Systems and methods involving features of hardware virtualization such as separation kernel hypervisors, hypervisors, hypervisor guest context, hypervisor context, rootkit detection/prevention, and/or other features

US 9,607,151 B2
Filed: 12/26/2014
Issued: 03/28/2017
Est. Priority Date: 06/26/2012
Status: Active Grant

First Claim

Patent Images

1. A method of processing information involving a separation kernel hypervisor, the method comprising:

partitioning hardware platform resources via a separation kernel hypervisor into a plurality of guest operating system virtual machine protection domains;

isolating the domains in time and space from each other;

hosting the plurality of quest operating system virtual machine protection domains by the separation kernel hypervisor;

providing a dedicated virtualization assistance layer (VAL) including a virtual representation of the hardware platform in each of the quest operating system virtual machine protection domains such that the dedicated VAL security processing is not performed in the separation kernel hypervisor;

hosting at least one malicious code defense mechanism that executes within the virtual hardware platform in each of the plurality of quest operating system virtual machine protection domains via the separation kernel hypervisor;

triggering entry into the separation kernel hypervisor upon execution of code involving an I/O port access attempt in a suspect guest operating system;

transitioning execution of the access attempt from the separation kernel hypervisor to the virtualization assistance layer in a manner isolated from the suspect guest operating system;

transitioning execution of the access attempt from the virtualization assistance layer to a malicious code defense mechanism;

analyzing by the malicious code defense mechanism behavior of the suspect guest operating system and determining a policy decision;

passing the policy decision and transitioning execution of the access attempt from the malicious code defense mechanism to the virtualization assistance layer; and

passing the policy decision and transitioning execution of the access attempt from the virtualization assistance layer to the separation kernel hypervisor, wherein the separation kernel hypervisor performs enforcement or executes an action based on the policy decision.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods, computer readable media and articles of manufacture consistent with innovations herein are directed to computer virtualization, computer security and/or data isolation. According to some illustrative implementations, innovations herein may utilize and/or involve a separation kernel hypervisor which may include the use of a guest operating system virtual machine protection domain, a virtualization assistance layer, and/or a rootkit defense mechanism (which may be proximate in temporal and/or spatial locality to malicious code, but isolated from it), inter alia, for detection and/or prevention of malicious code, for example, in a manner/context that is isolated and not able to be corrupted, detected, prevented, bypassed, and/or otherwise affected by the malicious code.

Citations

27 Claims

1. A method of processing information involving a separation kernel hypervisor, the method comprising:
- partitioning hardware platform resources via a separation kernel hypervisor into a plurality of guest operating system virtual machine protection domains;
  
  isolating the domains in time and space from each other;
  
  hosting the plurality of quest operating system virtual machine protection domains by the separation kernel hypervisor;
  
  providing a dedicated virtualization assistance layer (VAL) including a virtual representation of the hardware platform in each of the quest operating system virtual machine protection domains such that the dedicated VAL security processing is not performed in the separation kernel hypervisor;
  
  hosting at least one malicious code defense mechanism that executes within the virtual hardware platform in each of the plurality of quest operating system virtual machine protection domains via the separation kernel hypervisor;
  
  triggering entry into the separation kernel hypervisor upon execution of code involving an I/O port access attempt in a suspect guest operating system;
  
  transitioning execution of the access attempt from the separation kernel hypervisor to the virtualization assistance layer in a manner isolated from the suspect guest operating system;
  
  transitioning execution of the access attempt from the virtualization assistance layer to a malicious code defense mechanism;
  
  analyzing by the malicious code defense mechanism behavior of the suspect guest operating system and determining a policy decision;
  
  passing the policy decision and transitioning execution of the access attempt from the malicious code defense mechanism to the virtualization assistance layer; and
  
