Title: Method and system for preventing tampering with software agent in a virtual machine
Abstract: Techniques are disclosed for monitoring a software agent running in a virtual machine to prevent execution of the software agent from being tampered with. In one embodiment, the software agent bootstraps such monitoring by ensuring that its code is present in memory and providing the code, memory addresses associated with the code, and a cryptographic signature of the code, to a monitoring process upon request. In response to receiving the code, the monitoring process checks the code using the cryptographic signature and further ensures that the code is present in memory at the provided addresses. The monitoring process may then place write traces on all memory pages of the agent and execution trace(s) on certain pages of the agent. By tracking writes to and execution of the respective pages, the monitoring process may determine whether the agent has been modified and whether the agent is still running.
Publication number: US9037873(B2) Publication date: 2015.05.19
Application number: US201313754662 Filing date: 2013.01.30
Applicant: VMware, Inc. Inventors: Litty Lionel; Leventopoulos Marios; Schwartz Joshua
Classification: G06F21/53;G06F21/50;G06F21/54;G06F21/64;G06F21/56;G06F12/10 Main classification: G06F21/53
Agency / Agent: (none listed)
Main claim: 1. A method to prevent tampering with a software component in a guest virtual machine, comprising: determining, by the software component, that code of the software component is loaded in non-pageable memory; transmitting, from the software component to a monitoring process external to the guest virtual machine, locations in the non-pageable memory at which the code is loaded; transmitting, from the software component to the monitoring process, a location in disk of the code; validating, by the monitoring process, that the locations in the non-pageable memory at which the code is loaded store code of the software component, wherein the validating includes comparing the code at the location in disk of the code with memory content at the locations in the non-pageable memory at which the code is loaded; placing, by the monitoring process, at least one of execution and write traces on one or more pages of the non-pageable memory at which the code is loaded; monitoring, via the execution and write traces, execution of, and writes to, the one or more pages of the non-pageable memory at which the code is loaded, respectively; and generating an alarm if a write trace fires or if an execution trace fails to fire periodically.
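As an added illustration (not code from the patent or from VMware), the following Python sketch simulates the hypervisor-side monitoring process the abstract and claim describe: it validates the agent's reported pages against the on-disk image, arms write traces on every agent page and an execution trace on the entry page, and raises an alarm on the two conditions the claim names. The 4 KiB page size, the guest-physical addresses, the SHA-256 digest standing in for the signature check, and the missed-heartbeat threshold are assumptions.

```python
import hashlib

PAGE_SIZE = 4096  # assumption: 4 KiB guest pages
def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class AgentMonitor:
    """Hypervisor-side monitor for an in-guest agent (constructed simulation, not VMware's code)."""
    def __init__(self, trusted_digest: str, max_missed_beats: int = 3):
        self.trusted_digest = trusted_digest      # known-good hash of the agent's on-disk image
        self.max_missed_beats = max_missed_beats  # timer ticks tolerated without an execution trace
        self.write_traced: set[int] = set()       # guest-physical pages carrying write traces
        self.exec_traced: set[int] = set()        # pages carrying execution traces
        self.missed_beats = 0
        self.alarms: list[str] = []

    def bootstrap(self, disk_image: bytes, report: list[tuple[int, int, bytes]], entry_gpa: int) -> bool:
        """report: (gpa, disk_offset, memory_content) per agent page; arm traces only if all checks pass."""
        if digest(disk_image) != self.trusted_digest:   # stand-in for the signature check on the disk code
            return False
        for gpa, offset, mem in report:
            if mem != disk_image[offset:offset + PAGE_SIZE]:
                return False                             # memory content disagrees with disk: refuse
        pages = {gpa for gpa, _, _ in report}
        if entry_gpa not in pages:
            return False
        self.write_traced = pages          # write traces on every agent page
        self.exec_traced = {entry_gpa}     # execution trace on the page the agent must run periodically
        return True
    def on_guest_write(self, gpa: int) -> None:
        if gpa in self.write_traced:
            self.alarms.append(f"write to agent page {gpa:#x}")
    def on_guest_exec(self, gpa: int) -> None:
        if gpa in self.exec_traced:
            self.missed_beats = 0          # agent is still running
    def on_timer(self) -> None:            # called once per monitoring interval
        self.missed_beats += 1
        if self.missed_beats > self.max_missed_beats:
            self.alarms.append("execution trace stopped firing")

def demo() -> list[str]:
    """Constructed scenario: a two-page agent is validated, then overwritten, then stops running."""
    disk_image = bytes(range(256)) * 16 + b"\xc3" * PAGE_SIZE   # constructed 8 KiB agent image
    report = [(0x10000, 0, disk_image[:PAGE_SIZE]), (0x11000, PAGE_SIZE, disk_image[PAGE_SIZE:])]
    mon = AgentMonitor(digest(disk_image))
    if not mon.bootstrap(disk_image, report, entry_gpa=0x10000):
        return ["bootstrap failed"]
    mon.on_guest_exec(0x10000); mon.on_timer()   # heartbeat observed: no alarm
    mon.on_guest_write(0x11000)                  # in-guest write to agent code: alarm
    for _ in range(3): mon.on_timer()            # three more intervals with no execution: alarm
    return mon.alarms
```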
Address: Palo Alto CA US