The act of virtualizing memory translation tables (such as Shadow Paging) of a guest Operating System (OS) is a technique used by a Virtual Machine Monitor (VMM) to maintain control over the guest OS's access to physical memory. Shadow Paging is expensive, variations of Shadow Paging that are intended to optimize performance can be found in U.S. Pat. No. 8,443,156 and U.S. Patent Application Publication No. US 2014/0122830. INTEL CORPORATION defined the steps required to implement a Virtual Translation Lookaside Buffer (vTLB), and the approach has been adapted to work on other architectures and their associated Virtualization Extensions. Shadow Paging and the variations of Shadow Paging techniques in the above-described patents are used to support systems running multiple guests.
Security monitoring tools need to be isolated from the system they wish to monitor to ensure their own integrity. This can be accomplished by running the monitor at a higher privilege level from the system (e.g., Hypervisor, TrustZone®, System Management Mode) if an OS is to be monitored. At the same time, security monitoring tools require the ability to inspect the state of the OS to: (i) verify its integrity; and (ii) detect or prevent its compromise from applications that it is managing (e.g., Internet Browsers, E-Mail Clients, PDF readers).
One technique to achieve the security capabilities described above is to prevent lesser privileged software from performing potentially harmful activities after the lesser privileged software has been initialized. An attacker may attempt to break into a higher privilege level or maintain control of a privilege level the attacker has already broken into. Specifics include: (1) Mapping memory as writable and executable (allows for uncontrollable self-modifying code); (2) Mapping read-only data as writable (allows for constant variables to be manipulated); (3) Mapping physical memory at multiple locations with different attributes (readable writable at one and read-only executable at another); and (4) Mapping executable memory at multiple privilege levels (allowing an OS and an application to execute from the same memory location).
While the basic Memory Management Unit (MMU) provides the ability to perform all of these activities, the MMU itself can be manipulated from within the context of the OS so if that privilege level is compromised, the MMU can no longer maintain control over these structures.
One approach to providing introspection capabilities to an out-of-band monitor is to implement Shadow Paging. Shadow Paging forces all address translation regime changes, page faults, and translation lookaside buffer (TLB) maintenance operations to be trapped by the out-of-band monitor, which consumes a lot of computing resources.