypervisor, a virtual machine that includes a guest operating system;
  
  communicating, from the guest operating system to the hypervisor, a code module, a signature corresponding to the code module, a decryption key, and a symbol entry;
  
  verifying, by the hypervisor, the code module;
  
  after verifying the code module, applying a relocation to the code module, wherein the relocation is at least partly based on an address provided by the symbol entry; and
  
  after applying the relocation, allowing the guest operating system to execute the code module.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The non-transitory machine-readable medium of claim 15, wherein the signature is generated based on an input of the code module and an encryption key into a signature generation module, and wherein the encryption key is a member of a key pair with the decryption key.
  - 17. The non-transitory machine-readable medium of claim 15, wherein the decryption key is received from the guest operating system during a boot sequence of the guest operating system, and wherein after the boot sequence is completed the decryption key is protected from modification until a next boot sequence of the guest operating system.
  - 18. The non-transitory machine-readable medium of claim 15, wherein applying the relocation comprises:
    - incrementing an offset provided by a relocation entry of the code module, wherein the offset is incremented by the address provided by the symbol entry.
  - 19. The non-transitory machine-readable medium of claim 15, wherein the verifying comprises:
    - decrypting the signature using the decryption key to generate a decrypted signature; and
      
      matching the decrypted signature with the code module.

20. A code loading system comprising:
- a non-transitory computer readable medium that stores a signed code module;
  
  a processor that executes a hypervisor to provide a virtual machine that includes a guest operating system;
  
  the guest operating system to send, to the hypervisor, one or more symbol entries, the signed code module, a key corresponding to the signed code module, and one or more relocation entries corresponding to the signed code module;
  
  the hypervisor to;
  
  receive the one or more symbol entries, the signed code module, the key, and the one or more relocation entries;
  
  verify, using the key, the signed code module;
  
  after verifying the signed code module, apply a relocation to the signed code module, wherein the relocation corresponds at least in part to an address provided by the one or more symbol entries; and
  
  after applying the relocation, provide the guest operating system with access to execute the code module.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Red Hat Israel Ltd. (International Business Machines Corporation)
Original Assignee
Red Hat Israel Ltd. (International Business Machines Corporation)
Inventors
Tsirkin, Michael, Bonzini, Paolo

Granted Patent

US 9,898,326 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 2009/45583   Memory management, e.g. acc...

G06F 2009/45587   Isolation or security of vi...

G06F 21/51   at application loading time...

G06F 21/602   Providing cryptographic fac...

G06F 9/4403   Processor initialisation

G06F 9/45558   Hypervisor-specific managem...

SECURING CODE LOADING IN A VIRTUAL ENVIRONMENT

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SECURING CODE LOADING IN A VIRTUAL ENVIRONMENT

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links