Virtualization is a technique in which a computer system is partitioned into multiple isolated virtual machines (VMs), each of which appears to the software within it to be a complete computer system. A conventional virtual machine manager (VMM) may run on a computer to present the abstraction of one or more VMs or guests to other software. Each VM may function as a self-contained platform that runs its own software stack, including an operating system (OS) and applications. Collectively this software stack is referred to as “guest software.”
Recent worms and viruses are capable of breaching user/kernel boundaries, which exposes privileged software on the platform to malicious activity. A number of protection mechanisms are available to protect memory belonging to critical software agents. Some of these mechanisms partition a linear address space into protected and unprotected memory.
A verification procedure is typically used to verify the integrity of the agent in order to confirm that the agent requesting protection is one that should be granted protection. It is important that an agent in a VM not be allowed to run or modify its own local state until after its verification procedure is completed and protection is provided. One technique used to achieve this in the past was to lock down all hardware threads in a VM while verification was being performed in the VMM. This approach, however, adversely impacted the performance of other applications running in the VM. In addition, since the verification procedure could take a significant amount of time, an agent requesting protection could hold control of the operating system for a substantial amount of time.
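The verify-then-protect sequence above, as an added toy model that is not part of the original text: a hypothetical VMM routine measures an agent's pages, compares the measurement against a known-good value, protects the pages, and re-measures to detect any change that slipped in while verification was running (the `GuestVM`, `measure` and `verify_and_protect` names, page size and agent image are all constructed for illustration).

```python
import hashlib

PAGE_SIZE = 4096


class Page:
    def __init__(self, data: bytes):
        self.data = bytearray(data.ljust(PAGE_SIZE, b"\0"))
        self.protected = False  # set by the VMM once verification succeeds


class GuestVM:
    """Constructed guest: one agent image laid out over a few pages."""

    def __init__(self, agent_image: bytes):
        self.pages = [Page(agent_image[i:i + PAGE_SIZE])
                      for i in range(0, len(agent_image), PAGE_SIZE)]

    def write(self, offset: int, data: bytes) -> None:
        """Guest-side store; refused once the VMM has protected the page."""
        page = self.pages[offset // PAGE_SIZE]
        if page.protected:
            raise PermissionError("write to protected agent page")
        start = offset % PAGE_SIZE
        page.data[start:start + len(data)] = data


def guest_write_allowed(vm: GuestVM, offset: int, data: bytes) -> bool:
    try:
        vm.write(offset, data)
        return True
    except PermissionError:
        return False


def measure(vm: GuestVM) -> str:
    """Integrity measurement of the agent: SHA-256 over all of its pages."""
    h = hashlib.sha256()
    for p in vm.pages:
        h.update(p.data)
    return h.hexdigest()


def verify_and_protect(vm: GuestVM, expected: str, guest_runs=None) -> bool:
    """Hypothetical VMM routine. `guest_runs` stands in for guest code that
    executes during the (possibly long) verification window."""
    first = measure(vm)
    if guest_runs:
        guest_runs(vm)  # agent or another thread was not locked down
    if first != expected:
        return False
    for p in vm.pages:
        p.protected = True
    if measure(vm) != expected:  # state changed between measure and protect
        for p in vm.pages:
            p.protected = False
        return False
    return True


# Constructed agent image and the measurement the VMM was provisioned with.
AGENT_IMAGE = b"agent-code-v1" * 100
KNOWN_GOOD = measure(GuestVM(AGENT_IMAGE))
```

The second case in the test shows why the page insists the agent must not run until verification finishes: without the re-measurement, the pages modified during the window would be protected in their tampered state.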