(12) United States Patent
     Epstein

(10) Patent No.: US 8,984,478 B2
(45) Date of Patent: Mar. 17, 2015

(54) REORGANIZATION OF VIRTUALIZED COMPUTER PROGRAMS

(75) Inventor: Joe Epstein, Pleasanton, CA (US)

(73) Assignee: Cisco Technology, Inc., San Jose, CA (US)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 27 days.

(21) Appl. No.: 13/549,410

(22) Filed: Jul. 13, 2012

(65) Prior Publication Data
     US 2013/0086550 A1    Apr. 4, 2013

Related U.S. Application Data
(60) Provisional application No. 61/542,786, filed on Oct. 3, 2011.

(51) Int. Cl.
     G06F 9/44     (2006.01)
     G06F 12/14    (2006.01)
     G06F 9/455    (2006.01)
(52) U.S. Cl.
     CPC: G06F 12/1475 (2013.01); G06F 2009/45583 (2013.01)
     USPC: 717/110; 717/111; 717/112; 726/22
(58) Field of Classification Search
     None
     See application file for complete search history.

(56) References Cited

U.S. PATENT DOCUMENTS

5,699,507 A *       12/1997   Goodnow et al.       714/38.1
5,787,285 A *       7/1998    Lanning              717/130
6,430,670 B1        8/2002    Bryg et al.
8,239,836 B1 *      8/2012    Franz et al.         717/127
8,856,782 B2        10/2014   Ghosh et al.
2007/0006178 A1     1/2007    Tan
2007/0039048 A1     2/2007    Shelest et al.       726/22
2008/0086550 A1 *   4/2008    Evora et al.         709/223
2009/0055693 A1     2/2009    Budko et al.         714/57
2009/0228718 A1 *   9/2009    Manferdelli et al.   713/190
2010/0031360 A1     2/2010    Seshadri et al.      726/24
2010/0146620 A1     6/2010    Simeral et al.
2011/0047543 A1     2/2011    Mohinder             718/1
(Continued)

FOREIGN PATENT DOCUMENTS

EP 723224 A1 *      7/1996

OTHER PUBLICATIONS

International Searching Authority, “Search Report and Written Opinion”, in application No. PCT/US2012000486 dated Dec. 10, 2012, 12 pages.
(Continued)

Primary Examiner — Don Wong
Assistant Examiner — Roberto E Luna
(74) Attorney, Agent, or Firm — Hickman Palermo Truong Becker Bingham Wong LLP

(57) ABSTRACT

In an embodiment, a data processing method comprises obtaining access to computer program code; identifying a plurality of code segments in the computer program code; reorganizing the computer program code into reorganized code, by re-ordering the plurality of code segments into a new order that is potentially different than an original order of the plurality of code segments; wherein the new order is unpredictable based on the original order; rewriting one or more pointers of the reorganized code to point to new locations in the reorganized code consistent with the order of the reorganized code; wherein the method is performed by one or more computing devices.

24 Claims, 7 Drawing Sheets

[Representative drawing: flowchart with the following steps]
402 Obtain access to computer program code
404 Perform static analysis or dynamic analysis on computer program code to identify boundaries of code segments sufficient to reorganize the code segments in an unpredictable manner
406 Modify layout of binary computer program code based on analysis by moving code segments to randomly selected or otherwise unpredictable locations
408A Move functions and related code to randomized or unpredictable new locations within the binary
408B Reorganize instructions by swapping, relocation, or spacing with no-op instructions in randomized or unpredictable manner
408C Alter the identification of registers that are used by instructions by substituting randomly selected or unpredictable new register identifier
408D Modify order within the stack of local function variables and add randomly selected or unpredictable numbers and kinds of padding bytes
410 Rewrite instruction pointers to point properly to locations within reorganized code segments
412 Rewrite data segment pointers to reference data segments that have been moved in reorganization
414 Intercept dynamic loader
416 Optionally repeat periodically on demand, including while program is in memory

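The segment move and instruction pointer rewrite in the steps above (408A and 410) can be shown on a toy instruction set. This is an added example, not code from the patent; the instruction set, the constructed sample program and every name in it (`insn`, `segment`, `reorganize`, `run`) are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

enum { PUSH, DUP, ADD, MUL, CALL, RET, JMP, HALT };
typedef struct { uint8_t op; int32_t arg; } insn;
typedef struct { int start, len; } segment;   /* [start, start+len) in the original image */
#define MAXI 64

/* Constructed sample image: main computes square(6) + 3 through two calls.
 * CALL/JMP arguments are absolute instruction indexes, i.e. the "pointers". */
static const insn ORIG[] = {
    {PUSH, 6}, {CALL, 4}, {CALL, 7}, {HALT, 0},   /* segment 0: main      */
    {DUP, 0},  {MUL, 0},  {RET, 0},               /* segment 1: square    */
    {PUSH, 3}, {ADD, 0},  {RET, 0},               /* segment 2: add_three */
};
static const segment SEGS[] = { {0, 4}, {4, 3}, {7, 3} };
enum { NINSN = 10, NSEG = 3 };
static insn IMG[MAXI];                            /* reorganized image */

/* Fisher-Yates shuffle of 0..n-1 driven by the OS CSPRNG, so the new order
 * cannot be derived from the original order. Returns 0 on success. */
int random_perm(int *perm, int n) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    for (int i = 0; i < n; i++) perm[i] = i;
    for (int i = n - 1; i > 0; i--) {
        unsigned char b;
        if (fread(&b, 1, 1, f) != 1) { fclose(f); return -1; }
        int j = b % (i + 1);          /* modulo bias is ignored in this sketch */
        int t = perm[i]; perm[i] = perm[j]; perm[j] = t;
    }
    fclose(f);
    return 0;
}

/* Lay segments out in perm order, then rewrite every CALL/JMP target and the
 * entry point through the old->new index map. Each segment must end in
 * RET, JMP or HALT so that no control flow falls through a boundary.
 * Returns the new entry index, or -1 if the input is inconsistent. */
int reorganize(const insn *in, int n, const segment *segs, int nseg,
               const int *perm, int entry, insn *out) {
    int map[MAXI], cursor = 0;
    if (n < 0 || n > MAXI || entry < 0 || entry >= n) return -1;
    for (int i = 0; i < n; i++) map[i] = -1;
    for (int k = 0; k < nseg; k++) {
        if (perm[k] < 0 || perm[k] >= nseg) return -1;
        const segment *s = &segs[perm[k]];
        if (s->start < 0 || s->len < 0 || s->start + s->len > n) return -1;
        for (int i = 0; i < s->len; i++) {
            if (cursor >= n) return -1;           /* segments overlap or repeat */
            map[s->start + i] = cursor;
            out[cursor++] = in[s->start + i];
        }
    }
    for (int i = 0; i < cursor; i++) {
        if (out[i].op != CALL && out[i].op != JMP) continue;
        int t = out[i].arg;
        if (t < 0 || t >= n || map[t] < 0) return -1;   /* dangling pointer */
        out[i].arg = map[t];
    }
    return map[entry];
}

/* Interpreter for the toy image: top of stack at HALT, or -1 on any fault. */
int run(const insn *p, int n, int entry) {
    int32_t st[32];
    int rs[32], sp = 0, rp = 0, pc = entry;
    for (int steps = 0; steps < 1000; steps++) {
        if (pc < 0 || pc >= n) return -1;
        insn i = p[pc++];
        switch (i.op) {
        case PUSH: if (sp >= 32) return -1; st[sp++] = i.arg; break;
        case DUP:  if (sp < 1 || sp >= 32) return -1; st[sp] = st[sp - 1]; sp++; break;
        case ADD:  if (sp < 2) return -1; st[sp - 2] += st[sp - 1]; sp--; break;
        case MUL:  if (sp < 2) return -1; st[sp - 2] *= st[sp - 1]; sp--; break;
        case CALL: if (rp >= 32) return -1; rs[rp++] = pc; pc = i.arg; break;
        case RET:  if (rp < 1) return -1; pc = rs[--rp]; break;
        case JMP:  pc = i.arg; break;
        case HALT: return sp ? st[sp - 1] : -1;
        default:   return -1;
        }
    }
    return -1;
}

int main(void) {
    int perm[NSEG];
    if (random_perm(perm, NSEG) != 0) return 1;
    int entry = reorganize(ORIG, NINSN, SEGS, NSEG, perm, 0, IMG);
    printf("order %d %d %d, entry %d, original %d, reorganized %d\n",
           perm[0], perm[1], perm[2], entry, run(ORIG, NINSN, 0),
           entry < 0 ? -1 : run(IMG, NINSN, entry));
    return 0;
}
```

The program computes the same value from the rewritten entry point under any segment order, while an address taken from the original layout no longer lands on the code it used to reference.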
WIZ, Inc. EXHIBIT - 1068
WIZ, Inc. v. Orca Security LTD.

US 8,984,478 B2
Page 2

(56) References Cited

U.S. PATENT DOCUMENTS

2012/0204235 A1     8/2012    Jaudon et al.
2013/0086299 A1     4/2013    Epstein

OTHER PUBLICATIONS

Current Claims in application No. PCT/US2012000486, dated Dec. 2012, 8 pages.
Satyajit Grover et al., “RKRD: Runtime Kernel Rootkit Detection”, dated 2009, 13 pages.
Yee et al., “Native Client: A Sandbox for Portable, Untrusted x86 Native Code”, dated 2009, IEEE Symposium on Security and Privacy, 15 pages.
Wang et al., “HyperSafe: A light Approach to Provide Lifetime Hypervisor Control-Flow Integrity”, dated 2010, 16 pages.
Rutkowska, Joanna, “System Virginity Verifier”, Defining the Roadmap for Malware Detection on Windows System, dated Sep. 28-29, 2005, 38 pages.
Garfinkel et al., “A Virtual Machine Introspection Based Architecture for Intrusion Detection”, dated 2009, 16 pages.
Vasudevan et al., “Lockdown: A Safe and Practical Environment for Security Applications”, CMU-CyLab-09-011, dated Jul. 14, 2009, 18 pages.
Riley et al., “Guest-Transparent Prevention of Kernel Rootkits with VMM-based Memory Shadowing”, dated 2008, 20 pages.
Kiriansky et al., “Secure Execution Via Program Shepherding”, dated 2002, 16 pages.
Rutkowska et al., “Qubes OS Architecture”, Version 0.3, dated Jan. 2010, 44 pages.
Garfinkel et al., “A Virtual Machine-Based Platform for Trusted Computing”, SOSP, dated Oct. 2003, 14 pages.
Seshadri et al., “SecVisor: A Tiny Hypervisor to Provide Lifetime Kernel Code Integrity for Commodity OSes”, SOSP, dated Oct. 2007, 16 pages.
Nance et al., “Virtual Machine Introspection”, Observation or Interference?, IEEE Computer Society, Sep./Oct. 2008, 6 pages.

* cited by examiner

[Drawing sheet 1 of 7: Fig. 1A and Fig. 1B. Legible labels: 100 Computer; 102 Hardware; 104 VMM Logic; 106 Operating System; 107 Extended Page Table; 108A, 108B Application; 110 Xen Operating System; 108A dom0; 108B domU; 112 Security Logic.]

[Drawing sheet 2 of 7: Fig. 1C and Fig. 1D. Legible labels: 100 Computer; 102 Hardware; 106 Operating System; 107 Extended Page Table; 108A, 108B Application; 110 Xen Operating System; 112 Security Logic; 120 dom0; 122 User space application; 124 Driver; Hypercall.]

[Drawing sheet 3 of 7: Fig. 2. Legible labels: 110 Xen Operating System; 120 dom0; 122 User space application; 202 Driver; 204 libxc (e.g., xenctrl); 206 vbind; 210 Page; 212 Authentication; 214 Identification; 216 Activation; 218 Harvesting; 222 Rewrites; 224 Remediation; 228 Termination; unnumbered labels: oracle; copies (program fingerprints); page faults.]

[Drawing sheet 4 of 7: drawing labels not legible in this copy.]

[Drawing sheet 5 of 7: Fig. 4, flowchart with the following steps]
402 Obtain access to computer program code
404 Perform static analysis or dynamic analysis on computer program code to identify boundaries of code segments sufficient to reorganize the code segments in an unpredictable manner
406 Modify layout of binary computer program code based on analysis by moving code segments to randomly selected or otherwise unpredictable locations
408A Move functions and related code to randomized or unpredictable new locations within the binary
408B Reorganize instructions by swapping, relocation, or spacing with no-op instructions in randomized or unpredictable manner
408C Alter the identification of registers that are used by instructions by substituting randomly selected or unpredictable new register identifier
408D Modify order within the stack of local function variables and add randomly selected or unpredictable numbers and kinds of padding bytes
410 Rewrite instruction pointers to point properly to locations within reorganized code segments
412 Rewrite data segment pointers to reference data segments that have been moved in reorganization
414 Intercept dynamic loader
416 Optionally repeat periodically on demand, including while program is in memory

[Drawing sheet 6 of 7: flowchart with the following steps; figure caption not legible]
501 Load computer program code into memory
502 Retrieve information about last reorganization of this program and generate new randomized reorganization plan
504 Update storage with information about new reorganization plan
404 Perform static analysis or dynamic analysis on computer program code to select boundaries of code segments and to obtain information sufficient to reorganize the code segments in an unpredictable manner
406 Modify layout of binary computer program code based on analysis by moving code segments to randomly selected or otherwise unpredictable locations
410 Rewrite instruction pointers to point properly to locations within reorganized code segments

[Drawing sheet 7 of 7: flowchart with the following steps; figure caption not legible]
602 Detect loading of a dynamic loader
604 Allow dynamic loader to be loaded
606 Redirect system call instructions in the dynamic loader to cause loading reorganized code
608A Redirect OPEN, READ, MMAP, etc. to different files
608B Use private memory map to deliver contents of reorganized code in response to OPEN followed by READ or MMAP rather than contents of the memory originally referenced in those calls
404 Perform static analysis or dynamic analysis on computer program code to select boundaries of code segments and to obtain information sufficient to reorganize the code segments in an unpredictable manner
609 Update binary header of binary computer program code based on analysis to reflect moving code segments to randomly selected or otherwise unpredictable locations
610 Allow dynamic loader to perform loading based on updated header
614 Validate code segment linkages
616 Cause loading a different loader
618 Perform OS-transparent rewrites using I/O MMU approach

REORGANIZATION OF VIRTUALIZED COMPUTER PROGRAMS

BENEFIT CLAIM

This application claims the benefit under 35 U.S.C. 119 of prior provisional application 61/542,786, filed Oct. 3, 2011, the entire contents of which are hereby incorporated by reference for all purposes as if fully set forth herein.

TECHNICAL FIELD

The present disclosure generally relates to computer program security. The disclosure relates more specifically to techniques for improving the resistance of virtualized computer programs against various kinds of unauthorized use or attacks.

BACKGROUND

The approaches described in this section are approaches that could be pursued, but not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated, it should not be assumed that any of the approaches described in this section qualify as prior art merely by virtue of their inclusion in this section.

Computer programs that operate on servers that are accessible over the public Internet, and in other contexts, are known to have vulnerabilities to various kinds of attacks. Certain attacks are implemented by installing unauthorized or malicious code into the programs and causing execution of the foreign code.

Virtualization is a technique with which multiple different host operating systems, with associated computer programs, can run on a single computer or processor under control of a supervisory program, which may be a hypervisor. The use of virtualization creates new opportunities for attacks and new kinds of security vulnerabilities.

The SecVisor academic research project uses permissions bits maintained in an operating system page table to determine whether a page is writable or executable and to set page permissions so that pages of program code are not executable if they are also writable. However, SecVisor provides no mechanism for interworking with the memory page permissions that are maintained in a hypervisor or in a virtual machine monitor (VMM) that is closely coupled to a virtualization-optimized CPU, such as Xen on Intel processors.

Xen has provided the ability for a privileged domain to register on a hypercall interface for a memory event that is served by the memory handler of the hypervisor. Memory events have been used for demand paging of the domain, for example, for disk swapping of memory pages. Programs listening on memory events could use a different hypercall to read or write pages from or to disk and update page type values to indicate that the pages have been paged in or out. Xen implements a memory page framework denoted p2m that manages memory page type values for the purpose of supporting different uses of memory. For example, when a memory page has been paged out to disk, the memory page type value for that page may be set to “swapped out” (p2m_ram_paged) because the page is unavailable. This type is then converted to a memory access permission of not-readable. If a program attempts to read the page, Xen p2m throws a page fault and its page fault handler will page the memory in from disk, update the memory page type value to a paged-in type (which is converted to an access permission of readable), and return control to the program that caused the fault. Additional memory types exist for pages that are emulating hardware—and thus should cause the I/O emulator to react as if the memory access were a bus access to a peripheral. Additional page types are for shared memory between domains. However, none of the page types represent access permissions different from their type or usage, and thus make altering or restricting memory access permissions further for security—for example, of the content, rather than the emulation purpose—of the page impossible.

SUMMARY OF THE INVENTION

The appended claims may serve as a summary of the invention.

BRIEF DESCRIPTION OF THE DRAWINGS

In the drawings:

FIG. 1A illustrates a computer configured with certain elements of a security system for virtualized computer programs.

FIG. 1B illustrates a computer configured with certain elements of a security system for virtualized computer programs using Xen.

FIG. 1C illustrates further details of an embodiment that uses the Xen operating system.

FIG. 1D illustrates an embodiment in which a special-purpose hypervisor is installed into a guest operating system to integrate with security logic.

FIG. 2 illustrates an approach for identifying, authenticating, and authorizing pages of memory in a virtualized computer environment.

FIG. 3 is a block diagram of a computer system with which an embodiment may be used.

FIG. 4 illustrates a process of reorganizing virtualized computer programs in a randomized or unpredictable manner for security purposes.

FIG. 5 illustrates a process of variably randomizing the reorganization of a computer program upon each memory load of the program.

FIG. 6 illustrates a process of intercepting dynamic loading and responding to dynamic loading for security purposes.

DESCRIPTION OF EXAMPLE EMBODIMENTS

In the following description, for the purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the present invention. It will be apparent, however, that the present invention may be practiced without these specific details. In other instances, well-known structures and devices are shown in block diagram form in order to avoid unnecessarily obscuring the present invention.

1.0 General Overview and Benefits of Embodiments

Xen has provided the ability for a privileged domain to register on a hypercall interface for a memory event that is served by the memory handler of the hypervisor. Memory events have been used for demand paging of the domain, for example, for disk swapping of memory pages. Programs listening on memory events could use a different hypercall to read or write pages from or to disk, allocate or de-allocate memory and update page type values to indicate that the pages have been paged in or out. However, in this context, there has been no practical method prior to this disclosure to implement page-level memory security without interfering with the existing Xen memory model so that legacy applications can execute without alteration.

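The limitation described in the Background, that a page's access permission is only whatever its p2m type converts to, can be modelled in a few lines of C next to a second permission table kept independently of the page types. This is an added example, not Xen code and not code from the patent; the type names, tables and functions are hypothetical, and checking the security table before the type-driven handling is an assumption.

```c
#include <stddef.h>
#include <stdio.h>

enum { P_R = 1, P_W = 2, P_X = 4 };
/* Simplified stand-ins for p2m page types (only p2m_ram_paged is named in the text). */
typedef enum { T_RAM_RW, T_RAM_PAGED, T_MMIO_EMULATED } page_type;
typedef enum { ALLOW, PAGE_IN, EMULATE_IO, DENY } verdict;

#define NPAGES 8
static page_type type_tbl[NPAGES];  /* first table: type, owned by the paging logic   */
static unsigned  sec_tbl[NPAGES];   /* second table: security permissions, kept apart */

/* A type converts to a permission: paged-out and emulated pages fault on any access. */
unsigned type_to_perm(page_type t) {
    return t == T_RAM_RW ? (unsigned)(P_R | P_W | P_X) : 0u;
}

int reset_tables(void) {
    for (size_t i = 0; i < NPAGES; i++) { type_tbl[i] = T_RAM_RW; sec_tbl[i] = P_R | P_W; }
    return 0;
}

/* Security policy entry. Refuses writable+executable, the rule the text
 * attributes to SecVisor. */
int sec_set(unsigned gfn, unsigned perm) {
    if (gfn >= NPAGES || ((perm & P_W) && (perm & P_X))) return -1;
    sec_tbl[gfn] = perm;
    return 0;
}

/* The paging logic retypes a page when it is swapped out; it never touches sec_tbl. */
int page_out(unsigned gfn) {
    if (gfn >= NPAGES || type_tbl[gfn] != T_RAM_RW) return -1;
    type_tbl[gfn] = T_RAM_PAGED;
    return 0;
}

/* With only the type table, the decision is whatever the type converts to. */
verdict type_only_access(unsigned gfn, unsigned action) {
    if (gfn >= NPAGES) return DENY;
    if (type_tbl[gfn] == T_RAM_PAGED) { type_tbl[gfn] = T_RAM_RW; return PAGE_IN; }
    if (type_tbl[gfn] == T_MMIO_EMULATED) return EMULATE_IO;
    return (type_to_perm(type_tbl[gfn]) & action) == action ? ALLOW : DENY;
}

/* With both tables: the security permission is compared with the requested
 * action first, then the type-driven handling (page-in, emulation) runs as before. */
verdict two_table_access(unsigned gfn, unsigned action) {
    if (gfn >= NPAGES) return DENY;
    if ((sec_tbl[gfn] & action) != action) return DENY;
    return type_only_access(gfn, action);
}

int main(void) {
    reset_tables();
    sec_set(1, P_R | P_X);                 /* page 1 holds code: read and execute only */
    printf("write, type table only: %d\n", type_only_access(1, P_W));
    printf("write, both tables:     %d\n", two_table_access(1, P_W));
    page_out(1);
    printf("read after page-out:    %d\n", two_table_access(1, P_R));
    printf("write after page-in:    %d\n", two_table_access(1, P_W));
    return 0;
}
```

Because the paging logic only ever rewrites the type table, the write restriction on the code page survives a page-out and page-in cycle.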
In an embodiment, a data processing method provides in a computer that is executing an INTEL XEN architecture comprising at least an INTEL XEN hypervisor, at least one privileged domain in computer memory, and a p2m page fault handler associated with a first table of a plurality of values of memory page types stored in memory for a plurality of pages of the memory, wherein the memory page types dictate the setting of memory page permissions (for use in a hardware memory page table) that comprise readable, writeable, executable, non-readable, non-writeable, and non-executable: creating and storing a second table of a plurality of values of memory page access permissions, wherein the second table is independent of the first table, wherein the memory page access permissions comprise at least readable, writeable, executable, not readable, not writeable, not executable; registering security logic as a memory event interface registered to a hypercall interface of the INTEL XEN hypervisor; the security logic receiving, through the hypercall interface, a page fault that identifies a particular memory page, wherein the page fault may be provided also to the p2m page fault handler; the security logic determining, based on the first table and the second table, a different permission for a particular memory page that is identified in the page fault; the security logic comparing the different permission to a memory action that is specified in the page fault; the security logic allowing the memory action only when the different permission indicates that the memory action is allowable. A

prising an INTEL XEN hypervisor, at least one privileged domain in computer memory, and a p2m page fault handler associated with a first table of a plurality of values of memory page type permissions stored in memory for a plurality of pages of the memory, wherein the memory page type permissions comprise readable, writeable, not readable and not writeable: creating and storing a second table of a plurality of values of memory page access permissions, wherein the second table is independent of the first table, wherein the memory page access permissions comprise at least readable, writeable, executable, not readable, not writeable, not executable; registering a memory event interface registered to a hypercall interface of the INTEL XEN hypervisor; receiving, through the hypercall interface, a page fault that identifies a particular memory page, wherein the page fault may be provided also to the p2m page fault handler; identifying an application program or other metadata associated with the particular memory page based on a database that maps identifiers of known memory pages to metadata for the known memory pages; determining whether the particular memory page is authentic; determining whether to authorize use of the particular memory page based on a security policy applicable to the particular memory page.

In an embodiment, the media further comprise sequences of instructions which when executed cause processing the page fault at the p2m page fault handler to perform demand memory paging to disk or shared memory handling in parallel