Patents by Inventor Udo Steinberg

Udo Steinberg has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20210398364
    Abstract: Executing one or more vehicle applications using a vehicle computation unit of a vehicle and providing a permission information manifest for a vehicle application, and controlling a communication between vehicle applications of a vehicle based on permission information manifests associated with the vehicle applications. Programming instructions of the one or more vehicle applications are obtained, as well as one or more individual permission information manifests of the one or more vehicle applications. Each permission information manifest includes information related to one or more permitted vehicle services of a vehicle application of the one or more vehicle applications. The information related to the one or more permitted services indicates one or more vehicle services the vehicle application is permitted to offer to further vehicle applications of the vehicle and/or one or more vehicle services of the further vehicle applications the vehicle application is permitted to use.
    Type: Application
    Filed: September 30, 2019
    Publication date: December 23, 2021
    Inventors: Alexander Tschache, Udo Steinberg
  • Patent number: 11200080
    Abstract: A technique is described that deploys a virtualization layer underneath an operating system executing on a node of a network environment to enable the virtualization layer to control the operating system. One or more executables (binaries) for the virtualization layer may be included in a kernel module loaded in memory of the node with a first privilege level (e.g., highest privilege level) needed to control the guest operating system. The kernel module may be configured to suspend the guest operating system and one or more hardware resources to a quiescent state. Furthermore, the kernel module is configured to (i) capture and save states of the hardware resource(s) and (ii) bootstrap the virtualization layer to create a virtual machine with an initial state that corresponds to a state of the system prior to deployment of the virtualization layer.
    Type: Grant
    Filed: October 15, 2018
    Date of Patent: December 14, 2021
    Assignee: FireEye Security Holdings US LLC
    Inventors: Udo Steinberg, Neeraj Sanjeev Kulkarni
  • Patent number: 11113086
    Abstract: According to one embodiment, a computing device comprises one or more hardware processors and a memory coupled to the one or more processors. The memory comprises software that supports a virtualization software architecture including a first virtual machine operating under control of a first operating system. Responsive to determining that the first operating system has been compromised, a second operating system, which is stored in the memory in an inactive (dormant) state, is now active and controlling the first virtual machine or a second virtual machine different from the first virtual machine that now provides external network connectivity.
    Type: Grant
    Filed: June 30, 2016
    Date of Patent: September 7, 2021
    Assignee: FireEye, Inc.
    Inventor: Udo Steinberg
  • Patent number: 10846117
    Abstract: Secure communication is established between a hyper-process of the virtualization layer (e.g., host) and an agent process in the guest operating system (e.g., guest) using a virtual communication device which, in an embodiment, is implemented as shared memory having two memory buffers. A guest-to-host buffer is used as a first message box configured to provide unidirectional communication from the agent to the virtualization layer and a host-to-guest buffer is used as a second message box configured to provide unidirectional communication from the virtualization layer to the agent. The buffers cooperate to transform the virtual device into a low-latency, high-bandwidth communication interface configured for bi-directional transfer of information between the agent process and the hyper-process of the virtualization layer, wherein the communication interface also includes a signaling (doorbell) mechanism configured to notify the processes that information is available for transfer over the interface.
    Type: Grant
    Filed: August 15, 2016
    Date of Patent: November 24, 2020
    Assignee: FireEye, Inc.
    Inventor: Udo Steinberg
  • Patent number: 10726127
    Abstract: A computing device features one or more hardware processors and a memory that is coupled to the one or more processors. The memory comprises software that is implemented with a security mechanism to protect the availability of a software component operating within a virtual machine, which is controlled by a guest operating system (OS) kernel. The software comprises a virtualization layer operating in a host mode, where the virtualization layer, when executed by the one or more hardware processors, is configured to send one or more virtual interrupts to the guest OS kernel of the virtual machine. A virtual interrupt causes an interrupt service routine within the guest OS kernel to perform a particular service that prevents a protected process (or protected software data structures) from being affected by malware.
    Type: Grant
    Filed: June 30, 2016
    Date of Patent: July 28, 2020
    Assignee: FireEye, Inc.
    Inventor: Udo Steinberg
  • Patent number: 10642753
    Abstract: A computing device features one or more hardware processors and a memory that is coupled to the one or more processors. The memory comprises software that supports virtualization, including a virtual machine operating in the guest mode and a virtualization layer operating in the host mode. The virtual machine is configured to execute a plurality of processes including a guest agent process. The virtualization layer is configured to protect the guest agent process operating within the virtual machine that provides metadata to the virtualization layer by restricting page permissions for memory pages associated with the guest agent process when the guest agent process is inactive.
    Type: Grant
    Filed: June 30, 2016
    Date of Patent: May 5, 2020
    Assignee: FireEye, Inc.
