System and method for kernel rootkit protection in a hypervisor environment
Abstract
A method includes creating a soft whitelist having an entry corresponding to a first guest kernel page in a guest operating system (OS) in a hypervisor environment including a hypervisor. The method also includes receiving an access attempt to a second guest kernel page, and generating a page fault when the access attempt is made to the second guest kernel page. In addition, the method includes determining that the second guest kernel page does not correspond to the entry in the soft whitelist, and denying an execution of the second guest kernel page if the second guest kernel page does not correspond to the entry in the soft whitelist.
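The decision flow in the abstract can be modeled in user space. This is an added example, not code from the patent: keying pages by guest frame number (`gfn_t`), the fixed-size tables, and modeling denial as leaving the page unmapped so that every later attempt faults and is re-checked are all assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_PAGES 16
typedef uint64_t gfn_t;             /* guest frame number (assumed page key) */

static gfn_t whitelist[MAX_PAGES];  /* soft whitelist of approved kernel pages */
static gfn_t mapped[MAX_PAGES];     /* pages whose fault the hypervisor fixed */
static size_t whitelist_len, mapped_len;
unsigned fault_count;               /* page faults taken by the hypervisor */

void whitelist_add(gfn_t gfn) {
    if (whitelist_len < MAX_PAGES) whitelist[whitelist_len++] = gfn;
}

static bool contains(const gfn_t *set, size_t len, gfn_t gfn) {
    for (size_t i = 0; i < len; i++)
        if (set[i] == gfn) return true;
    return false;
}

/* Model of a guest attempt to execute a kernel page.
 * Returns true if execution proceeds, false if it is denied. */
bool guest_exec(gfn_t gfn) {
    if (contains(mapped, mapped_len, gfn))
        return true;                /* fault was fixed earlier: no new fault */
    fault_count++;                  /* unmapped page: access attempt faults */
    if (!contains(whitelist, whitelist_len, gfn))
        return false;               /* not in soft whitelist: deny execution */
    if (mapped_len == MAX_PAGES)
        return false;               /* no room to map: fail closed */
    mapped[mapped_len++] = gfn;     /* fix the fault: allow access and execution */
    return true;
}

int main(void) {
    whitelist_add(0x100);           /* constructed sample frame numbers */
    printf("0x100 first:  %d\n", guest_exec(0x100));
    printf("0x100 second: %d\n", guest_exec(0x100));
    printf("0x200:        %d\n", guest_exec(0x200));
    printf("faults taken: %u\n", fault_count);
    return 0;
}
```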
20 Claims
1. A method, comprising:
- creating a soft whitelist having an entry corresponding to a first guest kernel page in a guest operating system (OS) in a hypervisor environment comprising a hypervisor;
- receiving an access attempt to a second guest kernel page;
- generating a page fault when the access attempt is made to the second guest kernel page;
- determining whether the second guest kernel page corresponds to the entry in the soft whitelist;
- fixing the page fault to allow an access and execution of the second guest kernel page if the second guest kernel page corresponds to the entry in the soft whitelist; and
- denying an execution of the second guest kernel page if the second guest kernel page does not correspond to the entry in the soft whitelist.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9

10. An apparatus, comprising:
- a memory;
- a processor; and
- a hypervisor, such that the apparatus is configured for:
- creating a soft whitelist having an entry corresponding to a first guest kernel page in a guest operating system (OS) in a hypervisor environment comprising the hypervisor;
- receiving an access attempt to a second guest kernel page;
- generating a page fault when the access attempt is made to the second guest kernel page;
- determining whether the second guest kernel page corresponds to the entry in the soft whitelist;
- fixing the page fault to allow an access and execution of the second guest kernel page if the second guest kernel page corresponds to the entry in the soft whitelist; and
- denying an execution of the second guest kernel page if the second guest kernel page does not correspond to the entry in the soft whitelist.

Dependent claims: 11, 12, 13, 14

15. Logic encoded in non-transitory media that includes code for execution and, when executed by a processor, is operable to perform operations comprising:
- creating a soft whitelist having an entry corresponding to a first guest kernel page in a guest operating system (OS) in a hypervisor environment comprising a hypervisor;
- receiving an access attempt to a second guest kernel page;
- generating a page fault when the access attempt is made to the second guest kernel page;
- determining whether the second guest kernel page corresponds to the entry in the soft whitelist;
- fixing the page fault to allow an access and execution of the second guest kernel page if the second guest kernel page corresponds to the entry in the soft whitelist; and
- denying an execution of the second guest kernel page if the second guest kernel page does not correspond to the entry in the soft whitelist.

Dependent claims: 16, 17, 18, 19, 20
Specification