System and method for kernel rootkit protection in a hypervisor environment

US 9,465,700 B2
Filed: 02/24/2015
Issued: 10/11/2016
Est. Priority Date: 10/13/2011
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

creating a soft whitelist having an entry corresponding to a first guest kernel page in a guest operating system (OS) in a hypervisor environment comprising a hypervisor;

generating a page fault when an access attempt is made to a second guest kernel page;

fixing the page fault to allow an execution if the second guest kernel page corresponds to the entry in the soft whitelist; and

denying the execution if the second guest kernel page does not correspond to the entry in the soft whitelist and the page fault is an instruction page fault.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method in one embodiment includes modules for creating a soft whitelist having entries corresponding to each guest kernel page in a guest operating system in a hypervisor environment, generating a page fault when an access attempt is made to a guest kernel page, fixing the page fault to allow access and execution if the guest kernel page corresponds to one of the entries in the soft whitelist, and denying execution if the guest kernel page does not correspond to any of the entries in the soft whitelist. If the page fault is an instruction page fault, and the guest kernel page corresponds to one of the entries in the soft whitelist, the method includes marking the guest kernel page as read-only and executable. The soft whitelist includes a hash of machine page frame numbers corresponding to virtual addresses of each guest kernel page.

312 Citations

20 Claims

1. A method, comprising:
- creating a soft whitelist having an entry corresponding to a first guest kernel page in a guest operating system (OS) in a hypervisor environment comprising a hypervisor;
  
  generating a page fault when an access attempt is made to a second guest kernel page;
  
  fixing the page fault to allow an execution if the second guest kernel page corresponds to the entry in the soft whitelist; and
  
  denying the execution if the second guest kernel page does not correspond to the entry in the soft whitelist and the page fault is an instruction page fault.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, further comprising:
    - if the page fault is a data page fault and the second guest kernel page does not correspond to the entry in the soft whitelist;
      
      fixing the page fault; and
      
      marking the second guest kernel page as non-executable.
  - 3. The method of claim 1, wherein the creating the soft whitelist comprises adding a machine page frame number (MFN) corresponding to a virtual address of the first guest kernel page into a hash.
  - 4. The method of claim 3, further comprising:
    - determining if a MFN corresponding to a virtual address of the page fault is present in the hash.
  - 5. The method of claim 1, wherein the first guest kernel page corresponds to a page table entry (PTE) in a shadow page table of the hypervisor.

6. An apparatus, comprising:
- a memory;
  
  a processor; and
  
  a hypervisor, wherein the processor is configured tocreate a soft whitelist having an entry corresponding to a first guest kernel page in a guest operating system (OS) in a hypervisor environment comprising the hypervisor;
  
  generate a page fault when an access attempt is made to a second guest kernel page;
  
  fix the page fault to allow an execution if the second guest kernel page corresponds to the entry in the soft whitelist; and
  
  deny the execution if the second guest kernel page does not correspond to the entry in the soft whitelist and the page fault is an instruction page fault.
- View Dependent Claims (7, 8, 9, 10, 11)
- - 7. The apparatus of claim 6, wherein the processor is further configured to mark the second guest kernel page as read-only and executable, if the page fault is the instruction page fault and the second guest kernel page corresponds to the entry in the soft whitelist.
  - 8. The apparatus of claim 6, wherein the processor is further configured to, if the page fault is a data page fault and the second guest kernel page does not correspond to the entry in the soft whitelist, both fix the page fault and mark the second guest kernel page as non-executable.
  - 9. The apparatus of claim 6, wherein the processor is further configured to add a machine page frame number (MFN) corresponding to a virtual address of the first guest kernel page into a hash.
  - 10. The apparatus of claim 9, wherein the processor is further configured to determine if a MFN corresponding to a virtual address of the page fault is present in the hash.
  - 11. The apparatus of claim 6, wherein the first guest kernel page corresponds to a page table entry (PTE) in a shadow page table of the hypervisor.

12. Logic, encoded in non-transitory media, that includes code for execution and comprising:
- instructions to create a soft whitelist having an entry corresponding to a first guest kernel page in a guest operating system (OS) in a hypervisor environment comprising a hypervisor;
  
  instructions to generate a page fault when an access attempt is made to a second guest kernel page;
  
  instructions to fix the page fault to allow an execution if the second guest kernel page corresponds to the entry in the soft whitelist; and
  
  instructions to deny the execution if the second guest kernel page does not correspond to the entry in the soft whitelist and the page fault is an instruction page fault.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20)
- - 13. The logic of claim 12, further comprising:
    - instructions to mark the second guest kernel page as read-only and executable if the page fault is the instruction page fault and the second guest kernel page corresponds to the entry in the soft whitelist.
  - 14. The logic of claim 12, further comprising:
    - instructions to, if the page fault is a data page fault and the second guest kernel page does not correspond to the entry in the soft whitelist;
      
      fix the page fault; and
      
      mark the second guest kernel page as non-executable.
  - 15. The logic of claim 12, wherein the instructions to create the soft whitelist comprise instructions to add a machine page frame number (MFN) corresponding to a virtual address of the first guest kernel page into a hash.
  - 16. The logic of claim 15, further comprising:
    - instructions to determine if a MFN corresponding to a virtual address of the page fault is present in the hash.
  - 17. The logic of claim 12, wherein the first guest kernel page corresponds to a page table entry (PTE) in a shadow page table of the hypervisor.
  - 18. The logic of claim 12, wherein the soft whitelist is created after the guest OS has loaded a process scheduler, a memory manager, and a file system at boot.
  - 19. The logic of claim 12, wherein the soft whitelist is created before the guest OS has loaded a process scheduler, a memory manager, and a file system, and the first guest kernel page is from a paged pool range or a non-paged pool range.
  - 20. The logic of claim 12, further comprising:
    - instructions to set a lockdown feature bit in the hypervisor during domain creation to enable rootkit protection.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Dang, Amit, Mohinder, Preet, Srivastava, Vivek
Primary Examiner(s)
SHOLEMAN, ABU S

Application Number

US14/629,574
Publication Number

US 20150234718A1
Time in Patent Office

595 Days
Field of Search

713/189, 726/1, 726/24, 726/27, 718/1
US Class Current

1/1
CPC Class Codes

G06F 11/1484   involving virtual machines

G06F 12/1018   involving hashing technique...

G06F 12/121   using replacement algorithms

G06F 12/145   the protection being virtua...

G06F 2009/45591   Monitoring or debugging sup...

G06F 21/55   Detecting local intrusion o...

G06F 2201/815   Virtual middleware or OS fu...

G06F 2212/657   Virtual address space manag...

G06F 9/45558   Hypervisor-specific managem...

System and method for kernel rootkit protection in a hypervisor environment

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

312 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for kernel rootkit protection in a hypervisor environment

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

312 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links