    Inventor: Udo Steinberg
  • Patent number: 10447728
    Abstract: A technique protects guest processes of a guest operating system kernel using a virtualization layer of a virtualization architecture executing on a node of a network environment. The virtualization layer may include a user mode portion having hyper-processes and a kernel portion having a micro-hypervisor that cooperate to virtualize the guest operating system kernel within a virtual machine and to make hardware resources of the node available for use by the guest operating system kernel, either as pass-through resources, emulated resources, or a combination thereof. Illustratively, the micro-hypervisor may cooperate with the hyper-processes of the virtualization layer to protect the guest processes against attack by one or more exploits that may employ malware.
    Type: Grant
    Filed: August 5, 2016
    Date of Patent: October 15, 2019
    Assignee: FireEye, Inc.
    Inventor: Udo Steinberg
  • Patent number: 10395029
    Abstract: A computing device is described that comprises one or more hardware processors and a memory communicatively coupled to the one or more hardware processors. The memory comprises software that supports a software virtualization architecture, including (i) a virtual machine operating in a guest environment and including a process that is configured to monitor behaviors of data under analysis within the virtual machine and (ii) a threat protection component operating in a host environment. The threat protection component is configured to classify the data under analysis as malicious or non-malicious based on the monitored behaviors.
    Type: Grant
    Filed: June 30, 2016
    Date of Patent: August 27, 2019
    Assignee: FireEye, Inc.
    Inventor: Udo Steinberg
  • Patent number: 10216927
    Abstract: A computerized method is provided for protecting processes operating within a computing device. The method comprises an operation for identifying, by a virtualization layer operating in a host mode, when a guest process switch has occurred. The guest process switch corresponds to a change as to an operating state of a process within a virtual machine. Responsive to an identified guest process switch, an operation is conducted to determine, by the virtualization layer, whether hardware circuitry within the computing device is to access a different nested page table for use in memory address translations. The different nested page table alters page permissions for one or more memory pages associated with at least the process that are executable in the virtual machine.
    Type: Grant
    Filed: June 30, 2016
    Date of Patent: February 26, 2019
    Assignee: FireEye, Inc.
    Inventor: Udo Steinberg
  • Patent number: 10191861
    Abstract: A technique implements memory views using a virtualization layer of a virtualization architecture executing on a node of a network environment. The virtualization layer may include a user mode portion having hyper-processes and a kernel portion having a micro-hypervisor that cooperate to virtualize a guest operating system kernel within a virtual machine (VM) of the node. The micro-hypervisor may further cooperate with the hyper-processes, such as a guest monitor, of the virtualization layer to implement one or more memory views of the VM. As used herein, a memory view is illustratively a hardware resource (i.e., a set of nested page tables) used as a container (i.e., to constrain access to memory of the node) for one or more guest processes of the guest operating system kernel.
    Type: Grant
    Filed: September 6, 2016
    Date of Patent: January 29, 2019
    Assignee: FireEye, Inc.
    Inventors: Udo Steinberg, Osman Abdoul Ismael
  • Patent number: 10108446
    Abstract: A late load technique deploys a virtualization layer underneath an operating system executing on a node of a network environment to enable the virtualization layer to control the operating system. Binary executable files (binaries) for the virtualization layer may be included in a ring 0 driver loaded in memory of the node with the highest privilege level (e.g., host mode ring 0) needed to control the guest operating system. The ring 0 driver may request allocation of physical memory from the guest operating system for the virtualization layer and thereafter suspend the guest operating system and hardware resources of the node in a deterministic manner. The ring 0 driver may capture architectural states of those resources, which are used to create a virtual machine and virtual devices having initial states that are substantially identical to the states of the operating system and hardware resources at the time of suspension.
    Type: Grant
    Filed: August 5, 2016
    Date of Patent: October 23, 2018
    Assignee: FireEye, Inc.
    Inventors: Udo Steinberg, Neeraj Sanjeev Kulkarni
  • Patent number: 10033759
    Abstract: A computing device is described that comprises one or more hardware processors and a memory communicatively coupled to the one or more hardware processors. The memory comprises software that, when executed by the processors, operates as (i) a virtual machine and (ii) a hypervisor. The virtual machine includes a guest kernel that facilitates communications between a guest application being processed within the virtual machine and one or more virtual resources. The hypervisor configures a portion of the guest kernel to intercept a system call from the guest application and redirect information associated with the system call to the hypervisor. The hypervisor enables logic within the guest kernel to analyze information associated with the system call to determine whether the system call is associated with a malicious attack in response to the system call being initiated during a memory page execution cycle.
    Type: Grant
    Filed: June 29, 2016
    Date of Patent: July 24, 2018
    Assignee: FireEye, Inc.
    Inventors: Atul Kabra, Julian Stecklina, Hirendra Rathor, Udo Steinberg
  • Patent number: 9442868
    Abstract: Embodiments of apparatuses, methods, and systems for delivering an interrupt to a virtual processor are disclosed. In one embodiment, an apparatus includes an interface to receive an interrupt request, delivery logic, and exit logic. The delivery logic is to determine, based on an attribute of the interrupt request, whether the interrupt request is to be delivered to the virtual processor. The exit logic is to transfer control to a host if the delivery logic determines that the interrupt request is not to be delivered to the virtual processor.
