Virtual machine monitor (VMM)-based mechanisms can protect in-memory components from snooping or modification by malicious code using an identify, measure and protect paradigm. An Integrity Measurement Module (IMM) runs in protected space outside the bounds of the operating system (OS) (and any malware that has compromised it), either in protected hardware or in a protected virtual machine (VM) running on top of the VMM. The IMM verifies the identity and integrity of the executing program against a signature file containing a cryptographic hash of the code sections, the entry points into those code sections and the relocation table. Once the program is identified and measured, the IMM signals a Memory Protection Module (MPM) to enforce the protections.
This mechanism works for kernel-mode code because the kernel (i.e., ring-0) linear address space is mapped to the same set of physical pages across all user-level (i.e., ring-3) processes; the same does not hold for ring-3 memory, which is mapped separately in each process.
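The identify-measure-protect flow of the first paragraph, written out as an added example (this is illustrative code, not code from the page or from any product it describes). The image layout, the two-section sample program, the rebasing rule for relocated pointers and the HMAC-keyed signature file are all assumptions: a real IMM would verify a public-key signature over the signature file, and the rebasing rule assumed here is one way of using the relocation table so that a program measures identically wherever the loader placed it. The page ranges the function hands to the MPM are linear addresses; as the second paragraph notes, translating them to physical pages is only process-independent for ring-0 code.

```python
import hashlib
import hmac
import struct

PAGE_SIZE = 0x1000
# Constructed key: stands in for the verification key the IMM would hold for
# signature files. HMAC-SHA256 is used here instead of a public-key signature.
IMM_KEY = b"constructed-imm-signature-file-key"


class IntegrityError(Exception):
    """Identity or measurement of an image does not match its signature file."""


def canonical_measurement(image):
    """SHA-256 over the code sections, entry points and relocation table.

    Every 32-bit absolute pointer listed in the relocation table is rebased to
    the preferred base before hashing (assumed design choice), so the program
    measures identically no matter where the loader placed it.
    """
    delta = (image["load_base"] - image["preferred_base"]) & 0xFFFFFFFF
    h = hashlib.sha256()
    for name, rva, data in sorted(image["sections"], key=lambda s: s[1]):
        buf = bytearray(data)
        for rel_rva in image["relocations"]:
            off = rel_rva - rva
            if 0 <= off <= len(buf) - 4:          # relocation falls inside this section
                ptr = struct.unpack_from("<I", buf, off)[0]
                struct.pack_into("<I", buf, off, (ptr - delta) & 0xFFFFFFFF)
        h.update(b"SEC" + name.encode() + struct.pack("<II", rva, len(buf)) + bytes(buf))
    for rva in sorted(image["entry_points"]):
        h.update(b"ENT" + struct.pack("<I", rva))
    for rva in sorted(image["relocations"]):
        h.update(b"REL" + struct.pack("<I", rva))
    return h.hexdigest()


def _signature_tag(program, measurement):
    return hmac.new(IMM_KEY, program.encode() + b"|" + measurement.encode(), "sha256").hexdigest()


def make_signature_file(program, image):
    """Build the signature file for a known-good image (done offline, not by the IMM)."""
    measurement = canonical_measurement(image)
    return {"program": program, "measurement": measurement, "tag": _signature_tag(program, measurement)}


def protected_pages(image):
    """Page-aligned linear ranges of every code section, handed to the MPM."""
    ranges = []
    for _name, rva, data in image["sections"]:
        start = (image["load_base"] + rva) & ~(PAGE_SIZE - 1)
        end = (image["load_base"] + rva + len(data) + PAGE_SIZE - 1) & ~(PAGE_SIZE - 1)
        ranges.append((start, end))
    return sorted(ranges)


def identify_and_measure(sig, program, image):
    """IMM step: authenticate the signature file, identify and measure the image.

    Returns the page ranges the MPM should protect; raises IntegrityError otherwise.
    """
    if not hmac.compare_digest(_signature_tag(sig["program"], sig["measurement"]), sig["tag"]):
        raise IntegrityError("signature file failed verification")
    if sig["program"] != program:
        raise IntegrityError("identity mismatch: %s vs %s" % (sig["program"], program))
    if not hmac.compare_digest(canonical_measurement(image), sig["measurement"]):
        raise IntegrityError("measurement mismatch for %s" % program)
    return protected_pages(image)


def is_trusted(sig, program, image):
    """Boolean wrapper around identify_and_measure for callers that only need a verdict."""
    try:
        identify_and_measure(sig, program, image)
        return True
    except IntegrityError:
        return False


def build_image(load_base):
    """Constructed two-section image with a preferred base of 0x400000.

    .text holds one absolute pointer at offset 4 (relocation RVA 0x1004) that
    the loader rebases to load_base + 0x2000, the start of .rdata.
    """
    ptr = (load_base + 0x2000) & 0xFFFFFFFF
    text = b"\x55\x89\xe5\x68" + struct.pack("<I", ptr) + b"\xc3"   # push ebp; mov ebp,esp; push imm32; ret
    rdata = b"constructed-read-only-data"
    return {
        "preferred_base": 0x400000,
        "load_base": load_base,
        "sections": [(".text", 0x1000, text), (".rdata", 0x2000, rdata)],
        "entry_points": [0x1000],
        "relocations": [0x1004],
    }


def tampered_copy(image):
    """Same image with the last byte of .text patched, as a malicious in-memory modification."""
    name, rva, data = image["sections"][0]
    copy = dict(image)
    copy["sections"] = [(name, rva, data[:-1] + b"\x90")] + image["sections"][1:]
    return copy


if __name__ == "__main__":
    sig = make_signature_file("demo.exe", build_image(0x400000))
    print("relocated image ok:", identify_and_measure(sig, "demo.exe", build_image(0x600000)))
    print("tampered image trusted:", is_trusted(sig, "demo.exe", tampered_copy(build_image(0x600000))))
```

The same image loaded at 0x400000 and at 0x600000 produces one measurement because the relocation table tells the IMM which bytes the loader legitimately changed; a one-byte patch anywhere else in a code section, a forged signature file, or a program name that does not match all fail before the MPM is signalled.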