Title of invention: Bare-metal computer security appliance
Abstract: Described systems and methods allow conducting computer security operations, such as detecting malware and spyware, in a bare-metal computer system. In some embodiments, a first processor of a computer system executes the code samples under assessment, whereas a second, distinct processor is used to carry out the assessment and to control various hardware components involved in the assessment. Such hardware components include, among others, a memory shadower configured to detect changes to a memory connected to the first processor, and a storage shadower configured to detect an attempt to write to a non-volatile storage device of the computer system.
Publication number: US9383934(B1) Publication date: 2016.07.05
Application number: US201514661423 Filing date: 2015.03.18
Applicant: Bitdefender IPR Management Ltd. Inventors: Lukacs Sandor; Colesa Adrian V.
Classification: G06F12/14; G06F3/06 Main classification: G06F12/14
Agency: Law Office of Andrei D Popovici, PC Agent: Law Office of Andrei D Popovici, PC
Main claim: 1. A method comprising: employing a first hardware processor of a computer system to execute a code sample loaded into a first memory of the computer system, the computer system further comprising a memory shadower and an interrupt generator, wherein the memory shadower includes a second memory and logic configured to take snapshots of the first memory, wherein each snapshot comprises a current content of a memory section of the first memory, wherein taking snapshots comprises copying the current content from the first memory to the second memory; employing the interrupt generator to inject a hardware interrupt into the first hardware processor, the hardware interrupt causing the computer system to transition into a sleeping state, wherein the sleeping state is a state wherein the first hardware processor is not executing instructions and the first memory is powered; in response to the computer system transitioning to the sleeping state, employing the memory shadower to take a first snapshot of the first memory; and in response to taking the first snapshot, employing the memory shadower to transmit at least a part of the first snapshot to a second hardware processor configured to determine according to the first snapshot whether the code sample poses a computer security threat.
Address: Nicosia CY