Title of invention: Systems and methods for delivering introspection notifications from a virtual machine
Abstract: Described systems and methods enable a computer security module to protect a set of guest virtual machines against computer security threats. In some embodiments, the computer security module receives introspection notifications from the protected VM, each such notification indicating that a particular trigger event (e.g., a system call) has occurred during execution of guest software within the respective VM. In some embodiments, delivering a notification comprises suspending execution of guest software and switching the processor to executing a notification handler forming part of the computer security module. Some embodiments of the present invention introduce a dedicated instruction for delivering introspection notifications. The instruction may be encoded such that it is interpreted as a no-operation instruction (NOP) by legacy processors and/or by processors that do not support hardware virtualization or do not currently execute in hardware virtualization mode.
Publication number: US9531735(B1) | Publication date: 2016.12.27
Application number: US201514665856 | Filing date: 2015.03.23
Applicant: Bitdefender IPR Management Ltd. | Inventors: Lukacs Sandor; Lutas Andrei V.
Classification: H04L29/06; G06F21/55 | Main classification: H04L29/06
Agency: Law Office of Andrei D Popovici, PC | Agent: Law Office of Andrei D Popovici, PC
Main claim: 1. A host system comprising a hardware processor and a memory, the hardware processor configured to: receive from the memory an introspection notification instruction forming part of a guest process executing within a virtual machine exposed on the host system, wherein execution of the guest process would cause an occurrence of a trigger event within the virtual machine, wherein the introspection notification instruction comprises an operation field and an operand field, wherein the operand field comprises an identifier of an event type of the trigger event; in response to receiving the introspection notification instruction, determine whether a delivery condition is satisfied according to a delivery condition determination value supplied by a computer security program distinct from the guest process; in response to determining whether the delivery condition is satisfied, when the delivery condition is satisfied, deliver an introspection notification; and in response to determining whether the delivery condition is satisfied, when the delivery condition is not satisfied, continue executing the guest process without delivering the introspection notification, wherein delivering the introspection notification comprises suspending execution of the guest process and in response, switching to executing the computer security program, wherein the computer security program is configured to determine whether the occurrence of the trigger event is indicative of a computer security threat.
Address: Nicosia CY