Method and system for providing user space address protection from writable memory area in a virtual environment

US 8,341,627 B2
Filed: 08/21/2009
Issued: 12/25/2012
Est. Priority Date: 08/21/2009
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

identifying an address space in a memory element of a system configured to operate in a virtual environment, wherein the address space includes at least one critical address in user space memory to be protected from unauthorized access, and wherein the critical address is provided to a virtual machine monitor via a hypercall from a privileged domain that manages the virtual machine monitor, and wherein the virtual machine monitor is configured to intercept a single step execution by a processor;

generating a page table entry for the critical address in a shadow page table stored in the virtual machine monitor in response to a guest operating system initiating a process, wherein the page table entry is marked as a page not being present in order to trigger a page fault upon an attempt by the process to access the critical address from the guest operating system;

intercepting the page fault; and

evaluating the page fault to determine if the attempt to access the critical address is from a writable area of the memory element, wherein if the attempt to access is from a writable area of the memory element, the access is denied, such that an application executing the process can be prevented from executing.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method in one example implementation includes identifying an address space in a memory element of a system configured to operate in a virtual environment. The address space includes at least one system address, and the address space is provided to a virtual machine monitor. The method also includes generating a page table entry for the system address in a shadow page table stored in the virtual machine monitor in response to a guest operating system initiating a process. The page table entry is marked as a page not being present in order to trigger a page fault for a system address access from the guest operating system. In more specific embodiments, the method may include evaluating a page fault to determine access to the address space, where access to a writeable area of the memory element is denied.

188 Citations

17 Claims

1. A method, comprising:
- identifying an address space in a memory element of a system configured to operate in a virtual environment, wherein the address space includes at least one critical address in user space memory to be protected from unauthorized access, and wherein the critical address is provided to a virtual machine monitor via a hypercall from a privileged domain that manages the virtual machine monitor, and wherein the virtual machine monitor is configured to intercept a single step execution by a processor;
  
  generating a page table entry for the critical address in a shadow page table stored in the virtual machine monitor in response to a guest operating system initiating a process, wherein the page table entry is marked as a page not being present in order to trigger a page fault upon an attempt by the process to access the critical address from the guest operating system;
  
  intercepting the page fault; and
  
  evaluating the page fault to determine if the attempt to access the critical address is from a writable area of the memory element, wherein if the attempt to access is from a writable area of the memory element, the access is denied, such that an application executing the process can be prevented from executing.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1,wherein if the attempt to access is from a non-writable area of the memory element, the access is allowed, the processor is put into a single step execution mode, and the page table entry is again marked as not present after the access is completed.
  - 3. The method of claim 1, further comprising:
    - maintaining the shadow page table for one or more guest operating systems; and
      
      updating the shadow page table as additional processes are initiated by the guest operating system.
  - 4. The method of claim 1, wherein when the guest operating system initiates the process, the critical address is converted to a physical address.
  - 5. The method of claim 1, further comprising:
    - intercepting a processor execution request from the guest operating system; and
      
      using a page fault handler to permit or deny access to the critical address.
  - 6. The method of claim 1, wherein a single step flag is marked in a processor flag for the processor to identify.

7. Logic encoded in one or more tangible non-transitory computer readable storage media that includes code for execution and when executed by a processor is operable to perform operations comprising:
- identifying an address space in a memory element of a system configured to operate in a virtual environment, wherein the address space includes at least one critical address in user space memory to be protected from unauthorized access, and wherein the critical address is provided to a virtual machine monitor via a hypercall from a privileged domain that manages the virtual machine monitor, and wherein the virtual machine monitor is configured to intercept a single step execution by the processor;
  
  generating a page table entry for the critical address in a shadow page table stored in the virtual machine monitor in response to a guest operating system initiating a process, wherein the page table entry is marked as a page not being present in order to trigger a page fault upon an attempt by the process to access the critical address from the guest operating system;
  
  intercepting the page fault; and
  
  evaluating the page fault to determine if the attempt to access the critical address is from a writable area of the memory element, wherein if the attempt to access is from a writable area of the memory element, the access is denied, such that an application executing the process can be prevented from executing.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The logic of claim 7,wherein if the attempt to access is from a non-writable area of the memory element, the access is allowed, the processor is put into a single step execution mode, and the page table entry is again marked as not present after the access is completed.
  - 9. The logic of claim 7, the processor being operable to perform operations comprising:
    - maintaining the shadow page table for one or more guest operating systems; and
      
      updating the shadow page table as additional processes are initiated by the guest operating system.
  - 10. The logic of claim 7, wherein when the guest operating system initiates the process, the critical address is converted to a physical address.
  - 11. The logic of claim 7, wherein a single step flag is marked in a processor flag for the processor to identify.
  - 12. The logic of claim 7, the processor being operable to perform operations comprising:
    - intercepting a processor execution request from the guest operating system; and
      
      using a page fault handler to permit or deny access to the critical address.

13. An apparatus, comprising:
- a virtual machine monitor;
  
  a memory element configured to store data; and
  
  a processor operable to execute instructions associated with the data, wherein the virtual machine monitor includes an address protection module configured to;
  
  identify an address space in a memory element of a system configured to operate in a virtual environment, wherein the address space includes at least one critical address in user space memory to be protected from unauthorized access, and wherein the critical address is provided to the virtual machine monitor via a hypercall from a privileged domain that manages the virtual machine monitor, and wherein the virtual machine monitor is configured to intercept a single step execution by the processor;
  
  generate a page table entry for the critical address in a shadow page table stored in the virtual machine monitor in response to a guest operating system initiating a process, wherein the page table entry is marked as a page not being present in order to trigger a page fault upon an attempt by the process to access the critical address from the guest operating system;
  
  intercept the page fault; and
  
  evaluate the page fault to determine if the attempt to access the critical address is from a writable area of the memory element, wherein if the attempt to access is from a writable area of the memory element, the access is denied, such that an application executing the process can be prevented from executing.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The apparatus of claim 13,wherein if the attempt to access is from a non-writable area of the memory element, the access is allowed, the processor is put into a single step execution mode, and the page table entry is again marked as not present after the access is completed.
  - 15. The apparatus of claim 13, wherein the virtual machine monitor is configured to:
    - maintain the shadow page table for one or more guest operating systems; and
      
      update the shadow page table as additional processes are initiated by the guest operating system.
  - 16. The apparatus of claim 13, wherein when the guest operating system initiates the process, the critical address is converted to a physical address.
  - 17. The apparatus of claim 13, further comprising:
    - a page fault handler, wherein a processor execution request is intercepted from the guest operating system and the page fault handler is configured to permit or deny access to the critical address.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Mohinder, Preet
Primary Examiner(s)
An, Meng
Assistant Examiner(s)
Zhao, Bing

Application Number

US12/545,745
Publication Number

US 20110047543A1
Time in Patent Office

1,222 Days
Field of Search

None
US Class Current

718/1
CPC Class Codes

G06F 12/145   the protection being virtua...

G06F 2009/45583   Memory management, e.g. acc...

G06F 2009/45587   Isolation or security of vi...

G06F 21/53   by executing in a restricte...

G06F 9/45558   Hypervisor-specific managem...

Method and system for providing user space address protection from writable memory area in a virtual environment

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

188 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for providing user space address protection from writable memory area in a virtual environment

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

188 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links