System and method for kernel rootkit protection in a hypervisor environment

US 9,069,586 B2
Filed: 10/13/2011
Issued: 06/30/2015
Est. Priority Date: 10/13/2011
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

creating a soft whitelist having an entry corresponding to a guest kernel page of a guest operating system (OS) in a hypervisor environment comprising a hypervisor, wherein the entry is a duplicate page of the guest kernel page, and the guest OS has not loaded at least some kernel components;

mapping a virtual base address of the guest kernel page to a machine page frame number of the corresponding duplicate page;

generating a page fault when a process attempts to access the guest kernel page; and

redirecting the process to the duplicate page corresponding to the guest kernel page if the page fault is an instruction page fault.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for rootkit protection in a hypervisor environment includes modules for creating a soft whitelist having entries corresponding to each guest kernel page of a guest operating system in a hypervisor environment, wherein each entry is a duplicate page of the corresponding guest kernel page, generating a page fault when a process attempts to access a guest kernel page, and redirecting the process to the corresponding duplicate page. If the page fault is a data page fault, the method includes fixing the page fault, and marking a page table entry corresponding to the guest kernel page as non-executable and writeable. If the page fault is an instruction page fault, the method includes marking a page table entry corresponding to the guest kernel page as read-only. Redirecting changing a machine page frame number in a shadow page table of the hypervisor to point to the corresponding duplicate page.

291 Citations

19 Claims

1. A method, comprising:
- creating a soft whitelist having an entry corresponding to a guest kernel page of a guest operating system (OS) in a hypervisor environment comprising a hypervisor, wherein the entry is a duplicate page of the guest kernel page, and the guest OS has not loaded at least some kernel components;
  
  mapping a virtual base address of the guest kernel page to a machine page frame number of the corresponding duplicate page;
  
  generating a page fault when a process attempts to access the guest kernel page; and
  
  redirecting the process to the duplicate page corresponding to the guest kernel page if the page fault is an instruction page fault.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the redirecting comprises changing a machine page frame number in a shadow page table of the hypervisor to point to the duplicate page corresponding to the guest kernel page.
  - 3. The method of claim 1, further comprising:
    - if the page fault is a data page fault;
      
      fixing the page fault; and
      
      marking a page table entry corresponding to the guest kernel page as non-executable and writeable.
  - 4. The method of claim 1, further comprising:
    - if the page fault is the instruction page fault, marking a page table entry corresponding to the guest kernel page as read-only.
  - 5. The method of claim 1, further comprising:
    - marking a page table entry of the guest kernel page as NOT_PRESENT in a shadow page table of the hypervisor.
  - 6. The method of claim 1, further comprising:
    - setting a lockdown feature bit in the hypervisor during a domain creation to enable rootkit protection.

7. An apparatus, comprising:
- a memory; and
  
  a processor configured to create a soft whitelist having an entry corresponding to a guest kernel page of a guest OS in a hypervisor environment comprising a hypervisor, wherein the entry is a duplicate page of the guest kernel page,the processor is further configured to map a virtual base address of the guest kernel page to a machine page frame number of the corresponding duplicate page, the guest OS has not loaded at least some kernel components, andthe processor is further configured to generate a page fault when a process attempts to access the guest kernel page, and to redirect the process to the duplicate page corresponding to the guest kernel page if the page fault is an instruction page fault.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The apparatus of claim 7, wherein the processor redirects the process by changing a machine page frame number in a shadow page table of the hypervisor to point to the duplicate page corresponding to the guest kernel page.
  - 9. The apparatus of claim 7, wherein the processor is further configured to,if the page fault is a data page fault,fix the page fault, andmark a page table entry corresponding to the guest kernel page as non-executable and writeable.
  - 10. The apparatus of claim 7, wherein the processor is further configured to, if the page fault is the instruction page fault, mark a page table entry corresponding to the guest kernel page as read-only.
  - 11. The apparatus of claim 7, wherein the processor is further configured to mark a page table entry of the guest kernel page as NOT_PRESENT in a shadow page table of the hypervisor.

