System and method for enforcing security policies in a virtual environment

US 9,652,607 B2
Filed: 10/03/2014
Issued: 05/16/2017
Est. Priority Date: 08/21/2009
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

inserting a security layer in a privileged domain of a computer configured to perform virtualization, wherein;

the security layer is in a kernel of a privileged domain of a computer configured to operate in a virtual machine environment; and

the privileged domain of the computer manages a virtual machine monitor (VMM) that operates at a higher priority than one or more operating systems;

storing an indication of authorized objects, the authorized objects in a user space of the privileged domain;

intercepting, by the security layer, a request for an execution of an object in the computer from the user space of the privileged domain;

verifying the request for execution of the object by evaluating the indication of authorized objects; and

allowing or denying the execution of the object based upon the verification of the request.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method in one example implementation includes intercepting a request associated with an execution of an object (e.g., a kernel module or a binary) in a computer configured to operate in a virtual machine environment. The request is associated with a privileged domain of the computer that operates logically below one or more operating systems. The method also includes verifying an authorization of the object by computing a checksum for the object and comparing the checksum to a plurality of stored checksums in a memory element. The execution of the object is denied if it is not authorized. In other embodiments, the method can include evaluating a plurality of entries within the memory element of the computer, wherein the entries include authorized binaries and kernel modules. In other embodiments, the method can include intercepting an attempt from a remote computer to execute code from a previously authorized binary.

302 Citations

20 Claims

1. A method, comprising:
- inserting a security layer in a privileged domain of a computer configured to perform virtualization, wherein;
  
  the security layer is in a kernel of a privileged domain of a computer configured to operate in a virtual machine environment; and
  
  the privileged domain of the computer manages a virtual machine monitor (VMM) that operates at a higher priority than one or more operating systems;
  
  storing an indication of authorized objects, the authorized objects in a user space of the privileged domain;
  
  intercepting, by the security layer, a request for an execution of an object in the computer from the user space of the privileged domain;
  
  verifying the request for execution of the object by evaluating the indication of authorized objects; and
  
  allowing or denying the execution of the object based upon the verification of the request.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein evaluating the indication of authorized objects includes evaluating authorized binaries and kernel modules.
  - 3. The method of claim 1, further comprising:
    - intercepting an attempt to execute code from a previously authorized binary; and
      
      evaluating an origination address of a hypercall associated with the code before executing the code.
  - 4. The method of claim 1, wherein evaluating the indication of authorized objects includes comparing the object to an inventory of authorized objects stored in a user space of the computer.
  - 5. The method of claim 4, further comprising populating a log based on a determination that the execution of the object is not authorized.
  - 6. The method of claim 1, wherein:
    - the attempted execution of the object is an attempted execution of a kernel module to perform a hypercall to access a privileged domain area within the computer; and
      
      evaluating the indication of authorized objects includes evaluating whether the hypercall to access a privileged domain area within the computer is authorized.
  - 7. The method of claim 1, wherein:
    - the attempted execution of the object is an attempted modification of a virtual machine state; and
      
      evaluating the indication of authorized objects includes evaluating whether the attempted modification of the virtual machine state is authorized.

8. A logic encoded in one or more tangible non-transitory media that includes code for execution and when executed by a processor is operable to:
- insert a security layer in a privileged domain of a computer, wherein;
  
  the security layer is in a kernel of a privileged domain of a computer configured to operate in a virtual machine environment; and
  
  the privileged domain is configured to manage a virtual machine monitor (VMM) that operates at a higher priority than one or more operating systems;
  
  store an indication of authorized objects in a user space of the privileged domain;
  
  intercept, by the security layer, a request for an execution of an object in the computer from the user space of the privileged domain;
  
  verify the request for execution of the object by evaluating the indication of authorized objects; and
  
  allow or deny the execution of the object based upon the verification of the request.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The logic encoded in tangible non-transitory media of claim 8, wherein the processor is further operable to evaluate the indication of authorized objects by evaluating whether the object is included in authorized binaries and kernel modules.
  - 10. The logic encoded in tangible non-transitory media of claim 8, wherein the processor is further operable to:
    - intercept, by the security layer, an attempt to execute code from a previously authorized binary; and
      
