Abstract: Aspects of the disclosure provide for mechanisms for memory protection of virtual machines in a computer system. A method of the disclosure includes: obtaining, by a hypervisor, a guest page table associated with a virtual machine, wherein the guest page table comprises a first guest page table entry associated with a privilege flag indicating that a first virtual page of a guest memory of the virtual machine is accessible to unprivileged code; and in view of a determination that the virtual machine is running in a kernel mode, generating a first host page table in view of the guest page table, wherein the first host page table comprises a first host page table entry corresponding to the first guest page table entry, and wherein the first host page table entry is associated with a privilege flag indicating that the first virtual page is not accessible to the unprivileged code.

Abstract: A method includes, with a hypervisor, receiving a first request from a guest to write a first piece of data to a first memory location within a kernel code page. The method further includes determining that the first request triggers a violation based on a kernel protection mechanism, and in response to determining that the first request triggers the violation, determining that the first piece of data includes a breakpoint. The method further includes, in response to determining that the first piece of data includes the breakpoint, copying a second piece of data currently stored at the first memory location to a second memory location within non-guest writeable memory and overwriting the first memory location with the first piece of data.

Abstract: Systems and methods for enabling a user space process of a guest operating system to initiate hardware operations in a security-enhanced manner. An example method may comprise: configuring a storage unit to store one or more resource requests, the storage unit being accessible to a user space process managed by a guest operating system and to a hypervisor; determining, by a processing device, that the user space process managed by the guest operating system is authorized to store a resource request at the storage unit; and transmitting to the hypervisor a signal associated with the storage unit comprising the resource request, the signal being initiated by a hypercall executed by the user space process.

Abstract: A hypervisor associates a combined register space with a virtual device to be presented to a guest operating system of a virtual machine, the combined register space comprising a default register space and an additional register space. Responsive to detecting an access of the additional register space by the guest operating system of the virtual machine, the hypervisor performs an operation on behalf of the virtual machine, the operation pertaining to the access of the additional register space.

Abstract: A system and method of emulating page table modification logging includes a host hypervisor identifying a first mapping in a nested extended page table and identifying a first bit in a first page table entry of the nested extended page table. The host hypervisor creates a second write-protected mapping in a shadow extended page table. The nested guest performs a first write access to a first page in the nested guest. The first page has a first nested guest physical address corresponding to the second mapping. The host hypervisor triggers an exit from the nested guest to the host hypervisor. The host hypervisor identifies that the first write access occurred and stores the first nested guest physical address in a page modification log (PML) buffer of the nested hypervisor. The host hypervisor sets the first bit as a dirty bit and returns to the nested guest.

Abstract: A system and method of emulating page table modification logging includes a host hypervisor identifying a first mapping in a nested extended page table and identifying a first bit in a first page table entry of the nested extended page table. The host hypervisor creates a second write-protected mapping in a shadow extended page table. The nested guest performs a first write access to a first page in the nested guest. The first page has a first nested guest physical address corresponding to the second mapping. The host hypervisor triggers an exit from the nested guest to the host hypervisor. The host hypervisor identifies that the first write access occurred and stores the first nested guest physical address in a page modification log (PML) buffer of the nested hypervisor. The host hypervisor sets the first bit as a dirty bit and returns to the nested guest.

Abstract: A system, methods, and apparatus for using hypervisor trapping for protection against interrupts in virtual machine functions are disclosed. A system includes memory, one or more physical processors, a virtual machine executing on the one or more physical processors, and a hypervisor executing on the one or more physical processors. The hypervisor reads an interrupt data structure on the virtual machine. The hypervisor determines whether the interrupt data structure points to an alternate page view. Responsive to determining that the interrupt data structure points to an alternate page view, the hypervisor disables a virtual machine function.

Abstract: A hypervisor associates a combined register space with a virtual device to be presented to a guest operating system of a virtual machine, the combined register space comprising a default register space and an additional register space. Responsive to detecting an access of the additional register space by the guest operating system of the virtual machine, the hypervisor performs an operation on behalf of the virtual machine, the operation pertaining to the access of the additional register space.

Abstract: Methods, systems, and computer program products are included for providing one or more additional kernels kernel in a protected kernel environment. A method includes providing, by a hypervisor, a virtual machine that includes a first kernel. A first portion of memory of the virtual machine is allocated for the first kernel and a second portion of memory of the virtual machine is allocated for a second kernel. The virtual machine executes the first kernel. The hypervisor disables access privileges corresponding to the second portion of memory. Execution is transitioned from the first kernel to the second kernel by clearing memory corresponding to the first kernel, enabling access privileges corresponding to the second portion of the memory, and executing the second kernel on the virtual machine.

Abstract: Methods, systems, and computer program products are included for loading a code module. A method includes verifying, by a guest, a digital signature of a code module stored in an initial guest memory buffer. The guest copies the verified code module stored at the initial guest memory buffer into a target guest memory buffer and applies, using one or more symbol entries, one or more relocations to the verified code module stored at the target guest memory buffer. The guest sends a request to a hypervisor to set the target guest memory buffer to a write-protect mode. In response to a determination that first content stored in the initial guest memory buffer corresponds to second content stored in the target guest memory buffer, the guest sends a request to the hypervisor to set the target guest memory buffer to an executable mode.