12. Logic encoded in non-transitory media that includes code for execution and, when executed by a processor, is operable to perform operations comprising:
- creating a soft whitelist having an entry corresponding to a guest kernel page of a guest OS in a hypervisor environment comprising a hypervisor, wherein the entry is a duplicate page of the guest kernel page;
  
  mapping a virtual base address of the guest kernel page to a machine page frame number of the corresponding duplicate page, wherein the guest OS has not loaded at least some kernel components;
  
  generating a page fault when a process attempts to access the guest kernel page; and
  
  redirecting the process to the duplicate page corresponding to the guest kernel page if the page fault is an instruction page fault.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The logic of claim 12, wherein the redirecting comprises changing a machine page frame number in a shadow page table of the hypervisor to point to the duplicate page corresponding to the guest kernel page.
  - 14. The logic of claim 12, the operations further comprising:
    - if the page fault is a data page fault;
      
      fixing the page fault; and
      
      marking a page table entry corresponding to the guest kernel page as non-executable and writeable.
  - 15. The logic of claim 12, the operations further comprising:
    - if the page fault is the instruction page fault, marking a page table entry corresponding to the guest kernel page as read-only.
  - 16. The logic of claim 12, the operations further comprising:
    - marking a page table entry of the guest kernel page as NOT_PRESENT in a shadow page table of the hypervisor.
  - 17. The logic of claim 12, the operations further comprising:
    - setting a lockdown feature bit in the hypervisor during a domain creation to enable rootkit protection.

18. A method, comprising:
- creating a soft whitelist having an entry corresponding to a guest kernel page of a guest operating system (OS) in a hypervisor environment comprising a hypervisor, wherein the entry is a duplicate page of the guest kernel page, and the creating the soft whitelist is performed after the guest OS has loaded kernel components at boot;
  
  walking a shadow page table of the hypervisor;
  
  mapping a virtual address of the guest kernel page to a machine page frame number of the corresponding duplicate page;
  
  generating a page fault when a process attempts to access the guest kernel page; and
  
  redirecting the process to the duplicate page corresponding to the guest kernel page if the page fault is an instruction page fault.

19. Logic encoded in non-transitory media that includes code for execution and, when executed by a processor, is operable to perform operations comprising:
- creating a soft whitelist having an entry corresponding to a guest kernel page of a guest OS in a hypervisor environment comprising a hypervisor, wherein the entry is a duplicate page of the guest kernel page, and the creating soft whitelist is performed after the guest OS has loaded a plurality of kernel components at boot;
  
  walking a shadow page table of the hypervisor;
  
  mapping a virtual address of the guest kernel page to a machine page frame number of the corresponding duplicate page;
  
  generating a page fault when a process attempts to access the guest kernel page; and
  
  redirecting the process to the duplicate page corresponding to the guest kernel page if the page fault is an instruction page fault.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Dang, Amit, Mohinder, Preet, Srivastava, Vivek
Primary Examiner(s)
Puente, Emerson
Assistant Examiner(s)
Sun, Charlie

Application Number

US13/273,002
Publication Number

US 20130097356A1
Time in Patent Office

1,356 Days
Field of Search

718/1, 726/27, 711/203, 711/206
US Class Current

1/1
CPC Class Codes

G06F 2009/45583   Memory management, e.g. acc...

G06F 2009/45587   Isolation or security of vi...

G06F 21/00   Security arrangements for p...

G06F 21/53   by executing in a restricte...

G06F 21/57   Certifying or maintaining t...

G06F 2221/034   Test or assess a computer o...

G06F 9/455   Emulation; Interpretation; ...

G06F 9/45558   Hypervisor-specific managem...

System and method for kernel rootkit protection in a hypervisor environment

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

291 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for kernel rootkit protection in a hypervisor environment

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

291 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links