Trusted threat-aware microvisor

US 9,680,862 B2
Filed: 01/21/2015
Issued: 06/13/2017
Est. Priority Date: 07/01/2014
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a central processing unit (CPU) adapted to execute a module, a virtual machine monitor (VMM), and a trusted microvisor; and

a memory configured to store the trusted microvisor as a trusted computing base (TCB), the trusted microvisor configured to enforce a first security property that prevents alteration of a first state related to the first security property of the trusted microvisor by the module, wherein trustedness of the trusted microvisor provides a predetermined level of confidence that the first security property is implemented by the trusted microvisor, and wherein the trusted microvisor is configured to generate a capability violation in response to the module issuing a first instruction having an argument configured to alter the first state related to the first security property of the trusted microvisor such that the first instruction is prevented from execution by the trusted microvisor, the memory further storing the VMM that, in response to determining that the first instruction is suspicious, is configured to spawn a micro virtual machine (micro-VM) that executes the first instruction, the micro-VM configured to i) monitor a second instruction that attempts to alter a second state related to the first security property of the trusted microvisor and ii) support a determination of whether the module is malicious.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A trusted threat-aware microvisor may be deployed as a module of a trusted computing base (TCB) that also includes a root task module configured to cooperate with the microvisor to load and initialize one or more other modules executing on a node of a network environment. The root task may cooperate with the microvisor to allocate one or more kernel resources of the node to those other modules. As a trusted module of the TCB, the microvisor may be configured to enforce a security policy of the TCB that, e.g., prevents alteration of a state related to security of the microvisor by a module of or external to the TCB. The security policy of the TCB may be implemented by a plurality of security properties of the microvisor. Trusted (or trustedness) may therefore denote a predetermined level of confidence that the security property is demonstrated by the microvisor.

163 Citations

30 Claims

1. A system comprising:
- a central processing unit (CPU) adapted to execute a module, a virtual machine monitor (VMM), and a trusted microvisor; and
  
  a memory configured to store the trusted microvisor as a trusted computing base (TCB), the trusted microvisor configured to enforce a first security property that prevents alteration of a first state related to the first security property of the trusted microvisor by the module, wherein trustedness of the trusted microvisor provides a predetermined level of confidence that the first security property is implemented by the trusted microvisor, and wherein the trusted microvisor is configured to generate a capability violation in response to the module issuing a first instruction having an argument configured to alter the first state related to the first security property of the trusted microvisor such that the first instruction is prevented from execution by the trusted microvisor, the memory further storing the VMM that, in response to determining that the first instruction is suspicious, is configured to spawn a micro virtual machine (micro-VM) that executes the first instruction, the micro-VM configured to i) monitor a second instruction that attempts to alter a second state related to the first security property of the trusted microvisor and ii) support a determination of whether the module is malicious.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system of claim 1 wherein the trusted microvisor is configured to enforce the second security property different from the first security property, and wherein trustedness of the trusted microvisor provides the predetermined level of confidence that the second security property is implemented by the trusted microvisor.
  - 3. The system of claim 2 wherein the CPU is further adapted to execute the VMM to, in response to the determination that the module is malicious, send an alert.
  - 4. The system of claim 1 wherein the module is external to the TCB.
  - 5. The system of claim 1 wherein the CPU is further adapted to execute a root task stored in the memory, wherein the root task is configured to cooperate with the trusted microvisor to load and initialize the module, wherein the module is external to the TCB, and wherein the trusted microvisor is a first software entity loaded during a boot process.
  - 6. The system of claim 1 wherein the CPU is further adapted to execute a root task stored in the memory, wherein the module is external to the TCB, wherein the root task is configured to cooperate with the microvisor to shift a privilege level of the module such that the module executes under control of the trusted microvisor, wherein during a chain of loading the module is loaded prior to the trusted microvisor, and wherein the trusted microvisor is authenticated prior to launch.
  - 7. The system of claim 1 wherein the trusted microvisor is configured to implement the first security property such that no module external to the TCB modifies a state related to security of the trusted microvisor without authorization.
  - 8. The system of claim 2 wherein the trusted microvisor is configured to implement the second security property such that no module of the TCB modifies a state related to security of the trusted microvisor without authorization.
  - 9. The system of claim 1 wherein the first security property enforces a security policy, and wherein the security policy provides that components of the TCB are immutable.

