Method and apparatus to detect kernel mode rootkit events through virtualization traps

US 7,845,009 B2
Filed: 05/16/2006
Issued: 11/30/2010
Est. Priority Date: 05/16/2006
Status: Expired due to Fees

First Claim

Patent Images

1. A method of comprising:

detecting, by a virtual machine monitor, a virtualization trap occurring as a result of an action by a rootkit executing in a computing system; and

analyzing the virtualization trap to detect the presence of the rootkit in the computing system,wherein the virtual machine monitor is to execute at a higher privilege level, in cooperation with a separate partition, than the rootkit to prevent the rootkit from hiding by executing at a same privilege level as the virtual machine monitor.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Detecting a rootkit in a computing system may be achieved by detecting, by a virtual machine monitor, a virtualization trap occurring as a result of an action by a rootkit executing in a computing system; and analyzing the virtualization trap to detect the presence of the rootkit in the computing system. Action may then be taken to block the rootkit activity to safeguard the computing system.

60 Citations

View as Search Results

27 Claims

1. A method of comprising:
- detecting, by a virtual machine monitor, a virtualization trap occurring as a result of an action by a rootkit executing in a computing system; and
  
  analyzing the virtualization trap to detect the presence of the rootkit in the computing system,wherein the virtual machine monitor is to execute at a higher privilege level, in cooperation with a separate partition, than the rootkit to prevent the rootkit from hiding by executing at a same privilege level as the virtual machine monitor.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising:
    - receiving registration from an anti-rootkit security monitor to be notified of the occurrence of selected virtualization traps;
      
      sending information relating to the virtualization trap to the anti-rootkit security monitor when the virtualization trap matches the registration; and
      
      wherein analyzing the virtualization trap to detect the presence of the rootkit in the computing system includes analyzing the trap information by the anti-rootkit security monitor.
  - 3. The method of claim 2, wherein the anti-rootkit security monitor executes at a higher privilege level than the rootkit.
  - 4. The method of claim 1, wherein the anti-rootkit security monitor and the rootkit execute in different partitions of the computing system.
  - 5. The method of claim 4, wherein the rootkit executes in a user partition, the anti-rootkit security monitor executes in a security partition, and the rootkit cannot affect operation of the anti-rootkit security monitor.
  - 6. The method of claim 5, further comprising launching the security partition before launching the user partition.
  - 7. The method of claim 5, further comprising taking action against the rootkit when the rootkit is detected.
  - 8. The method of claim 7, wherein the action comprises at least one of halting execution of the user partition, blocking execution of an instruction of the rootkit by a processor of the computing system, logging the rootkit action, and sending an alert to a system administrator console of the computing system.
  - 9. The method of claim 4, wherein the partitions are implemented as virtual machines.
  - 10. The method of claim 1, wherein the rootkit action comprises modifying a control register of a processor of the computing system or accessing an Interrupt Descriptor Table (IDT) of the computing system.

11. An article comprising:
- a storage device to store instructions, which when executed by a processor, result indetecting, by a virtual machine monitor, a virtualization trap occurring as a result of an action by a rootkit executing in a computing system; and
  
  analyzing the virtualization trap to detect the presence of the rootkit in the computing System,wherein the virtual machine monitor is to execute at a higher privilege level, in cooperation with a separate partition, than the rootkit to prevent the rootkit from hiding by executing at a same privilege level as the virtual machine monitor.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The article of claim 11, further comprising instructions toreceive registration from an anti-rootkit security monitor to be notified of the occurrence of selected virtualization traps;
    - send information relating to the virtualization trap to the anti-rootkit security monitor when the virtualization trap matches the registration; and
      
      wherein analyzing the virtualization trap to detect the presence of the rootkit in the computing system includes analyzing the trap information by the anti-rootkit security monitor.
  - 13. The article of claim 12, wherein the anti-rootkit security monitor executes at a higher privilege level than the rootkit.
  - 14. The article of claim 11, wherein the anti-rootkit security monitor and the rootkit execute in different partitions of the computing system.
  - 15. The article of claim 14, wherein the rootkit executes in a user partition, the anti-rootkit security monitor executes in a security partition, and the rootkit cannot affect operation of the anti-rootkit security monitor.
  - 16. The article of claim 15, further comprising launching the security partition before launching the user partition.
  - 17. The article of claim 15, further comprising instructions for taking action against the rootkit when the rootkit is detected.
  - 18. The article of claim 17, wherein the action comprises at least one of halting execution of the user partition, blocking execution of an instruction of the rootkit by a processor of the computing system, logging the rootkit action, and sending an alert to a system administrator console of the computing system.
  - 19. The article of claim 14, wherein the partitions are implemented as virtual machines.
  - 20. The article of claim 11, wherein the rootkit action comprises modifying a control register of a processor of the computing system or accessing an Interrupt Descriptor Table (IDT) of the computing system.

21. A computing system comprising:
- a virtual machine monitor adapted to detect a virtualization trap occurring as a result of an action by a rootkit, to receive a registration for notification of occurrence of selected virtualization traps, and to send information relating to the virtualization trap when the virtualization trap matches the registration; and
  
  an anti-rootkit security monitor adapted to register to be notified of the occurrence of selection virtualization traps, to receive the trap information, and to analyze the trap information to detect the presence of the rootkit in the computing system,wherein the virtual machine monitor is to execute at a higher privilege level, in cooperation with a separate partition, than the rootkit to prevent the rootkit from hiding by executing at a same privilege level as the anti-rootkit security monitor.
- View Dependent Claims (22, 23, 24, 25, 26, 27)
- - 22. The computing system of claim 21, wherein the anti-rootkit security monitor and the rootkit execute in different partitions of the computing system.
  - 23. The computing system of claim 22, wherein the rootkit executes in a user partition, the anti-rootkit security monitor executes in a security partition, and the rootkit cannot affect operation of the anti-rootkit security monitor.
  - 24. The computing system of claim 23, wherein the virtual machine monitor is adapted to launch the security partition before launching the user partition.
  - 25. The computing system of claim 23, wherein the anti-rootkit security monitor takes action against the rootkit when the rootkit is detected.
  - 26. The computing system of claim 22, wherein the partitions are implemented as virtual machines supported by the virtual machine monitor.
  - 27. The computing system of claim 22, wherein the anti-rootkit security monitor executes at a higher privilege level than the rootkit.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Grobman, Steven
Primary Examiner(s)
Revak; Christopher A

Application Number

US11/435,463
Publication Number

US 20070271610A1
Time in Patent Office

1,659 Days
Field of Search

None
US Class Current

726/24
CPC Class Codes

G06F 21/53   by executing in a restricte...

G06F 21/554   involving event detection a...

G06F 21/56   Computer malware detection ...

Method and apparatus to detect kernel mode rootkit events through virtualization traps

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

60 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus to detect kernel mode rootkit events through virtualization traps

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

60 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links