Operating systems typically employ monolithic kernels that grant full memory access to all kernel code. Thus, defective or malicious kernel code may compromise the operation of unrelated portions of the kernel. Kernels that are initially considered secure or non-malicious may still be vulnerable to attacks that inject new, malicious code into the kernel, or that cause existing code to operate in a malicious manner (e.g., return-oriented programming attacks, which reuse existing code fragments without injecting any). Additionally, application spaces within an OS are generally shared under one paging hierarchy, creating another monolithic memory space in which all libraries and data structures in the same process have the same access rights, and in which further partitioning is limited to process boundaries.
Some types of anti-malware systems use virtual machine environments to partition OS kernel components and other applications, so as to selectively prevent certain segments of code from accessing particular data structures. This may be accomplished by providing a separate memory view for each trusted software component, in which that component alone has write access to its own data structures; other kernel code, running under a different view, cannot modify those structures and therefore cannot disrupt the functionality of the trusted software. A hypervisor or virtual machine monitor (VMM) may provide management of these views.
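The per-component memory views described in the preceding paragraph, as an added worked example that is not part of the patent text: a toy C model of a VMM that keeps one page-permission table per view (in the spirit of second-level, EPT-style paging, which is an assumption here and not something the text specifies), grants a trusted component exclusive write access to its own pages, and refuses writes to those pages from every other view. The function names (vmm_init, vmm_assign_page, vmm_switch_view, vmm_check_access, run_scenario), the page and view counts, and the scenario itself are hypothetical and exist only to illustrate the partitioning.

```c
/* Toy model of hypervisor-managed memory views (added example; not code
 * from the patent). Each "view" is a separate per-page permission table,
 * like one EPT hierarchy among several that a VMM can switch between.
 * A trusted component gets exclusive write access to its own pages; every
 * other view maps those pages read-only, so defective or injected code
 * running under another view cannot corrupt the component's state. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SHIFT 12
#define NUM_VIEWS  4   /* view 0 = default kernel view (hypothetical sizes) */
#define NUM_PAGES  16  /* tiny guest-physical space for the demo */

enum { PERM_R = 1, PERM_W = 2, PERM_X = 4 };

typedef struct {
    uint8_t  perm[NUM_VIEWS][NUM_PAGES]; /* permissions per view, per page */
    int      owner[NUM_PAGES];           /* view with exclusive write, or -1 */
    int      active;                     /* currently active view */
    unsigned violations;                 /* denied accesses (VM exits in a real VMM) */
} vmm_views_t;

static vmm_views_t g_views;  /* one global instance so the demo needs no allocation */

/* Reset: every view may read and execute every page, but nothing is writable. */
void vmm_init(vmm_views_t *v)
{
    memset(v, 0, sizeof *v);
    for (int view = 0; view < NUM_VIEWS; view++)
        for (int p = 0; p < NUM_PAGES; p++)
            v->perm[view][p] = PERM_R | PERM_X;
    for (int p = 0; p < NUM_PAGES; p++)
        v->owner[p] = -1;
}

/* Give `view` exclusive write access to `page`. Fails if another component
 * already owns the page: two components must never share a writable mapping
 * of the same data structure. Re-assigning to the current owner is a no-op. */
int vmm_assign_page(vmm_views_t *v, int view, unsigned page)
{
    if (view < 0 || view >= NUM_VIEWS || page >= NUM_PAGES) return -1;
    if (v->owner[page] != -1 && v->owner[page] != view) return -1;
    v->owner[page] = view;
    for (int other = 0; other < NUM_VIEWS; other++)
        v->perm[other][page] &= (uint8_t)~PERM_W; /* strip W from every view ... */
    v->perm[view][page] |= PERM_W;                /* ... then grant it to the owner only */
    return 0;
}

/* Switch the active view, e.g. when control enters a trusted component.
 * Switching views is the only way to obtain that component's write rights. */
int vmm_switch_view(vmm_views_t *v, int view)
{
    if (view < 0 || view >= NUM_VIEWS) return -1;
    v->active = view;
    return 0;
}

/* Check an access (bitmask of PERM_*) to guest-physical address `gpa` under the
 * active view. Returns 0 if permitted, -1 if it would fault; a real VMM would
 * take a permission-violation exit here and could log or block the access. */
int vmm_check_access(vmm_views_t *v, uintptr_t gpa, int access)
{
    unsigned page = (unsigned)(gpa >> PAGE_SHIFT);
    if (page >= NUM_PAGES || (v->perm[v->active][page] & access) != access) {
        v->violations++;
        return -1;
    }
    return 0;
}

/* Worked scenario: the component in view 1 owns page 5. Returns the number of
 * violations recorded; exactly two are expected (the kernel view's write and
 * the access to an unmapped page), while reads from the kernel view succeed. */
unsigned run_scenario(void)
{
    vmm_views_t *v = &g_views;
    const uintptr_t data = (uintptr_t)5 << PAGE_SHIFT; /* the component's data page */
    vmm_init(v);
    vmm_assign_page(v, 1, 5);

    vmm_switch_view(v, 1);
    vmm_check_access(v, data, PERM_W);                              /* owner writes: allowed */

    vmm_switch_view(v, 0);
    vmm_check_access(v, data, PERM_R);                              /* kernel reads: allowed */
    vmm_check_access(v, data, PERM_W);                              /* kernel writes: violation */
    vmm_check_access(v, (uintptr_t)NUM_PAGES << PAGE_SHIFT, PERM_R); /* unmapped page: violation */
    return v->violations;
}

int main(void)
{
    printf("violations recorded: %u\n", run_scenario());
    return 0;
}
```

The point of the model is the invariant enforced in vmm_assign_page: after assignment, PERM_W for that page is set in exactly one view, so no view switch other than entry into the owning component can yield a writable mapping. Every vmm_switch_view call stands in for the view-change operation the text leaves to the VMM; the cost of keeping such tables consistent as views grow is the overhead the following paragraph describes.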
As the memory views become larger and more dynamic, however, the overhead associated with maintaining permissions and with detecting and restricting access may become prohibitively expensive, because view modifications become more frequent and each one must be propagated by the VMM. Additionally, the performance limitations of these existing approaches may prevent their application to many potentially useful types of malware monitoring.
Although the following Detailed Description will proceed with reference being made to illustrative embodiments, many alternatives, modifications, and variations thereof will be apparent to those skilled in the art.