Title of invention: Systems And Methods For Preventing Code Injection In Virtualized Environments
Abstract: Described systems and methods allow protecting a host system from malicious injection of code and/or data. A memory introspection engine operates below an operating system (OS), having higher processor privileges than the OS. The memory introspection engine is configured to selectively block the copying of memory between a source process and a destination process, thus preventing the injection of code and/or data, particularly from or into user-mode processes. To prevent inter-process memory copying, some embodiments hook a native OS function carrying out such copy operations. A subsequent call to the hooked function may either carry out or block the requested copy operation, according to a set of decision criteria based on the identity of the source process and/or the identity of the destination process.
Publication number: US2015379265(A1) Publication date: 2015.12.31
Application number: US201414318719 Filing date: 2014.06.30
Applicant: Bitdefender IPR Management Ltd. Inventors: LUTAS Andrei V.; LUKACS Sandor
Classification: G06F21/56; G06F9/455 Main classification: G06F21/56
Agency: Agent:
Main claim: 1. A host system comprising a hardware processor configured to operate: a virtual machine comprising a virtualized processor, the virtual machine configured to employ the virtualized processor to execute a source process and a destination process; and a memory introspection engine executing outside the virtual machine and configured to: intercept an attempt to copy a content of memory from a virtual memory space of the source process to a virtual memory space of the destination process; identify the source and destination processes according to the attempt; and in response to identifying the source and destination process, selectively block the attempt according to a selection criterion determined according to at least one member of a group consisting of an identity of the source process and an identity of the destination process.
Address: Nicosia CY