Detection of unauthorized memory modification and access using transactional memory
US-2016026581-A1 · Jan 28, 2016 · US
Systems and methods for dynamically protecting a stack from below the operating system
US9703726B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-9703726-B2 |
| Application number | US-201414312712-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jun 24, 2014 |
| Priority date | Jun 24, 2014 |
| Publication date | Jul 11, 2017 |
| Grant date | Jul 11, 2017 |
How to read this patent
A practical reading order for non-experts. Skip the full description unless you need deep technical detail.
- Title
What the patent document calls the invention.
- Abstract
A short plain-language summary of the technical disclosure.
- Assignees and inventors
Who owns or filed the patent and who is credited as inventor.
- Key dates
Filing, priority, publication, and grant dates set the timeline.
- First independent claim
The legal scope of protection — read this for what is actually claimed.
- CPC / IPC classifications
Technology tags used to group this patent with similar filings.
- Citations and related patents
Prior art links and similar publications in this corpus.
Abstract
Official abstract text for this publication.
Described systems and methods allow protecting a host system against malware, using hardware virtualization technology. A memory introspection engine executes at the level of a hypervisor, protecting a virtual machine (VM) from exploits targeting the call stack of a thread executing within the respective VM. The introspection engine identifies a virtual memory page reserved for the stack, but not committed to the stack, and intercepts an attempt to write to the respective page. In response to intercepting the write attempt, the memory introspection engine marks the respective page as non-executable, thus protecting the stack against exploits.
First claim
Opening claim text (preview).
What is claimed is: 1. A method comprising employing at least one hardware processor of a host system to execute a memory introspection engine, the memory introspection engine executing outside of a virtual machine exposed by the host system, the virtual machine comprising a virtualized processor and a virtualized physical memory, the virtual machine configured to employ the virtualized processor to execute a target thread of a process, and wherein executing the memory introspection engine comprises: identifying within a virtual memory space of the process a target page reserved for a call stack of the target thread, wherein identifying the target page comprises determining an address of a top of the call stack, and determining whether the target page is reserved for the call stack according to the address; determining according to a page table of the virtual machine whether the target page is mapped to the virtualized physical memory; and in response to determining whether the target page is mapped to the virtualized physical memory, when the target page is not mapped to the virtualized physical memory: intercepting an attempt to write to the target page, and in response to intercepting the attempt to write to the target page, changing an access permission of the target page to indicate that the target page is non-executable. 2. The method of claim 1 , further comprising configuring the hardware processor to switch to executing the memory introspection engine in response to an attempt to execute a content of the target page. 3. The method of claim 1 , wherein changing the access permission of the target page comprises: identifying within a physical memory of the host system a physical page to which the target page is mapped; and modifying a page table entry of the physical page to mark the physical page as non-executable. 4. The method of claim 3 , wherein the page table entry of the physical page is an entry of a second level address translation (SLAT) page table. 5. The method of claim 1 , wherein intercepting the attempt to write to the target page comprises configuring the hardware processor to switch, in response to the attempt to write to the target page, from executing the target thread to executing the memory introspection engine. 6. The method of claim 1 , wherein executing the introspection engine further comprises, in preparation for intercepting the attempt to write to the target page: identifying within a physical memory of the host system a physical page to which the target page is mapped; and modifying a page table entry of the physical page to mark the physical page as non-writable. 7. The method of claim 6 , wherein the page table entry of the physical page is an entry of a second level address translation (SLAT) page table. 8. The method of claim 6 , wherein executing the introspection engine further comprises, in response to intercepting the attempt to write to the target page, modifying the page table entry of the physical page to mark the physical page as writable. 9. The method of claim 1 , wherein determining whether the target page is mapped to the virtualized physical memory comprises: determining according to the page table of the virtual machine whether the target page is a guard page; and in response, when the target page is a guard page, concluding that the target page is not mapped to the virtualized physical memory. 