Patents by Inventor Oded Horovitz

Oded Horovitz has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 8402441
    Abstract: A method is provided for monitoring registered code in a virtual machine of a virtualization system. The method includes instantiating a guest in the virtual machine of the virtualization system and monitoring execution of code registered for monitored execution in an execution context of the guest. The monitoring is performed by the virtualization system and is hidden from computations of the guest.
    Type: Grant
    Filed: August 8, 2008
    Date of Patent: March 19, 2013
    Assignee: VMware, Inc.
    Inventors: Dmitriy Budko, Xiaoxin Chen, Oded Horovitz, Pratap Subrahmanyam, Carl Waldspurger
  • Publication number: 20130067245
    Abstract: Security of information—both code and data—stored in a computer's system memory is provided by an agent loaded into and at run time resident in a CPU cache. Memory writes from the CPU are encrypted by the agent before writing and reads into the CPU are decrypted by the agent before they reach the CPU. The cache-resident agent also optionally validates the encrypted information stored in the system memory. Support for I/O devices and cache protection from unsafe DMA of the cache by devices is also provided.
    Type: Application
    Filed: September 13, 2012
    Publication date: March 14, 2013
    Inventors: ODED HOROVITZ, Stephen A. Weis, Carl A. Waldspurger, Sahil Rihan
  • Patent number: 8271450
    Abstract: A method for monitoring a data structure maintained by guest software within a virtual machine is disclosed. Changes to the contents of the data structure are determined, such as by placing write traces on the memory pages containing the data structure. Also, the method involves determining when memory pages containing the data structure are swapped into and/or out of guest physical memory by the guest software, such as by placing write traces on the memory pages containing the guest page table and detecting changes to the present bit of page table entries involved in mapping virtual addresses for the data structure. Information about the contents of the data structure is retained while memory pages containing the data structure are swapped out of guest physical memory.
    Type: Grant
    Filed: October 1, 2009
    Date of Patent: September 18, 2012
    Assignee: VMware, Inc.
    Inventors: Oded Horovitz, Ophir Rachman, Wei Xu, Adrian Drzewiecki, Xiaoxin Chen
  • Patent number: 8250519
    Abstract: A method is provided for executing guest computations in a virtual machine of a virtualization system and forcing execution of registered code into an execution context of the guest. The forcing is performed from the virtualization system based on an execution trigger monitored without reliance on functionality of the guest software.
    Type: Grant
    Filed: August 8, 2008
    Date of Patent: August 21, 2012
    Assignee: VMware, Inc.
    Inventors: Dmitriy Budko, Xiaoxin Chen, Oded Horovitz, Pratap Subrahmanyam, Carl Waldspurger
  • Publication number: 20120131678
    Abstract: A system, method, and computer program product are provided for virtual patching. Initially, information associated with at least one vulnerability of a computer application is collected. Further, at least one host interface is identified that is capable of being used to access the vulnerability. In use, data sent to the at least one host interface is analyzed to determine whether the data is unwanted, based on the information.
    Type: Application
    Filed: January 31, 2012
    Publication date: May 24, 2012
    Inventors: Oded Horovitz, Yona Hollander
  • Patent number: 8132164
    Abstract: A system, method, and computer program product are provided for virtual patching. Initially, information associated with at least one vulnerability of a computer application is collected. Further, at least one host interface is identified that is capable of being used to access the vulnerability. In use, data sent to the at least one host interface is analyzed to determine whether the data is unwanted, based on the information.
    Type: Grant
    Filed: August 1, 2005
    Date of Patent: March 6, 2012
    Assignee: McAfee, Inc.
    Inventors: Oded Horovitz, Yona Hollander
  • Publication number: 20110219447
    Abstract: Computer implemented methods, system and apparatus for managing execution of a running-page in a virtual machine include associating an execution trace code with the running page by a security virtual machine. The execution trace code generates a notification upon initiation of the execution of the running page by the virtual machine. The notification is received by the security virtual machine running independent of the virtual machine executing the running-page. The running page associated with the execution trace code is validated by the security virtual machine as authorized for execution. An exception is generated if the running-page is not authorized for execution. The generated exception is to prevent the execution of the running page in the virtual machine.
