Patents by Inventor Manohar R. Castelino

Manohar R. Castelino has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20160308903
    Abstract: Systems, apparatuses and methods may provide for detecting an attempt by an operating system (OS) to access a non-OS managed resource and injecting, in response to the attempt, an access event into a platform security component via a guest kernel associated with the OS. Additionally, a response to the attempt may be made based on a policy response from the platform security component. In one example, the attempt is detected with respect to one or more extended page table (EPT) permissions set by a security virtual machine monitor (SVMM). Moreover, injecting the access event into the platform security component may include invoking a previously registered policy callback.
    Type: Application
    Filed: December 24, 2015
    Publication date: October 20, 2016
    Applicant: Intel Corporation
    Inventors: Harshawardhan Vipat, Manohar R. Castelino, Barry E. Huntley, Kuo-Lang Tseng
  • Patent number: 9454676
    Abstract: Technologies for monitoring system API calls include a computing device with hardware virtualization support. The computing device establishes a default memory view and a security memory view to define physical memory maps and permissions. The computing device executes an application in the default memory view and executes a default inline hook in response to a call to an API function. The default inline hook switches to the security memory view using hardware support without causing a virtual machine exit. The security inline hook calls a security callback function to validate the API function call in the security memory view. Hook-skipping attacks may be prevented by padding the default inline hook with no-operation instructions, by designating memory pages of the API function as non-executable in the default memory view, or by designating memory pages of the application as non-executable in the security memory view. Other embodiments are described and claimed.
    Type: Grant
    Filed: June 27, 2014
    Date of Patent: September 27, 2016
    Assignee: Intel Corporation
    Inventors: Harshawardhan Vipat, Manohar R. Castelino, Ravi L. Sahita, Sergio Rodriguez, Vikas Gupta
  • Patent number: 9449173
    Abstract: Various embodiments are directed to enabling anti-malware software to co-exist with protective features of an operating system. An apparatus may include a processor component including an IDT register storing an indication of the size of an IDT; a monitoring component to retrieve the indication and compare the indication to a size of a guard IDT in response to modification of the IDT register to determine whether the guard routine is to inspect the IDT and a set of ISRs; and a cache component to overwrite the IDT and set of ISRs with a cached IDT and cached set of ISRs, respectively, based on the determination and prior to the inspection to prevent the guard routine from detecting a modification by an anti-malware routine, the cached IDT and cached set of ISRs generated from the IDT and set of ISRs, respectively, prior to the modification. Other embodiments are described and claimed.
    Type: Grant
    Filed: September 23, 2014
    Date of Patent: September 20, 2016
    Assignee: Intel Corporation
    Inventors: Ramesh Thomas, Manohar R. Castelino, Kuo-Lang Tseng
  • Patent number: 9436838
    Abstract: Apparatus, systems and methods may provide a browser interface to detect an attempt by web content to manipulate data in a local data store. In addition, the data may be classified into a category if the data is remotely accessible. Additionally, a security policy may be applied to the data based on the category. In one example, a separator may separate the data from other data based on the category, the data may be encrypted/decrypted based on the category, and/or context information and user input may be determined to apply the security policy further based on the context information and the user input.
    Type: Grant
    Filed: December 20, 2012
    Date of Patent: September 6, 2016
    Assignee: Intel Corporation
    Inventors: Hong C. Li, Mark D. Boucher, Conor P. Cahill, Manohar R. Castelino, Steve Orrin, Vinay Phegade, John E. Simpson, Jr.
  • Publication number: 20160170902
    Abstract: Methods and apparatus relating to low overhead paged memory runtime protection are described. In an embodiment, permission information for a guest physical mapping is received prior to utilization of paged memory by an Operating System (OS) based on the guest physical mapping. The permission information is provided through an Extended Page Table (EPT). Other embodiments are also described.
    Type: Application
    Filed: February 23, 2016
    Publication date: June 16, 2016
    Applicant: Intel Corporation
    Inventors: Ravi L. Sahita, Xiaoning Li, Manohar R. Castelino
  • Patent number: 9323564
    Abstract: Systems, methods, and computer program products that provide for the use of a type 2 VMM to de-link or isolate underlying processor hardware from an operating system. This may allow the launching of a task that requires direct access to processor hardware, where such access requires the absence of an operating system. Such a task may take the form of a type 1 VMM, such as an information security or integrity VMM, e.g., an anti-malware VMM.
