The background description provided herein is for the purpose of generally presenting the context of the disclosure. Work of the presently named inventors, to the extent it is described in this background section, as well as aspects of the description that may not otherwise qualify as prior art at the time of filing, are neither expressly nor impliedly admitted as prior art against the present disclosure. Unless otherwise indicated herein, the approaches described in this section are not prior art to the claims in the present disclosure and are not admitted to be prior art by inclusion in this section.
Hierarchal protection domains, in some cases referred to as “protection rings,” may be implemented and enforced by hardware to protect data and functionality of a computer system. For example, in an Intel® Architecture execution environment, a kernel may execute with a high level of hardware privilege known as “Ring-0,” device drivers may execute with intermediate levels of hardware privilege known as “Ring-1” and “Ring-2,” and user-mode applications may execute with a lowest level of hardware privilege known as “Ring-3.”
Computer code or instructions that cause undesirable and/or malicious operations or results may sometimes be referred to as “malware.” Some malware may be configured to, when executed, use stealth to avoid detection by virus scanners and other security tools. Such malware may be referred to as a “rootkit.” Some user-mode rootkits may exploit user-mode (e.g., Ring-3) processes or applications to hide themselves and steal sensitive user information such as passwords, online banking credentials, and data received from web pages. User-mode rootkits may function in a variety of ways. Some rootkits may inject code or instructions intended to execute undesirable and/or malicious operations into an executing application. Some rootkits may alter a code path of an application to force execution of code or instructions that may cause undesirable and/or malicious operations.
Pages of virtual memory used by applications executing in virtual machines may be mapped to physical memory of a host in various ways. In some virtual machine environments, guest linear or virtual addresses (“GVA”) may be mapped to host physical addresses with the aid of a guest page table (“GPT”). An operating system of a virtual machine, sometimes referred to as a “guest” operating system, may set up and maintain the GPT and may also set a page directory base register (“PDBR”) to point to the base of the GPT. A processor of the host machine may use PDBR to find the GPT and may follow the GPT to locate a particular page. However, a GVA alone may not be sufficient to uniquely identify a page containing code or data. A GVA may be unique only in the context of a particular virtual machine application, and may need to be added to a CR3 to find a particular page of the application.
In Virtual Machine Extensions (“VMX”) environments, an additional level of mapping in the form of extended page tables (“EPT”) may be used by a virtual machine manager to specify its own additional permissions for memory pages. Extended page tables may be available as part of VT-x2 technologies, provided by Intel®. A GPT may map GVA to guest physical addresses (“GPA”), and the EPT may map GPA to host physical addresses. To complete a translation, a processor or processor core may first use CR3 to find the GPT. The processor may then follow the GPT to find the GPA. Then, the processor may utilize an EPTP field in a virtual machine control structure (“VMCS”) to find an appropriate EPT. Last, the processor may use the EPT to locate the actual host physical address. The permissions contained in an EPT may be enforced by hardware in an operating system-independent manner. When a violation of these permissions occurs, control may be passed to the virtual machine manager, which may intervene and take further action.