Abstract: In some embodiments, a protected client operates a live introspection engine and an on-demand introspection engine. The live introspection engine detects the occurrence of certain events within a protected virtual machine exposed on the respective client system, and communicates the occurrence to a remote security server. In turn, the server may request a forensic analysis of the event from the client system, by indicating a forensic tool to be executed by the client. Forensic tools may be stored in a central repository accessible to the client. In response to receiving the analysis request, the on-demand introspection engine may retrieve and execute the forensic tool, and communicate a result of the forensic analysis to the security server. The server may use the information to determine whether the respective client is under attack by malicious software or an intruder.

Abstract: Described systems and methods allow protecting a host computer system from malicious software, such as return-oriented programming (ROP) and jump-oriented programming (JOP) exploits. In some embodiments, a processor of the host system is endowed with two counters storing a count of branch instructions and a count of inter-branch instructions, respectively, occurring within a sequence of instructions. Exemplary counted branch instructions include indirect JMP, indirect CALL, and RET on x86 platforms, while inter-branch instructions consist of instructions executed between two consecutive counted branch instructions. The processor may be further configured to generate a processor event, such as an exception, when a value stored in a counter exceeds a predetermined threshold, and/or when a branch instruction redirects execution to a critical OS function. Such events may be used as triggers for launching a malware analysis to determine whether the host system is subject to a code reuse attack.

Abstract: Described systems and methods enable protecting multiple client systems (e.g., a corporate network) from computer security threats such as malicious software and intrusion. In some embodiments, each protected client operates a live introspection engine and an on-demand introspection engine. The live introspection engine detects the occurrence of certain events within a protected virtual machine exposed on the respective client system, and communicates the occurrence to a remote security server. In turn, the server may request a forensic analysis of the event from the client system, by indicating a forensic tool to be executed by the client. Forensic tools may be stored in a central repository accessible to the client. In response to receiving the analysis request, the on-demand introspection engine may retrieve and execute the forensic tool, and communicate a result of the forensic analysis to the security server.

Abstract: A client system, such as a computer or a smartphone, securely exchanges sensitive information with a remote service provider computer system such as a bank or an online retailer. The client system executes a commercially available operating system in an untrusted virtual machine (VM), which may be affected by malware. A hypervisor is configured to launch a trusted, malware-free VM from an authenticated image stored on computer-readable media used by the untrusted VM. The trusted VM executes a thin operating system with minimal functionality, to manage a secure communication channel with the remote server system, wherein sensitive communication is encrypted. Data from the trusted VM is forwarded via the hypervisor to a network interface driver of the untrusted VM for transmission to the remote service provider. The service provider may perform a remote attestation of the client system to determine whether it operates a trusted VM.

Abstract: Described systems and methods enable a host system to efficiently perform computer security activities, when operating in a hardware virtualization configuration. A hypervisor exposes a virtual machine on the host system. In some embodiments, the hypervisor further configures a processor of the host system to generate a virtualization exception in response to detecting a memory access violation, and to deliver such exceptions to a computer security program operating within the virtual machine. The hypervisor may further set access permissions to a section of memory containing a part of a function targeted for hooking, so that an attempt to execute the respective target function triggers a virtualization exception. Some embodiments thus achieve hooking of the target function without resorting to conventional methods, such as patching, inline hooking, and MSR hooking.

Abstract: Described systems and methods allow protecting a host system, such as a computer system or smartphone, from malware such as viruses, exploits, and rootkits. In some embodiments, a hypervisor executes at the highest processor privilege level and displaces other software to a guest virtual machine (VM). A security application detects the launch of a target process within the guest VM. In response to the launch, the hypervisor instantiates a process VM isolated from the guest VM, and relocates the target process to the process VM. In some embodiments, when the relocated target process attempts to access a resource, such as a file or registry key, an instance of the respective resource is fetched on-demand, from the guest VM to the respective process VM. Executing the target process within an isolated environment helps to contain malware to the respective environment.

