Patents by Inventor Manohar R. Castelino

Manohar R. Castelino has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 10956571
    Abstract: Systems, apparatuses and methods may provide for locating operating system (OS) kernel information and user mode code in physical memory, wherein the kernel information includes kernel code and kernel read only data, and specifying permissions for the kernel information and the user code in an extended page table (EPT). Additionally, systems, apparatuses and methods may provide for switching, in accordance with the permissions, between view instances of the EPT in response to one or more hardware virtualization exceptions.
    Type: Grant
    Filed: December 24, 2015
    Date of Patent: March 23, 2021
    Assignee: Intel Corporation
    Inventors: Harshawardhan Vipat, Manohar R. Castelino, Dongsheng Zhang, Kuo-Lang Tseng
  • Publication number: 20200250343
    Abstract: Systems, apparatuses and methods may provide for conducting a signature verification of a mandatory access control policy and provisioning the mandatory access control policy into kernel memory if the signature verification is successful. Additionally, the kernel memory may be protected from unauthorized write operations by one or more processes having system level privileges. In one example, the mandatory access control policy is provisioned without a system reboot.
    Type: Application
    Filed: December 27, 2019
    Publication date: August 6, 2020
    Applicant: Intel Corporation
    Inventors: Ned M. Smith, Manohar R. Castelino, Harshawardhan Vipat
  • Patent number: 10552638
    Abstract: Systems, apparatuses and methods may provide for conducting a signature verification of a mandatory access control policy and provisioning the mandatory access control policy into kernel memory if the signature verification is successful. Additionally, the kernel memory may be protected from unauthorized write operations by one or more processes having system level privileges. In one example, the mandatory access control policy is provisioned without a system reboot.
    Type: Grant
    Filed: December 24, 2015
    Date of Patent: February 4, 2020
    Assignee: Intel Corporation
    Inventors: Ned M. Smith, Manohar R. Castelino, Harshawardhan Vipat
  • Patent number: 10445009
    Abstract: Systems and methods that manage memory usage by a virtual machine are provided. These systems and methods compact the virtual machine's memory footprint, thereby promoting efficient use of memory and gaining performance benefits of increased data locality. In some embodiments, a guest operating system running within the virtual machine is enhanced to allocate its VM memory in a compact manner. The guest operating system includes a memory manager that is configured to reference an artificial access cost when identifying memory areas to allocate for use by applications. These access costs are described as being artificial because they are not representative of actual, hardware-based access costs, but instead are fictitious costs that increase as the addresses of the memory areas increase. Because of these increasing artificial access costs, the memory manager identifies memory areas with lower addresses for allocation and use prior to memory areas with higher addresses.
    Type: Grant
    Filed: June 30, 2017
    Date of Patent: October 15, 2019
    Assignee: INTEL CORPORATION
    Inventors: Graham Whaley, Adriaan van de Ven, Manohar R. Castelino, Jose C. Venegas Munoz, Samuel Ortiz
  • Patent number: 10402343
    Abstract: Various embodiments are generally directed to instrumenting an interrupt service routine. A non-executable address may be provisioned and added to an execution stack to cause a page fault on a known address after execution of an interrupt service routine. The page fault on the known address can be used to trigger instrumentation operations and also to return to the interrupted process.
    Type: Grant
    Filed: November 20, 2017
    Date of Patent: September 3, 2019
    Assignee: INTEL CORPORATION
    Inventors: Manohar R. Castelino, John Hinman
  • Patent number: 10248786
    Abstract: Systems, apparatuses and methods may provide for detecting an attempt by an operating system (OS) to access a non-OS managed resource and injecting, in response to the attempt, an access event into a platform security component via a guest kernel associated with the OS. Additionally, a response to the attempt may be made based on a policy response from the platform security component. In one example, the attempt is detected with respect to one or more extended page table (EPT) permissions set by a security virtual machine monitor (SVMM). Moreover, injecting the access event into the platform security component may include invoking a previously registered policy callback.
    Type: Grant
    Filed: December 24, 2015
    Date of Patent: April 2, 2019
    Assignee: Intel Corporation
    Inventors: Harshawardhan Vipat, Manohar R. Castelino, Barry E. Huntley, Kuo-Lang Tseng
  • Publication number: 20190004720
    Abstract: Systems and methods that manage memory usage by a virtual machine are provided. These systems and methods compact the virtual machine's memory footprint, thereby promoting efficient use of memory and gaining performance benefits of increased data locality. In some embodiments, a guest operating system running within the virtual machine is enhanced to allocate its VM memory in a compact manner. The guest operating system includes a memory manager that is configured to reference an artificial access cost when identifying memory areas to allocate for use by applications. These access costs are described as being artificial because they are not representative of actual, hardware-based access costs, but instead are fictitious costs that increase as the addresses of the memory areas increase. Because of these increasing artificial access costs, the memory manager identifies memory areas with lower addresses for allocation and use prior to memory areas with higher addresses.
