Monitoring a target agent execution pattern on a VT-enabled system

US 7,802,050 B2
Filed: 09/29/2006
Issued: 09/21/2010
Est. Priority Date: 09/29/2006
Status: Expired due to Fees

First Claim

Patent Images

1. A method comprising:

receiving, by a virtual machine manager of a physical device, an integrity manifest of a target process of a virtual machine of the physical device, the integrity manifest describing a statistical execution profile of the target process identifying virtual addresses the target process is expected to reference;

observing, by the virtual machine manager, execution of the target process of the virtual machine, including virtual addresses of the virtual machine referenced by the target process during the execution;

comparing, by the virtual machine manager, the observed virtual address references with the expected virtual address references identified by the integrity manifest;

determining, by the virtual machine manager, whether the target process is compromised based at least in part on said comparing; and

issuing, by the virtual machine manager, an alert in response to a determination that the target process is compromised.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, apparatuses, articles, and systems for observing, by a virtual machine manager of a physical device, execution of a target process of a virtual machine of the physical device, including virtual addresses of the virtual machine referenced during the execution, are described herein. The virtual machine manager further determines whether the target process is executing in an expected manner based at least in part on the observed virtual address references and expected virtual address references.

97 Citations

View as Search Results

29 Claims

1. A method comprising:
- receiving, by a virtual machine manager of a physical device, an integrity manifest of a target process of a virtual machine of the physical device, the integrity manifest describing a statistical execution profile of the target process identifying virtual addresses the target process is expected to reference;
  
  observing, by the virtual machine manager, execution of the target process of the virtual machine, including virtual addresses of the virtual machine referenced by the target process during the execution;
  
  comparing, by the virtual machine manager, the observed virtual address references with the expected virtual address references identified by the integrity manifest;
  
  determining, by the virtual machine manager, whether the target process is compromised based at least in part on said comparing; and
  
  issuing, by the virtual machine manager, an alert in response to a determination that the target process is compromised.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein the observing is performed by a memory manager of the virtual machine manager, and the method further comprises modifying by the memory manager active page tables of the virtual machine manager, so that said references to virtual addresses are trapped for processing by the memory manager.
  - 3. The method of claim 2, wherein said modifying, by the memory manager, comprises modifying the active page tables of the virtual machine manager so that said references to virtual addresses cause page faults to the memory manager.
  - 4. The method of claim 1, wherein the observing is performed by a memory manager of the virtual machine manager, and the method further comprises modifying by the memory manager nested and extended page tables of the virtual machine manager, so that said references to virtual addresses are trapped for processing by the memory manager.
  - 5. The method of claim 1, wherein the observing is performed by a code instrumentation engine of the virtual memory manager, and the method further comprises modifying the target process, by the code instrumentation engine, so that said references to the virtual addresses are trapped for processing by the code instrumentation engine.
  - 6. The method of claim 5, wherein the modification comprises modifying the target process to call the code instrumentation engine when the virtual addresses are to be referenced, and the method further comprisesfirst, on trapping of a reference, restoring, by the code instrumentation engine, replaced instructions of the target process to enable an original function to be executed,second, on trapping of a reference, notifying, by the code instrumentation engine, a verification engine of the trapping, the verification engine noting the reference to the virtual address, andthird, on execution, re-modifying, by the code instrumentation engine, the instruction to enable future reference to the virtual address to be trapped to the code instrumentation engine again.
  - 7. The method of claim 1, wherein the virtual addresses are memory mapped to a computing device register.
  - 8. The method of claim 1, further comprising additionally observing a type of memory access for at least one of the observed virtual address references.
  - 9. The method of claim 1, wherein the target process is an intrusion detection process for protecting the physical device from intrusions of viruses or worms.
  - 10. The method of claim 1, wherein said observing further comprises monitoring at least one of interdependencies and call and return points of the target process and another process virtually referenced by the target process.
  - 11. The method of claim 1, further comprising comparing, by the virtual machine manager, the target process as described in the integrity manifest with the target process loaded in memory.
  - 12. The method of claim 1, wherein the integrity manifest further describes frequencies with which the target process is expected to reference the identified virtual addresses.
  - 13. The method of claim 1, wherein the integrity manifest may include a histogram representing how frequently the target process is expected to reference the identified virtual addresses.

14. A method comprising:
- receiving, by a virtual machine manager of a physical device, an integrity manifest of a target process of a virtual machine of the physical device, the integrity manifest describing a statistical execution profile of the target process identifying virtual address the target process is expected to reference;
  
  observing, by the virtual machine manager, execution of the target process of the virtual machine, including virtual addresses of the virtual machine referenced during the execution;
  
  comparing, by a verification engine, reference statistics of various virtual addresses to corresponding threshold metrics;
  
  determining, by the virtual machine manager, whether the target process is compromised based at least in part on the observed virtual address references and expected virtual address references; and
  
  issuing, by the virtual machine manager, an alert in response to a determination that the target process is compromised.