10. A method comprising:
- enforcing, by a trusted microvisor executing on an endpoint of a network, a first security property that prevents alteration of a first state related to the first security property of the trusted microvisor by a module, wherein trustedness of the trusted microvisor provides a predetermined level of confidence that the first security property is implemented by the trusted microvisor;
  
  generating, by the trusted microvisor, a capability violation in response to the module issuing a first instruction having an argument configured to alter the first state related to the first security property of the trusted microvisor;
  
  preventing, by the trusted microvisor, execution of the first instruction; and
  
  in response to determining that the first instruction is suspicious, spawning, by a virtual machine monitor (VMM) executing on the endpoint, a micro-virtual machine (micro-VM) that executes the first instruction, the micro-VM configured to i) monitor a second instruction that attempts to alter a second state related to the first security property of the trusted microvisor and ii) support determination of whether the module is malicious.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The method of claim 10 wherein the trusted microvisor is configured to enforce the second security property different from the first security property, and wherein trustedness of the trusted microvisor provides the predetermined level of confidence that the second security property is implemented by the trusted microvisor.
  - 12. The method of claim 11 further comprising:
    - in response to the determination that the module is malicious, sending, by the VMM, an alert.
  - 13. The method of claim 10 wherein the module is external to the TCB.
  - 14. The method of claim 10 further comprising:
    - loading and initializing, by a root task executing on the endpoint, the module, wherein the module is external to the TCB, and wherein the trusted microvisor is a first software entity loaded during a boot process.
  - 15. The method of claim 10 further comprising:
    - loading and initializing, by a root task executing on the endpoint, the module, wherein the module is external to the TCB, wherein during a chain of loading the module is loaded prior to the trusted microvisor, wherein the trusted microvisor is authenticated prior to launch; and
      
      shifting a privilege level of the module such that the module executes under control of the trusted microvisor.
  - 16. The method of claim 10 wherein the trusted microvisor is configured to implement the first security property such that no module external to the TCB modifies a state related to security of the trusted microvisor without authorization.
  - 17. The method of claim 10 wherein the trusted microvisor is configured to implement the second security property such that no module of the TCB modifies a state related to security of the trusted microvisor without authorization.

18. A non-transitory computer readable medium including program instructions for execution on a processor of an endpoint on a network, the program instructions configured to:
- enforce a first security property that prevents alteration of a first state related to the first security property of a trusted microvisor of the endpoint by a module of the endpoint, wherein trustedness of the trusted microvisor provides a predetermined level of confidence that the first security property is implemented by the trusted microvisor;
  
  generate a capability violation in response to the module issuing a first instruction having an argument configured to alter the first state related to the first security property of the trusted microvisor;
  
  prevent execution of the first instruction; and
  
  in response to determining that the first instruction is suspicious, spawn a micro-virtual machine (micro-VM) that executes the first instruction, the micro-VM configured to i) monitor a second instruction that attempts to alter a second state related to the first security property of the trusted microvisor and ii) support determining whether the module is malicious.

19. A system comprising:
- a central processing unit (CPU) adapted to execute a trusted virtualization layer and a virtual machine monitor (VMM), the trusted virtualization layer disposed directly on hardware of the system to operate at a highest privilege level of the CPU; and
  
