Using a hypervisor to provide computer security
First Claim
1. A system for providing security in a computer having a virtual machine controlled by a hypervisor, the virtual machine having an operating system with an operating system kernel and an operating system protection module that detects modifications to the operating system kernel, the system comprising:
a computer processor; and
a non-transitory computer-readable storage medium storing computer program modules configured to execute on the computer processor, the computer program modules comprising:
a security initialization module for modifying the operating system kernel of the virtual machine to pass execution from the virtual machine to the hypervisor responsive to a system call issued by a process executing within the virtual machine, wherein modifying the operating system kernel comprises:
setting a breakpoint in the operating system kernel to cause an interrupt upon the system call being issued by the process; and setting an exception bitmap in the virtual machine to pass execution from the virtual machine to the hypervisor responsive to the interrupt;
a disabling module for setting a state in the virtual machine to pass control to the hypervisor during execution of the operating system protection module and for altering functioning of the operating system protection module to prevent the operating system protection module from detecting the modification of the operating system kernel; and
a security module activated responsive to execution being passed to the hypervisor due to the modification by the security initialization module and for analyzing the process to determine whether the process poses a security threat.
Abstract
A computer includes a virtual machine controlled by a hypervisor. The virtual machine runs a virtualized operating system with running processes. A security initialization module sets the state in the virtual machine to pass execution from the virtual machine to the hypervisor responsive to a process making a system call in the virtualized operating system. Responsive to execution being passed from the virtual machine to the hypervisor, a security module analyzes the process making the system call to determine whether it poses a security threat. If a security threat is found, the security module takes remedial action to address the threat.
12 Claims
5. A computer program product having a non-transitory computer-readable medium having computer program instructions recorded thereon for providing security in a computer having a virtual machine controlled by a hypervisor, the virtual machine having an operating system with an operating system kernel and an operating system protection module that detects modifications to the operating system kernel, the computer program product comprising:
a security initialization module for modifying the operating system kernel of the virtual machine to pass execution from the virtual machine to the hypervisor responsive to a system call issued by a process executing within the virtual machine, wherein modifying the operating system kernel comprises:
setting a breakpoint in the operating system kernel to cause an interrupt upon the system call being issued by the process; and setting an exception bitmap in the virtual machine to pass execution from the virtual machine to the hypervisor responsive to the interrupt;
a disabling module for setting a state in the virtual machine to pass control to the hypervisor during execution of the operating system protection module and for altering functioning of the operating system protection module to prevent the operating system protection module from detecting the modification of the operating system kernel; and
a security module activated responsive to execution being passed to the hypervisor due to the modification by the security initialization module and for analyzing the process to determine whether the process poses a security threat.
9. A computer-implemented method of providing security in a computer having a virtual machine controlled by a hypervisor, the virtual machine having an operating system with an operating system kernel and an operating system protection module that detects modifications to the operating system kernel, the method comprising:
modifying an operating system kernel of the virtual machine to pass execution from the virtual machine to the hypervisor responsive to a system call issued by a process executing within the virtual machine, wherein modifying the operating system kernel comprises:
setting a breakpoint in the operating system kernel to cause an interrupt upon the system call being issued by the process; and setting an exception bitmap in the virtual machine to pass execution from the virtual machine to the hypervisor responsive to the interrupt;
setting a state in the virtual machine to pass control to the hypervisor during execution of the operating system protection module;
responsive to control being passed to the hypervisor due to the state set, altering function of the operating system protection module to prevent the operating system protection module from detecting the modification of the operating system kernel; and
responsive to execution being passed to the hypervisor due to the modification of the operating system kernel, analyzing the process to determine whether the process is a security threat.
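The interception path shared by claims 1, 5 and 9 (breakpoint in the guest kernel, exception bitmap entry, VM exit, analysis by the security module, resume) as an added toy model; this is not code from the patent or its assignee. The guest kernel image, the single-field "VMCS", the `guest_ctx` layout and the writable-code-page policy are all constructed for the example, and the disabling-module step is not modelled.

```c
/* Added toy model of the claimed mechanism, not code from the patent: the guest kernel is
 * a constructed byte array and the "VMCS" holds only an exception bitmap (no real VMX). */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#define INT3          0xCC  /* x86 one-byte software breakpoint opcode, raises #BP */
#define VEC_BP        3     /* exception vector of #BP */
#define SYSCALL_ENTRY 0x40  /* constructed offset of the guest's system-call handler */
static uint8_t guest_kernel[256] = { [SYSCALL_ENTRY] = 0x48 };  /* constructed image */
static struct { uint32_t exception_bitmap; } vmcs;  /* bit N set => exception N exits */
static uint8_t saved_byte;                           /* original instruction byte */

/* Constructed guest state the hypervisor reads after the VM exit. */
struct guest_ctx { uint32_t pid; uint32_t syscall_nr; bool caller_page_writable; };

/* Security initialization module: plant the breakpoint in the guest kernel and set the
 * exception bitmap so the resulting #BP leaves the guest instead of hitting its IDT. */
void security_init(void) {
    saved_byte = guest_kernel[SYSCALL_ENTRY];
    guest_kernel[SYSCALL_ENTRY] = INT3;
    vmcs.exception_bitmap |= 1u << VEC_BP;
}

/* Guest exception delivery: true if the vector is intercepted (VM exit); false means the
 * guest's own handler runs and the hypervisor never sees the system call. */
bool exception_exits_to_hypervisor(uint32_t vector) {
    return vector < 32 && (vmcs.exception_bitmap & (1u << vector)) != 0;
}

/* Security module; constructed policy: a system call from a writable code page is a threat. */
bool security_analyze(const struct guest_ctx *g) { return g->caller_page_writable; }
/* Hypervisor side of one system call. Returns 1 = flagged, 0 = clean, -1 = the #BP was
 * not intercepted (bitmap bit clear), so the security module never ran. */
int hypervisor_on_syscall(const struct guest_ctx *g) {
    if (!exception_exits_to_hypervisor(VEC_BP)) return -1;
    int verdict = security_analyze(g) ? 1 : 0;
    /* Resume: put the original byte back so the real entry instruction executes
     * (a VMM would single-step it here), then re-arm the breakpoint. */
    guest_kernel[SYSCALL_ENTRY] = saved_byte;
    guest_kernel[SYSCALL_ENTRY] = INT3;
    return verdict;
}

uint8_t guest_byte_at(uint32_t off) { return guest_kernel[off]; }
int main(void) {
    struct guest_ctx p = { .pid = 1234, .syscall_nr = 59, .caller_page_writable = true };
    printf("before init: %d\n", hypervisor_on_syscall(&p));  /* -1: trap stays in guest */
    security_init();
    printf("after init:  %d\n", hypervisor_on_syscall(&p));  /* 1: flagged */
    return 0;
}
```

The -1 case is the check worth keeping in mind: planting the breakpoint without the matching exception bitmap bit leaves the #BP inside the guest, where the kernel's own handler (and its protection module) sees it and the hypervisor learns nothing.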