Title |
System and method for kernel rootkit protection in a hypervisor environment |
Abstract |
A system and method for rootkit protection in a hypervisor environment includes modules for creating a soft whitelist having an entry corresponding to each guest kernel page of a guest operating system in a hypervisor environment, wherein each entry is a duplicate page of the corresponding guest kernel page, generating a page fault when a process attempts to access a guest kernel page, and redirecting the process to the corresponding duplicate page. If the page fault is a data page fault, the method includes fixing the page fault and marking a page table entry corresponding to the guest kernel page as non-executable and writeable. If the page fault is an instruction page fault, the method includes marking a page table entry corresponding to the guest kernel page as read-only. Redirecting includes changing a machine page frame number in a shadow page table of the hypervisor to point to the corresponding duplicate page. |
Publication number |
US9069586(B2) |
Publication date |
2015.06.30 |
Application number |
US201113273002 |
Filing date |
2011.10.13 |
Applicant |
McAfee, Inc. |
Inventors |
Dang Amit;Mohinder Preet;Srivastava Vivek |
Classification |
G06F9/455;G06F21/00 |
Main classification |
G06F9/455 |
Agent firm |
Patent Capital Group |
Agent |
Patent Capital Group |
Independent claim |
1. A method, comprising:
creating a soft whitelist having an entry corresponding to a guest kernel page of a guest operating system (OS) in a hypervisor environment comprising a hypervisor, wherein the entry is a duplicate page of the guest kernel page, and the guest OS has not loaded at least some kernel components;
mapping a virtual base address of the guest kernel page to a machine page frame number of the corresponding duplicate page;
generating a page fault when a process attempts to access the guest kernel page; and
redirecting the process to the duplicate page corresponding to the guest kernel page if the page fault is an instruction page fault. |
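The abstract and the independent claim above describe a fault-driven split between where kernel code is fetched from (the whitelisted duplicate, read-only) and where data accesses land (the live guest page, writable but non-executable). The following is an added simulation of that state machine, not code from the patent or from McAfee: it models machine memory, a shadow page table with one entry per guest kernel page, and the two fault handlers, using toy 64-byte pages, four guest kernel pages, and a constructed kernel image whose byte values are derived from page and offset. Everything here (page size, frame layout, function names, the `SPTE_*` bits) is an assumption made for the example.

```c
/* Added example: simulation of the soft-whitelist / shadow-page-table scheme.
 * Assumptions (not from the patent): 64-byte toy pages, four guest kernel
 * pages, a shadow page table with one entry per guest kernel page. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 64
#define NPAGES    4

/* Shadow page table entry (SPTE) permission bits, modelled on a hardware PTE. */
enum { SPTE_PRESENT = 1u << 0, SPTE_WRITE = 1u << 1, SPTE_NX = 1u << 2 };

typedef struct { uint32_t mfn; uint32_t flags; } spte_t;

/* Machine memory. Frames 0..NPAGES-1 hold the guest kernel pages; frames
 * NPAGES..2*NPAGES-1 hold their whitelisted duplicates (assumed layout). */
static uint8_t  machine_mem[2 * NPAGES][PAGE_SIZE];
static spte_t   shadow[NPAGES];        /* hypervisor shadow page table       */
static uint32_t whitelist_mfn[NPAGES]; /* soft whitelist: guest page -> dup  */
static int instr_faults, data_faults;  /* counters so callers can observe    */

/* Constructed guest kernel image: byte value derived from page and offset. */
void init_guest_kernel(void) {
    for (int p = 0; p < NPAGES; p++)
        for (int o = 0; o < PAGE_SIZE; o++)
            machine_mem[p][o] = (uint8_t)(0x40 + p * 16 + o);
    memset(shadow, 0, sizeof shadow);  /* not present: the first touch faults */
    instr_faults = data_faults = 0;
}

/* Snapshot each guest kernel page into its duplicate (taken before untrusted
 * kernel components load) and map the guest page's SPTE to the duplicate. */
void create_soft_whitelist(void) {
    for (int p = 0; p < NPAGES; p++) {
        uint32_t dup = NPAGES + p;
        memcpy(machine_mem[dup], machine_mem[p], PAGE_SIZE);
        whitelist_mfn[p] = dup;
        shadow[p].mfn   = dup;
        shadow[p].flags = 0;  /* not present, so the first access faults */
    }
}

/* Instruction page fault: redirect the MFN to the duplicate and mark the
 * entry read-only. Execution is served only from the pristine copy, so an
 * in-place patch of the live kernel page never reaches the instruction fetch. */
static void handle_instruction_fault(int p) {
    instr_faults++;
    shadow[p].mfn   = whitelist_mfn[p];
    shadow[p].flags = SPTE_PRESENT;               /* read-only, executable */
}

/* Data page fault: fix the fault by mapping the live guest page, writable but
 * non-executable, so data accesses work while any code written there faults
 * back into handle_instruction_fault() before it can run. */
static void handle_data_fault(int p) {
    data_faults++;
    shadow[p].mfn   = (uint32_t)p;
    shadow[p].flags = SPTE_PRESENT | SPTE_WRITE | SPTE_NX;
}

/* Guest instruction fetch of one byte at (page, offset). */
uint8_t guest_fetch(int p, int off) {
    if (!(shadow[p].flags & SPTE_PRESENT) || (shadow[p].flags & SPTE_NX))
        handle_instruction_fault(p);
    return machine_mem[shadow[p].mfn][off];
}

/* Guest data write of one byte; installing an inline hook looks like this. */
void guest_write(int p, int off, uint8_t v) {
    if (!(shadow[p].flags & SPTE_PRESENT) || !(shadow[p].flags & SPTE_WRITE))
        handle_data_fault(p);
    machine_mem[shadow[p].mfn][off] = v;
}

/* Guest data read of one byte; a present entry is readable whichever frame it maps. */
uint8_t guest_read(int p, int off) {
    if (!(shadow[p].flags & SPTE_PRESENT)) handle_data_fault(p);
    return machine_mem[shadow[p].mfn][off];
}

int instruction_fault_count(void) { return instr_faults; }
int data_fault_count(void)        { return data_faults; }

int main(void) {
    init_guest_kernel();
    create_soft_whitelist();
    uint8_t pristine = guest_fetch(0, 5);   /* instr fault -> duplicate        */
    guest_write(0, 5, 0xCC);                /* data fault -> live page, NX     */
    uint8_t executed = guest_fetch(0, 5);   /* NX -> instr fault -> duplicate  */
    printf("pristine=0x%02x executed-after-patch=0x%02x live-byte=0x%02x\n",
           pristine, executed, machine_mem[0][5]);
    return 0;
}
```

The sequence in `main()` is the case the abstract is built around: the write succeeds from the guest's point of view (the live frame now holds `0xCC`, and a data read returns it), but the next instruction fetch from that address trips the NX bit, the handler swaps the MFN back to the duplicate, and the pristine byte is what executes. Each flip between the two states costs a fault, which is the performance trade-off a real implementation has to manage on pages that mix code and data.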
Address |
Santa Clara CA US |