Micro-virtualization architecture for threat-aware module deployment in a node of a network environment
First Claim
1. A system comprising:

a central processing unit (CPU) adapted to execute a process, a single instance of an operating system kernel, a virtual machine monitor (VMM) and a virtualization module; a memory configured to store the process, the operating system kernel, the VMM and the virtualization module, the virtualization module disposed beneath the operating system kernel and configured to communicate with the VMM, the virtualization module further configured to execute at a highest privilege level of the CPU to control access permissions to a plurality of kernel resources accessible by the process, and the VMM configured as a pass-through module executing at a highest privilege level of the virtualization module to expose the kernel resources to the operating system kernel, the operating system kernel configured to execute at a privilege level lower than the highest privilege level of the virtualization module, the VMM configured to instantiate a virtual machine containing the operating system kernel, the VMM further configured to instantiate a micro-virtual machine restricted to containing the process, wherein access to the kernel resources is controlled by the VMM among the virtual machine and the micro-virtual machine.
5 Assignments
0 Petitions
Abstract
A micro-virtualization architecture deploys a threat-aware microvisor as a module of a virtualization system configured to facilitate real-time security analysis, including exploit detection and threat intelligence, of operating system processes executing in a memory of a node in a network environment. The micro-virtualization architecture organizes the memory as a user space and kernel space, wherein the microvisor executes in the kernel space of the architecture, while the operating system processes, an operating system kernel, a virtual machine monitor (VMM) and its spawned virtual machines (VMs) execute in the user space. Notably, the microvisor executes at the highest privilege level of a central processing unit of the node to virtualize access to kernel resources. The operating system kernel executes under control of the microvisor at a privilege level lower than a highest privilege level of the microvisor. The VMM and its spawned VMs execute at the highest privilege level of the microvisor.
190 Citations
22 Claims
1. A system comprising:

a central processing unit (CPU) adapted to execute a process, a single instance of an operating system kernel, a virtual machine monitor (VMM) and a virtualization module; a memory configured to store the process, the operating system kernel, the VMM and the virtualization module, the virtualization module disposed beneath the operating system kernel and configured to communicate with the VMM, the virtualization module further configured to execute at a highest privilege level of the CPU to control access permissions to a plurality of kernel resources accessible by the process, and the VMM configured as a pass-through module executing at a highest privilege level of the virtualization module to expose the kernel resources to the operating system kernel, the operating system kernel configured to execute at a privilege level lower than the highest privilege level of the virtualization module, the VMM configured to instantiate a virtual machine containing the operating system kernel, the VMM further configured to instantiate a micro-virtual machine restricted to containing the process, wherein access to the kernel resources is controlled by the VMM among the virtual machine and the micro-virtual machine.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12
13. A method comprising:

storing a process, a single instance of an operating system kernel, a virtual machine monitor (VMM) and a virtualization module in a memory coupled to a central processing unit (CPU) of a node in a computer network; executing the virtualization module at a highest privilege level of the CPU to control access permissions to a plurality of kernel resources accessible by the process; executing the VMM as a pass-through module at a highest privilege level of the virtualization module to expose the kernel resources to the operating system kernel; executing the operating system kernel at a privilege level lower than the highest privilege level of the virtualization module; instantiating a virtual machine containing the operating system kernel; instantiating a micro-virtual machine restricted to containing the process; and controlling access to the kernel resources among the virtual machine and the micro-virtual machine.

Dependent claims: 14, 15, 16, 17, 18, 19
20. A system comprising:

a central processing unit (CPU) adapted to execute a plurality of user mode processes, a single instance of an operating system kernel, a type 0 virtual machine monitor (VMM 0) and a virtualization module; a memory configured to store the user mode processes, the operating system kernel, the VMM 0 and the virtualization module; the virtualization module disposed beneath the operating system kernel and configured to communicate with the VMM 0 over a privileged interface, the virtualization module further configured to execute at a highest privilege level of the CPU to control access permissions to a plurality of kernel resources accessible by the user mode processes; the VMM 0 including instrumentation logic configured to analyze a system call issued by a first process to invoke services of the operating system kernel that include accesses to the kernel resources, the VMM 0 configured as a pass-through module executing at a highest privilege level of the virtualization module to expose the kernel resources to the operating system kernel, the VMM 0 configured to instantiate a virtual machine containing the operating system kernel, the VMM 0 further configured to instantiate a plurality of micro-virtual machines, each micro-virtual machine restricted to containing one of the processes, wherein access to the kernel resources is controlled by the VMM 0 among the virtual machine and the micro-virtual machines; and the operating system kernel including an operating system specific VMM 0 extension adapted to communicate with the VMM 0, the operating system kernel configured to execute at a privilege level lower than the highest privilege level of the virtualization module.

Dependent claims: 21
22. A non-transitory computer readable media containing instructions for execution on a processor for a method comprising:

storing a plurality of processes, a single instance of an operating system kernel, a virtual machine monitor (VMM) and a virtualization module in a memory coupled to a central processing unit (CPU) of a node in a computer network; executing the virtualization module at a highest privilege level of the CPU to control access permissions to a plurality of kernel resources accessible by the processes; executing the VMM as a pass-through module at a highest privilege level of the virtualization module to expose the kernel resources to the operating system kernel; executing the operating system kernel at a privilege level lower than the highest privilege level of the virtualization module; instantiating a virtual machine containing the operating system kernel; instantiating a plurality of micro-virtual machines, each micro-virtual machine restricted to containing one of the processes; and controlling access to the kernel resources among the virtual machine and the micro-virtual machines.
Specification