Trusted threat-aware microvisor
First Claim
1. A system comprising:
- a central processing unit (CPU) adapted to execute a module, a virtual machine monitor (VMM), and a trusted microvisor; and
a memory configured to store the trusted microvisor as a trusted computing base (TCB), the trusted microvisor configured to enforce a first security property that prevents alteration of a first state related to the first security property of the trusted microvisor by the module, wherein trustedness of the trusted microvisor provides a predetermined level of confidence that the first security property is implemented by the trusted microvisor, and wherein the trusted microvisor is configured to generate a capability violation in response to the module issuing a first instruction having an argument configured to alter the first state related to the first security property of the trusted microvisor such that the first instruction is prevented from execution by the trusted microvisor, the memory further storing the VMM that, in response to determining that the first instruction is suspicious, is configured to spawn a micro virtual machine (micro-VM) that executes the first instruction, the micro-VM configured to i) monitor a second instruction that attempts to alter a second state related to the first security property of the trusted microvisor and ii) support a determination of whether the module is malicious.
5 Assignments
0 Petitions
Accused Products
Abstract
A trusted threat-aware microvisor may be deployed as a module of a trusted computing base (TCB) that also includes a root task module configured to cooperate with the microvisor to load and initialize one or more other modules executing on a node of a network environment. The root task may cooperate with the microvisor to allocate one or more kernel resources of the node to those other modules. As a trusted module of the TCB, the microvisor may be configured to enforce a security policy of the TCB that, e.g., prevents alteration of a state related to security of the microvisor by a module of or external to the TCB. The security policy of the TCB may be implemented by a plurality of security properties of the microvisor. Trusted (or trustedness) may therefore denote a predetermined level of confidence that the security property is demonstrated by the microvisor.
163 Citations
30 Claims
-
1. A system comprising:
-
a central processing unit (CPU) adapted to execute a module, a virtual machine monitor (VMM), and a trusted microvisor; and a memory configured to store the trusted microvisor as a trusted computing base (TCB), the trusted microvisor configured to enforce a first security property that prevents alteration of a first state related to the first security property of the trusted microvisor by the module, wherein trustedness of the trusted microvisor provides a predetermined level of confidence that the first security property is implemented by the trusted microvisor, and wherein the trusted microvisor is configured to generate a capability violation in response to the module issuing a first instruction having an argument configured to alter the first state related to the first security property of the trusted microvisor such that the first instruction is prevented from execution by the trusted microvisor, the memory further storing the VMM that, in response to determining that the first instruction is suspicious, is configured to spawn a micro virtual machine (micro-VM) that executes the first instruction, the micro-VM configured to i) monitor a second instruction that attempts to alter a second state related to the first security property of the trusted microvisor and ii) support a determination of whether the module is malicious. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
-
-
10. A method comprising:
-
enforcing, by a trusted microvisor executing on an endpoint of a network, a first security property that prevents alteration of a first state related to the first security property of the trusted microvisor by a module, wherein trustedness of the trusted microvisor provides a predetermined level of confidence that the first security property is implemented by the trusted microvisor; generating, by the trusted microvisor, a capability violation in response to the module issuing a first instruction having an argument configured to alter the first state related to the first security property of the trusted microvisor; preventing, by the trusted microvisor, execution of the first instruction; and in response to determining that the first instruction is suspicious, spawning, by a virtual machine monitor (VMM) executing on the endpoint, a micro-virtual machine (micro-VM) that executes the first instruction, the micro-VM configured to i) monitor a second instruction that attempts to alter a second state related to the first security property of the trusted microvisor and ii) support determination of whether the module is malicious. - View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
-
-
18. A non-transitory computer readable medium including program instructions for execution on a processor of an endpoint on a network, the program instructions configured to:
-
enforce a first security property that prevents alteration of a first state related to the first security property of a trusted microvisor of the endpoint by a module of the endpoint, wherein trustedness of the trusted microvisor provides a predetermined level of confidence that the first security property is implemented by the trusted microvisor; generate a capability violation in response to the module issuing a first instruction having an argument configured to alter the first state related to the first security property of the trusted microvisor; prevent execution of the first instruction; and in response to determining that the first instruction is suspicious, spawn a micro-virtual machine (micro-VM) that executes the first instruction, the micro-VM configured to i) monitor a second instruction that attempts to alter a second state related to the first security property of the trusted microvisor and ii) support determining whether the module is malicious.
-
-
19. A system comprising:
-
a central processing unit (CPU) adapted to execute a trusted virtualization layer and a virtual machine monitor (VMM), the trusted virtualization layer disposed directly on hardware of the system to operate at a highest privilege level of the CPU; and a memory configured to store the trusted virtualization layer as a trusted computing base (TCB), the trusted virtualization layer configured to enforce a first security property that prevents alteration of a first state related to the first security property of the trusted virtualization layer by a module external to the TCB, wherein trustedness of the trusted virtualization layer provides a predetermined level of confidence that the first security property is implemented by the trusted virtualization layer, and wherein the trusted virtualization layer is configured to generate a capability violation in response to the module issuing a first instruction configured to alter the first state related to the first security property of the trusted virtualization layer such that the first instruction is prevented from execution by the trusted virtualization layer, the memory further configured to store the VMM that, in response to determining that the first instruction is suspicious, is configured to spawn a virtual machine (VM) that executes the first instruction, the VM configured to i) monitor a second instruction that attempts to alter a second state related to the first security property of the trusted virtualization layer and ii) support a determination of whether the module is malicious. - View Dependent Claims (20, 21, 22, 23, 24, 25)
-
-
26. A method comprising:
-
enforcing, by a virtualization layer disposed directly on hardware of an endpoint of a network, a first security property that prevents alteration of a first state related to the first security property of the virtualization layer by a module, wherein the first security property is implemented by the virtualization layer to a predetermined level of confidence; generating, by the virtualization layer, a capability violation in response to the module issuing a first instruction configured to alter the first state related to the first security property of the virtualization layer; preventing, by the virtualization layer, execution of the first instruction; and in response to determining that the first instruction is suspicious, spawning, by a virtual machine monitor (VMM) of the endpoint, a virtual machine (VM) that executes the first instruction, the VM configured to i) monitor a second instruction that attempts to alter a second state related to the first security property of the virtualization layer and ii) support a determination of whether the module is malicious. - View Dependent Claims (27, 28, 29)
-
-
30. A non-transitory computer readable medium including program instructions for execution on a processor of an endpoint on a network, the program instructions configured to:
-
enforce a first security property that prevents alteration of a first state related to the first security property of a trusted virtualization layer of the endpoint by a module of the endpoint, wherein trustedness of the trusted virtualization layer provides a predetermined level of confidence that the first security property is implemented by the trusted virtualization layer; generate a capability violation in response to the module issuing a first instruction configured to alter the first state related to the first security property of the trusted virtualization layer; prevent execution of the first instruction; and in response to determining that the first instruction is suspicious, spawn a virtual machine (VM) that executes the first instruction, the VM configured to i) monitor a second instruction that attempts to alter a second state related to the first security property of the trusted virtualization layer and ii) support determining whether the module is malicious.
-
Specification