  passing the policy decision and transitioning execution of the access attempt from the virtualization assistance layer to the separation kernel hypervisor, wherein the separation kernel hypervisor performs enforcement or executes an action based on the policy decision.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, further comprising:
    - implementing at least one routine or component to prohibit the guest operating system virtual machine protection domains from tampering with, corrupting, or bypassing the malicious code defense mechanism.
  - 3. The method of claim 1, wherein the plurality of guest operating system virtual machine protection domains includes corresponding guest operating systems;
    - andfurther comprising isolating loss of security in one of the guest operating system virtual machine protection domains to the one domain having the loss of security, such that security is not broken in all the domains.
  - 4. The method of claim 1, further comprising:
    - detecting in each of the domains their own suspect code as a function of the isolated domains.
  - 5. The method of claim 1, further comprising:
    - executing one or more malicious code defense mechanisms while preventing interference, corruption, tampering with, or bypassing involving the plurality of guest operating system virtual machine protection domains.
  - 6. The method of claim 1 further comprising:
    - executing the guest operating system virtual machine protection domains to provide an isolated and secure software execution environment, wherein each of the guest operating system virtual machine protection domains include a guest operating system, virtualization assistance layer and a malicious code defense mechanism.
  - 7. The method of claim 1, further comprising:
    - trapping access to an I/O port assigned to the guest operating system;
      
      passing data associated with the trapped access to the virtualization assistance layer and the malicious code defense mechanism.
  - 8. The method of claim 1, further comprising:
    - monitoring patterns of guest operating system I/O port access by at least one of the virtualization assistance layer, malicious code defense mechanism, and separation kernel hypervisor based on a feedback mechanism.
  - 9. The method of claim 1, further comprising:
    - monitoring guest operating system instructions involving access of an I/O port.
  - 10. The method of claim 1, further comprising:
    - trapping access to instructions involving access of an I/O port to the guest operating system;
      
      passing data associated with the trapped access to the virtualization assistance layer or the malicious code defense mechanism.
  - 11. The method of claim 1 further comprising:
    - executing the malicious code defense mechanism while preventing interference, bypassing, corrupting, tampering by the plurality of guest operating system virtual machine protection domains.
  - 12. The method of claim 1, further comprising:
    - providing the guest operating system, the virtualization assistance layer and the malicious code defense mechanism in the guest operating system virtual machine protection domains rather than in the separation kernel hypervisor.
  - 13. The method of claim 1, further comprising:
    - moving virtualization processing to subcomponents within each guest operating system wherein substantially all analysis and security testing is performed within each guest operating system such that the separation kernel hypervisor is of reduced size or complexity.
  - 14. The method of claim 1, further comprising:
    - viewing the virtualization component within each domain as separate hardware by a guest such that bypass is prevented.

15. A method of processing information involving a separation kernel hypervisor, the method comprising:
- partitioning hardware platform resources to isolate in time and space a plurality of guest operating system virtual machine protection domains;
  
  executing the guest operating system virtual machine protection domains to provide an isolated and secure software execution environment, wherein each of the guest operating system virtual machine protection domains include a guest operating system, virtualization assistance layer and a malicious code defense mechanism;
  
  hosting the plurality of guest operating system virtual machine protection domains by the separation kernel hypervisor;
  
  hosting, via the separation kernel hypervisor, one or more malicious code defense mechanisms that each execute within a corresponding and respective protection domain of the plurality of guest operating system virtual machine protection domains;
  
  triggering entry into the separation kernel hypervisor upon execution of code involving an I/O port access attempt in a suspect guest operating system;
  
  transitioning execution of the access attempt from the separation kernel hypervisor to the virtualization assistance layer in a manner isolated from the suspect guest operating system;
  
  transitioning execution of the access attempt from the virtualization assistance layer to a malicious code defense mechanism;
  
  analyzing by the malicious code defense mechanism behavior of the suspect guest operating system and determining a policy decision;
  
  passing the policy decision and transitioning execution of the access attempt from the malicious code defense mechanism to the virtualization assistance layer; and
  
