System and method for enforcing security policies in a virtual environment
Abstract
A method in one example implementation includes intercepting a request associated with an execution of an object (e.g., a kernel module or a binary) in a computer configured to operate in a virtual machine environment. The request is associated with a privileged domain of the computer that operates logically below one or more operating systems. The method also includes verifying an authorization of the object by computing a checksum for the object and comparing the checksum to a plurality of stored checksums in a memory element. The execution of the object is denied if it is not authorized. In other embodiments, the method can include evaluating a plurality of entries within the memory element of the computer, wherein the entries include authorized binaries and kernel modules. In other embodiments, the method can include intercepting an attempt from a remote computer to execute code from a previously authorized binary.
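The checksum verification described in the abstract can be sketched in user space. This is an added example, not code from the patent: the names `AuthorizedObjects`, `checksum` and `demo` are hypothetical, SHA-256 is an assumed choice (the abstract says only "checksum"), and a function call stands in for the kernel-level interception.

```python
import hashlib
import os
import tempfile

def checksum(path):
    # SHA-256 is an assumption; the abstract only says "checksum".
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

class AuthorizedObjects:
    """Hypothetical store of checksums for authorized binaries and kernel modules."""
    def __init__(self):
        self._checksums = set()

    def authorize(self, path):
        self._checksums.add(checksum(path))

    def verify(self, path):
        """Decide an execution request: 'allow' only if the checksum is stored."""
        try:
            digest = checksum(path)
        except OSError:
            return "deny"  # unreadable or missing object: fail closed
        return "allow" if digest in self._checksums else "deny"

def demo():
    """Run the check over constructed sample objects and return each decision."""
    with tempfile.TemporaryDirectory() as d:
        def write(name, data):
            path = os.path.join(d, name)
            with open(path, "wb") as f:
                f.write(data)
            return path

        store = AuthorizedObjects()
        binary = write("tool.bin", b"\x7fELF constructed binary")
        module = write("driver.ko", b"\x7fELF constructed module")
        store.authorize(binary)
        store.authorize(module)
        results = {"binary": store.verify(binary), "module": store.verify(module)}
        results["unlisted"] = store.verify(write("unlisted.bin", b"never authorized"))
        write("tool.bin", b"\x7fELF constructed binary + patch")  # changed after authorization
        results["tampered"] = store.verify(binary)
        results["missing"] = store.verify(os.path.join(d, "gone.bin"))
    return results
```

Because the decision keys on content rather than path, an authorized file that is modified in place is denied until it is authorized again.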
20 Claims
1. A method, comprising:
- inserting a security layer in a privileged domain of a computer configured to perform virtualization, wherein:
  - the security layer is in a kernel of a privileged domain of a computer configured to operate in a virtual machine environment; and
  - the privileged domain of the computer manages a virtual machine monitor (VMM) that operates at a higher priority than one or more operating systems;
- storing an indication of authorized objects, the authorized objects in a user space of the privileged domain;
- intercepting, by the security layer, a request for an execution of an object in the computer from the user space of the privileged domain;
- verifying the request for execution of the object by evaluating the indication of authorized objects; and
- allowing or denying the execution of the object based upon the verification of the request.
Dependent claims: 2, 3, 4, 5, 6, 7
8. A logic encoded in one or more tangible non-transitory media that includes code for execution and when executed by a processor is operable to:
- insert a security layer in a privileged domain of a computer, wherein:
  - the security layer is in a kernel of a privileged domain of a computer configured to operate in a virtual machine environment; and
  - the privileged domain is configured to manage a virtual machine monitor (VMM) that operates at a higher priority than one or more operating systems;
- store an indication of authorized objects in a user space of the privileged domain;
- intercept, by the security layer, a request for an execution of an object in the computer from the user space of the privileged domain;
- verify the request for execution of the object by evaluating the indication of authorized objects; and
- allow or deny the execution of the object based upon the verification of the request.
Dependent claims: 9, 10, 11, 12, 13, 14
15. An apparatus, comprising:
- a virtual machine element comprising instructions in a memory; and
- a processor operable to execute the instructions in the memory to operate the virtual machine element;
- wherein the virtual machine element is configured to:
  - insert a security layer in a privileged domain of the apparatus, wherein:
    - the security layer is in a kernel of a privileged domain of a computer configured to operate in a virtual machine environment; and
    - the privileged domain of the apparatus manages a virtual machine monitor (VMM) that operates at a higher priority than one or more operating systems; and
  - store an indication of authorized objects in a user space of the privileged domain;
- wherein the security layer is configured to intercept a request for an execution of an object in the computer from the user space of the privileged domain; and
- wherein the virtual machine element is further configured to:
  - verify the request for execution of the object by evaluating the indication of authorized objects;
  - allow or deny the execution of the object based upon the verification of the request.
Dependent claims: 16, 17, 18, 19, 20
Specification