System and method for virtual partition monitoring

US 9,311,126 B2
Filed: 07/27/2011
Issued: 04/12/2016
Est. Priority Date: 07/27/2011
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

identifying a module to be loaded;

determining a fixed address in the virtual partition wherein a previous instance of the module was loaded at the fixed address;

rebasing the module in a virtual partition to load at the fixed address, including;

determining file information for the module;

removing relocation data from the module; and

modifying a header in the module to specify the fixed address;

storing a hash of a page of memory associated with the fixed address after modifying the header;

receiving in an external handler a notification associated with an event affecting the page;

instructing an internal agent within the virtual partition to execute a task and return results based on the task to the external handler; and

taking a policy action based on the results returned by the internal agent using the hash based at least upon the fixed address.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is provided in one example embodiment that includes rebasing a module in a virtual partition to load at a fixed address and storing a hash of a page of memory associated with the fixed address. An external handler may receive a notification associated with an event affecting the page. An internal agent within the virtual partition can execute a task and return results based on the task to the external handler, and a policy action may be taken based on the results returned by the internal agent. In some embodiments, a code portion and a data portion of the page can be identified and only a hash of the code portion is stored.

27 Citations

View as Search Results

19 Claims

1. A method, comprising:
- identifying a module to be loaded;
  
  determining a fixed address in the virtual partition wherein a previous instance of the module was loaded at the fixed address;
  
  rebasing the module in a virtual partition to load at the fixed address, including;
  
  determining file information for the module;
  
  removing relocation data from the module; and
  
  modifying a header in the module to specify the fixed address;
  
  storing a hash of a page of memory associated with the fixed address after modifying the header;
  
  receiving in an external handler a notification associated with an event affecting the page;
  
  instructing an internal agent within the virtual partition to execute a task and return results based on the task to the external handler; and
  
  taking a policy action based on the results returned by the internal agent using the hash based at least upon the fixed address.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 18)
- - 2. The method of claim 1, wherein the external handler operates in a second virtual partition.
  - 3. The method of claim 1, wherein the external handler operates in a virtualization host.
  - 4. The method of claim 1, wherein:
    - the external handler operates in a first virtualization guest in a virtualized platform; and
      
      the virtual partition is a second virtualization guest in the virtualized platform.
  - 5. The method of claim 1, wherein the event notification is received from a hypervisor extension in a virtualized platform.
  - 6. The method of claim 1, wherein rebasing the module comprises patching a loader in an operating system to load the module at the fixed address.
  - 7. The method of claim 1, wherein the task comprises identifying the module based on a virtual address associated with the page.
  - 8. The method of claim 1, wherein the task comprises identifying the page as a mixed use page.
  - 9. The method of claim 1, wherein storing a hash comprises identifying a code portion and a data portion of the page and storing only a hash of the code portion.
  - 10. The method of claim 1, further comprising:
    - parking a thread associated with the module that caused the event; and
      
      resuming other threads in the virtual partition after parking the thread that caused the event.
  - 18. The method of claim 1, wherein rebasing the module in a virtual partition to load at the fixed address includes forcing the module to load at the same fixed address every time the module is loaded.

11. Logic encoded in one or more non-transitory media that includes code for execution and when executed by one or more processors is operable to perform operations comprising:
- identifying a module to be loaded;
  
  determining a fixed address in the virtual partition wherein a previous instance of the module was loaded at the fixed address;
  
  rebasing the module in a virtual partition to load at the fixed address, including;
  
  determining file information for the module;
  
  removing relocation data from the module; and
  
  modifying a header in the module to specify the fixed address;
  
  storing a hash of a page of memory associated with the fixed address after modifying the header;
  
  receiving in an external handler a notification associated with an event affecting the page;
  
  instructing an internal agent within the virtual partition to execute a task and return results based on the task to the external handler; and
  
  taking a policy action based on the results returned by the internal agent using the hash based at least upon the fixed address.
- View Dependent Claims (12, 13, 17)
- - 12. The encoded logic of claim 11, wherein the task comprises identifying the module based on a virtual address associated with the page.
  - 13. The encoded logic of claim 11, wherein the task comprises identifying the page as a mixed use page.
  - 17. The encoded logic of claim 11, wherein the operations further comprise, each time an instance of the module is to be loaded in the virtual partition, rebasing the instance of the module in the virtual partition at the fixed address.

14. An apparatus, comprising:
- a virtual partition;
  
  an internal agent within the virtual partition;
  
  an external handler; and
  
  one or more processors operable to execute instructions associated with the virtual partition, the internal agent, and the external handler such that the apparatus is configured for;
  
  identifying a module to be loaded;
  
  determining a fixed address in the virtual partition wherein a previous instance of the module was loaded at the fixed address;
  
  rebasing the module in a virtual partition to load at the fixed address, including;
  
  determining file information for the module;
  
  removing relocation data from the module; and
  
  modifying a header in the module to specify the fixed address;
  
  storing a hash of a page of memory associated with the fixed address after modifying the header;
  
  receiving in the external handler a notification associated with an event affecting the page;
  
  instructing the internal agent within the virtual partition to execute a task and return results based on the task to the external handler; and
  
  taking a policy action based on the results returned by the internal agent using the hash based at least upon the fixed address.
- View Dependent Claims (15, 16)
- - 15. The apparatus of claim 14, wherein rebasing the module comprises patching a loader in an operating system to load the module at the fixed address.
  - 16. The apparatus of claim 14, wherein the task comprises identifying the module based on a virtual address associated with the page.

19. Logic encoded in one or more non-transitory media that includes code for execution and when executed by one or more processors is operable to perform operations comprising:
- identifying a module to be loaded;
  
  determining a fixed address in the virtual partition wherein a previous instance of the module was loaded at the fixed address;
  
  rebasing the module in a virtual partition to load at the fixed address, including;
  
  patching a loader in an operating system to load the module at the fixed address; and
  
  upon launching the module, causing the loader to select the fixed address to load the module;
  
  storing a hash of a page of memory associated with the fixed address after patching the loader;
  
  receiving in an external handler a notification associated with an event affecting the page;
  
  instructing an internal agent within the virtual partition to execute a task and return results based on the task to the external handler; and
  
  taking a policy action based on the results returned by the internal agent using the hash based at least upon the fixed address.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Edwards, Jonathan L., Dalcher, Gregory W., Teddy, John D.
Primary Examiner(s)
Alsip, Michael

Application Number

US13/192,412
Publication Number

US 20130031291A1
Time in Patent Office

1,721 Days
Field of Search

711/6, 711/E12.016
US Class Current

1/1
CPC Class Codes

G06F 2009/45583   Memory management, e.g. acc...

G06F 21/53   by executing in a restricte...

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

G06F 21/64   Protecting data integrity, ...

G06F 9/45558   Hypervisor-specific managem...

System and method for virtual partition monitoring

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

27 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for virtual partition monitoring

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

27 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links