System and method for kernel rootkit protection in a hypervisor environment
Abstract
A system and method in one embodiment includes modules for creating a soft whitelist having entries corresponding to each guest kernel page in a guest operating system in a hypervisor environment, generating a page fault when an access attempt is made to a guest kernel page, fixing the page fault to allow access and execution if the guest kernel page corresponds to one of the entries in the soft whitelist, and denying execution if the guest kernel page does not correspond to any of the entries in the soft whitelist. If the page fault is an instruction page fault, and the guest kernel page corresponds to one of the entries in the soft whitelist, the method includes marking the guest kernel page as read-only and executable. The soft whitelist includes a hash of machine page frame numbers corresponding to virtual addresses of each guest kernel page.
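The fault-handling policy the abstract describes, as an added example in C that is not code from the patent or from any assignee: a simulated hypervisor snapshots the machine page frame number (MFN) of every mapped guest kernel page into a soft whitelist (a hash set keyed by MFN), withdraws the present bit so later accesses trap, and then decides each fault as claim 1 and the abstract describe: an instruction page fault on a whitelisted page is fixed and the page is mapped read-only and executable; an instruction page fault on a non-whitelisted page is denied; a data fault is fixed. The page-entry layout, the 64-bucket set size, the `P_*` bit names and the treatment of data faults on pages not yet approved for execution (present and writable, but not executable) are this example's assumptions; the guest addresses and MFNs are constructed values. The last step goes one case beyond the text to show why keying on MFN rather than virtual address matters: re-pointing a whitelisted kernel VA at a rootkit's frame is still denied.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Permission bits of a simulated hypervisor-controlled (EPT/shadow-style)
 * page entry. Names and layout are this example's own, not the patent's. */
enum { P_PRESENT = 1u << 0, P_WRITE = 1u << 1, P_EXEC = 1u << 2 };

struct gpte {            /* one guest kernel page mapping: VA -> machine frame */
    uint64_t va;
    uint64_t mfn;        /* machine page frame number backing the VA */
    unsigned flags;
};

/* Soft whitelist: open-addressing hash set keyed by MFN (the abstract says the
 * whitelist includes a hash of MFNs). Bucket count is an assumption. */
#define WL_BUCKETS 64    /* must be a power of two */
struct soft_whitelist { uint64_t slot[WL_BUCKETS]; bool used[WL_BUCKETS]; };

static size_t wl_hash(uint64_t mfn) {
    return (size_t)((mfn * 0x9E3779B97F4A7C15ull) >> 58) & (WL_BUCKETS - 1);
}

static bool wl_insert(struct soft_whitelist *wl, uint64_t mfn) {
    size_t i = wl_hash(mfn);
    for (size_t n = 0; n < WL_BUCKETS; n++, i = (i + 1) & (WL_BUCKETS - 1)) {
        if (!wl->used[i]) { wl->used[i] = true; wl->slot[i] = mfn; return true; }
        if (wl->slot[i] == mfn) return true;           /* already present */
    }
    return false;                                       /* set is full */
}

static bool wl_contains(const struct soft_whitelist *wl, uint64_t mfn) {
    size_t i = wl_hash(mfn);
    for (size_t n = 0; n < WL_BUCKETS && wl->used[i]; n++, i = (i + 1) & (WL_BUCKETS - 1))
        if (wl->slot[i] == mfn) return true;
    return false;
}

/* Record the MFN of every mapped guest kernel page at a trusted moment (e.g. right
 * after the guest kernel boots) and clear PRESENT so the next access traps. */
static size_t build_soft_whitelist(struct soft_whitelist *wl, struct gpte *pt, size_t n) {
    size_t count = 0;
    memset(wl, 0, sizeof *wl);
    for (size_t i = 0; i < n; i++) {
        if (!(pt[i].flags & P_PRESENT)) continue;
        if (wl_insert(wl, pt[i].mfn)) count++;
        pt[i].flags &= ~P_PRESENT;
    }
    return count;
}

enum verdict { FAULT_FIXED, FAULT_DENIED };

/* Hypervisor-side handler for a fault on a guest kernel page; is_ifetch is true
 * for an instruction page fault (the CPU tried to execute from the page). */
static enum verdict handle_kernel_page_fault(const struct soft_whitelist *wl,
                                             struct gpte *pte, bool is_ifetch) {
    if (is_ifetch) {
        if (!wl_contains(wl, pte->mfn))
            return FAULT_DENIED;      /* code that was not part of the original kernel */
        /* Approved code page: read-only and executable, so it cannot be patched
         * in place after approval. */
        pte->flags = (pte->flags | P_PRESENT | P_EXEC) & ~P_WRITE;
        return FAULT_FIXED;
    }
    /* Data access: claim 1 denies only instruction faults, so fix the mapping.
     * Assumption: an unapproved page becomes present and writable but stays
     * non-executable; an already approved page keeps its RO+X mapping. */
    pte->flags |= P_PRESENT;
    if (!(pte->flags & P_EXEC))
        pte->flags |= P_WRITE;
    return FAULT_FIXED;
}

/* Constructed scenario: three original kernel pages, then a rootkit page.
 * Returns how many of the four outcomes match the abstract's description. */
static int run_scenario(void) {
    struct gpte pt[] = {
        { 0xffffffff81000000ull, 0x1000, P_PRESENT | P_EXEC },   /* kernel .text */
        { 0xffffffff81001000ull, 0x1001, P_PRESENT | P_EXEC },   /* kernel .text */
        { 0xffffffff82000000ull, 0x2000, P_PRESENT | P_WRITE },  /* kernel .data */
    };
    struct soft_whitelist wl;
    int ok = 0;
    build_soft_whitelist(&wl, pt, sizeof pt / sizeof pt[0]);

    /* Rootkit maps a fresh kernel page (MFN 0x5000, never whitelisted). */
    struct gpte rk = { 0xffffc90000010000ull, 0x5000, 0 };
    ok += handle_kernel_page_fault(&wl, &rk, false) == FAULT_FIXED
          && rk.flags == (P_PRESENT | P_WRITE);                     /* writing payload: fixed */
    ok += handle_kernel_page_fault(&wl, &rk, true) == FAULT_DENIED; /* jumping to it: denied */

    /* Original .text executes and comes back read-only + executable. */
    ok += handle_kernel_page_fault(&wl, &pt[0], true) == FAULT_FIXED
          && pt[0].flags == (P_PRESENT | P_EXEC);

    /* Re-pointing a whitelisted VA at the rootkit frame: keyed by MFN, still denied. */
    struct gpte remap = { 0xffffffff81000000ull, 0x5000, 0 };
    ok += handle_kernel_page_fault(&wl, &remap, true) == FAULT_DENIED;
    return ok;
}

int main(void) {
    printf("policy outcomes matching the abstract: %d of 4\n", run_scenario());
    return 0;
}
```

The whitelist is "soft" in the sense that it is a fixed snapshot of frames, not a signature check: it stops code that arrives in frames the kernel did not have at snapshot time, and the read-only-plus-executable mapping is what stops in-place patching of frames it did have. What a real implementation does about a later write to an approved RO+X page is not described on this page.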
20 Claims

1. A method, comprising:
creating a soft whitelist having an entry corresponding to a first guest kernel page in a guest operating system (OS) in a hypervisor environment comprising a hypervisor;
generating a page fault when an access attempt is made to a second guest kernel page;
fixing the page fault to allow an execution if the second guest kernel page corresponds to the entry in the soft whitelist; and
denying the execution if the second guest kernel page does not correspond to the entry in the soft whitelist and the page fault is an instruction page fault.
(Dependent claims 2, 3, 4 and 5 are not reproduced on this page.)

6. An apparatus, comprising:
a memory;
a processor; and
a hypervisor, wherein the processor is configured to create a soft whitelist having an entry corresponding to a first guest kernel page in a guest operating system (OS) in a hypervisor environment comprising the hypervisor; generate a page fault when an access attempt is made to a second guest kernel page; fix the page fault to allow an execution if the second guest kernel page corresponds to the entry in the soft whitelist; and deny the execution if the second guest kernel page does not correspond to the entry in the soft whitelist and the page fault is an instruction page fault.
(Dependent claims 7, 8, 9, 10 and 11 are not reproduced on this page.)

12. Logic, encoded in non-transitory media, that includes code for execution and comprising:
instructions to create a soft whitelist having an entry corresponding to a first guest kernel page in a guest operating system (OS) in a hypervisor environment comprising a hypervisor;
instructions to generate a page fault when an access attempt is made to a second guest kernel page;
instructions to fix the page fault to allow an execution if the second guest kernel page corresponds to the entry in the soft whitelist; and
instructions to deny the execution if the second guest kernel page does not correspond to the entry in the soft whitelist and the page fault is an instruction page fault.
(Dependent claims 13 to 20 are not reproduced on this page.)