    Type: Grant
    Filed: December 28, 2011
    Date of Patent: April 26, 2016
    Assignee: Intel Corporation
    Inventors: Manohar R. Castelino, Vedvyas Shanbhogue, Sergio Rodriguez
  • Publication number: 20160085967
    Abstract: Various embodiments are directed to enabling anti-malware software to co-exist with protective features of an operating system. An apparatus may include a processor component including an IDT register storing an indication of the size of an IDT; a monitoring component to retrieve the indication and compare the indication to a size of a guard IDT in response to modification of the IDT register to determine whether the guard routine is to inspect the IDT and a set of ISRs; and a cache component to overwrite the IDT and set of ISRs with a cached IDT and cached set of ISRs, respectively, based on the determination and prior to the inspection to prevent the guard routine from detecting a modification by an anti-malware routine, the cached IDT and cached set of ISRs generated from the IDT and set of ISRs, respectively, prior to the modification. Other embodiments are described and claimed.
    Type: Application
    Filed: September 23, 2014
    Publication date: March 24, 2016
    Inventors: Ramesh Thomas, Manohar R. Castelino, Kuo-Lang Tseng
  • Patent number: 9268707
    Abstract: Methods and apparatus relating to low overhead paged memory runtime protection are described. In an embodiment, permission information for a guest physical mapping is received prior to utilization of paged memory by an Operating System (OS) based on the guest physical mapping. The permission information is provided through an Extended Page Table (EPT). Other embodiments are also described.
    Type: Grant
    Filed: December 29, 2012
    Date of Patent: February 23, 2016
    Assignee: Intel Corporation
    Inventors: Ravi L. Sahita, Xiaoning Li, Manohar R. Castelino
  • Publication number: 20150379263
    Abstract: Technologies for monitoring system API calls include a computing device with hardware virtualization support. The computing device establishes a default memory view and a security memory view to define physical memory maps and permissions. The computing device executes an application in the default memory view and executes a default inline hook in response to a call to an API function. The default inline hook switches to the security memory view using hardware support without causing a virtual machine exit. The security inline hook calls a security callback function to validate the API function call in the security memory view. Hook-skipping attacks may be prevented by padding the default inline hook with no-operation instructions, by designating memory pages of the API function as non-executable in the default memory view, or by designating memory pages of the application as non-executable in the security memory view. Other embodiments are described and claimed.
    Type: Application
    Filed: June 27, 2014
    Publication date: December 31, 2015
    Inventors: Harshawardhan Vipat, Manohar R. Castelino, Ravi L. Sahita, Sergio Rodriguez, Vikas Gupta
  • Publication number: 20140223429
    Abstract: Systems, methods, and computer program products that provide for the use of a type 2 VMM to de-link or isolate underlying processor hardware from an operating system. This may allow the launching of a task that requires direct access to processor hardware, where such access requires the absence of an operating system. Such a task may take the form of a type 1 VMM, such as an information security or integrity VMM, e.g., an anti-malware VMM.
    Type: Application
    Filed: December 28, 2011
    Publication date: August 7, 2014
    Inventors: Manohar R. Castelino, Vedvyas Shanbhogue, Sergio Rodriguez
  • Publication number: 20140189194
    Abstract: Methods and apparatus relating to low overhead paged memory runtime protection are described. In an embodiment, permission information for a guest physical mapping is received prior to utilization of paged memory by an Operating System (OS) based on the guest physical mapping. The permission information is provided through an Extended Page Table (EPT). Other embodiments are also described.
    Type: Application
    Filed: December 29, 2012
    Publication date: July 3, 2014
    Inventors: Ravi L. Sahita, Xiaoning Li, Manohar R. Castelino
  • Publication number: 20140181888
    Abstract: Apparatus, systems and methods may provide a browser interface to detect an attempt by web content to manipulate data in a local data store. In addition, the data may be classified into a category if the data is remotely accessible. Additionally, a security policy may be applied to the data based on the category. In one example, a separator may separate the data from other data based on the category, the data may be encrypted/decrypted based on the category, and/or context information and user input may be determined to apply the security policy further based on the context information and the user input.
    Type: Application
    Filed: December 20, 2012
    Publication date: June 26, 2014
    Inventors: Hong C. Li, Mark D. Boucher, Conor P. Cahill, Manohar R. Castelino, Steve Orrin, Vinay Phegade, John E. Simpson, Jr.