10. The method of claim 1 , wherein executing the memory introspection engine further comprises, in response to changing the access permission of the target page: identifying within the virtual memory space of the process a second page reserved for the call stack of the target thread; determining according to the page table of the virtual machine whether the second page is mapped to the virtualized physical memory; and in response, when the second page is not mapped to the virtualized physical memory, intercepting an attempt to write to the second page, and in response to intercepting the attempt to write to the second page, changing an access permission of the second page, to indicate that the second page is non-executable. 11. The method of claim 1 , wherein executing the memory introspection engine further comprises, in response to changing the access permission of the target page: intercepting an attempt to execute a content of the target page; and in response, determining whether the attempt to execute the content is indicative of malware. 12. A host system comprising a hardware processor configured to operate: a virtual machine comprising a virtualized processor and a virtualized physical memory, the virtual machine configured to employ the virtualized processor to execute a target thread of a process; and a memory introspection engine executing outside the virtual machine and configured to: identify within a virtual memory space of the process a target page reserved for a call stack of the target thread, wherein identifying the target page comprises determining an address of a top of the call stack, and determining whether the target page is reserved for the call stack according to the address; determine according to a page table of the virtual machine whether the target page is mapped to the virtualized physical memory; and in response to determining whether the target page is mapped to the virtualized physical memory, when the target page is not mapped to the virtualized physical memory: intercept an attempt to write to the target page, and in response to intercepting the attempt to write to the target page, change an access permission of the target page to indicate that the target page is non-executable. 13. The host system of claim 12 , wherein the memory introspection engine further configures the hardware processor to switch to executing the memory introspection engine in response to an attempt to execute a content of the target page. 14. The host system of claim 12 , wherein changing the access permission of the target page comprises: identifying within a physical memory of the host system a physical page to which the target page is mapped; and modifying a page table entry of the physical page to mark the physical page as non-executable. 15. The host system of claim 14 , wherein the page table entry of the physical page is an entry of a second level address translation (SLAT) page table. 16. The host system of claim 12 , wherein intercepting the attempt to write to the target page comprises configuring the hardware processor to switch, in response to the attempt to write to the target page, from executing the target thread to executing the memory introspection engine. 17. The host system of claim 12 , wherein the introspection engine is further configured, in preparation for intercepting the attempt to write to the target page, to: identify within a physical memory of the host system a physical page to which the target page is mapped; and modify a page table entry of the physical page to mark the physical page as non-writable. 18. The host system of claim 17 , wherein the page table entry of the physical page is an entry of a second level address translation (SLAT) page table. 19. The host system of claim 17 , wherein the introspection engine is further configured, in response to intercepting the attempt to write to the target page, to modify the page table entry of the physical page to mark the physical page as writable. 20. The host system of claim 12 , wherein determining whether the target page is mapped to the virt
Assignees
Inventors
Classifications
Details of virtual memory and virtual address translation · CPC title
involving event detection and direct action · CPC title
using page tables, e.g. page table structures · CPC title
Security improvement · CPC title
- G06F21/53Primary
by executing in a restricted environment, e.g. sandbox or secure virtual machine · CPC title
Patent family
Related publications grouped by family.
External sources
Frequently asked questions
Answers are generated from the same data shown on this page.
- What does patent US9703726B2 cover?
- Described systems and methods allow protecting a host system against malware, using hardware virtualization technology. A memory introspection engine executes at the level of a hypervisor, protecting a virtual machine (VM) from exploits targeting the call stack of a thread executing within the respective VM. The introspection engine identifies a virtual memory page reserved for the stack, but n…
- Who is the assignee on this patent?
- Bitdefender Ipr Man Ltd
- What technology area does this patent fall under?
- Primary CPC classification G06F21/53. Mapped technology areas include Physics.
- When was this patent published?
- Publication date Tue Jul 11 2017 00:00:00 GMT+0000 (Coordinated Universal Time) (B2). Legal status and post-grant events are not shown on this page.
- What related patents are in patentsdb?
- We list 1 related publication on this page (citations in our corpus or others sharing the same primary CPC).