    Type: Application
    Filed: March 8, 2011
    Publication date: September 8, 2011
    Applicant: VMWARE, INC.
    Inventors: Oded HOROVITZ, Samuel LARSEN, Gilad Arie WOLFF, Marios LEVENTOPOULOS, Bharath CHANDRAMOHAN
  • Publication number: 20110082962
    Abstract: A method for monitoring a data structure maintained by guest software within a virtual machine is disclosed. Changes to the contents of the data structure are determined, such as by placing write traces on the memory pages containing the data structure. Also, the method involves determining when memory pages containing the data structure are swapped into and/or out of guest physical memory by the guest software, such as by placing write traces on the memory pages containing the guest page table and detecting changes to the present bit of page table entries involved in mapping virtual addresses for the data structure. Information about the contents of the data structure is retained while memory pages containing the data structure are swapped out of guest physical memory.
    Type: Application
    Filed: October 1, 2009
    Publication date: April 7, 2011
    Applicant: VMWARE, INC.
    Inventors: Oded HOROVITZ, Ophir RACHMAN, Wei XU, Adrian DRZEWIECKI, Xiaoxin CHEN
  • Patent number: 7784034
    Abstract: A hooking system, method and computer program product are provided. In use, a component object model (COM) interface is hooked. To this end, a function may be performed based on the hooking.
    Type: Grant
    Filed: December 21, 2005
    Date of Patent: August 24, 2010
    Assignee: McAfee, Inc.
    Inventors: Gregory William Dalcher, Oded Horovitz
  • Publication number: 20090055571
    Abstract: One embodiment of the present invention includes a method for: (a) executing guest computations in a virtual machine of the virtualization system; and (b) forcing execution of registered code into an execution context of the guest, wherein the forcing is performed from the virtualization system based on an execution trigger monitored without reliance on functionality of the guest software.
    Type: Application
    Filed: August 8, 2008
    Publication date: February 26, 2009
    Inventors: Dmitriy Budko, Xiaoxin Chen, Oded Horovitz, Pratap Subrahmanyam, Carl Waldspurger
  • Publication number: 20090055693
    Abstract: One embodiment of the present invention is a method of operating a virtualization system, the method including: (a) instantiating a guest in a virtual machine of the virtualization system; and (b) monitoring execution of code registered for monitored execution in an execution context of the guest, wherein the monitoring is performed by the virtualization system and is hidden from computations of the guest.
    Type: Application
    Filed: August 8, 2008
    Publication date: February 26, 2009
    Inventors: Dmitriy Budko, Xiaoxin Chen, Oded Horovitz, Pratap Subrahmanyam, Carl Waldspurger
  • Publication number: 20090044274
    Abstract: One embodiment of the present invention is a method of operating a virtualization system, the method including: (a) instantiating a virtualization system on an underlying hardware machine, the virtualization system exposing a virtual machine in which multiple execution contexts of a guest execute; (b) monitoring the execution contexts from the virtualization system; and (c) selectively impeding computational progress of a particular one of the execution contexts.
    Type: Application
    Filed: March 19, 2008
    Publication date: February 12, 2009
    Applicant: VMWARE, INC.
    Inventors: Dmitriy Budko, Xiaoxin Chen, Oded Horovitz, Carl A. Waldspurger
  • Patent number: 7281268
    Abstract: A system, method and computer program product are provided which are capable of intercepting a call. Once intercepted, it is determined whether the call is associated with a previous sequence of calls in order to identify a correct sequence of calls associated with the intercepted call. Next, the call is associated with the correct sequence of calls. State information that is associated with the call is then gathered. Further, sequence state information is updated, and it is determined whether a process is unwanted based, at least in part, on such sequence state information. If it is determined that the process is unwanted, a reaction may be made to the unwanted process. If it is not determined that the process is unwanted, a next call may be intercepted, and so on.