Abstract: Described systems and methods allow malware-protecting a client system (e.g., computer system, smartphone, etc.) connected to a network. In some embodiments, a network appliance transmits a boot image over the network, on demand, to the client system. The boot image may install a hypervisor, which may further load a local OS and applications into a virtual machine. The client system performs a mutual integrity attestation transaction with the network appliance over the network, wherein each side of the transaction verifies the integrity of software objects executing on the other side. When the network appliance determines that the client system is not in a trusted state, the network appliance may block access of the client system to the network. When the client system determines that the network appliance is not in a trusted state, the client system may block communications between the client system and the network appliance.

Abstract: Described systems and methods allow protecting a host system, such as a computer system or smartphone, from malware such as viruses, exploits, and rootkits. In some embodiments, a hypervisor executes at the highest processor privilege level and displaces other software to a guest virtual machine (VM). A security application detects the launch of a target process within the guest VM. In response to the launch, the hypervisor instantiates a process VM isolated from the guest VM, and relocates the target process to the process VM. In some embodiments, when the relocated target process attempts to access a resource, such as a file or registry key, an instance of the respective resource is fetched on-demand, from the guest VM to the respective process VM. Executing the target process within an isolated environment helps to contain malware to the respective environment.

Abstract: Described systems and methods allow protecting a host system, such as a computer or smartphone, from malware. In some embodiments, an anti-malware application installs a hypervisor, which displaces an operating system executing on the host system to a guest virtual machine (VM). The hypervisor further creates a set of virtual containers (VC), by setting up a memory domain for each VC, isolated from the memory domain of the guest VM. The hypervisor then maps a memory image of a malware scanner to each VC. When a target object is selected for scanning, the anti-malware application launches the malware scanner. Upon intercepting the launch, the hypervisor switches the memory context of the malware scanner to the memory domain of a selected VC, for the duration of the scan. Thus, malware scanning is performed within an isolated environment.

Abstract: Described systems and methods enable a host system to efficiently perform computer security activities, when operating in a hardware virtualization configuration. A hypervisor exposes a virtual machine on the host system. In some embodiments, the hypervisor further configures a processor of the host system to generate a virtualization exception in response to detecting a memory access violation, and to deliver such exceptions to a computer security program operating within the virtual machine. The hypervisor may further set access permissions to a section of memory containing a part of a function targeted for hooking, so that an attempt to execute the respective target function triggers a virtualization exception. Some embodiments thus achieve hooking of the target function without resorting to conventional methods, such as patching, inline hooking, and MSR hooking.

Abstract: Described systems and methods allow protecting a host system, such as a computer or smartphone, from malware. In some embodiments, an anti-malware application installs a hypervisor, which displaces an operating system executing on the host system to a guest virtual machine (VM). The hypervisor further creates a set of virtual containers (VC), by setting up a memory domain for each VC, isolated from the memory domain of the guest VM. The hypervisor then maps a memory image of a malware scanner to each VC. When a target object is selected for scanning, the anti-malware application launches the malware scanner. Upon intercepting the launch, the hypervisor switches the memory context of the malware scanner to the memory domain of a selected VC, for the duration of the scan. Thus, malware scanning is performed within an isolated environment.

Abstract: Described systems and methods allow the detection and prevention of malware and/or malicious activity within a network comprising multiple client computer systems, such as an enterprise network with multiple endpoints. Each endpoint operates a hardware virtualization platform, including a hypervisor exposing a client virtual machine (VM) and a security VM. The security VM is configured to have exclusive use of the network adapter(s) of the respective endpoint, and to detect whether data traffic to/from the client VM comprises malware or is indicative of malicious behavior. Upon detecting malware/malicious behavior, the security VM may block access of the client VM to the network, thus preventing the spread of malware to other endpoints. The client system may further comprise a memory introspection engine configured to perform malware scanning of the client VM from the level of the hypervisor.

Abstract: Described systems and methods allow protecting a computer system from malware, such as viruses and rootkits. In some embodiments, a hypervisor configures a hardware virtualization platform hosting a set of operating systems (OS). A memory introspection engine executing at the processor privilege level of the hypervisor dynamically identifies each OS, and uses an protection priming module to change the way memory is allocated to a target software object by the memory allocation function native to the respective OS. In some embodiments, the change affects only target objects requiring malware protection, and comprises enforcing that memory pages containing data of the target object are reserved exclusively for the respective object. The memory introspection engine then write-protects the respective memory pages.

