Monitoring a target agent execution pattern on a VT-enabled system
First Claim
Patent Images
1. A method comprising:
- receiving, by a virtual machine manager of a physical device, an integrity manifest of a target process of a virtual machine of the physical device, the integrity manifest describing a statistical execution profile of the target process identifying virtual addresses the target process is expected to reference;
observing, by the virtual machine manager, execution of the target process of the virtual machine, including virtual addresses of the virtual machine referenced by the target process during the execution;
comparing, by the virtual machine manager, the observed virtual address references with the expected virtual address references identified by the integrity manifest;
determining, by the virtual machine manager, whether the target process is compromised based at least in part on said comparing; and
issuing, by the virtual machine manager, an alert in response to a determination that the target process is compromised.
1 Assignment
0 Petitions
Accused Products
Abstract
Methods, apparatuses, articles, and systems for observing, by a virtual machine manager of a physical device, execution of a target process of a virtual machine of the physical device, including virtual addresses of the virtual machine referenced during the execution, are described herein. The virtual machine manager further determines whether the target process is executing in an expected manner based at least in part on the observed virtual address references and expected virtual address references.
97 Citations
29 Claims
-
1. A method comprising:
-
receiving, by a virtual machine manager of a physical device, an integrity manifest of a target process of a virtual machine of the physical device, the integrity manifest describing a statistical execution profile of the target process identifying virtual addresses the target process is expected to reference; observing, by the virtual machine manager, execution of the target process of the virtual machine, including virtual addresses of the virtual machine referenced by the target process during the execution; comparing, by the virtual machine manager, the observed virtual address references with the expected virtual address references identified by the integrity manifest; determining, by the virtual machine manager, whether the target process is compromised based at least in part on said comparing; and issuing, by the virtual machine manager, an alert in response to a determination that the target process is compromised. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
-
-
14. A method comprising:
-
receiving, by a virtual machine manager of a physical device, an integrity manifest of a target process of a virtual machine of the physical device, the integrity manifest describing a statistical execution profile of the target process identifying virtual address the target process is expected to reference; observing, by the virtual machine manager, execution of the target process of the virtual machine, including virtual addresses of the virtual machine referenced during the execution; comparing, by a verification engine, reference statistics of various virtual addresses to corresponding threshold metrics; determining, by the virtual machine manager, whether the target process is compromised based at least in part on the observed virtual address references and expected virtual address references; and issuing, by the virtual machine manager, an alert in response to a determination that the target process is compromised.
-
-
15. A physical device comprising:
-
one or more processors; and a virtual machine manager operated by the one or more processors and adapted to receive an integrity manifest of a target process describing a statistical execution profile of the target process identifying virtual addresses the target process is expected to reference, observe execution of the target process of a virtual machine of the physical device, including observation of virtual addresses of the virtual machine referenced during the execution, determine whether the target process is compromised based at least in part on the observed virtual address references and expected virtual address references, and to issue an alert in response to a determination that the target process is compromised, the virtual machine manager including a memory manager adapted to perform said observing, including modification of active page tables so that references to virtual addresses are trapped for processing by the memory manager; and wherein the virtual machine manager further comprises a verification engine adapted to perform said determining by comparing the observed virtual address references with the expected virtual address references and to generate reference statistics based on the comparison. - View Dependent Claims (16, 17, 18, 19, 20)
-
-
21. An article of manufacture comprising:
-
a non-transitory tangible computer-readable storage medium; and a plurality of programming instructions stored thereon designed to program a physical device to provide a virtual machine manager including a code instrumentation engine to the physical device, to enable the physical device to receive, by the virtual machine manager, an integrity manifest of a target process of a virtual machine of the physical device, the integrity manifest describing a statistical execution profile of the target process identifying virtual addresses the target process is expected to reference, modify, using the code instrumentation engine, the target process of the virtual machine of the physical device, so that said references to virtual addresses of the virtual machine are trapped for processing by the code instrumentation engine, observe, using the code instrumentation engine of the virtual machine manager of the physical device, execution of the target process, including virtual addresses of the virtual machine referenced during the execution, compare, by the virtual machine manager, the observed virtual address references with the expected virtual address references, determine, by the virtual machine manager, whether the target process is compromised based at least in part on the observed virtual address references and expected virtual address references, and issue, by the virtual machine manager, an alert in response to a determination that the target process is compromised. - View Dependent Claims (22)
-
-
23. An article of manufacture comprising:
-
a non-transitory computer-readable storage medium; and a plurality of programming instructions stored thereon designed to program a physical device to provide a virtual machine manager including a code instrumentation engine to the physical device, to enable the physical device to modify, using the code instrumentation engine, a target process of a virtual machine of the physical device, so that said references to virtual addresses of the virtual machine are trapped for processing by the code instrumentation engine, observe, using the code instrumentation engine of the virtual machine manager of the physical device, execution of the target process, including virtual addresses of the virtual machine referenced during the execution, and determine, by the virtual machine manager, whether the target process is executing in an expected manner based at least in part on the observed virtual address references and expected virtual address references; and modify the target process, using the code instrumentation engine, so the target process calls the code instrumentation engine when the virtual addresses are to be referenced, and restore the target process on trapping of a reference, using the code instrumentation engine, replacing instructions of the target process to enable an original function to be executed, and to re-modify the process on execution, to enable future reference to the virtual address to be trapped to the code instrumentation engine again. - View Dependent Claims (24, 25)
-
-
26. A system comprising:
-
one or more processors; volatile memory coupled to the one or more processors, and capable of storing observed virtual addresses referenced during execution of a target process of a virtual machine of the system and expected virtual address references for comparison; and a mass storage coupled to the one or more processors, and having stored therein instructions implementing a virtual machine manager operated by one of the one or more processors and adapted to receive, by the virtual machine manager, an integrity manifest of the target process describing a statistical execution profile of the target process identifying virtual addresses the target process is expected to reference; observe, by the virtual machine manager, the execution of the target process, including the virtual addresses referenced during the execution; compare, by a verification engine, the observed virtual addresss references with the expected virtual address references; generate, by the virtual machine manager, reference statistics based on the comparison; determine, by the virtual machine manager, whether the target process is compromised based at least in part on the observed virtual address references and expected virtual address references; and issue, by the virtual machine manager, an alert in response to a determination that the target process is compromised. - View Dependent Claims (27, 28, 29)
-
Specification