  passing the policy decision and transitioning execution of the access attempt from the virtualization assistance layer to the separation kernel hypervisor, wherein the separation kernel hypervisor performs enforcement or executes an action based on the policy decision.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 16. The method of claim 15 further comprising:
    - implementing at least one routine or component to prohibit the guest operating system virtual machine protection domains from tampering with, corrupting, or bypassing the malicious code defense mechanism.
  - 17. The method of claim 15, further comprising isolating loss of security in one of the guest operating system virtual machine protection domains to the one domain having the loss of security, such that security is not broken in all the domains.
  - 18. The method of claim 17, further comprising:
    - providing a dedicated virtualization assistance layer (VAL) in each guest operating system such that the dedicated VAL security processing is not performed in the separation kernel hypervisor.
  - 19. The method of claim 15, further comprising:
    - providing the guest operating system, the virtualization assistance layer and the malicious code defense mechanism in the guest operating system virtual machine protection domains rather than in the separation kernel hypervisor.
  - 20. The method of claim 15, further comprising:
    - moving virtualization processing to subcomponents within each guest operating system wherein substantially all analysis and security testing is performed within each guest operating system such that the separation kernel hypervisor is of reduced size or complexity.
  - 21. The method of claim 15, further comprising:
    - detecting in each of the domains their own suspect code as a function of the isolated domains.
  - 22. The method of claim 15, further comprising:
    - viewing the virtualization component within each domain as separate hardware by a guest such that bypass is prevented.
  - 23. The method of claim 15, further comprising:
    - executing one or more malicious code defense mechanisms while preventing interference, corruption, tampering, bypassing by the plurality of guest operating system virtual machine protection domains.
  - 24. The method of claim 15, further comprising:
    - trapping access to an I/O port assigned to the guest operating system;
      
      passing data associated with the trapped access to the virtualization assistance layer and the malicious code defense mechanism.
  - 25. The method of claim 15, further comprising:
    - monitoring patterns of guest operating system I/O port access by at least one of the virtualization assistance layer, malicious code defense mechanism, and separation kernel hypervisor based on a feedback mechanism.
  - 26. The method of claim 15, further comprising:
    - monitoring guest operating system instructions involving access of an I/O port.
  - 27. The method of claim 15, further comprising:
    - trapping access to instructions involving access of an I/O port to the guest operating system;
      
      passing data associated with the trapped access to the virtualization assistance layer or the malicious code defense mechanism.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lynx Software Technologies Inc.
Original Assignee
Lynx Software Technologies Inc.
Inventors
Mooring, Edward T., Yankovsky, Phillip
Primary Examiner(s)
Kim, Jung
Assistant Examiner(s)
DE JESUS LASSALA, CARLOS MANUEL

Application Number

US14/583,585
Publication Number

US 20150213264A1
Time in Patent Office

823 Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 13/28   using burst mode transfer, ...

G06F 13/4221   being an input/output bus, ...

G06F 2009/45587   Isolation or security of vi...

G06F 21/50   Monitoring users, programs ...

G06F 21/53   by executing in a restricte...

G06F 21/54   by adding security routines...

G06F 21/556   involving covert channels, ...

G06F 21/56   Computer malware detection ...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/572   Secure firmware programming...

G06F 21/575   Secure boot

G06F 21/60   Protecting data

G06F 21/629   to features or functions of...

G06F 2221/033   Test or assess software

G06F 2221/034   Test or assess a computer o...

G06F 2221/2125   Just-in-time application of...

G06F 9/45533   Hypervisors; Virtual machin...

G06F 9/45545   Guest-host, i.e. hypervisor...

G06F 9/45558   Hypervisor-specific managem...

Systems and methods involving features of hardware virtualization such as separation kernel hypervisors, hypervisors, hypervisor guest context, hypervisor context, rootkit detection/prevention, and/or other features

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods involving features of hardware virtualization such as separation kernel hypervisors, hypervisors, hypervisor guest context, hypervisor context, rootkit detection/prevention, and/or other features

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links