Patents by Inventor Mikhail A. Ershov

Mikhail A. Ershov has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11269996
    Abstract: A method for protecting memory pages of a computing device using a hypervisor includes detecting, by a hypervisor, a token associated with the trusted program, in response to receiving a hypercall from a trusted program. The token associated with the trusted program is checked against a saved token of the hypervisor to determine trustworthiness of the trusted program. The hypervisor creates a memory page containing a safe hypercall address of the hypervisor. Addresses of the memory page are transmitted from the hypervisor to the trusted program. The hypervisor allows execution of the hypercall by the trusted program accessing the safe hypercall address found at the addresses of the memory page.
    Type: Grant
    Filed: November 13, 2018
    Date of Patent: March 8, 2022
    Assignee: AO Kaspersky Lab
    Inventors: Nikolay N. Igotti, Mikhail A. Ershov
  • Publication number: 20190080086
    Abstract: Disclosed are systems and methods for protecting memory pages of a computing device using a hypervisor. An exemplary method comprises: in response to receiving a hypercall from a trusted program, detecting, by a hypervisor, a token associated with the trusted program, checking the token associated with the trusted program against a saved token of the hypervisor to determine trustworthiness of the trusted program, creating, by the hypervisor, a memory page comprising a safe hypercall address of the hypervisor, transmitting addresses of the memory page from the hypervisor to the trusted program and allowing, by the hypervisor, execution of the hypercall by the trusted program accessing the safe hypercall address found at the addresses of the memory page.
    Type: Application
    Filed: November 13, 2018
    Publication date: March 14, 2019
    Inventors: Nikolay N. Igotti, Mikhail A. Ershov
  • Patent number: 10162964
    Abstract: Systems and methods for protecting memory pages of a computing device using a hypervisor comprise: in response to receiving a hypercall from a trusted program, detecting by the hypervisor a token associated with the trusted program; checking the token associated with the trusted program against a saved token of the hypervisor; in response to detecting that the token associated with the trusted program matches the saved token of the hypervisor, transmitting addresses of a plurality of memory pages from the hypervisor to the trusted program; and performing a checksums verification for data stored in the plurality of memory pages.
    Type: Grant
    Filed: November 23, 2016
    Date of Patent: December 25, 2018
    Assignee: AO Kaspersky Lab
    Inventors: Nikolay N. Igotti, Mikhail A. Ershov
  • Publication number: 20170132412
    Abstract: Disclosed are systems and methods for protecting memory pages of a computing device using a hypervisor. An exemplary method comprises: in response to receiving a hypercall from a trusted program, detecting by the hypervisor a token associated with the trusted program; checking the token associated with the trusted program against a saved token of the hypervisor; in response to detecting that the token associated with the trusted program matches the saved token of the hypervisor, transmitting addresses of a plurality of memory pages from the hypervisor to the trusted program; and performing a checksums verification for data stored in the plurality of memory pages.
    Type: Application
    Filed: November 23, 2016
    Publication date: May 11, 2017
    Inventors: Nikolay N. Igotti, Mikhail A. Ershov
  • Patent number: 9536088
    Abstract: Disclosed are systems and methods for enabling secure execution of code in hypervisor mode. An exemplary method comprises: loading a hypervisor configured to check integrity of protected virtual memory pages; loading a trusted program configured to make hypercalls to the hypervisor; making by the trusted program a first hypercall to the hypervisor; responsive to the first hypercall, generating by the hypervisor a token, which is used by the hypervisor to identify the trusted program during subsequent hypercalls; allocating a memory page for storing the token and a memory address of the hypervisor; and returning the allocated memory page address to the trusted program.
    Type: Grant
    Filed: November 9, 2015
    Date of Patent: January 3, 2017
    Assignee: AO Kaspersky Lab
    Inventors: Nikolay N. Igotti, Mikhail A. Ershov
  • Patent number: 9178892
    Abstract: Disclosed are methods, systems, and computer programs for managing access to computer resources. An example method includes receiving a request, from a client process, for performing an operation on a computer resource, including receiving the request by a kernel of an operating system for creating a separate process to perform the requested operation on the computer resource; obtaining, by a resource manager, metadata of the computer resource, security policies for the client process to perform the requested operation on the computer resource, and data relating to operations requested by other client processes on the computer resource; and performing the requested operation on the resource upon detecting that the requested operation does not: alter the metadata, violate an isolation condition of the computer resource, violate rights of the client process, and distort the operations requested by the other client processes.
