Method and system for providing user space address protection from writable memory area in a virtual environment
Abstract
A method in one example implementation includes identifying an address space in a memory element of a system configured to operate in a virtual environment. The address space includes at least one system address, and the address space is provided to a virtual machine monitor. The method also includes generating a page table entry for the system address in a shadow page table stored in the virtual machine monitor in response to a guest operating system initiating a process. The page table entry is marked as a page not being present in order to trigger a page fault for a system address access from the guest operating system. In more specific embodiments, the method may include evaluating a page fault to determine access to the address space, where access to a writeable area of the memory element is denied.
17 Claims
1. A method, comprising:
- identifying an address space in a memory element of a system configured to operate in a virtual environment, wherein the address space includes at least one critical address in user space memory to be protected from unauthorized access, and wherein the critical address is provided to a virtual machine monitor via a hypercall from a privileged domain that manages the virtual machine monitor, and wherein the virtual machine monitor is configured to intercept a single step execution by a processor;
- generating a page table entry for the critical address in a shadow page table stored in the virtual machine monitor in response to a guest operating system initiating a process, wherein the page table entry is marked as a page not being present in order to trigger a page fault upon an attempt by the process to access the critical address from the guest operating system;
- intercepting the page fault; and
- evaluating the page fault to determine if the attempt to access the critical address is from a writable area of the memory element, wherein if the attempt to access is from a writable area of the memory element, the access is denied, such that an application executing the process can be prevented from executing.
(Dependent claims: 2, 3, 4, 5, 6)

7. Logic encoded in one or more tangible non-transitory computer readable storage media that includes code for execution and when executed by a processor is operable to perform operations comprising:
- identifying an address space in a memory element of a system configured to operate in a virtual environment, wherein the address space includes at least one critical address in user space memory to be protected from unauthorized access, and wherein the critical address is provided to a virtual machine monitor via a hypercall from a privileged domain that manages the virtual machine monitor, and wherein the virtual machine monitor is configured to intercept a single step execution by the processor;
- generating a page table entry for the critical address in a shadow page table stored in the virtual machine monitor in response to a guest operating system initiating a process, wherein the page table entry is marked as a page not being present in order to trigger a page fault upon an attempt by the process to access the critical address from the guest operating system;
- intercepting the page fault; and
- evaluating the page fault to determine if the attempt to access the critical address is from a writable area of the memory element, wherein if the attempt to access is from a writable area of the memory element, the access is denied, such that an application executing the process can be prevented from executing.
(Dependent claims: 8, 9, 10, 11, 12)

13. An apparatus, comprising:
- a virtual machine monitor;
- a memory element configured to store data; and
- a processor operable to execute instructions associated with the data, wherein the virtual machine monitor includes an address protection module configured to:
  - identify an address space in a memory element of a system configured to operate in a virtual environment, wherein the address space includes at least one critical address in user space memory to be protected from unauthorized access, and wherein the critical address is provided to the virtual machine monitor via a hypercall from a privileged domain that manages the virtual machine monitor, and wherein the virtual machine monitor is configured to intercept a single step execution by the processor;
  - generate a page table entry for the critical address in a shadow page table stored in the virtual machine monitor in response to a guest operating system initiating a process, wherein the page table entry is marked as a page not being present in order to trigger a page fault upon an attempt by the process to access the critical address from the guest operating system;
  - intercept the page fault; and
  - evaluate the page fault to determine if the attempt to access the critical address is from a writable area of the memory element, wherein if the attempt to access is from a writable area of the memory element, the access is denied, such that an application executing the process can be prevented from executing.
(Dependent claims: 14, 15, 16, 17)
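The flow the claims describe, as an added illustrative model in C (not the patent's or any hypervisor's code): a constructed guest memory map with per-region write permission, a shadow page table entry whose present bit the monitor controls, and the page-fault handler's decision. The region layout, the critical address and all function names are assumptions; the handler denies the access when the faulting instruction itself executes from a writable region, and otherwise maps the page for exactly one single-stepped instruction before hiding it again.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed guest memory map: each region carries a write permission. */
typedef struct { uint64_t start, end; bool writable; } region_t;
/* Shadow page table entry for one critical page; the monitor owns the present bit. */
typedef struct { uint64_t vaddr; bool present; } shadow_pte_t;
typedef enum { FAULT_PASSTHROUGH, ACCESS_ALLOWED, ACCESS_DENIED } verdict_t;
enum { PAGE_SHIFT = 12 };

static const region_t guest_map[] = {
    { 0x00400000u, 0x00500000u, false }, /* program text: read/execute only */
    { 0x00600000u, 0x00800000u, true  }, /* heap: writable */
    { 0x7ff00000u, 0x7ff10000u, true  }, /* stack: writable */
};

/* Constructed critical user-space address, standing in for the one the claim
 * registers with the monitor via a hypercall; starts out marked not present. */
shadow_pte_t critical = { 0x00480000u, false };

static const region_t *find_region(uint64_t addr) {
    for (size_t i = 0; i < sizeof guest_map / sizeof guest_map[0]; i++)
        if (addr >= guest_map[i].start && addr < guest_map[i].end)
            return &guest_map[i];
    return NULL;
}

/* An address in no known region is treated as not writable. */
bool is_writable(uint64_t addr) {
    const region_t *r = find_region(addr);
    return r != NULL && r->writable;
}

/* True when the fault address falls in the page the shadow PTE guards. */
bool pte_covers(const shadow_pte_t *pte, uint64_t fault_addr) {
    return (pte->vaddr >> PAGE_SHIFT) == (fault_addr >> PAGE_SHIFT);
}

/* Monitor's page-fault handler: rip is the faulting instruction's address,
 * addr the address it tried to touch. Only faults on the guarded page are ours. */
verdict_t handle_page_fault(shadow_pte_t *pte, uint64_t rip, uint64_t addr) {
    if (!pte_covers(pte, addr))
        return FAULT_PASSTHROUGH;   /* ordinary fault: hand it to the guest OS */
    if (is_writable(rip))
        return ACCESS_DENIED;       /* code executing from writable memory: refuse */
    pte->present = true;            /* map the page for exactly one instruction */
    return ACCESS_ALLOWED;
}

/* Single-step trap after the allowed instruction retires: hide the page again. */
void handle_single_step(shadow_pte_t *pte) { pte->present = false; }
```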