    Type: Application
    Filed: June 30, 2017
    Publication date: January 3, 2019
    Inventors: Graham Whaley, Adriaan van de Ven, Manohar R. Castelino, Jose C. Venegas Munoz, Samuel Ortiz
  • Patent number: 9990494
    Abstract: Various embodiments are directed to enabling anti-malware software to co-exist with protective features of an operating system. An apparatus may include a processor component including an IDT register storing an indication of size of an IDT; a monitoring component to retrieve the indication and compare the indication to a size of a guard IDT in response to modification of the IDT register to determine whether the guard routine is to inspect the IDT and a set of ISRs; and a cache component to overwrite the IDT and set of ISRs with a cached IDT and cached set of ISRs, respectively, based on the determination and prior to the inspection to prevent the guard routine from detecting a modification by an anti-malware routine, the cached IDT and cached set of ISRs generated from the IDT and set of ISRs, respectively, prior to the modification. Other embodiments are described and claimed.
    Type: Grant
    Filed: September 19, 2016
    Date of Patent: June 5, 2018
    Assignee: INTEL CORPORATION
    Inventors: Ramesh Thomas, Manohar R. Castelino, Kuo-Lang Tseng
  • Publication number: 20180143910
    Abstract: Various embodiments are generally directed to instrumenting an interrupt service routine. A non-executable address may be provisioned and added to an execution stack to cause a page fault on a known address after execution of an interrupt service routine. The page fault on the known address can be used to trigger instrumentation operations and also to return to the interrupted process.
    Type: Application
    Filed: November 20, 2017
    Publication date: May 24, 2018
    Applicant: INTEL CORPORATION
    Inventors: Manohar R. Castelino, John Hinman
  • Patent number: 9858202
    Abstract: Methods and apparatus relating to low overhead paged memory runtime protection are described. In an embodiment, permission information for a guest physical mapping is received prior to utilization of paged memory by an Operating System (OS) based on the guest physical mapping. The permission information is provided through an Extended Page Table (EPT). Other embodiments are also described.
    Type: Grant
    Filed: February 23, 2016
    Date of Patent: January 2, 2018
    Assignee: Intel Corporation
    Inventors: Ravi L. Sahita, Xiaoning Li, Manohar R. Castelino
  • Patent number: 9852052
    Abstract: A copy is made of at least a part of a stack. A caller return address of a calling function in the stack is verified as trusted. A caller return address of a called function in the stack is verified as matching a source address of the calling function in the copy of the stack. If verification is affirmative, then the called function may be executed in a trusted domain.
    Type: Grant
    Filed: March 31, 2016
    Date of Patent: December 26, 2017
    Assignee: Intel Corporation
    Inventors: Ramesh Thomas, Manohar R. Castelino
  • Patent number: 9824019
    Abstract: Various embodiments are generally directed to instrumenting an interrupt service routine. A non-executable address may be provisioned and added to an execution stack to cause a page fault on a known address after execution of an interrupt service routine. The page fault on the known address can be used to trigger instrumentation operations and also to return to the interrupted process.
    Type: Grant
    Filed: June 25, 2015
    Date of Patent: November 21, 2017
    Assignee: INTEL CORPORATION
    Inventors: Manohar R. Castelino, John Hinman
  • Publication number: 20170286278
    Abstract: A copy is made of at least a part of a stack. A caller return address of a calling function in the stack is verified as trusted. A caller return address of a called function in the stack is verified as matching a source address of the calling function in the copy of the stack. If verification is affirmative, then the called function may be executed in a trusted domain.
    Type: Application
    Filed: March 31, 2016
    Publication date: October 5, 2017
    Inventors: Ramesh Thomas, Manohar R. Castelino
  • Patent number: 9747123
    Abstract: Technologies for multi-level virtualization include a computing device having a processor that supports a root virtualization mode and a non-root virtualization mode. A non-root hypervisor determines whether it is executed under control of a root hypervisor, and if so, registers a callback handler and trigger conditions with the root hypervisor. The non-root hypervisor hosts one or more virtual machines. In response to a virtual machine exit, the root hypervisor determines whether a callback handler has been registered for the virtual machine exit reason and, if so, evaluates the trigger conditions associated with the callback handler. If the trigger conditions are satisfied, the root hypervisor invokes the callback handler. The callback handler may update a virtual virtualization support object based on changes made by the root hypervisor to a virtualization support object. The root hypervisor may invoke the callback handler in the non-root virtualization mode. Other embodiments are described and claimed.