    Type: Grant
    Filed: February 10, 2005
    Date of Patent: October 9, 2007
    Assignee: McAfee, Inc.
    Inventors: Yona Hollander, Oded Horovitz
  • Patent number: 7213153
    Abstract: A method of intercepting application program interface, including dynamic installation of associated software, within the user portion of an operating system. An API interception control server in conjunction with a system call interception module loads into all active process spaces an API interception module. An initializer module within the API interception module hooks and patches all API modules in the active process address space. When called by the application programs, the API routines' flow of execution, by virtue of their patched code, is re-directed into a user-supplied code in a pre-entry routine of the API interception module. The API routine might be completely by-passed or its input parameters might be filtered and changed by the user code. During the operation, the API routine is double-patched by the API interception module to ensure that all simultaneous calls to the API routine will re-direct its flow of control into the API interception module.
    Type: Grant
    Filed: June 22, 2004
    Date of Patent: May 1, 2007
    Assignee: McAfee, Inc.
    Inventors: Yona Hollander, Ophir Rachman, Oded Horovitz
  • Publication number: 20050177752
    Abstract: A system, method and computer program product are provided which are capable of intercepting a call. Once intercepted, it is determined whether the call is associated with a previous sequence of calls in order to identify a correct sequence of calls associated with the intercepted call. Next, the call is associated with the correct sequence of calls. State information that is associated with the call is then gathered. Further, sequence state information is updated, and it is determined whether a process is unwanted based, at least in part, on such sequence state information. If it is determined that the process is unwanted, a reaction may be made to the unwanted process. If it is not determined that the process is unwanted, a next call may be intercepted, and so on.
    Type: Application
    Filed: February 10, 2005
    Publication date: August 11, 2005
    Inventors: Yona Hollander, Oded Horovitz
  • Publication number: 20040237071
    Abstract: A method of intercepting application program interface, including dynamic installation of associated software, within the user portion of an operating system. An API interception control server in conjunction with a system call interception module loads into all active process spaces an API interception module. An initializer module within the API interception module hooks and patches all API modules in the active process address space. When called by the application programs, the API routines' flow of execution, by virtue of their patched code, is re-directed into a user-supplied code in a pre-entry routine of the API interception module. The API routine might be completely by-passed or its input parameters might be filtered and changed by the user code. During the operation, the API routine is double-patched by the API interception module to ensure that all simultaneous calls to the API routine will re-direct its flow of control into the API interception module.
    Type: Application
    Filed: June 22, 2004
    Publication date: November 25, 2004
    Inventors: Yona Hollander, Ophir Rachman, Oded Horovitz
  • Patent number: 6823460
    Abstract: A method of intercepting application program interface, including dynamic installation of associated software, within the user portion of an operating system. An API interception control server in conjunction with a system call interception module loads into all active process spaces an API interception module. An initializer module within the API interception module hooks and patches all API modules in the active process address space. When called by the application programs, the API routines' flow of execution, by virtue of their patched code, is re-directed into a user-supplied code in a pre-entry routine of the API interception module. The API routine might be completely by-passed or its input parameters might be filtered and changed by the user code. During the operation, the API routine is double-patched by the API interception module to ensure that all simultaneous calls to the API routine will re-direct its flow of control into the API interception module.
    Type: Grant
    Filed: April 28, 2000
    Date of Patent: November 23, 2004
    Assignee: Networks Associates Technology, Inc.
    Inventors: Yona Hollander, Ophir Rachman, Oded Horovitz
  • Patent number: 6412071
    Abstract: A method for detecting and preventing unauthorized or illegal attempts to gain enhanced privileges within a computing environment by exploiting the buffer overflow-related weakness of the computer system.
    Type: Grant
    Filed: April 28, 2000
    Date of Patent: June 25, 2002
    Inventors: Yona Hollander, Ophir Rachman, Oded Horovitz