Systems and methods involving features of hardware virtualization such as separation kernel hypervisors, hypervisors, hypervisor guest context, hypervisor contest, rootkit detection/prevention, and/or other features
First Claim
1. A method for processing information securely, the method comprising:
- partitioning hardware platform resources via a separation kernel hypervisor into a plurality of guest operating system virtual machine protection domains; and
isolating the domains in time and/or space from each other;
hosting the plurality of quest operating system virtual machine protection domains by the separation kernel hypervisor;
providing a dedicated virtualization assistance layer (VAL) including a virtual representation of the hardware platform in each of the quest operating system virtual machine protection domains such that the dedicated VAL security processing is not performed in the separation kernel hypervisor;
hosting at least one malicious code defense mechanism that executes within the virtual hardware platform in each of the plurality of quest operating system virtual machine protection domains via the separation kernel hypervisor;
upon detection of a disk sector access attempt, securely transition execution to the malicious code defense mechanism within the VAL in a manner isolated from the quest operating system;
securely determining, via the malicious code defense mechanism, a policy decision regarding the disk sector access attempt; and
transitioning execution back to the separation kernel hypervisor to continue processing regarding enforcement of or taking action in connection with the policy decision.
3 Assignments
0 Petitions
Accused Products
Abstract
Systems, methods, computer readable media and articles of manufacture consistent with innovations herein are directed to computer virtualization, computer security and/or data isolation. According to some illustrative implementations, innovations herein may utilize and/or involve a separation kernel hypervisor which may include the use of a guest operating system virtual machine protection domain, a virtualization assistance layer, and/or a rootkit defense mechanism (which may be proximate in temporal and/or spatial locality to malicious code, but isolated from it), inter alia, for detection and/or prevention of malicious code, for example, in a manner/context that is isolated and not able to be corrupted, detected, prevented, bypassed, and/or otherwise affected by the malicious code.
32 Citations
19 Claims
-
1. A method for processing information securely, the method comprising:
-
partitioning hardware platform resources via a separation kernel hypervisor into a plurality of guest operating system virtual machine protection domains; and isolating the domains in time and/or space from each other;
hosting the plurality of quest operating system virtual machine protection domains by the separation kernel hypervisor;providing a dedicated virtualization assistance layer (VAL) including a virtual representation of the hardware platform in each of the quest operating system virtual machine protection domains such that the dedicated VAL security processing is not performed in the separation kernel hypervisor; hosting at least one malicious code defense mechanism that executes within the virtual hardware platform in each of the plurality of quest operating system virtual machine protection domains via the separation kernel hypervisor; upon detection of a disk sector access attempt, securely transition execution to the malicious code defense mechanism within the VAL in a manner isolated from the quest operating system; securely determining, via the malicious code defense mechanism, a policy decision regarding the disk sector access attempt; and transitioning execution back to the separation kernel hypervisor to continue processing regarding enforcement of or taking action in connection with the policy decision. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
-
-
13. A method for processing information securely involving a separation kernel hypervisor, the method comprising:
-
partitioning hardware platform resources to isolate in time and space a plurality of guest operating system virtual machine protection domains; and
executing the guest operating system virtual machine protection domains to provide an isolated and secure software execution environment;hosting the plurality of quest operating system virtual machine protection domains by the separation kernel hypervisor; providing a dedicated virtualization assistance layer (VAL) including a virtual representation of the hardware platform in each of the quest operating system virtual machine protection domains such that the dedicated VAL security processing is not performed in the separation kernel hypervisor; hosting at least one malicious code defense mechanism that executes within the virtual hardware platform in each of the plurality of quest operating system virtual machine protection domains via the separation kernel hypervisor; upon detection of a disk sector access attempt, securely transition execution to the malicious code defense mechanism within the VAL in a manner isolated from the quest operating system; securely determining, via the malicious code defense mechanism, a policy decision regarding the disk sector access attempt; and transitioning execution back to the separation kernel hypervisor to continue processing regarding enforcement of or taking action in connection with the policy decision. - View Dependent Claims (14, 15, 16)
-
-
17. A method for processing information securely involving a separation kernel hypervisor, the method comprising:
-
partitioning hardware platform resources to isolate in time and space a plurality of guest operating system virtual machine protection domains; executing the guest operating system virtual machine protection domains to provide an isolated and secure software execution environment, wherein each of the guest operating system virtual machine protection domains include a guest operating system, virtualization assistance layer (VAL) and a malicious code defense mechanism;
hosting the plurality of quest operating system virtual machine protection domains by the separation kernel hypervisor;hosting at least one malicious code defense mechanism that executes within the virtual hardware platform in each of the plurality of quest operating system virtual machine protection domains via the separation kernel hypervisor; upon detection of a disk sector access attempt, securely transition execution to the malicious code defense mechanism within the VAL in a manner isolated from the quest operating system; securely determining, via the malicious code defense mechanism, a policy decision regarding the disk sector access attempt; and transitioning execution back to the separation kernel hypervisor to continue processing regarding enforcement of or taking action in connection with the policy decision. - View Dependent Claims (18, 19)
-
Specification