    Type: Grant
    Filed: September 25, 2015
    Date of Patent: August 29, 2017
    Assignee: Intel Corporation
    Inventors: Jun Nakajima, Asit K. Mallick, Harshawardhan Vipat, Madhukar Tallam, Manohar R. Castelino
  • Publication number: 20170142131
    Abstract: Various embodiments are directed to enabling anti-malware software to co-exist with protective features of an operating system. An apparatus may include a processor component including an IDT register storing an indication of size of an IDT; a monitoring component to retrieve the indication and compare the indication to a size of a guard IDT in response to modification of the IDT register to determine whether the guard routine is to inspect the IDT and a set of ISRs; and a cache component to overwrite the IDT and set of ISRs with a cached IDT and cached set of ISRs, respectively, based on the determination and prior to the inspection to prevent the guard routine from detecting a modification by an anti-malware routine, the cached IDT and cached set of ISRs generated from the IDT and set of ISRs, respectively, prior to the modification. Other embodiments are described and claimed.
    Type: Application
    Filed: September 19, 2016
    Publication date: May 18, 2017
    Applicant: Intel Corporation
    Inventors: Ramesh Thomas, Manohar R. Castelino, Kuo-Lang Tseng
  • Publication number: 20170090963
    Abstract: Technologies for multi-level virtualization include a computing device having a processor that supports a root virtualization mode and a non-root virtualization mode. A non-root hypervisor determines whether it is executed under control of a root hypervisor, and if so, registers a callback handler and trigger conditions with the root hypervisor. The non-root hypervisor hosts one or more virtual machines. In response to a virtual machine exit, the root hypervisor determines whether a callback handler has been registered for the virtual machine exit reason and, if so, evaluates the trigger conditions associated with the callback handler. If the trigger conditions are satisfied, the root hypervisor invokes the callback handler. The callback handler may update a virtual virtualization support object based on changes made by the root hypervisor to a virtualization support object. The root hypervisor may invoke the callback handler in the non-root virtualization mode. Other embodiments are described and claimed.
    Type: Application
    Filed: September 25, 2015
    Publication date: March 30, 2017
    Inventors: Jun Nakajima, Asit K. Mallick, Harshawardhan Vipat, Madhukar Tallam, Manohar R. Castelino
  • Publication number: 20160378677
    Abstract: Various embodiments are generally directed to instrumenting an interrupt service routine. A non-executable address may be provisioned and added to an execution stack to cause a page fault on a known address after execution of an interrupt service routine. The page fault on the known address can be used to trigger instrumentation operations and also to return to the interrupted process.
    Type: Application
    Filed: June 25, 2015
    Publication date: December 29, 2016
    Applicant: Intel Corporation
    Inventors: Manohar R. Castelino, John Hinman
  • Publication number: 20160359921
    Abstract: Apparatus, systems and methods may provide a browser interface to detect an attempt by web content to manipulate data in a local data store. In addition, the data may be classified into a category if the data is remotely accessible. Additionally, a security policy may be applied to the data based on the category. In one example, a separator may separate the data from other data based on the category, the data may be encrypted/decrypted based on the category, and/or context information and user input may be determined to apply the security policy further based on the context information and the user input.
    Type: Application
    Filed: August 19, 2016
    Publication date: December 8, 2016
    Inventors: Hong C. Li, Mark D. Boucher, Conor P. Cahill, Manohar R. Castelino, Steve Orrin, Vinay Phegade, John E. Simpson, JR.
  • Publication number: 20160335436
    Abstract: Systems, apparatuses and methods may provide for locating operating system (OS) kernel information and user mode code in physical memory, wherein the kernel information includes kernel code and kernel read only data, and specifying permissions for the kernel information and the user code in an extended page table (EPT). Additionally, systems, apparatuses and methods may provide for switching, in accordance with the permissions, between view instances of the EPT in response to one or more hardware virtualization exceptions.
    Type: Application
    Filed: December 24, 2015
    Publication date: November 17, 2016
    Inventors: Harshawardhan Vipat, Manohar R. Castelino, Dongsheng Zhang, Kuo-Lang Tseng
  • Publication number: 20160335429
    Abstract: Systems, apparatuses and methods may provide for conducting a signature verification of a mandatory access control policy and provisioning the mandatory access control policy into kernel memory if the signature verification is successful. Additionally, the kernel memory may be protected from unauthorized write operations by one or more processes having system level privileges. In one example, the mandatory access control policy is provisioned without a system reboot.
    Type: Application
    Filed: December 24, 2015
    Publication date: November 17, 2016
    Inventors: Ned M. Smith, Manohar R. Castelino, Harshawardhan Vipat