System and method for hypervisor breakpoints

US 9,292,417 B2
Filed: 08/07/2013
Issued: 03/22/2016
Est. Priority Date: 08/07/2013
Status: Active Grant

First Claim

Patent Images

1. A method for debugging a computer program comprising:

selecting, in a virtual machine controlled by a hypervisor in a host operating system, a guest memory location as a breakpoint location;

determining, in the virtual machine, a first memory page that contains the guest memory location;

replacing, by the hypervisor without knowledge by a computer program executed by the virtual machine, at least a portion of the first memory page with new content, the new content including a breakpoint instruction;

translating virtual memory to physical memory; and

in response to the replacing, setting a permission of the first memory page to execute only, such that attempts to read to or write from the first memory page by the computer program are intercepted by the hypervisor.

View all claims

13 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems allow the use of hypervisors to use software breakpoints in the same manner as hardware breakpoints. A program to be tested is executed by a hypervisor running a virtual machine. A memory page containing the location of a breakpoint is copied to a temporary memory page. Then a new page is written containing breakpoint instructions at specified memory locations. The new page is tagged as execute only, so the program to be tested is unaware of any changes to the program. If the program attempts to read from the changed memory page, it will read from the temporary memory page instead. Such a method can be used to search websites for malware in relative safety because of the inability of the malware to write to memory locations that are located on a page that is execute only.

Citations

23 Claims

1. A method for debugging a computer program comprising:
- selecting, in a virtual machine controlled by a hypervisor in a host operating system, a guest memory location as a breakpoint location;
  
  determining, in the virtual machine, a first memory page that contains the guest memory location;
  
  replacing, by the hypervisor without knowledge by a computer program executed by the virtual machine, at least a portion of the first memory page with new content, the new content including a breakpoint instruction;
  
  translating virtual memory to physical memory; and
  
  in response to the replacing, setting a permission of the first memory page to execute only, such that attempts to read to or write from the first memory page by the computer program are intercepted by the hypervisor.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1 further comprising:
    - copying contents of the first memory page to a temporary memory page.
  - 3. The method of claim 2 further comprising:
    - when the computer program attempts to read from the guest memory location, sending the computer program data from the temporary memory page.
  - 4. The method of claim 2 further comprising:
    - replacing at least a portion of the temporary memory page with new content, the new content including a breakpoint instruction; and
      
      setting the permission of the temporary memory page to execute only, such that attempts to read to or write from the temporary memory page by the computer program are prevented.
  - 5. The method of claim 4 further comprising:
    - during an execution of the computer program, redirecting attempts to execute instructions located in the first memory page to the temporary memory page.
  - 6. The method of claim 1 wherein the breakpoint instruction is an INT 3 instruction.

7. A non-transitory machine-readable medium that stores instructions which, when executed by a machine, causes the machine to perform operations comprising:
- selecting, in a virtual machine controlled by a hypervisor in a host operating system, a guest memory location as a breakpoint location;
  
  determining, in the virtual machine, a first memory page that contains the guest memory location;
  
  replacing, by the hypervisor without knowledge by a computer program executed by the virtual machine, at least a portion of the first memory page with new content, the new content including a breakpoint instruction;
  
  translating virtual memory to physical memory; and
  
  in response to the replacing, setting a permission of the first memory page to execute only, such that attempts to read to or write from the first memory page by the computer program are intercepted by the hypervisor.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The non-transitory machine-readable medium of claim 7 further comprising instructions that cause the machine to perform operations further comprising:
    - copying the contents of the first memory page to a temporary memory page.
  - 9. The non-transitory machine-readable medium of claim 8 further comprising instructions that cause the machine to perform operations further comprising:
    - when a computer program being debugged attempts to read from the guest memory location, sending the computer program data from the temporary memory page.
  - 10. The non-transitory machine-readable medium of claim 8 further comprising instructions that cause the machine to perform operations further comprising:
    - replacing at least a portion of the temporary memory page with new content, the new content including a breakpoint instruction; and
      
      setting the permission of the temporary memory page to execute only, such that attempts to read to or write from the temporary memory page by the computer program are prevented.
  - 11. The non-transitory machine-readable medium of claim 8 further comprising instructions that cause the machine to further perform operations further comprising:
    - during an execution of a computer program being debugged, redirecting attempts to execute instructions located in the first memory page to the temporary memory page.

