Patents by Inventor Achindra Bhatnagar

Achindra Bhatnagar has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11170077
    Abstract: Techniques for verifying the integrity of application data using secure hardware enclaves are provided. In one set of embodiments, a client system can create a secure hardware enclave on the client system and load program code for an integrity verifier into the secure hardware enclave. The client system can further receive a dataset from a server system and store the dataset at a local storage or memory location, and receive, via the integrity verifier, a cryptographic hash of the dataset from the server system and store the received cryptographic hash at a memory location within the secure hardware enclave. Then, on a periodic basis, the integrity verifier can compute a cryptographic hash of the stored dataset, compare the computed cryptographic hash against the stored cryptographic hash, and if the computed cryptographic hash does not match the stored cryptographic hash, determine that the stored dataset has been modified.
    Type: Grant
    Filed: March 8, 2019
    Date of Patent: November 9, 2021
    Assignee: VMware, Inc.
    Inventors: Alok Nemchand Kataria, Achindra Bhatnagar, Sachin Shinde, Martim Carbone, Deep Shah
  • Patent number: 11062033
    Abstract: The disclosure herein describes verifying integrity of security policies on a client device. Policy data sets associated with security applications of virtual machines on the client device are received from a server and stored on the client device. An integrity verifier on the client device receives verified checksums from the server, wherein the verified checksums are associated with the policy data sets. Client-side checksums are generated by the integrity verifier based on the stored policy data sets. Upon generating the client-side checksums, the integrity verifier compares the verified checksums to the generated client-side checksums. Based on the comparison indicating that a verified checksum and a client-side checksum differ, the integrity verifier generates a checksum failure indicator, wherein the client device is configured to take corrective measures to restore integrity of the virtual machines based on the checksum failure indicator.
    Type: Grant
    Filed: May 13, 2019
    Date of Patent: July 13, 2021
    Assignee: VMware, Inc.
    Inventors: Alok Nemchand Kataria, Sachin Shinde, Achindra Bhatnagar
  • Publication number: 20200272742
    Abstract: The disclosure herein describes verifying integrity of security policies on a client device. Policy data sets associated with security applications of virtual machines on the client device are received from a server and stored on the client device. An integrity verifier on the client device receives verified checksums from the server, wherein the verified checksums are associated with the policy data sets. Client-side checksums are generated by the integrity verifier based on the stored policy data sets. Upon generating the client-side checksums, the integrity verifier compares the verified checksums to the generated client-side checksums. Based on the comparison indicating that a verified checksum and a client-side checksum differ, the integrity verifier generates a checksum failure indicator, wherein the client device is configured to take corrective measures to restore integrity of the virtual machines based on the checksum failure indicator.
    Type: Application
    Filed: May 13, 2019
    Publication date: August 27, 2020
    Inventors: Alok Nemchand Kataria, Sachin Shinde, Achindra Bhatnagar
  • Publication number: 20200218792
    Abstract: Techniques for verifying the integrity of application data using secure hardware enclaves are provided. In one set of embodiments, a client system can create a secure hardware enclave on the client system and load program code for an integrity verifier into the secure hardware enclave. The client system can further receive a dataset from a server system and store the dataset at a local storage or memory location, and receive, via the integrity verifier, a cryptographic hash of the dataset from the server system and store the received cryptographic hash at a memory location within the secure hardware enclave. Then, on a periodic basis, the integrity verifier can compute a cryptographic hash of the stored dataset, compare the computed cryptographic hash against the stored cryptographic hash, and if the computed cryptographic hash does not match the stored cryptographic hash, determine that the stored dataset has been modified.
    Type: Application
    Filed: March 8, 2019
    Publication date: July 9, 2020
    Inventors: Alok Nemchand Kataria, Achindra Bhatnagar, Sachin Shinde, Martim Carbone, Deep Shah
  • Patent number: 10620985
    Abstract: An example method of managing guest code in a virtualized computing instance of a virtualized computing system includes: receiving, at a hypervisor that manages the virtualized computing instance, identifiers for a first guest-physical memory page, which stores a patched version of the guest code, and a second guest-physical memory page, which stores an original version of the guest code; modifying an entry in a nested page table (NPT), which is associated with the first guest-physical memory page, to cause an exception to the hypervisor in response to a first read operation, performed by first software in the virtualized computing instance, which targets the first guest-physical memory page; and executing, at the hypervisor in response to the exception, a second read operation that emulates the first read operation, but targets the second guest-physical memory page.
    Type: Grant
    Filed: July 7, 2017
    Date of Patent: April 14, 2020
    Assignee: Nicira, Inc.
    Inventors: Prasad Dabak, Achindra Bhatnagar
  • Publication number: 20180307516
    Abstract: An example method of managing guest code in a virtualized computing instance of a virtualized computing system includes: receiving, at a hypervisor that manages the virtualized computing instance, identifiers for a first guest-physical memory page, which stores a patched version of the guest code, and a second guest-physical memory page, which stores an original version of the guest code; modifying an entry in a nested page table (NPT), which is associated with the first guest-physical memory page, to cause an exception to the hypervisor in response to a first read operation, performed by first software in the virtualized computing instance, which targets the first guest-physical memory page; and executing, at the hypervisor in response to the exception, a second read operation that emulates the first read operation, but targets the second guest-physical memory page.
    Type: Application
    Filed: July 7, 2017
    Publication date: October 25, 2018
    Inventors: Prasad Dabak, Achindra Bhatnagar