    Type: Grant
    Filed: March 18, 2015
    Date of Patent: November 3, 2015
    Assignee: AO Kaspersky Lab
    Inventors: Stanislav V. Moiseev, Mikhail A. Ershov
  • Publication number: 20150195283
    Abstract: Disclosed are methods, systems, and computer programs for managing access to computer resources. An example method includes receiving a request, from a client process, for performing an operation on a computer resource, including receiving the request by a kernel of an operating system for creating a separate process to perform the requested operation on the computer resource; obtaining, by a resource manager, metadata of the computer resource, security policies for the client process to perform the requested operation on the computer resource, and data relating to operations requested by other client processes on the computer resource; and performing the requested operation on the resource upon detecting that the requested operation does not: alter the metadata, violate an isolation condition of the computer resource, violate rights of the client process, and distort the operations requested by the other client processes.
    Type: Application
    Filed: March 18, 2015
    Publication date: July 9, 2015
    Inventors: Stanislav V. Moiseev, Mikhail A. Ershov
  • Patent number: 9015797
    Abstract: Methods, systems, and computer programs are provided for managing access to computer resources by receiving a request, from a client, for performing one or more operations on a computer resource; determining functions of a resource manager that are required to perform the requested one or more operations on the resource; obtaining metadata of the resource, security policies for the client to perform the requested one or more operations on the resource, and data about other operations requested by other clients on the resource; and performing the requested one or more operations on the resource when the requested one or more operations do not result in altering the metadata or violating the isolation of the resource by the requested one or more operations, do not result in violating the rights of the client, and do not result in distorting the results of the other operations requested by the other clients.
    Type: Grant
    Filed: April 8, 2014
    Date of Patent: April 21, 2015
    Assignee: Kaspersky Lab ZAO
    Inventors: Stanislav V. Moiseev, Mikhail A. Ershov
  • Patent number: 8091086
    Abstract: A computer system includes an Open Bus Hypervisor having the highest privilege level. An Open Bus Hypervisor is a set of modules that operate on the root level. The Open Bus Hypervisor provides support for processing, filtering and redirecting of low level events. The Open Bus Hypervisor is used primarily for maintenance and support of computer virtualization features, which are implemented within computer system CPU. Additionally, the Open Bus Hypervisor can be used for supporting new hardware and software modules installed on a computer system. A Virtual Machine Monitor (VMM) runs with fewer privileges than the Open Bus Hypervisor. A Primary Virtual Machine (PVM) runs without system level privileges and has a Primary Operating System (POS) running within it.
    Type: Grant
    Filed: July 18, 2008
    Date of Patent: January 3, 2012
    Assignee: Parallels Holdings, Ltd.
    Inventors: Mikhail A. Ershov, Alexander G. Tormasov, Alexey B. Koryakin, Serguei M. Beloussov
  • Patent number: 7856542
    Abstract: A system, method and computer program product for virtualizing a processor include a virtualization system running on a computer system and controlling memory paging through hardware support for maintaining real paging structures. A Virtual Machine (VM) is running guest code and has at least one set of guest paging structures that correspond to guest physical pages in guest virtualized linear address space. At least some of the guest paging structures are mapped to the real paging structures. For each guest physical page that is mapped to the real paging structures, paging means for handling a connection structure between the guest physical page and a real physical address of the guest physical page. A cache of connection structures represents cached paths to the real paging structures. Each path is described by guest paging structure descriptors and by tie descriptors. Each path includes a plurality of nodes connected by the tie descriptors.
    Type: Grant
    Filed: September 15, 2009
    Date of Patent: December 21, 2010
    Assignee: Parallels Holdings, Ltd.
    Inventors: Alexey B. Koryakin, Mikhail A. Ershov, Nikolay N. Dobrovolskiy, Andrey A. Omelyanchuk, Alexander G. Tormasov, Serguei M. Beloussov
  • Patent number: 7596677
    Abstract: A system, method and computer program product for virtualizing a processor include a virtualization system running on a computer system and controlling memory paging through hardware support for maintaining real paging structures. A Virtual Machine (VM) is running guest code and has at least one set of guest paging structures that correspond to guest physical pages in guest virtualized linear address space. At least some of the guest paging structures are mapped to the real paging structures. For each guest physical page that is mapped to the real paging structures, paging means for handling a connection structure between the guest physical page and a real physical address of the guest physical page. A cache of connection structures represents cached paths to the real paging structures. Each path is described by guest paging structure descriptors and by tie descriptors. Each path includes a plurality of nodes connected by the tie descriptors.
    Type: Grant
    Filed: February 6, 2007
    Date of Patent: September 29, 2009
    Assignee: Parallels Software International, Inc.
    Inventors: Alexey B. Koryakin, Mikhail A. Ershov, Nikolay N. Dobrovolskiy, Andrey A. Omelyanchuk, Alexander G. Tormasov, Serguei M. Beloussov