      evaluate an origination address of a hypercall associated with the code before executing the code.
  - 11. The logic encoded in tangible non-transitory media of claim 8, wherein the processor is further operable to evaluate the indication of authorized objects by comparing the object to an inventory of authorized objects stored in a user space of the computer.
  - 12. The logic encoded in tangible non-transitory media of claim 11, wherein the processor is further operable to populate a log based on a determination that the execution of the object is not authorized.
  - 13. The logic encoded in tangible non-transitory media of claim 8, wherein:
    - the attempted execution of the object is an attempted execution of a kernel module to perform a hypercall to access a privileged domain area within the computer; and
      
      the processor is further operable to evaluate the indication of authorized objects by evaluating whether the hypercall to access a privileged domain area within the computer is authorized.
  - 14. The logic encoded in tangible non-transitory media of claim 8, wherein:
    - the attempted execution of the object is an attempted modification of a virtual machine state; and
      
      the processor is further configured to evaluate the indication of authorized objects by evaluating whether the attempted modification of the virtual machine state is authorized.

15. An apparatus, comprising:
- a virtual machine element comprising instructions in a memory; and
  
  a processor operable to execute the instructions in the memory to operate the virtual machine element;
  
  wherein the virtual machine element is configured to;
  
  insert a security layer in a privileged domain of the apparatus, wherein;
  
  the security layer is in a kernel of a privileged domain of a computer configured to operate in a virtual machine environment; and
  
  the privileged domain of the apparatus manages a virtual machine monitor (VMM) that operates at a higher priority than one or more operating systems; and
  
  store an indication of authorized objects in a user space of the privileged domain;
  
  wherein the security layer is configured to intercept a request for an execution of an object in the computer from the user space of the privileged domain; and
  
  wherein the virtual machine element is further configured to;
  
  verify the request for execution of the object by evaluating the indication of authorized objects;
  
  allow or deny the execution of the object based upon the verification of the request.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The apparatus of claim 15, wherein:
    - the security layer is further configured to intercept an attempt to execute code from a previously authorized binary; and
      
      the virtual machine element is further configured to evaluate an origination address of a hypercall associated with the code before executing the code.
  - 17. The apparatus of claim 15, wherein the virtual machine element is further configured to evaluate the indication of authorized objects by comparing the object to an inventory of authorized objects stored in a user space of the computer.
  - 18. The apparatus of claim 17, wherein the virtual machine element is further configured to populate a log based on a determination that the execution of the object is not authorized.
  - 19. The apparatus of claim 15, wherein:
    - the attempted execution of the object is an attempted execution of a kernel module to perform a hypercall to access a privileged domain area within the computer; and
      
      wherein the virtual machine element is further configured to evaluate the indication of authorized objects by evaluating whether the hypercall to access a privileged domain area within the computer is authorized.
  - 20. The apparatus of claim 15, wherein:
    - the attempted execution of the object is an attempted modification of a virtual machine state; and
      
      wherein the virtual machine element is further configured to evaluate the indication of authorized objects by evaluating whether the attempted modification of the virtual machine state is authorized.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Mohinder, Preet, Dang, Amit
Primary Examiner(s)
Parsons, Theodore C

Application Number

US14/506,326
Publication Number

US 20150026762A1
Time in Patent Office

956 Days
Field of Search
US Class Current
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 21/12   Protecting executable software

G06F 21/51   at application loading time...

G06F 21/52   during program execution, e...

G06F 21/554   involving event detection a...

G06F 21/6218   to a system of files or obj...

G06F 9/45533   Hypervisors; Virtual machin...

G06F 9/45558   Hypervisor-specific managem...

G06F 9/468   Specific access rights for ...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

System and method for enforcing security policies in a virtual environment

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

302 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for enforcing security policies in a virtual environment

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

302 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links