System and method for kernel rootkit protection in a hypervisor environment
10 Assignments
0 Petitions
Abstract
A system and method for rootkit protection in a hypervisor environment includes modules for creating a soft whitelist having entries corresponding to each guest kernel page of a guest operating system in a hypervisor environment, wherein each entry is a duplicate page of the corresponding guest kernel page, generating a page fault when a process attempts to access a guest kernel page, and redirecting the process to the corresponding duplicate page. If the page fault is a data page fault, the method includes fixing the page fault and marking the page table entry corresponding to the guest kernel page as non-executable and writeable. If the page fault is an instruction page fault, the method includes marking the page table entry corresponding to the guest kernel page as read-only. Redirecting includes changing the machine page frame number in a shadow page table of the hypervisor to point to the corresponding duplicate page.
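The mechanism the abstract describes (a pristine duplicate frame per guest kernel page as the whitelist entry, data faults resolved to the writable, non-executable original, instruction faults redirected to the read-only duplicate) is easiest to reason about as a small simulation. The C program below is an added example written for this page, not code from the patent or from any hypervisor. `machine_mem`, `shadow_pt`, `handle_fault`, `guest_access`, the two-page, eight-byte geometry and the sample kernel bytes are all constructed for the model; real shadow page tables, page sizes and fault delivery differ in detail.

```c
/* Toy model of the shadow-page-table "soft whitelist" from the abstract:
 * instruction fetches are served from a pristine duplicate frame (read-only),
 * data accesses from the guest's own frame (writable, non-executable). */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 8   /* toy page size (constructed) */
#define NPAGES    2   /* guest kernel pages in the model (constructed) */

enum access_kind { ACC_READ, ACC_WRITE, ACC_FETCH };

/* Frames 0..NPAGES-1: the guest's kernel pages; NPAGES..2*NPAGES-1: duplicates. */
static uint8_t machine_mem[2 * NPAGES][PAGE_SIZE];

struct spte {                   /* one shadow page table entry */
    unsigned mfn;               /* machine page frame number currently mapped */
    bool present, writable, executable;
};

struct shadow_pt {
    struct spte e[NPAGES];
    unsigned orig_mfn[NPAGES];  /* guest page -> the guest's own frame */
    unsigned dup_mfn[NPAGES];   /* soft whitelist: guest page -> duplicate frame */
    unsigned data_faults, insn_faults;
};

/* Constructed sample kernel image: NOP filler, with a RET at page 0 offset 0
 * standing in for the function entry a rootkit would hook. */
void load_sample_kernel(void) {
    for (unsigned f = 0; f < NPAGES; f++)
        memset(machine_mem[f], 0x90, PAGE_SIZE);   /* 0x90 = x86 NOP */
    machine_mem[0][0] = 0xC3;                       /* 0xC3 = x86 RET */
}

/* Snapshot each guest kernel page into a duplicate frame and point the shadow
 * entry at it, left not-present so the first access of any kind traps. */
void create_soft_whitelist(struct shadow_pt *pt) {
    memset(pt, 0, sizeof *pt);
    for (unsigned vpn = 0; vpn < NPAGES; vpn++) {
        pt->orig_mfn[vpn] = vpn;
        pt->dup_mfn[vpn] = NPAGES + vpn;
        memcpy(machine_mem[pt->dup_mfn[vpn]], machine_mem[vpn], PAGE_SIZE);
        pt->e[vpn].mfn = pt->dup_mfn[vpn];
    }
}

/* Fault handler: a data fault maps the guest's own frame writable and
 * non-executable; an instruction fault redirects to the duplicate, read-only. */
static void handle_fault(struct shadow_pt *pt, unsigned vpn, enum access_kind k) {
    struct spte *e = &pt->e[vpn];
    bool fetch = (k == ACC_FETCH);
    if (fetch) pt->insn_faults++; else pt->data_faults++;
    e->present    = true;
    e->mfn        = fetch ? pt->dup_mfn[vpn] : pt->orig_mfn[vpn];
    e->writable   = !fetch;
    e->executable = fetch;
}

/* Simulated MMU: one byte access at guest virtual (vpn, off). Faults and
 * retries when the current entry forbids the access; reads never fault on a
 * present page, as on x86. Returns the byte read, fetched, or written. */
uint8_t guest_access(struct shadow_pt *pt, unsigned vpn, unsigned off,
                     enum access_kind k, uint8_t val) {
    struct spte *e = &pt->e[vpn];
    bool ok = e->present && (k == ACC_FETCH ? e->executable
                           : k == ACC_WRITE ? e->writable : true);
    if (!ok)
        handle_fault(pt, vpn, k);
    uint8_t *p = &machine_mem[e->mfn][off];
    if (k == ACC_WRITE)
        *p = val;
    return *p;
}

/* Worked scenario: a rootkit hooks the RET, the kernel executes the page, the
 * rootkit reads its hook back, then patches again. Returns 0 when every
 * expectation holds, otherwise the number of the first failed check. */
int run_scenario(void) {
    struct shadow_pt pt;
    load_sample_kernel();
    create_soft_whitelist(&pt);
    /* 1-2: the hook write takes a data fault and lands in the guest's own frame */
    if (guest_access(&pt, 0, 0, ACC_WRITE, 0xE9) != 0xE9) return 1;  /* 0xE9 = JMP rel32 */
    if (machine_mem[0][0] != 0xE9 || pt.data_faults != 1) return 2;
    /* 3-4: the fetch takes an instruction fault and is served the pristine RET */
    if (guest_access(&pt, 0, 0, ACC_FETCH, 0) != 0xC3) return 3;
    if (pt.e[0].mfn != pt.dup_mfn[0] || pt.e[0].writable || pt.insn_faults != 1) return 4;
    /* 5: in the read-only code view a read-back sees the duplicate, not the hook */
    if (guest_access(&pt, 0, 0, ACC_READ, 0) != 0xC3) return 5;
    /* 6-8: a second write faults back to the data view; the duplicate stays intact */
    if (guest_access(&pt, 0, 0, ACC_WRITE, 0xCC) != 0xCC) return 6;  /* 0xCC = INT3 */
    if (pt.data_faults != 2 || pt.e[0].executable) return 7;
    return machine_mem[pt.dup_mfn[0]][0] == 0xC3 ? 0 : 8;
}

int main(void) {
    int rc = run_scenario();
    printf("scenario %s; guest frame 0 byte 0 = 0x%02X, duplicate = 0x%02X\n",
           rc ? "failed" : "ok", machine_mem[0][0], machine_mem[NPAGES][0]);
    return rc;
}
```

Build with `cc -std=c11 -Wall` and run; the exit status is 0 when the scenario behaves as the abstract describes. Two properties of the modelled scheme are worth noticing. First, because an instruction fault leaves the entry read-only rather than not-present, a read that follows a fetch is served from the duplicate, so a rootkit that reads its patch back after the kernel has executed the page sees the pristine bytes rather than its hook; a detection-aware rootkit could use that discrepancy as a tell. Second, the whitelist covers only pages that existed when `create_soft_whitelist` ran, which is the distinction the claims draw between creating it before some kernel components are loaded (claim 1) and after the kernel components have loaded at boot (claim 18); the model has no equivalent of a later load.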
19 Claims
1. A method, comprising:
- creating a soft whitelist having an entry corresponding to a guest kernel page of a guest operating system (OS) in a hypervisor environment comprising a hypervisor, wherein the entry is a duplicate page of the guest kernel page, and the guest OS has not loaded at least some kernel components;
- mapping a virtual base address of the guest kernel page to a machine page frame number of the corresponding duplicate page;
- generating a page fault when a process attempts to access the guest kernel page; and
- redirecting the process to the duplicate page corresponding to the guest kernel page if the page fault is an instruction page fault.
Dependent claims: 2, 3, 4, 5, 6.
7. An apparatus, comprising:
- a memory; and
- a processor configured to create a soft whitelist having an entry corresponding to a guest kernel page of a guest OS in a hypervisor environment comprising a hypervisor, wherein the entry is a duplicate page of the guest kernel page, the processor is further configured to map a virtual base address of the guest kernel page to a machine page frame number of the corresponding duplicate page, the guest OS has not loaded at least some kernel components, and the processor is further configured to generate a page fault when a process attempts to access the guest kernel page, and to redirect the process to the duplicate page corresponding to the guest kernel page if the page fault is an instruction page fault.
Dependent claims: 8, 9, 10, 11.
12. Logic encoded in non-transitory media that includes code for execution and, when executed by a processor, is operable to perform operations comprising:
- creating a soft whitelist having an entry corresponding to a guest kernel page of a guest OS in a hypervisor environment comprising a hypervisor, wherein the entry is a duplicate page of the guest kernel page;
- mapping a virtual base address of the guest kernel page to a machine page frame number of the corresponding duplicate page, wherein the guest OS has not loaded at least some kernel components;
- generating a page fault when a process attempts to access the guest kernel page; and
- redirecting the process to the duplicate page corresponding to the guest kernel page if the page fault is an instruction page fault.
Dependent claims: 13, 14, 15, 16, 17.
18. A method, comprising:
- creating a soft whitelist having an entry corresponding to a guest kernel page of a guest operating system (OS) in a hypervisor environment comprising a hypervisor, wherein the entry is a duplicate page of the guest kernel page, and creating the soft whitelist is performed after the guest OS has loaded kernel components at boot;
- walking a shadow page table of the hypervisor;
- mapping a virtual address of the guest kernel page to a machine page frame number of the corresponding duplicate page;
- generating a page fault when a process attempts to access the guest kernel page; and
- redirecting the process to the duplicate page corresponding to the guest kernel page if the page fault is an instruction page fault.
19. Logic encoded in non-transitory media that includes code for execution and, when executed by a processor, is operable to perform operations comprising:
- creating a soft whitelist having an entry corresponding to a guest kernel page of a guest OS in a hypervisor environment comprising a hypervisor, wherein the entry is a duplicate page of the guest kernel page, and creating the soft whitelist is performed after the guest OS has loaded a plurality of kernel components at boot;
- walking a shadow page table of the hypervisor;
- mapping a virtual address of the guest kernel page to a machine page frame number of the corresponding duplicate page;
- generating a page fault when a process attempts to access the guest kernel page; and
- redirecting the process to the duplicate page corresponding to the guest kernel page if the page fault is an instruction page fault.