15. A physical device comprising:
- one or more processors; and
  
  a virtual machine manager operated by the one or more processors and adapted to receive an integrity manifest of a target process describing a statistical execution profile of the target process identifying virtual addresses the target process is expected to reference, observe execution of the target process of a virtual machine of the physical device, including observation of virtual addresses of the virtual machine referenced during the execution, determine whether the target process is compromised based at least in part on the observed virtual address references and expected virtual address references, and to issue an alert in response to a determination that the target process is compromised, the virtual machine manager including a memory manager adapted to perform said observing, including modification of active page tables so that references to virtual addresses are trapped for processing by the memory manager; and
  
  wherein the virtual machine manager further comprises a verification engine adapted to perform said determining by comparing the observed virtual address references with the expected virtual address references and to generate reference statistics based on the comparison.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The physical device of claim 15, wherein the virtual machine and the virtual machine manager are operated by the same processor.
  - 17. The physical device of claim 15, wherein said memory manager is adapted to modify the active page tables of the virtual machine manger so that said references to virtual addresses cause page faults to the memory manager.
  - 18. The physical device of claim 15, wherein the virtual machine manager further includes an integrity management module adapted to verify the integrity of the target process using the integrity manifest, wherein the integrity manifest further describes the target process as it is loaded in memory of the physical device.
  - 19. The physical device of claim 15, wherein the verification engine is further adapted to compare the reference statistics of various virtual addresses to corresponding threshold metrics.
  - 20. The physical device of claim 15, wherein the target process is an intrusion detection process.

21. An article of manufacture comprising:
- a non-transitory tangible computer-readable storage medium; and
  
  a plurality of programming instructions stored thereon designed to program a physical device to provide a virtual machine manager including a code instrumentation engine to the physical device, to enable the physical device toreceive, by the virtual machine manager, an integrity manifest of a target process of a virtual machine of the physical device, the integrity manifest describing a statistical execution profile of the target process identifying virtual addresses the target process is expected to reference,modify, using the code instrumentation engine, the target process of the virtual machine of the physical device, so that said references to virtual addresses of the virtual machine are trapped for processing by the code instrumentation engine,observe, using the code instrumentation engine of the virtual machine manager of the physical device, execution of the target process, including virtual addresses of the virtual machine referenced during the execution,compare, by the virtual machine manager, the observed virtual address references with the expected virtual address references,determine, by the virtual machine manager, whether the target process is compromised based at least in part on the observed virtual address references and expected virtual address references, andissue, by the virtual machine manager, an alert in response to a determination that the target process is compromised.
- View Dependent Claims (22)
- - 22. The article of claim 21, wherein the plurality of programming instructions are further designed to provide the virtual machine manager with a verification engine, enabling the physical device to further perform the determining by the verification engine comparing reference statistics of various virtual addresses to corresponding threshold metrics.

23. An article of manufacture comprising:
- a non-transitory computer-readable storage medium; and
  
  a plurality of programming instructions stored thereon designed to program a physical device to provide a virtual machine manager including a code instrumentation engine to the physical device, to enable the physical device tomodify, using the code instrumentation engine, a target process of a virtual machine of the physical device, so that said references to virtual addresses of the virtual machine are trapped for processing by the code instrumentation engine,observe, using the code instrumentation engine of the virtual machine manager of the physical device, execution of the target process, including virtual addresses of the virtual machine referenced during the execution, anddetermine, by the virtual machine manager, whether the target process is executing in an expected manner based at least in part on the observed virtual address references and expected virtual address references; and
  
  modify the target process, using the code instrumentation engine, so the target process calls the code instrumentation engine when the virtual addresses are to be referenced, andrestore the target process on trapping of a reference, using the code instrumentation engine, replacing instructions of the target process to enable an original function to be executed, and to re-modify the process on execution, to enable future reference to the virtual address to be trapped to the code instrumentation engine again.
- View Dependent Claims (24, 25)
- - 24. The article of claim 23, wherein the programming instructions are further adapted to provide the virtual machine manager with a verification engine, and to provide the code instrumentation engine adapted to notify the verification engine, on trapping of a reference, with the verification engine noting the reference to the virtual address.
  - 25. The article of claim 23, wherein the target process is an intrusion detection process.

26. A system comprising:
- one or more processors;
  
  volatile memory coupled to the one or more processors, and capable of storing observed virtual addresses referenced during execution of a target process of a virtual machine of the system and expected virtual address references for comparison; and
  
  a mass storage coupled to the one or more processors, and having stored therein instructions implementing a virtual machine manager operated by one of the one or more processors and adapted toreceive, by the virtual machine manager, an integrity manifest of the target process describing a statistical execution profile of the target process identifying virtual addresses the target process is expected to reference;
  
  observe, by the virtual machine manager, the execution of the target process, including the virtual addresses referenced during the execution;
  
  compare, by a verification engine, the observed virtual addresss references with the expected virtual address references;
  
  generate, by the virtual machine manager, reference statistics based on the comparison;
  
  determine, by the virtual machine manager, whether the target process is compromised based at least in part on the observed virtual address references and expected virtual address references; and
  
  issue, by the virtual machine manager, an alert in response to a determination that the target process is compromised.
- View Dependent Claims (27, 28, 29)
- - 27. The system of claim 26, wherein the virtual machine manager further comprises a memory manager adapted to perform said observing and to modify active page tables of the virtual machine manger so that said references to virtual addresses cause page faults to the memory manager.
  - 28. The system of claim 26, wherein the virtual machine manager further comprises an integrity management module, the integrity measurement module adapted to verify the integrity of the target process using the integrity manifest, wherein the integrity manifest further describes the target process as it is loaded in the mass storage.
  - 29. The system of claim 26, wherein the target process is an intrusion detection process.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Savagaonkar, Uday, Sahita, Ravi, Durham, David
Primary Examiner(s)
Tran; Denise

Application Number

US11/541,474
Publication Number

US 20080082722A1
Time in Patent Office

1,453 Days
Field of Search

None
US Class Current

711/6
CPC Class Codes

G06F 21/56 Computer malware detection ...

G06F 21/57 Certifying or maintaining t...

Monitoring a target agent execution pattern on a VT-enabled system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

97 Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Monitoring a target agent execution pattern on a VT-enabled system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

97 Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links