Abstract: In a process for migrating a virtual machine's storage from a source disk to a destination disk, during a steady state (i.e., wherein the contents of the virtual machine stored on the source disk and the destination disk are equal), a virtual machine monitor receives a set of write requests from a guest operating system (“guest”) of the virtual machine, provides confirmation of the completion of the set of writes to the source disk, and asynchronously replicates the set of write requests to the destination disk. Upon receipt of a flush request from the guest, the virtual machine monitor confirms completion of the flushing of the destination disk following replication of the write requests to the destination disk. Upon receipt of a switch request from a virtual machine manager, the virtual machine monitor switches the virtual machine to the destination disk and issues subsequent write requests to the destination disk.

Abstract: An example method of sharing message-signaled interrupt vectors in multi-processor computer systems comprises: associating an interrupt vector with a first device component, by creating a first interrupt mapping entry of an interrupt mapping table, wherein the first interrupt mapping entry references a first processor and the interrupt vector; associating the interrupt vector with a second device component, by creating a second interrupt mapping entry of the interrupt mapping table, wherein the second interrupt mapping entry references a second processor and the interrupt vector; and creating, in an interrupt descriptor table (IDT) associated with the first processor and the second processor, an interrupt descriptor for the interrupt vector.

Abstract: A method includes, with a hypervisor, receiving a first request from a guest to write a first piece of data to a first memory location within a kernel code page. The method further includes determining that the first request triggers a violation based on a kernel protection mechanism, and in response to determining that the first request triggers the violation, determining that the first piece of data includes a breakpoint. The method further includes, in response to determining that the first piece of data includes the breakpoint, copying a second piece of data currently stored at the first memory location to a second memory location within non-guest writeable memory and overwriting the first memory location with the first piece of data.

Abstract: An operating system (OS) receives a request to allocate a physical memory page to an address space of an application. The OS maintains a data structure that stores references to a plurality of physical memory pages that are available to be allocated, and generates a random index into the data structure, wherein the random index comprises a random number, and wherein the random index corresponds to a first reference for a first physical memory page of the plurality of physical memory pages. The OS selects the first physical memory page of the plurality of memory pages from the data structure using the random index, and maps the first physical memory page to the address space of the application.

Abstract: Methods, systems, and computer program products are included for loading a code module. A method includes verifying, by a guest, a digital signature of a code module stored in an initial guest memory buffer. The guest copies the verified code module stored at the initial guest memory buffer into a target guest memory buffer and applies, using one or more symbol entries, one or more relocations to the verified code module stored at the target guest memory buffer. The guest sends a request to a hypervisor to set the target guest memory buffer to a write-protect mode. In response to a determination that first content stored in the initial guest memory buffer corresponds to second content stored in the target guest memory buffer, the guest sends a request to the hypervisor to set the target guest memory buffer to an executable mode.

Abstract: Systems and methods for transmitting inter-processor interrupt messages by privileged virtual machine functions. An example method may comprise: mapping, by a hypervisor being executed by a processing device of a host computer system, a plurality of interrupt controller registers of the host computer system into a memory address space of a virtual machine being executed by the host computer system; mapping, into the memory address space of the virtual machine, a task mapping data structure comprising a plurality of records, each record associating a task with a processor of the host computer system; and mapping, into the memory address space of the virtual machine, a notification code module to be invoked by the virtual machine for writing a notification message into an interrupt controller register associated with a processor identified using the task mapping data structure.

Abstract: Systems and methods for sharing message-signaled interrupt vectors in multi-processor computer systems. An example method may comprise: associating an interrupt vector with a first device component; associating the interrupt vector with the second device component; creating, in a first interrupt descriptor table (IDT) associated with a first processor, a first interrupt descriptor to reference a first interrupt service routine to process a first interrupt triggered by the first device component; and creating, in a second IDT associated with a second processor, a second interrupt descriptor to reference a second interrupt service routine to process a second interrupt triggered by the second device component, wherein the first interrupt descriptor and the second interrupt descriptor reference the interrupt vector.

Abstract: Methods, systems, and computer program products are included for performing tracing in a protected kernel environment. A method includes scanning at least a portion of a kernel to locate one or more instructions. The locations of the one or more instructions are provided to a hypervisor. The one or more instructions are replaced with one or more other instructions. After replacing the one or more instructions, a kernel protection feature is activated. After activating the kernel protection feature, they hypervisor detects an attempted modification of the kernel. The hypervisor determines that the attempted modification corresponds to the at least one location provided to the hypervisor and that the attempted modification corresponds to an authorized code variant. The hypervisor modifies the kernel to include the authorized code variant at the at least one location.

Abstract: A method includes, with a hypervisor, receiving a first request from a guest to write a first piece of data to a first memory location within a kernel code page. The method further includes determining that the first request triggers a violation based on a kernel protection mechanism, and in response to determining that the first request triggers the violation, determining that the first piece of data includes a breakpoint. The method further includes, in response to determining that the first piece of data includes the breakpoint, copying a second piece of data currently stored at the first memory location to a second memory location within non-guest writeable memory and overwriting the first memory location with the first piece of data.

Abstract: A system, methods, and apparatus for using hypervisor trapping for protection against interrupts in virtual machine functions are disclosed. A system includes memory, one or more physical processors, a virtual machine executing on the one or more physical processors, and a hypervisor executing on the one or more physical processors. The hypervisor reads an interrupt data structure on the virtual machine. The hypervisor determines whether the interrupt data structure points to an alternate page view. Responsive to determining that the interrupt data structure points to an alternate page view, the hypervisor disables a virtual machine function.