Method and system for injecting function calls into a virtual machine
First Claim
1. A computing system implemented process for injecting function calls into a virtual machine comprising:
implementing a Guest Virtual Machine (GVM) on a host computing system, the GVM including associated CPU registers and at least one memory stack associated with at least one thread implemented, at least in part, by the GVM;
implementing a hypervisor on the host computing system under the control of at least one processor associated with the host computing system;
implementing a Security Virtual Machine (SVM) on the host computing system;
implementing a security API on the host computing system under the control of at least one processor associated with the host computing system, the security API providing a hypercall interface between the hypervisor, the SVM, and the GVM;
defining a SVM invocation point;
suspending a state of the GVM at the SVM invocation point;
saving the state of the GVM at the SVM invocation point;
while the state of the GVM is suspended, using the SVM and the security API to modify the CPU registers and/or the contents of at least one memory stack associated with at least one thread implemented, at least in part, by the GVM to trigger a desired function call invocation when the GVM is resumed, wherein a return address of the desired function call is initially set to a memory location in an active code segment that has no actual code and a hypervisor-enabled execution breakpoint is placed in the memory location;
resuming the GVM;
executing the desired function call in the same manner as the desired function call would be executed if the desired function call had been invoked by the GVM;
suspending the state of the GVM when the function call return address occurs;
restoring the saved GVM state at the SVM invocation point; and
resuming execution of the GVM at the SVM invocation point.
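The procedure set out in claim 1, modelled as an added example (this is illustration code, not code from the patent or its assignee): a toy guest CPU with registers and a stack, a hypervisor that single-steps it and enforces execution breakpoints, and an SVM-side inject_call() that saves the guest state, pushes a return address pointing at a code-segment location that holds no code, arms a breakpoint there, runs the target function, reads the result when the breakpoint fires, and restores the saved state so the guest resumes at its invocation point. All names (GuestVM, Hypervisor, inject_call), the toy instruction set and the guest program are assumptions made for this example.

```python
"""Toy model of hypervisor-based function call injection (FCI).

Added illustration, not code from the patent.  GuestVM, Hypervisor,
inject_call and the toy instruction set are assumptions for this example.
"""
import copy


class GuestFault(Exception):
    """Raised when the guest tries to execute a location holding no code."""


class GuestVM:
    """Minimal guest: a few registers, a memory stack and a code array."""

    def __init__(self, code):
        self.code = code                 # one instruction tuple per slot, or None
        self.regs = {"pc": 0, "r0": 0, "r1": 0, "r2": 0, "r3": 0}
        self.stack = []                  # memory stack, top of stack at the end

    def snapshot(self):
        return copy.deepcopy((self.regs, self.stack))

    def restore(self, saved):
        self.regs, self.stack = copy.deepcopy(saved)

    def step(self):
        pc = self.regs["pc"]
        ins = self.code[pc]
        if ins is None:
            raise GuestFault(f"no code at address {pc}")
        op = ins[0]
        if op == "MOV":                  # MOV rd, imm
            self.regs[ins[1]] = ins[2]
            pc += 1
        elif op == "MOVR":               # MOVR rd, rs
            self.regs[ins[1]] = self.regs[ins[2]]
            pc += 1
        elif op == "ADD":                # ADD rd, rs   (rd += rs)
            self.regs[ins[1]] += self.regs[ins[2]]
            pc += 1
        elif op == "JMP":
            pc = ins[1]
        elif op == "CALL":               # push return address, jump to callee
            self.stack.append(pc + 1)
            pc = ins[1]
        elif op == "RET":                # pop return address
            pc = self.stack.pop()
        else:
            raise ValueError(f"unknown op {op}")
        self.regs["pc"] = pc


class Hypervisor:
    """Runs the guest and stops it when pc reaches an enabled breakpoint."""

    def __init__(self, vm):
        self.vm = vm
        self.breakpoints = set()

    def run(self, max_steps):
        # The breakpoint is checked before the instruction is executed, so the
        # guest never actually runs whatever sits at a breakpointed address.
        for _ in range(max_steps):
            if self.vm.regs["pc"] in self.breakpoints:
                return ("breakpoint", self.vm.regs["pc"])
            self.vm.step()
        return ("steps", max_steps)


def inject_call(hv, target, trampoline, args, budget=1000):
    """SVM-side FCI: run `target` inside the guest and hand back r3."""
    vm = hv.vm
    assert vm.code[trampoline] is None, "trampoline must hold no real code"
    saved = vm.snapshot()                # save GVM state at the invocation point
    hv.breakpoints.add(trampoline)       # hypervisor-enabled execution breakpoint
    try:
        for reg, val in args.items():    # arguments go in registers
            vm.regs[reg] = val
        vm.stack.append(trampoline)      # fake return address on the guest stack
        vm.regs["pc"] = target           # resume the guest inside the callee
        event = hv.run(budget)
        if event != ("breakpoint", trampoline):
            raise RuntimeError(f"injected call did not return: {event}")
        return vm.regs["r3"]             # callee's return value
    finally:
        hv.breakpoints.discard(trampoline)
        vm.restore(saved)                # restore the saved GVM state


# Constructed guest program (assumed for this example).
MAIN_LOOP, DOUBLE, TRAMPOLINE = 1, 3, 6
GUEST_CODE = [
    ("MOV", "r1", 1),      # 0: r1 = 1
    ("ADD", "r0", "r1"),   # 1: main loop: r0 += 1 ...
    ("JMP", 1),            # 2: ... forever
    ("MOVR", "r3", "r2"),  # 3: double(): r3 = r2
    ("ADD", "r3", "r2"),   # 4:           r3 += r2
    ("RET",),              # 5:           return r3
    None,                  # 6: active code segment, no actual code (trampoline)
    None,                  # 7
]


def demo():
    vm = GuestVM(list(GUEST_CODE))
    hv = Hypervisor(vm)
    hv.run(5)                            # guest reaches the SVM invocation point
    before = vm.snapshot()
    result = inject_call(hv, DOUBLE, TRAMPOLINE, {"r2": 21})
    preserved = vm.snapshot() == before  # registers and stack exactly as saved
    hv.run(2)                            # guest resumes as if nothing happened
    return {"result": result, "state_preserved": preserved, "r0_after": vm.regs["r0"]}


def demo_nonreturning():
    """Failure mode: the injected target never returns (here the guest's main loop)."""
    vm = GuestVM(list(GUEST_CODE))
    hv = Hypervisor(vm)
    hv.run(5)
    before = vm.snapshot()
    try:
        inject_call(hv, MAIN_LOOP, TRAMPOLINE, {}, budget=50)
        raised = False
    except RuntimeError:
        raised = True
    return raised, vm.snapshot() == before


if __name__ == "__main__":
    print(demo())
    print(demo_nonreturning())
```

The try/finally in inject_call is the check a practitioner would want: if the injected function never reaches the return address within the step budget, the breakpoint is removed and the saved state is restored anyway, so the guest is left exactly as it was at the invocation point. Because the breakpoint is enforced by the hypervisor before the instruction executes, the code-less location is never run by the guest; in the claim this is what makes a memory location "in an active code segment that has no actual code" usable as the return address.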
2 Assignments
0 Petitions
Abstract
A method and apparatus for injecting function calls into a virtual machine whereby a Function Call Injection (FCI) process is employed, through which a Secure Virtual Machine (SVM) is used to trigger desired function call invocations inside a Guest Virtual Machine (GVM) by externally manipulating the GVM's memory and CPU register contents using a security API. Once the triggered function is executed, control is then returned at the originating SVM invocation point. Therefore, the GVM state is manipulated to externally inject function calls, making it possible to create control appliances which do not require an in-GVM agent.
38 Citations
20 Claims
1. (Reproduced above under First Claim.) Dependent claims: 2, 3, 4, 5, 6, 7.
8. A system for injecting function calls into a virtual machine comprising:
a host computing system;
a Guest Virtual Machine (GVM) implemented on the host computing system, the GVM including associated CPU registers and at least one memory stack associated with at least one thread implemented, at least in part, by the GVM;
a hypervisor implemented on the host computing system;
a Security Virtual Machine (SVM) implemented on the host computing system;
a security API implemented on the host computing system, the security API providing a hypercall interface between the hypervisor, the SVM, and the GVM;
a processor associated with the host computing system, the processor associated with the host computing system implementing at least part of a process for injecting function calls into a virtual machine, the process for injecting function calls into a virtual machine comprising:
defining a SVM invocation point;
suspending a state of the GVM at the SVM invocation point;
saving the state of the GVM at the SVM invocation point;
while the state of the GVM is suspended, using the SVM and the security API to modify the CPU registers and/or the contents of at least one memory stack associated with at least one thread implemented, at least in part, by the GVM to trigger a desired function call invocation when the GVM is resumed, wherein a return address of the desired function call is initially set to a memory location in an active code segment that has no actual code and a hypervisor-enabled execution breakpoint is placed in the memory location;
resuming the GVM;
executing the desired function call in the same manner as the desired function call would be executed if the desired function call had been invoked by the GVM;
suspending the state of the GVM when the function call return address occurs;
restoring the saved GVM state at the SVM invocation point; and
resuming execution of the GVM at the SVM invocation point.
Dependent claims: 9, 10, 11, 12, 13, 14.
15. A method for injecting function calls into a virtual machine comprising:
implementing a Guest Virtual Machine (GVM) on a host computing system, the GVM including associated CPU registers and at least one memory stack associated with at least one thread implemented, at least in part, by the GVM;
implementing a hypervisor on the host computing system;
implementing a Security Virtual Machine (SVM) on the host computing system;
implementing a security API on the host computing system, the security API providing a hypercall interface between the hypervisor, the SVM, and the GVM;
defining a SVM invocation point;
suspending a state of the GVM at the SVM invocation point;
saving the state of the GVM at the SVM invocation point;
while the state of the GVM is suspended, using the SVM and the security API to modify the CPU registers and/or the contents of at least one memory stack associated with at least one thread implemented, at least in part, by the GVM to trigger a desired function call invocation when the GVM is resumed, wherein a return address of the desired function call is initially set to a memory location in an active code segment that has no actual code and a hypervisor-enabled execution breakpoint is placed in the memory location;
resuming the GVM;
executing the desired function call in the same manner as the desired function call would be executed if the desired function call had been invoked by the GVM;
suspending the state of the GVM when the function call return address occurs;
restoring the saved GVM state at the SVM invocation point; and
resuming execution of the GVM at the SVM invocation point.
Dependent claims: 16, 17, 18, 19, 20.
Specification