12. A system for debugging a computer program comprising:
- memory, divided into pages including at least a first memory page;
  
  a processor coupled to the memory;
  
  wherein the processor is arranged to;
  
  select, in a virtual machine controlled by a hypervisor in a host operating system, a guest memory location as a breakpoint location;
  
  determine, in the virtual machine, the first memory page that contains the guest memory location;
  
  replace, by the hypervisor without knowledge by a computer program executed by the virtual machine, at least a portion of the first memory page with new content, the new content including a breakpoint instruction;
  
  translate virtual memory to physical memory; and
  
  in response to the replace, set the permission of the first memory page to execute only, such that attempts to read to or write from the first memory page by the computer program are intercepted by the hypervisor.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The system of claim 12 wherein the processor is further arranged to:
    - copy the contents of the first memory page to a temporary memory page.
  - 14. The system of claim 13 wherein the processor is further arranged to:
    - when the computer program attempts to read from the guest memory location, send the computer program data from the temporary memory page.
  - 15. The system of claim 13 wherein the processor is further arranged to:
    - replace at least a portion of the temporary memory page with new content, the new content including a breakpoint instruction; and
      
      set the permission of the temporary memory page to execute only, such that attempts to read to or write from the temporary memory page by the computer program are prevented.
  - 16. The system of claim 15 wherein the processor is further arranged to:
    - during an execution of the computer program, redirect attempts to execute instructions located in the first memory page to the temporary memory page.
  - 17. The system of claim 12 wherein the breakpoint instruction is an INT 3 instruction.

18. A method for determining the existence of malware on websites comprising:
- using a browser that is executing on a virtual machine to load a website into a browser;
  
  setting a breakpoint to detect indicia of malware; and
  
  logging any detected indicia of malware;
  
  wherein setting the breakpoint comprises;
  
  selecting, in a virtual machine controlled by a hypervisor in a host operating system, a guest memory location as a breakpoint location;
  
  determining, in the virtual machine, a first memory page that contains the guest memory location;
  
  replacing, by the hypervisor without knowledge by a computer program executed by the virtual machine, at least a portion of the first memory page with new content, the new content including a breakpoint instruction;
  
  translating virtual memory to physical memory; and
  
  in response to the replacing, setting a permission of the first memory page to execute only, such that attempts to read to or write from the first memory page by the computer program are intercepted by the hypervisor.
- View Dependent Claims (19, 20, 21, 22, 23)
- - 19. The method of claim 18 further comprising:
    - copying the contents of the first memory page to a temporary memory page.
  - 20. The method of claim 19 further comprising:
    - when the website attempts to read from the guest memory location, sending data from the temporary memory page to the website.
  - 21. The method of claim 19 further comprising:
    - replacing at least a portion of the temporary memory page with new content, the new content including a breakpoint instruction; and
      
      setting the permission of the temporary memory page to execute only, such that attempts to read to or write from the temporary memory page by the website are prevented.
  - 22. The method of claim 21 further comprising:
    - during a visit to the website, redirecting attempts to execute instructions located in the first memory page to the temporary memory page.
  - 23. The method of claim 18 wherein indicia of malware include an attempt to write to a registry;
    - an attempt to load a Dynamic Link Library;
      
      an attempt to create a process; and
      
      an attempt to read or write to specific memory locations.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nightwing Group LLC
Original Assignee
Raytheon Cyber Products, LLC (Everfox Holdings LLC)
Inventors
Salsamendi, Ryan C.
Primary Examiner(s)
Aguilera, Todd

Application Number

US13/961,190
Publication Number

US 20150046908A1
Time in Patent Office

958 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06F 11/3636   by tracing the execution of...

G06F 11/3644   by instrumenting at runtime

G06F 11/3664   Environments for testing or...

G06F 12/145   the protection being virtua...

G06F 2009/45587   Isolation or security of vi...

G06F 2009/45591   Monitoring or debugging sup...

G06F 21/52   during program execution, e...

G06F 21/566   Dynamic detection, i.e. det...

G06F 9/45533   Hypervisors; Virtual machin...

System and method for hypervisor breakpoints

First Claim

13 Assignments

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for hypervisor breakpoints

First Claim

13 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links