  a memory configured to store the trusted virtualization layer as a trusted computing base (TCB), the trusted virtualization layer configured to enforce a first security property that prevents alteration of a first state related to the first security property of the trusted virtualization layer by a module external to the TCB, wherein trustedness of the trusted virtualization layer provides a predetermined level of confidence that the first security property is implemented by the trusted virtualization layer, and wherein the trusted virtualization layer is configured to generate a capability violation in response to the module issuing a first instruction configured to alter the first state related to the first security property of the trusted virtualization layer such that the first instruction is prevented from execution by the trusted virtualization layer, the memory further configured to store the VMM that, in response to determining that the first instruction is suspicious, is configured to spawn a virtual machine (VM) that executes the first instruction, the VM configured to i) monitor a second instruction that attempts to alter a second state related to the first security property of the trusted virtualization layer and ii) support a determination of whether the module is malicious.
- View Dependent Claims (20, 21, 22, 23, 24, 25)
- - 20. The system of claim 19 wherein the VM serves as a container that is restricted to an operating system process exclusive of an operating system.
  - 21. The system of claim 20 wherein the VM is configured to restrict access to a kernel resource by the operating system process.
  - 22. The system of claim 21 wherein the kernel resource comprises a memory region having associated access permissions defined by capabilities bound to the VM.
  - 23. The system of claim 22 wherein the VM is configured to one of enlarge and shrink the memory region to enable access to memory pages with the memory region.
  - 24. The system of claim 19 wherein the VM comprises a container associated with an allocation of a portion of the memory for execution of an operating system process.
  - 25. The system of claim 19 wherein the trusted virtualization layer is further configured to virtualize hardware resources of the system.

26. A method comprising:
- enforcing, by a virtualization layer disposed directly on hardware of an endpoint of a network, a first security property that prevents alteration of a first state related to the first security property of the virtualization layer by a module, wherein the first security property is implemented by the virtualization layer to a predetermined level of confidence;
  
  generating, by the virtualization layer, a capability violation in response to the module issuing a first instruction configured to alter the first state related to the first security property of the virtualization layer;
  
  preventing, by the virtualization layer, execution of the first instruction; and
  
  in response to determining that the first instruction is suspicious, spawning, by a virtual machine monitor (VMM) of the endpoint, a virtual machine (VM) that executes the first instruction, the VM configured to i) monitor a second instruction that attempts to alter a second state related to the first security property of the virtualization layer and ii) support a determination of whether the module is malicious.
- View Dependent Claims (27, 28, 29)
- - 27. The method of claim 26 wherein the VM serves as a container that is restricted to an operating system process exclusive of an operating system.
  - 28. The method of claim 26 wherein the VM is a container configured to restrict access to kernel resources by an operating system process.
  - 29. The method of claim 26 further comprising virtualizing, by the virtualization layer, hardware resources of the system.

30. A non-transitory computer readable medium including program instructions for execution on a processor of an endpoint on a network, the program instructions configured to:
- enforce a first security property that prevents alteration of a first state related to the first security property of a trusted virtualization layer of the endpoint by a module of the endpoint, wherein trustedness of the trusted virtualization layer provides a predetermined level of confidence that the first security property is implemented by the trusted virtualization layer;
  
  generate a capability violation in response to the module issuing a first instruction configured to alter the first state related to the first security property of the trusted virtualization layer;
  
  prevent execution of the first instruction; and
  
  in response to determining that the first instruction is suspicious, spawn a virtual machine (VM) that executes the first instruction, the VM configured to i) monitor a second instruction that attempts to alter a second state related to the first security property of the trusted virtualization layer and ii) support determining whether the module is malicious.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Ismael, Osman Abdoul, Aziz, Ashar
Primary Examiner(s)
Armouche, Hadi
Assistant Examiner(s)
Zarrineh, Shahriar

Application Number

US14/602,023
Publication Number

US 20160006756A1
Time in Patent Office

874 Days
Field of Search

726 22
US Class Current
CPC Class Codes

G06F 21/50   Monitoring users, programs ...

G06F 21/57   Certifying or maintaining t...

G06F 21/577   Assessing vulnerabilities a...

G06F 21/60   Protecting data

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

H04L 63/1441   Countermeasures against mal...

Trusted threat-aware microvisor

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

163 Citations

30 Claims

Specification

Use Cases

Quick Links

Others

Trusted threat-aware microvisor

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

163 Citations

30 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others