Title of invention: Strongly isolated malware scanning using secure virtual containers
Abstract: Described systems and methods allow protecting a host system, such as a computer or smartphone, from malware. In some embodiments, an anti-malware application installs a hypervisor, which displaces an operating system executing on the host system to a guest virtual machine (VM). The hypervisor further creates a set of virtual containers (VC), by setting up a memory domain for each VC, isolated from the memory domain of the guest VM. The hypervisor then maps a memory image of a malware scanner to each VC. When a target object is selected for scanning, the anti-malware application launches the malware scanner. Upon intercepting the launch, the hypervisor switches the memory context of the malware scanner to the memory domain of a selected VC, for the duration of the scan. Thus, malware scanning is performed within an isolated environment.
Publication number: US9117081(B2) Publication date: 2015.08.25
Application number: US201314135902 Application date: 2013.12.20
Applicant: Bitdefender IPR Management Ltd. Inventors: Lukacs Sandor; Sirb Cristian B.; Lutas Dan H.; Colesa Adrian V.
Classification: G06F9/45; G06F21/56; G06F9/46 Main classification: G06F9/45
Agency: Law Office of Andrei D Popovici, PC Agent: Law Office of Andrei D Popovici, PC
Main claim: 1. A host system comprising: at least one hardware processor configured to execute a hypervisor, the hypervisor configured to expose a guest virtual machine (VM), a first virtual container (VC), and a second VC, wherein exposing the first and second VCs includes setting up a first memory domain for the first VC and a second memory domain for the second VC, the first and second memory domains isolated from each other and from a memory domain of the guest VM, wherein: the guest VM is configured to execute a malware scanner on a virtualized processor of the guest VM; and the hypervisor is further configured to: in response to setting up the first memory domain, map a memory page containing a part of the malware scanner to a first memory page within the first memory domain, in response to setting up the second memory domain, map the memory page containing the part of the malware scanner to a second memory page within the second memory domain, in response to the guest VM launching a first instance of the malware scanner to determine whether a first target object comprises malware, switch a memory context of the first instance of the malware scanner from the memory domain of the guest VM to the first memory domain, and in response to the guest VM launching a second instance of the malware scanner to determine whether a second target object comprises malware, switch a memory context of the second instance of the malware scanner from the memory domain of the guest VM to the second memory domain.
Address: Nicosia CY