  • Patent number: 8719546
    Abstract: Embodiments of techniques and systems for using substitute virtualized-memory page tables are described. In embodiments, a virtual machine monitor (VMM) may determine that a virtualized memory access to be performed by an instruction executing on a guest software virtual machine is not allowed in accordance with a current virtualized-memory page table (VMPT). The VMM may select a substitute VMPT that permits the virtualized memory access. In scenarios where the data access length for the instruction is known, the substitute VMPT may include full execute, read, and write permissions for the entire guest software address space. In scenarios where the data access length for the instruction is not known, the substitute VMPT may include less than full execute, read, and write permissions for the entire guest software address space, and may be modified to allow the requested virtualized memory access. Other embodiments may be described and claimed.
    Type: Grant
    Filed: January 4, 2013
    Date of Patent: May 6, 2014
    Assignee: Intel Corporation
    Inventors: Baohong Liu, Manohar R. Castelino, Kuo-Lang Tseng, Ritu Sood, Madhukar Tallam
  • Patent number: 8578080
    Abstract: Various embodiments of this disclosure may describe a method, apparatus and system for reducing the system latency caused by switching memory page permission views between programs while still protecting critical regions of memory from malware attacks. Other embodiments may be disclosed and claimed.
    Type: Grant
    Filed: July 1, 2011
    Date of Patent: November 5, 2013
    Assignee: Intel Corporation
    Inventors: Ravi L. Sahita, Xiaoning Li, Manohar R. Castelino
  • Publication number: 20130191611
    Abstract: Embodiments of techniques and systems for using substitute virtualized-memory page tables are described. In embodiments, a virtual machine monitor (VMM) may determine that a virtualized memory access to be performed by an instruction executing on a guest software virtual machine is not allowed in accordance with a current virtualized-memory page table (VMPT). The VMM may select a substitute VMPT that permits the virtualized memory access. In scenarios where the data access length for the instruction is known, the substitute VMPT may include full execute, read, and write permissions for the entire guest software address space. In scenarios where the data access length for the instruction is not known, the substitute VMPT may include less than full execute, read, and write permissions for the entire guest software address space, and may be modified to allow the requested virtualized memory access. Other embodiments may be described and claimed.
    Type: Application
    Filed: January 4, 2013
    Publication date: July 25, 2013
    Inventors: Baohong Liu, Manohar R. Castelino, Kuo-Lang Tseng, Ritu Sood, Madhukar Tallam
  • Patent number: 8479295
    Abstract: Generally, this disclosure describes systems and methods for transparently instrumenting a computer process. The systems and methods are configured to allow instrumenting executable code while permitting legacy memory scanning tools to monitor corresponding uninstrumented executable code stored in memory.
    Type: Grant
    Filed: March 30, 2011
    Date of Patent: July 2, 2013
    Assignee: Intel Corporation
    Inventors: Ravi L. Sahita, David M. Durham, Prashant Dewan, Manohar R. Castelino
  • Publication number: 20130007325
    Abstract: Various embodiments of this disclosure may describe a method, apparatus and system for reducing the system latency caused by switching memory page permission views between programs while still protecting critical regions of memory from malware attacks. Other embodiments may be disclosed and claimed.
    Type: Application
    Filed: July 1, 2011
    Publication date: January 3, 2013
    Inventors: Ravi L. Sahita, Xiaoning Li, Manohar R. Castelino
  • Publication number: 20120255015
    Abstract: Generally, this disclosure describes systems and methods for transparently instrumenting a computer process. The systems and methods are configured to allow instrumenting executable code while permitting legacy memory scanning tools to monitor corresponding uninstrumented executable code stored in memory.
    Type: Application
    Filed: March 30, 2011
    Publication date: October 4, 2012
    Inventors: Ravi L. Sahita, David M. Durham, Prashant Dewan, Manohar R. Castelino
  • Patent number: 7349346
    Abstract: A method and apparatus to model routing in a network are described wherein a data test route table (DTRT) is created from a route table, a stream of packets to test the DTRT is generated, and the DTRT is tested using the stream of packets. Other embodiments are described and claimed.
    Type: Grant
    Filed: October 31, 2002
    Date of Patent: March 25, 2008
    Assignee: Intel Corporation
    Inventor: Manohar R. Castelino
  • Publication number: 20040085911
    Abstract: A method and apparatus to model routing in a network are described.
    Type: Application
    Filed: October 31, 2002
    Publication date: May 6, 2004
    Inventor: Manohar R. Castelino