System and method for kernel rootkit protection in a hypervisor environment

US 8,973,144 B2
Filed: 10/13/2011
Issued: 03/03/2015
Est. Priority Date: 10/13/2011
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

creating a soft whitelist having an entry corresponding to a first guest kernel page in a guest operating system (OS) in a hypervisor environment comprising a hypervisor;

receiving an access attempt to a second guest kernel page;

generating a page fault when the access attempt is made to the second guest kernel page;

determining whether the second guest kernel page corresponds to the entry in the soft whitelist;

fixing the page fault to allow an access and execution of the second guest kernel page if the second guest kernel page corresponds to the entry in the soft whitelist; and

denying an execution of the second guest kernel page if the second guest kernel page does not correspond to the entry in the soft whitelist.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method includes creating a soft whitelist having an entry corresponding to a first guest kernel page in a guest operating system (OS) in a hypervisor environment including a hypervisor. The method also includes receiving an access attempt to a second guest kernel page, and generating a page fault when the access attempt is made to the second guest kernel page. In addition, the method includes determining that the second guest kernel page does not correspond to the entry in the soft whitelist, and denying an execution of the second guest kernel page if the second guest kernel page does not correspond to the entry in the soft whitelist.

290 Citations

20 Claims

1. A method, comprising:
- creating a soft whitelist having an entry corresponding to a first guest kernel page in a guest operating system (OS) in a hypervisor environment comprising a hypervisor;
  
  receiving an access attempt to a second guest kernel page;
  
  generating a page fault when the access attempt is made to the second guest kernel page;
  
  determining whether the second guest kernel page corresponds to the entry in the soft whitelist;
  
  fixing the page fault to allow an access and execution of the second guest kernel page if the second guest kernel page corresponds to the entry in the soft whitelist; and
  
  denying an execution of the second guest kernel page if the second guest kernel page does not correspond to the entry in the soft whitelist.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising:
    - marking the first guest kernel page as read-only and executable if the page fault is an instruction page fault and the second guest kernel page corresponds to the entry in the soft whitelist.
  - 3. The method of claim 1, further comprising:
    - if the page fault is a data page fault and the second guest kernel page does not correspond to the entry in the soft whitelist;
      
      fixing the page fault; and
      
      marking the second guest kernel page as non-executable.
  - 4. The method of claim 1, wherein the creating the soft whitelist comprises adding a machine page frame number (MFN) corresponding to a virtual address of the first guest kernel page into a hash.
  - 5. The method of claim 1, further comprising:
    - marking a page table entry (PTE) corresponding to the first guest kernel page as NOT_PRESENT in a shadow page table of the hypervisor.
  - 6. The method of claim 5, whereinthe denying the execution comprises one of:
    - causing the guest OS to loop;
      
      injecting an exception in the guest OS;
      
      orfixing the page fault and pointing a corresponding PTE in the shadow page table to a crafted page instead of the second guest kernel page, wherein the crafted page comprises code that either causes the guest OS to crash or executes a set of No Operations (NOP) instructions.
  - 7. The method of claim 1, wherein the creating the soft whitelist is performed after the guest OS has loaded substantially all its kernel components at boot.
  - 8. The method of claim 1, wherein the creating the soft whitelist is performed before the guest OS has loaded substantially all its kernel components, and the first guest kernel page is from a paged pool range or a non-paged pool range.
  - 9. The method of claim 1, further comprising:
    - setting a lockdown feature bit in the hypervisor during domain creation to enable rootkit protection.

10. An apparatus, comprising:
- a memory;
  
  a processor; and
  
  a hypervisor, such that the apparatus is configured forcreating a soft whitelist having an entry corresponding to a first guest kernel page in a guest operating system (OS) in a hypervisor environment comprising the hypervisor;
  
  receiving an access attempt to a second guest kernel page;
  
  generating a page fault when the access attempt is made to the second guest kernel page;
  
  determining whether the second guest kernel page corresponds to the entry in the soft whitelist;
  
  fixing the page fault to allow an access and execution of the second guest kernel page if the second guest kernel page corresponds to the entry in the soft whitelist; and
  
