Field
Innovations herein pertain to computer virtualization, computer security and/or data isolation, and/or the use of a separation kernel hypervisor (and/or hypervisor), such as to detect and/or prevent malicious code and which may include or involve guest operating system(s).
Description of Related Information
In computer systems with hypervisors supporting a guest operating system, there exist some means to monitor the guest operating system for malicious or errant activity.
However, due to the constantly evolving nature of malicious code, such systems face numerous limitations in their ability to detect and defeat malicious code. One major limitation is the inability of a hypervisor to defend itself against malicious code; e.g., the particular hypervisor may be subverted by malicious code and/or may allow malicious code in a guest operating system to proliferate between a plurality of guest operating systems in the system.
To solve that issue, the motivation and use of a Separation Kernel Hypervisor is introduced in environments with malicious code. The Separation Kernel Hypervisor, unlike a hypervisor, does not merely support a plurality of Virtual Machines (VMs), but supports more secure, more isolated mechanisms, including systems and mechanisms to monitor and defeat malicious code, where such mechanisms are isolated from the malicious code but are also have high temporal and spatial locality to the malicious code. For example, they are proximate to the malicious code, but incorruptible and unaffected by the malicious code.
Furthermore the Separation Kernel Hypervisor is designed and constructed from the ground-up, with security and isolation in mind, in order to provide security and isolation (in time and space) between a plurality of software entities (and their associated/assigned resources, e.g., devices, memory, etc.); by mechanisms which may include Guest Operating System Virtual Machine Protection Domains (secure entities established and maintained by a Separation Kernel Hypervisor to provide isolation in time and space between such entities, and subsets therein, which may include guest operating systems, virtualization assistance layers, and rootkit defense mechanisms); where such software entities (and their associated assigned resources, e.g., devices, memory, etc., are themselves isolated and protected from each other by the Separation Kernel Hypervisor, and/or its use of hardware platform virtualization mechanisms.
Additionally, where some hypervisors may provide mechanisms to communicate between the hypervisor and antivirus software, or monitoring agent, executing within a guest operating system (for purposes of attempting to monitor malicious code), the hypervisor is not able to prevent corruption of the monitoring agent where the agent is within the same guest operating system as the malicious code; or the guest operating system (or any subset thereof, possibly including the antivirus software, and/or monitoring agent) is corrupted and/or subverted by malicious code.
With a Separation Kernel Hypervisor, one may use a defense-in-depth technique in order to provide a runtime execution environment whereby software can securely monitor for malicious code without being affected or corrupted by it; while at the same time having close proximity (in time and space) to the malicious code (or code, data, and/or resources under monitoring).
As well, where hypervisors may be used to attempt to detect and monitor malicious code, they may do so in a very limited fashion; e.g., they may attempt to use a software driver or application within a Guest Operating system in order to monitor for corruption of certain (sensitive) tables within the kernel of that guest operating system. In addition to such naïve mechanisms executing within the guest operating system (which may be subverted by malicious code, as in the example above), the defense of a narrow number of types of resources, e.g., systems tables (e.g., Systems Software Descriptor Table (SSDT), as used by variants of the Windows OS) may be limiting and ineffective when dealing with complex and/or adaptive malicious code that attempt to execute and conceal itself with sophisticated techniques (the construction of which may be sponsored by nation states with extremely high levels of resources).