US008984478B2

(12) United States Patent
Epstein
(10) Patent No.: US 8,984,478 B2
(45) Date of Patent: Mar. 17, 2015

(54) REORGANIZATION OF VIRTUALIZED COMPUTER PROGRAMS
(75) Inventor: Joe Epstein, Pleasanton, CA (US)
(73) Assignee: Cisco Technology, Inc., San Jose, CA (US)
(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 27 days.
(21) Appl. No.: 13/549,410
(22) Filed: Jul. 13, 2012
(65) Prior Publication Data: US 2013/0086550 A1, Apr. 4, 2013

Related U.S. Application Data
(60) Provisional application No. 61/542,786, filed on Oct. 3, 2011.

(51) Int. Cl.
G06F 9/44 (2006.01)
G06F 12/14 (2006.01)
G06F 9/455 (2006.01)
(52) U.S. Cl.
CPC: G06F 12/1475 (2013.01); G06F 2009/45583 (2013.01)
USPC: 717/110; 717/111; 717/112; 726/22
(58) Field of Classification Search
None
See application file for complete search history.

(56) References Cited

U.S. PATENT DOCUMENTS
5,699,507 A * 12/1997 Goodnow et al. 714/38.1
5,787,285 A * 7/1998 Lanning 717/130
6,430,670 B1 8/2002 Bryg et al.
8,239,836 B1 * 8/2012 Franz et al. 717/127
8,856,782 B2 10/2014 Ghosh et al.
2007/0006178 A1 1/2007 Tan
2007/0039048 A1 * 2/2007 Shelest et al. 726/22
2008/0086550 A1 * 4/2008 Evora et al. 709/223
2009/0055693 A1 * 2/2009 Budko et al. 714/57
2009/0228718 A1 * 9/2009 Manferdelli et al. 713/190
2010/0031360 A1 * 2/2010 Seshadri et al. 726/24
2010/0146620 A1 6/2010 Simeral et al.
2011/0047543 A1 * 2/2011 Mohinder 718/1
(Continued)

FOREIGN PATENT DOCUMENTS
EP 723224 A1 * 7/1996

OTHER PUBLICATIONS
International Searching Authority, "Search Report and Written Opinion", in application No. PCT/US2012000486 dated Dec. 10, 2012, 12 pages.
(Continued)

Primary Examiner — Don Wong
Assistant Examiner — Roberto E Luna
(74) Attorney, Agent, or Firm — Hickman Palermo Truong Becker Bingham Wong LLP

(57) ABSTRACT

In an embodiment, a data processing method comprises obtaining access to computer program code; identifying a plurality of code segments in the computer program code; reorganizing the computer program code into reorganized code, by re-ordering the plurality of code segments into a new order that is potentially different than an original order of the plurality of code segments; wherein the new order is unpredictable based on the original order; rewriting one or more pointers of the reorganized code to point to new locations in the reorganized code consistent with the order of the reorganized code; wherein the method is performed by one or more computing devices.

24 Claims, 7 Drawing Sheets
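The reorganization the abstract describes (re-order segments unpredictably, then rewrite every pointer to stay consistent with the new order), modelled end to end as an added example that is not the patent's code; it also covers the per-load re-planning of FIG. 5 (steps 502/504). The three-segment program, its pointer layout and the no-op padding bound are constructed sample inputs, and a CSPRNG is assumed as the source of unpredictability.

```python
"""Code-segment reorganization with pointer rewriting, modelled on the abstract and on
steps 402-416 of FIG. 4 and 502/504 of FIG. 5. Added example; not the patent's code."""
import random
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass
class Segment:
    name: str
    size: int
    # (offset of the pointer inside this segment, absolute address it points at)
    pointers: List[Tuple[int, int]] = field(default_factory=list)


@dataclass
class Layout:
    order: List[str]            # placement order of the segments
    base: Dict[str, int]        # segment name -> start address
    pad_before: Dict[str, int]  # no-op padding in front of each segment (step 408B)


def sample_program() -> List[Segment]:
    """Constructed three-segment program: main calls helper+8, helper reads data+0."""
    return [
        Segment("main", 64, [(4, 64 + 8)]),     # originally at address 0x00
        Segment("helper", 32, [(12, 96 + 0)]),  # originally at address 0x40
        Segment("data", 16),                    # originally at address 0x60
    ]


def original_layout(segments: Sequence[Segment]) -> Layout:
    """Step 404: the segment boundaries as found in the image, laid out back to back."""
    base, addr = {}, 0
    for s in segments:
        base[s.name] = addr
        addr += s.size
    return Layout([s.name for s in segments], base, {s.name: 0 for s in segments})


def locate(layout: Layout, segments: Sequence[Segment], addr: int) -> Tuple[str, int]:
    """Resolve an absolute address to (segment, offset) under the given layout."""
    for s in segments:
        start = layout.base[s.name]
        if start <= addr < start + s.size:
            return s.name, addr - start
    raise ValueError(f"address {addr:#x} falls outside every segment")


def make_plan(segments: Sequence[Segment], rng: Optional[random.Random] = None,
              max_pad: int = 16, previous: Optional[Layout] = None) -> Layout:
    """Steps 406/408A/408B/502: choose an unpredictable order and padding. When the
    previous load's plan is known, keep drawing until the new plan differs from it."""
    rng = secrets.SystemRandom() if rng is None else rng  # CSPRNG by default (assumption)
    sizes = {s.name: s.size for s in segments}
    while True:
        order = list(sizes)
        rng.shuffle(order)
        pad = {n: rng.randrange(0, max_pad + 1) for n in order}
        plan, addr = Layout(order, {}, pad), 0
        for n in order:
            addr += pad[n]
            plan.base[n] = addr
            addr += sizes[n]
        if previous is None or (order, pad) != (previous.order, previous.pad_before):
            return plan


def rewrite_pointers(segments: Sequence[Segment], old: Layout, new: Layout) -> List[Segment]:
    """Steps 410/412: map each pointer old address -> (segment, offset) -> new address."""
    rewritten = []
    for s in segments:
        fixed = []
        for off, target in s.pointers:
            seg, seg_off = locate(old, segments, target)
            fixed.append((off, new.base[seg] + seg_off))
        rewritten.append(Segment(s.name, s.size, fixed))
    return rewritten


def verify(segments: Sequence[Segment], old: Layout, moved: Sequence[Segment], new: Layout) -> bool:
    """Every pointer must still name the same (segment, offset) after the move."""
    for s, r in zip(segments, moved):
        for (o_off, o_tgt), (n_off, n_tgt) in zip(s.pointers, r.pointers):
            if o_off != n_off or locate(old, segments, o_tgt) != locate(new, moved, n_tgt):
                return False
    return True


def demo(seed: Optional[int] = None) -> dict:
    """One load of the sample program; a seed makes the run reproducible for testing."""
    rng = random.Random(seed) if seed is not None else None
    segs = sample_program()
    old = original_layout(segs)
    plan = make_plan(segs, rng)
    moved = rewrite_pointers(segs, old, plan)
    next_plan = make_plan(segs, rng, previous=plan)  # step 502: the next load gets a fresh plan
    return {
        "new_order": plan.order,
        "verified": verify(segs, old, moved, plan),
        "call_target": locate(plan, moved, moved[0].pointers[0][1]),
        "next_plan_differs": (next_plan.order, next_plan.pad_before) != (plan.order, plan.pad_before),
    }
```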

[Representative drawing on the front page: the FIG. 4 flowchart (steps 402 through 416), reproduced in full on Sheet 5 of 7.]

WIZ, Inc. EXHIBIT - 1068
WIZ, Inc. v. Orca Security LTD.

US 8,984,478 B2
Page 2

(56) References Cited

U.S. PATENT DOCUMENTS
2012/0204235 A1 8/2012 Jaudon et al.
2013/0086299 A1 4/2013 Epstein

OTHER PUBLICATIONS
Current Claims in application No. PCT/US2012000486, dated Dec. 2012, 8 pages.
Satyajit Grover et al., "RKRD: Runtime Kernel Rootkit Detection", dated 2009, 13 pages.
Yee et al., "Native Client: A Sandbox for Portable, Untrusted x86 Native Code", dated 2009, IEEE Symposium on Security and Privacy, 15 pages.
Wang et al., "HyperSafe: A Lightweight Approach to Provide Lifetime Hypervisor Control-Flow Integrity", dated 2010, 16 pages.
Rutkowska, Joanna, "System Virginity Verifier: Defining the Roadmap for Malware Detection on Windows System", dated Sep. 28-29, 2005, 38 pages.
Garfinkel et al., "A Virtual Machine Introspection Based Architecture for Intrusion Detection", dated 2009, 16 pages.
Vasudevan et al., "Lockdown: A Safe and Practical Environment for Security Applications", CMU-CyLab-09-011, dated Jul. 14, 2009, 18 pages.
Riley et al., "Guest-Transparent Prevention of Kernel Rootkits with VMM-based Memory Shadowing", dated 2008, 20 pages.
Kiriansky et al., "Secure Execution Via Program Shepherding", dated 2002, 16 pages.
Rutkowska et al., "Qubes OS Architecture", Version 0.3, dated Jan. 2010, 44 pages.
Garfinkel et al., "A Virtual Machine-Based Platform for Trusted Computing", SOSP, dated Oct. 2003, 14 pages.
Seshadri et al., "SecVisor: A Tiny Hypervisor to Provide Lifetime Kernel Code Integrity for Commodity OSes", SOSP, dated Oct. 2007, 16 pages.
Nance et al., "Virtual Machine Introspection: Observation or Interference?", IEEE Computer Society, Sep./Oct. 2008, 6 pages.

* cited by examiner

U.S. Patent    Mar. 17, 2015    Sheet 1 of 7    US 8,984,478 B2

[Fig. 1A, block diagram: 100 Computer; 102 Hardware; 104 VMM Logic; 112 Security Logic; 107 Extended Page Table; 106 Operating System; 108A Application; 108B Application.]

[Fig. 1B, block diagram: 100 Computer; 102 Hardware; 110 Xen Operating System; 112 Security Logic; 108A dom0; 108B domU.]

U.S. Patent    Mar. 17, 2015    Sheet 2 of 7    US 8,984,478 B2

[Fig. 1C, block diagram: 120 dom0; 122 User space application; 124 Driver; Hypercall; 110 Xen Operating System.]

[Fig. 1D, block diagram: 100 Computer; 102 Hardware; 107 Extended Page Table; 106 Operating System; 112 Security Logic; 108A Application; 108B Application.]

U.S. Patent    Mar. 17, 2015    Sheet 3 of 7    US 8,984,478 B2

[Fig. 2, block diagram: 120 dom0; 122 User space application; 204 libxc; 202 Driver (e.g., xenctrl); Hypercall; 110 Xen Operating System; 206 vbind; 208 Memory page copies (program fingerprints); 210 Page oracle; 212 Authentication; 214 Identification; 216 Activation; 218 Harvesting; Policy; 222 Rewrites; 224 Remediation; 226 Inject page faults; 228 Termination.]

U.S. Patent    Mar. 17, 2015    Sheet 4 of 7    US 8,984,478 B2

[FIG. 3, block diagram of a computer system: BUS; PROCESSOR 304; MAIN MEMORY; ROM; STORAGE DEVICE 310; DISPLAY 312; INPUT DEVICE 314; CURSOR CONTROL 316; COMMUNICATION INTERFACE; NETWORK LINK 320; LOCAL NETWORK 322; HOST 324; ISP 326; INTERNET 328; SERVER.]

U.S. Patent    Mar. 17, 2015    Sheet 5 of 7    US 8,984,478 B2

Fig. 4 (flowchart):
402 Obtain access to computer program code
404 Perform static analysis or dynamic analysis on computer program code to identify boundaries of code segments sufficient to reorganize the code segments in an unpredictable manner
406 Modify layout of binary computer program code based on analysis by moving code segments to randomly selected or otherwise unpredictable locations
408A Move functions and related code to randomized or unpredictable new locations within the binary
408B Reorganize instructions by swapping, relocation, or spacing with no-op instructions in randomized or unpredictable manner
408C Alter the identification of registers that are used by instructions by substituting randomly selected or unpredictable new register identifier
408D Modify order within the stack of local function variables and add randomly selected or unpredictable numbers and kinds of padding bytes
410 Rewrite instruction pointers to point properly to locations within reorganized code segments
412 Rewrite data segment pointers to reference data segments that have been moved in reorganization
414 Intercept dynamic loader
416 Optionally repeat periodically on demand, including while program is in memory

U.S. Patent    Mar. 17, 2015    Sheet 6 of 7    US 8,984,478 B2

Fig. 5 (flowchart):
501 Load computer program code into memory
404 Perform static analysis or dynamic analysis on computer program code to select boundaries of code segments and to obtain information sufficient to reorganize the code segments in an unpredictable manner
502 Retrieve information about last reorganization of this program and generate new randomized reorganization plan
504 Update storage with information about new reorganization plan
406 Modify layout of binary computer program code based on analysis by moving code segments to randomly selected or otherwise unpredictable locations
410 Rewrite instruction pointers to point properly to locations within reorganized code segments

U.S. Patent    Mar. 17, 2015    Sheet 7 of 7    US 8,984,478 B2

Fig. 6 (flowchart):
602 Detect loading of a dynamic loader
604 Allow dynamic loader to be loaded
606 Redirect system call instructions in the dynamic loader to cause loading reorganized code
608A Redirect OPEN, READ, MMAP, etc. to different files
608B Use private memory map to deliver contents of reorganized code in response to OPEN followed by READ or MMAP rather than contents of the memory originally referenced in those calls
404 Perform static analysis or dynamic analysis on computer program code to select boundaries of code segments and to obtain information sufficient to reorganize the code segments in an unpredictable manner
609 Update binary header of binary computer program code based on analysis to reflect moving code segments to randomly selected or otherwise unpredictable locations
610 Allow dynamic loader to perform loading based on updated header
614 Validate code segment linkages
616 Cause loading a different loader
618 Perform OS-transparent rewrites using I/O MMU approach

REORGANIZATION OF VIRTUALIZED COMPUTER PROGRAMS

BENEFIT CLAIM

This application claims the benefit under 35 U.S.C. 119 of prior provisional application 61/542,786, filed Oct. 3, 2011, the entire contents of which are hereby incorporated by reference for all purposes as if fully set forth herein.

TECHNICAL FIELD

The present disclosure generally relates to computer program security. The disclosure relates more specifically to techniques for improving the resistance of virtualized computer programs against various kinds of unauthorized use or attacks.

BACKGROUND

The approaches described in this section are approaches that could be pursued, but not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated, it should not be assumed that any of the approaches described in this section qualify as prior art merely by virtue of their inclusion in this section.

Computer programs that operate on servers that are accessible over the public Internet, and in other contexts, are known to have vulnerabilities to various kinds of attacks. Certain attacks are implemented by installing unauthorized or malicious code into the programs and causing execution of the foreign code.

Virtualization is a technique with which multiple different host operating systems, with associated computer programs, can run on a single computer or processor under control of a supervisory program, which may be a hypervisor. The use of virtualization creates new opportunities for attacks and new kinds of security vulnerabilities.

The SecVisor academic research project uses permissions bits maintained in an operating system page table to determine whether a page is writable or executable and to set page permissions so that pages of program code are not executable if they are also writable. However, SecVisor provides no mechanism for interworking with the memory page permissions that are maintained in a hypervisor or in a virtual machine monitor (VMM) that is closely coupled to a virtualization-optimized CPU, such as Xen on Intel processors.

Xen has provided the ability for a privileged domain to register on a hypercall interface for a memory event that is served by the memory handler of the hypervisor. Memory events have been used for demand paging of the domain, for example, for disk swapping of memory pages. Programs listening on memory events could use a different hypercall to read or write pages from or to disk and update page type values to indicate that the pages have been paged in or out. Xen implements a memory page framework denoted p2m that manages memory page type values for the purpose of supporting different uses of memory. For example, when a memory page has been paged out to disk, the memory page type value for that page may be set to "swapped out" (p2m_ram_paged) because the page is unavailable. This type is then converted to a memory access permission of not-readable. If a program attempts to read the page, Xen p2m throws a page fault and its page fault handler will page the memory in from disk, update the memory page type value to a paged-in type (which is converted to an access permission of readable), and return control to the program that caused the fault. Additional memory types exist for pages that are emulating hardware and thus should cause the I/O emulator to react as if the memory access were a bus access to a peripheral. Additional page types are for shared memory between domains. However, none of the page types represent access permissions different from their type or usage, and thus make altering or restricting memory access permissions further for security—for example, of the content, rather than the emulation purpose—of the page impossible.

SUMMARY OF THE INVENTION

The appended claims may serve as a summary of the invention.

BRIEF DESCRIPTION OF THE DRAWINGS

In the drawings:
FIG. 1A illustrates a computer configured with certain elements of a security system for virtualized computer programs.
FIG. 1B illustrates a computer configured with certain elements of a security system for virtualized computer programs using Xen.
FIG. 1C illustrates further details of an embodiment that uses the Xen operating system.
FIG. 1D illustrates an embodiment in which a special-purpose hypervisor is installed into a guest operating system to integrate with security logic.
FIG. 2 illustrates an approach for identifying, authenticating, and authorizing pages of memory in a virtualized computer environment.
FIG. 3 is a block diagram of a computer system with which an embodiment may be used.
FIG. 4 illustrates a process of reorganizing virtualized computer programs in a randomized or unpredictable manner for security purposes.
FIG. 5 illustrates a process of variably randomizing the reorganization of a computer program upon each memory load of the program.
FIG. 6 illustrates a process of intercepting dynamic loading and responding to dynamic loading for security purposes.

DESCRIPTION OF EXAMPLE EMBODIMENTS

In the following description, for the purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the present invention. It will be apparent, however, that the present invention may be practiced without these specific details. In other instances, well-known structures and devices are shown in block diagram form in order to avoid unnecessarily obscuring the present invention.

1.0 General Overview and Benefits of Embodiments

Xen has provided the ability for a privileged domain to register on a hypercall interface for a memory event that is served by the memory handler of the hypervisor. Memory events have been used for demand paging of the domain, for example, for disk swapping of memory pages. Programs listening on memory events could use a different hypercall to read or write pages from or to disk, allocate or de-allocate memory and update page type values to indicate that the pages have been paged in or out. However, in this context, there has been no practical method prior to this disclosure to implement page-level memory security without interfering with the existing Xen memory model so that legacy applications can execute without alteration.

In an embodiment, a data processing method provides in a computer that is executing an INTEL XEN architecture comprising at least an INTEL XEN hypervisor, at least one privileged domain in computer memory, and a p2m page fault handler associated with a first table of a plurality of values of memory page types stored in memory for a plurality of pages of the memory, wherein the memory page types dictate the setting of memory page permissions (for use in a hardware memory page table) that comprise readable, writeable, executable, non-readable, non-writeable, and non-executable: creating and storing a second table of a plurality of values of memory page access permissions, wherein the second table is independent of the first table, wherein the memory page access permissions comprise at least readable, writeable, executable, not readable, not writeable, not executable; registering security logic as a memory event interface registered to a hypercall interface of the INTEL XEN hypervisor; the security logic receiving, through the hypercall interface, a page fault that identifies a particular memory page, wherein the page fault may be provided also to the p2m page fault handler; the security logic determining, based on the first table and the second table, a different permission for a particular memory page that is identified in the page fault; the security logic comparing the different permission to a memory action that is specified in the page fault; the security logic allowing the memory action only when the different permission indicates that the memory action is allowable. A further embodiment has the different permission be more restrictive than the permissions specified or determined by the multiple tables. Yet another has the different permissions be the most restrictive.

In an embodiment, the media further comprise sequences of instructions which when executed cause processing the page fault at the p2m page fault handler to perform demand memory paging to disk or shared memory handling in parallel with the identifying and determining steps.

In an embodiment, the media further comprise sequences of instructions which when executed cause requesting updating a particular memory page type permissions value for the particular memory page to a different value based on the different permission.

In an embodiment, the media further comprise sequences of instructions which when executed cause requesting updating a particular memory page type permissions value for the particular memory page to a different value based on different permission, except when the different value is unsupported by CPU hardware.

In an embodiment, the memory page access permissions comprise at least readable, writeable, executable, not readable, not writeable, not executable, readable writeable and executable; and readable-executable-to-readable-writeable.

In an embodiment, the memory page access permissions further comprise at least a "readable-executable-to-readable-writeable" memory page access permission.

In an embodiment, the media further comprise sequences of instructions which when executed cause, in response to determining that the memory action is execute, automatically modifying the memory page access permission of the particular memory page to readable-writeable.

In an embodiment, the media further comprise sequences of instructions which when executed cause ensuring that the second table indicates that the particular memory page is not both writeable and executable.
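The decision the embodiment above describes (a second permission table independent of the p2m type table, the most restrictive combination of both deciding each page fault, the readable-executable-to-readable-writeable flip on execute, and the rule that the second table never grants write and execute together), as an added example that is neither the patent's nor Xen's code. The mapping from p2m types to hardware permissions and the guest frame numbers are assumptions made for the constructed sample.

```python
"""Page-fault permission decision from two independent tables, as in the summary above.
Added example; not the patent's or Xen's code."""
from enum import Flag, auto
from typing import Dict, List, Set, Tuple


class Perm(Flag):
    NONE = 0
    R = auto()
    W = auto()
    X = auto()


RWX = Perm.R | Perm.W | Perm.X

# First table: p2m page types as the hypervisor keeps them, and the hardware permission each
# type dictates. The mapping is an assumption for this example; the page only states that a
# paged-out page is not readable and a paged-in page is readable.
P2M_TYPE_PERMS: Dict[str, Perm] = {
    "p2m_ram_rw": RWX,
    "p2m_ram_ro": Perm.R | Perm.X,
    "p2m_ram_paged": Perm.NONE,  # swapped out to disk: not readable until paged back in
}


class SecurityLogic:
    """Memory-event listener that keeps its own permission table and answers page faults."""

    def __init__(self, p2m_types: Dict[int, str]) -> None:
        self.p2m_types = p2m_types                       # first table (hypervisor owned)
        self.access: Dict[int, Perm] = {}                # second table (independent of the first)
        self.rx_to_rw: Set[int] = set()                  # pages in readable-executable-to-readable-writeable mode
        self.events: List[Tuple[int, str, bool]] = []    # (gfn, action, allowed): audit trail for detection

    def set_permission(self, gfn: int, perm: Perm, rx_to_rw: bool = False) -> None:
        """Populate the second table; it must never mark a page both writeable and executable."""
        if Perm.W in perm and Perm.X in perm:
            raise ValueError(f"gfn {gfn:#x}: second table may not grant W and X together")
        self.access[gfn] = perm
        if rx_to_rw:
            self.rx_to_rw.add(gfn)
        else:
            self.rx_to_rw.discard(gfn)

    def effective(self, gfn: int) -> Perm:
        """The 'different permission': the most restrictive combination of both tables."""
        hardware = P2M_TYPE_PERMS[self.p2m_types[gfn]]
        return hardware & self.access.get(gfn, RWX)  # pages absent from the second table add no restriction

    def on_page_fault(self, gfn: int, action: Perm) -> bool:
        """Allow the faulting action only when the effective permission includes it.
        The p2m handler may service the same fault (demand paging) in parallel."""
        allowed = action in self.effective(gfn)
        self.events.append((gfn, action.name, allowed))
        if allowed and action is Perm.X and gfn in self.rx_to_rw:
            # Executing a page in this mode flips it to readable-writeable: reads and writes
            # now pass, and a later execute faults until the page is re-authorized.
            self.access[gfn] = Perm.R | Perm.W
        return allowed


def demo() -> dict:
    """Constructed tables: a code page, a data page, a paged-out page and a mode-switching page."""
    logic = SecurityLogic({0x100: "p2m_ram_rw", 0x101: "p2m_ram_rw",
                           0x102: "p2m_ram_paged", 0x103: "p2m_ram_rw"})
    logic.set_permission(0x100, Perm.R | Perm.X)   # code: hardware allows RWX, second table narrows to R+X
    logic.set_permission(0x101, Perm.R | Perm.W)   # data: never executable
    logic.set_permission(0x102, Perm.R | Perm.W)   # paged out: the type restricts even though the table allows R
    logic.set_permission(0x103, Perm.R | Perm.X, rx_to_rw=True)
    return {
        "write_code": logic.on_page_fault(0x100, Perm.W),
        "exec_data": logic.on_page_fault(0x101, Perm.X),
        "read_paged_out": logic.on_page_fault(0x102, Perm.R),
        "exec_then_write_then_exec": [logic.on_page_fault(0x103, a) for a in (Perm.X, Perm.W, Perm.X)],
        "denied": [(hex(g), a) for g, a, ok in logic.events if not ok],
    }
```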
Another embodiment provides one or more non-transitory computer-readable media storing one or more sequences of instructions which when executed cause performing: in a computer that is executing an INTEL XEN architecture comprising an INTEL XEN hypervisor, at least one privileged domain in computer memory, and a p2m page fault handler associated with a first table of a plurality of values of memory page type permissions stored in memory for a plurality of pages of the memory, wherein the memory page type permissions comprise readable, writeable, not readable and not writeable: creating and storing a second table of a plurality of values of memory page access permissions, wherein the second table is independent of the first table, wherein the memory page access permissions comprise at least readable, writeable, executable, not readable, not writeable, not executable; registering a memory event interface registered to a hypercall interface of the INTEL XEN hypervisor; receiving, through the hypercall interface, a page fault that identifies a particular memory page, wherein the page fault may be provided also to the p2m page fault handler; identifying an application program or other metadata associated with the particular memory page based on a database that maps identifiers of known memory pages to metadata for the known memory pages; determining whether the particular memory page is authentic; determining whether to authorize use of the particular memory page based on a security policy applicable to the particular memory page.

In an embodiment, the media further comprise sequences of instructions which when executed cause processing the page fault at the p2m page fault handler to perform demand memory paging to disk or shared memory handling in parallel with the identifying and determining steps.

In an embodiment, the instructions which when executed cause identifying comprise instructions which when executed cause forming a hash value based upon a specified set of bytes of the particular memory page, forming an erasure mask based upon one or more sets of variable bytes of the particular memory page, determining whether the hash value matches any of a plurality of known hash values in the database, and determining whether all bytes of the particular memory page after applying the erasure mask match any other pa
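The identifying step just described (a hash over a specified set of bytes as the lookup key, then a comparison of every non-erased byte against the stored copy), as an added example that is not the patent's code. The page size, the hashed span, the position of the variable pointer bytes and the sample page contents are constructed assumptions; the two tamper cases show why both the hash and the masked comparison are needed.

```python
"""Memory-page identification by hash plus erasure mask, as in the identifying step
described above. Added example; not the patent's code. Page size, hashed span and
variable ranges are assumptions for the constructed sample page."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PAGE_SIZE = 4096
HASH_SPAN = (0x100, 0x400)  # assumed: bytes 0x100..0x4FF are hashed; they must hold no variable bytes


@dataclass(frozen=True)
class KnownPage:
    metadata: str     # what the database knows about the page (constructed label here)
    reference: bytes  # canonical page contents
    mask: bytes       # erasure mask: 0xFF where a byte must match, 0x00 where it may vary


def erasure_mask(variable: List[Tuple[int, int]], size: int = PAGE_SIZE) -> bytes:
    """Build the mask from (start, length) ranges of bytes that legitimately vary,
    e.g. absolute pointers that differ between loads or after reorganization."""
    mask = bytearray(b"\xff" * size)
    for start, length in variable:
        mask[start:start + length] = bytes(length)
    return bytes(mask)


def page_hash(page: bytes, span: Tuple[int, int] = HASH_SPAN) -> str:
    """Hash over the specified set of bytes only; used as the database lookup key."""
    start, length = span
    return hashlib.sha256(page[start:start + length]).hexdigest()


def masked_equal(a: bytes, b: bytes, mask: bytes) -> bool:
    """True when every byte not erased by the mask is identical in a and b."""
    diff = int.from_bytes(a, "big") ^ int.from_bytes(b, "big")
    return diff & int.from_bytes(mask, "big") == 0


class PageDatabase:
    def __init__(self) -> None:
        self._by_hash: Dict[str, List[KnownPage]] = {}

    def add(self, known: KnownPage) -> None:
        start, length = HASH_SPAN
        if any(m != 0xFF for m in known.mask[start:start + length]):
            raise ValueError("variable bytes inside the hashed span would break the hash lookup")
        self._by_hash.setdefault(page_hash(known.reference), []).append(known)

    def identify(self, page: bytes) -> Optional[str]:
        """Hash lookup first, then a full masked comparison against each candidate."""
        for known in self._by_hash.get(page_hash(page), []):
            if masked_equal(page, known.reference, known.mask):
                return known.metadata
        return None  # unknown or tampered page: not authentic; policy decides what happens next


def build_sample_page(pointer: int, patch: Optional[Tuple[int, int]] = None) -> bytes:
    """Constructed code page: deterministic filler plus a 4-byte absolute pointer at 0x20 whose
    value changes with the load address; an optional (offset, byte) patch simulates tampering."""
    page = bytearray((i * 7 + 3) & 0xFF for i in range(PAGE_SIZE))
    page[0x20:0x24] = pointer.to_bytes(4, "little")
    if patch is not None:
        page[patch[0]] = patch[1]
    return bytes(page)


def demo() -> dict:
    db = PageDatabase()
    db.add(KnownPage("sample text page", build_sample_page(0x08048000), erasure_mask([(0x20, 4)])))
    return {
        "relocated": db.identify(build_sample_page(0x7F001000)),  # only the pointer bytes differ
        "patched_in_hash_span": db.identify(build_sample_page(0x08048000, (0x200, 0x90))),
        "patched_outside_hash_span": db.identify(build_sample_page(0x08048000, (0x30, 0x90))),
    }
```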