Abstract: Described systems and methods allow protecting a computer system from malware, such as viruses and rootkits. In some embodiments, a hypervisor configures a hardware virtualization platform hosting a set of operating systems (OS). A memory introspection engine executing at the processor privilege level of the hypervisor dynamically identifies each OS, and uses an protection priming module to change the way memory is allocated to a target software object by the memory allocation function native to the respective OS. In some embodiments, the change affects only target objects requiring malware protection, and comprises enforcing that memory pages containing data of the target object are reserved exclusively for the respective object. The memory introspection engine then write-protects the respective memory pages.

Abstract: Described systems and methods allow the detection and prevention of malware and/or malicious activity within a network comprising multiple client computer systems, such as an enterprise network with multiple endpoints. Each endpoint operates a hardware virtualization platform, including a hypervisor exposing a client virtual machine (VM) and a security VM. The security VM is configured to have exclusive use of the network adapter(s) of the respective endpoint, and to detect whether data traffic to/from the client VM comprises malware or is indicative of malicious behavior. Upon detecting malware/malicious behavior, the security VM may block access of the client VM to the network, thus preventing the spread of malware to other endpoints. The client system may further comprise a memory introspection engine configured to perform malware scanning of the client VM from the level of the hypervisor.

Abstract: A client system, such as a computer or a smartphone, securely exchanges sensitive information with a remote service provider computer system such as a bank or an online retailer. The client system executes a commercially available operating system in an untrusted virtual machine (VM), which may be affected by malware. A hypervisor is configured to launch a trusted, malware-free VM from an authenticated image stored on computer-readable media used by the untrusted VM. The trusted VM executes a thin operating system with minimal functionality, to manage a secure communication channel with the remote server system, wherein sensitive communication is encrypted. Data from the trusted VM is forwarded via the hypervisor to a network interface driver of the untrusted VM for transmission to the remote service provider. The service provider may perform a remote attestation of the client system to determine whether it operates a trusted VM.

Abstract: Described systems and methods allow software introspection and/or anti-malware operations in a hardware virtualization system comprising a nested hierarchy of hypervisors and virtual machines, wherein introspection is carried out to any level of the hierarchy from a central location on a host hypervisor. An introspection engine intercepts a processor event occurring in a virtual machine exposed by a nested hypervisor, to determine an address of a software object executing on the respective virtual machine. The address is progressively translated down through all levels of the virtualization hierarchy, to an address within a memory space controlled by the host hypervisor. Anti-malware procedures can thus be performed from the level of the host hypervisor, and may comprise techniques such as signature matching and/or protecting certain areas of memory of the nested virtual machine.

Abstract: A client system, such as a computer or a smartphone, securely exchanges sensitive information with a remote service provider computer system such as a bank or an online retailer. The client system executes a commercially available operating system in an untrusted virtual machine (VM), which may be affected by malware. A hypervisor is configured to launch a trusted, malware-free VM from an authenticated image stored on computer-readable media used by the untrusted VM. The trusted VM executes a thin operating system with minimal functionality, to manage a secure communication channel with the remote server system, wherein sensitive communication is encrypted. Data from the trusted VM is forwarded via the hypervisor to a network interface driver of the untrusted VM for transmission to the remote service provider. The service provider may perform a remote attestation of the client system to determine whether it operates a trusted VM.

Abstract: A client system, such as a computer or a smartphone, securely exchanges sensitive information with a remote service provider computer system such as a bank or an online retailer. The client system executes a commercially available operating system in an untrusted virtual machine (VM), which may be affected by malware. A hypervisor is configured to launch a trusted, malware-free VM from an authenticated image stored on computer-readable media used by the untrusted VM. The trusted VM executes a thin operating system with minimal functionality, to manage a secure communication channel with the remote server system, wherein sensitive communication is encrypted. Data from the trusted VM is forwarded via the hypervisor to a network interface driver of the untrusted VM for transmission to the remote service provider. The service provider may perform a remote attestation of the client system to determine whether it operates a trusted VM.