1. Field
Innovations herein pertain to computer software and hardware, computer virtualization, computer security and/or data isolation, and/or the use of a separation kernel hypervisor (and/or hypervisor), such as to detect and/or process information, including notification(s), interception and other processing regarding code/instruction execution by guest software, such as API calls, and which may include or involve guest operating system(s).
2. Description of Related Information
In computer systems with hypervisors supporting a guest operating system, there exist some means to monitor the guest operating system for malicious or errant activity.
In a virtualized environment, running under control of a hypervisor, a suitably authorized guest may be allowed to monitor the activities of another guest. Among the reasons for such monitoring are debugging and security. However, previous approaches for monitoring other guests may include various drawbacks, such as allowing guests to poll the memory and other information within the monitored guest.
Due to the constantly evolving nature of malicious code, however, such systems face numerous limitations in their ability to detect and defeat malicious code. One major limitation is the inability of a hypervisor to defend itself against malicious code; e.g., the particular hypervisor may be subverted by malicious code and/or may allow malicious code in a guest operating system to proliferate between a plurality of guest operating systems in the system.
To solve that issue, the motivation and use of a Separation Kernel Hypervisor is introduced in environments with malicious code. The Separation Kernel Hypervisor, unlike a hypervisor, does not merely support a plurality of Virtual Machines (VMs), but supports more secure, more isolated mechanisms, including systems and mechanisms to monitor and defeat malicious code, where such mechanisms are isolated from the malicious code but are also have high temporal and spatial locality to the malicious code. For example, they are proximate to the malicious code, but incorruptible and unaffected by the malicious code.
Furthermore the Separation Kernel Hypervisor is designed and constructed from the ground-up, with security and isolation in mind, in order to provide security and certain isolation between a plurality of software entities (and their associated/assigned resources, e.g., devices, memory, etc.); by mechanisms which may include Guest Operating System Virtual Machine Protection Domains (secure entities established and maintained by a Separation Kernel Hypervisor to provide isolation in time and space between such entities, and subsets therein, which may include guest operating systems, virtualization assistance layers, and detection mechanisms); where such software entities (and their associated assigned resources, e.g., devices, memory, etc., are themselves isolated and protected from each other by the Separation Kernel Hypervisor, and/or its use of hardware platform virtualization mechanisms.
Additionally, where some hypervisors may provide mechanisms to communicate between the hypervisor and antivirus software, or monitoring agent, executing within a guest operating system, the hypervisor is not able to prevent corruption of the monitoring agent where the agent is within the same guest operating system; or the guest operating system (or any subset thereof, possibly including the antivirus software, and/or monitoring agent) may be corrupted and/or subverted.
Finally, while some known systems and methods include implementations involving virtualized assistance layers and separation kernel hypervisors to handle various malicious code intrusions, such systems and method possess drawbacks with regard to handling and/or intercepting certain specified attacks, such as those related to API calls.
Overview of Some Aspects
Systems, methods, computer readable media and articles of manufacture consistent with innovations herein are directed to computer virtualization, computer security and/or data isolation, and/or the use of a separation kernel hypervisor (and/or hypervisor), such as to detect, process information, provide notification and/or interception features regarding code/instruction execution in specified physical memory location(s) by guest software and which may include or involve guest operating system(s). Information may further be obtained regarding the context of such code/instruction execution, the flow of execution within the guest may be controlled, and the context of the guest may be changed. Here, for example, certain implementations may include a suitably authorized guest running under control of a hypervisor and involving features of being immediately notified of another guest executing code at specified physical memory location(s). Upon access the monitoring guest may be provided with execution context information from the monitored guest. Further, the flow of execution within the guest may be controlled and/or the context of the guest may be changed.
According to some illustrative implementations, innovations herein may utilize and/or involve a separation kernel hypervisor which may include the use of a guest operating system virtual machine protection domain, a virtualization assistance layer, and/or an instruction (or code) execution detection/interception mechanism (which may be proximate in temporal and/or spatial locality to subject code, but isolated from it), inter alia, for detection, interception etc of code/instruction execution by guest software in specified memory locations. In some implementations, for example, a suitably authorized guest may obtain immediate notification if another guest it is monitoring executes code at specified physical memory location(s). Upon such access, the monitoring guest may be provided with execution context information from the monitored guest. Further, the monitored guest may be paused until the monitoring guest provides a new execution context to the monitored guest, whereupon the monitored guest resumes execution with the new context. Additionally, as indicated herein, the flow of execution within the guest may be controlled and/or the context of the guest may be changed such that, e.g., API calls within the guest may be intercepted and simulated by the authorized guest.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the inventions, as described. Further features and/or variations may be provided in addition to those set forth herein. For example, the present inventions may be directed to various combinations and subcombinations of the disclosed features and/or combinations and subcombinations of several further features disclosed below in the detailed description.