  denying an execution of the second guest kernel page if the second guest kernel page does not correspond to the entry in the soft whitelist.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The apparatus of claim 10, wherein the apparatus is further configured for:
    - marking the first guest kernel page as read-only and executable if the page fault is an instruction page fault and the second guest kernel page corresponds to the entry in the soft whitelist.
  - 12. The apparatus of claim 10, wherein the apparatus is further configured for:
    - if the page fault is a data page fault and the second guest kernel page does not correspond to the entry in the soft whitelist;
      
      fixing the page fault; and
      
      marking the second guest kernel page as non-executable.
  - 13. The apparatus of claim 10, wherein the creating the soft whitelist comprises adding a machine page frame number (MFN) corresponding to a virtual address of the first guest kernel page into a hash.
  - 14. The apparatus of claim 10, whereinthe denying the execution comprises one of:
    - causing the guest OS to loop;
      
      injecting an exception in the guest OS;
      
      orfixing the page fault and pointing a corresponding PTE in a shadow page table of the hypervisor to a crafted page instead of the second guest kernel page, wherein the crafted page comprises code that either causes the guest OS to crash or executes a set of No Operations (NOP) instructions.

15. Logic encoded in non-transitory media that includes code for execution and, when executed by a processor, is operable to perform operations comprising:
- creating a soft whitelist having an entry corresponding to a first guest kernel page in a guest operating system (OS) in a hypervisor environment comprising a hypervisor;
  
  receiving an access attempt to a second guest kernel page;
  
  generating a page fault when the access attempt is made to the second guest kernel page;
  
  determining whether the second guest kernel page corresponds to the entry in the soft whitelist;
  
  fixing the page fault to allow an access and execution of the second guest kernel page if the second guest kernel page corresponds to the entry in the soft whitelist; and
  
  denying an execution of the second guest kernel page if the second guest kernel page does not correspond to the entry in the soft whitelist.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The logic of claim 15, the operations further comprising:
    - marking the first guest kernel page as read-only and executable if the page fault is an instruction page fault and the second guest kernel page corresponds to the entry in the soft whitelist.
  - 17. The logic of claim 15, the operations further comprising:
    - if the page fault is a data page fault and the second guest kernel page does not correspond to the entry in the soft whitelist;
      
      fixing the page fault; and
      
      marking the second guest kernel page as non-executable.
  - 18. The logic of claim 15, wherein the creating the soft whitelist comprises adding a machine page frame number (MFN) corresponding to a virtual address of the first guest kernel page into a hash.
  - 19. The logic of claim 15, the operations further comprising:
    - marking a PTE corresponding to the first guest kernel page as NOT_PRESENT in a shadow page table of the hypervisor.
  - 20. The logic of claim 19, whereinthe denying the execution comprises one of:
    - causing the guest OS to loop;
      
      injecting an exception in the guest OS;
      
      orfixing the page fault and pointing a corresponding PTE in the shadow page table to a crafted page instead of the second guest kernel page, wherein the crafted page comprises code that either causes the guest OS to crash or execute a set of No Operations (NOP) instructions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Mohinder, Preet, Dang, Amit, Srivastava, Vivek
Primary Examiner(s)
SHOLEMAN, ABU S

Application Number

US13/272,830
Publication Number

US 20130097355A1
Time in Patent Office

1,237 Days
Field of Search

713/165, 713/163, 713/166, 726/24, 726/21, 726/26, 726/27, 726/28, 711/6, 711/170, 711/173, 711/202, 711/203, 709/223
US Class Current

726/24
CPC Class Codes

G06F 11/1484   involving virtual machines

G06F 12/1018   involving hashing technique...

G06F 12/121   using replacement algorithms

G06F 12/145   the protection being virtua...

G06F 2009/45591   Monitoring or debugging sup...

G06F 21/55   Detecting local intrusion o...

G06F 2201/815   Virtual middleware or OS fu...

G06F 2212/657   Virtual address space manag...

G06F 9/45558   Hypervisor-specific managem...

System and method for kernel rootkit protection in a hypervisor environment

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

290 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for kernel rootkit protection in a hypervisor environment

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

290 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links