    Type: Grant
    Filed: December 10, 2014
    Date of Patent: September 13, 2016
    Assignee: Intel Corporation
    Inventors: Gilbert Neiger, Rajesh Sankaran Madukkarumukumana, Richard A. Uhlig, Udo Steinberg, Sebastian Schoenberg, Sridhar Muthrasanallur, Steven M. Bennett, Andrew V. Anderson, Erik C. Cota-Robles
  • Publication number: 20150205736
    Abstract: Embodiments of apparatuses, methods, and systems for delivering an interrupt to a virtual processor are disclosed. In one embodiment, an apparatus includes an interface to receive an interrupt request, delivery logic, and exit logic. The delivery logic is to determine, based on an attribute of the interrupt request, whether the interrupt request is to be delivered to the virtual processor. The exit logic is to transfer control to a host if the delivery logic determines that the interrupt request is not to be delivered to the virtual processor.
    Type: Application
    Filed: December 10, 2014
    Publication date: July 23, 2015
    Inventors: Gilbert Neiger, Rajesh Sankaran Madukkarumukumana, Richard A. Uhlig, Udo Steinberg, Sebastian Schoenberg, Sridhar Muthrasanallur, Steven M. Bennett, Andrew V. Anderson, Erik C. Cota-Robles
  • Patent number: 8938737
    Abstract: Embodiments of apparatuses, methods, and systems for delivering an interrupt to a virtual processor are disclosed. In one embodiment, an apparatus includes an interface to receive an interrupt request, delivery logic, and exit logic. The delivery logic is to determine, based on an attribute of the interrupt request, whether the interrupt request is to be delivered to the virtual processor. The exit logic is to transfer control to a host if the delivery logic determines that the interrupt request is not to be delivered to the virtual processor.
    Type: Grant
    Filed: September 6, 2012
    Date of Patent: January 20, 2015
    Assignee: Intel Corporation
    Inventors: Gilbert Neiger, Rajesh Sankaran Madukkarumukumana, Richard A. Uhlig, Udo Steinberg, Sebastian Schoenberg, Sridhar Muthrasanallur, Steven M. Bennett, Andrew V. Anderson, Erik C. Cota-Robles
  • Publication number: 20120331467
    Abstract: Embodiments of apparatuses, methods, and systems for delivering an interrupt to a virtual processor are disclosed. In one embodiment, an apparatus includes an interface to receive an interrupt request, delivery logic, and exit logic. The delivery logic is to determine, based on an attribute of the interrupt request, whether the interrupt request is to be delivered to the virtual processor. The exit logic is to transfer control to a host if the delivery logic determines that the interrupt request is not to be delivered to the virtual processor.
    Type: Application
    Filed: September 6, 2012
    Publication date: December 27, 2012
    Inventors: Gilbert Neiger, Rajesh Sankaran Madukkarumukumana, Richard A. Uhlig, Udo Steinberg, Sebastian Schoenberg, Sridhar Muthrasanallur, Steven M. Bennett, Andrew V. Anderson, Erik C. Cota-Robles
  • Patent number: 8286162
    Abstract: Embodiments of apparatuses, methods, and systems for delivering an interrupt to a virtual processor are disclosed. In one embodiment, an apparatus includes an interface to receive an interrupt request, delivery logic, and exit logic. The delivery logic is to determine, based on an attribute of the interrupt request, whether the interrupt request is to be delivered to the virtual processor. The exit logic is to transfer control to a host if the delivery logic determines that the interrupt request is not to be delivered to the virtual processor.
    Type: Grant
    Filed: December 30, 2005
    Date of Patent: October 9, 2012
    Assignee: Intel Corporation
    Inventors: Gilbert Neiger, Rajesh Sankaran Madukkarumukumana, Richard A. Uhlig, Udo Steinberg, Sebastian Schoenberg, Sridhar Muthrasanallur, Steven M. Bennett, Andrew V. Anderson, Erik C. Cota-Robles
  • Publication number: 20080065854
    Abstract: A processing system may include a service operating system (OS) and a guest virtual machine (VM). The service OS may be a host OS or an OS in a service VM, for instance. The guest VM may have a physical address space. In one embodiment, a pseudo-device driver in the service OS causes an address within the physical address space of the guest VM to be mapped to an address within a virtual address space of a user level monitor (ULM) running on top of the service OS. When an operation that involves the physical address space of the guest VM (e.g., a direct memory access (DMA) operation requested by the guest VM, an interrupt triggered by the guest VM, etc.) is detected, the ULM may use its virtual address space to access the physical address space of the guest VM. Other embodiments are described and claimed.
    Type: Application
    Filed: September 7, 2006
    Publication date: March 13, 2008
    Inventors: Sebastian Schoenberg, Udo Steinberg, Alain Kaegi, Tariq Masood, Philip Lantz, Andrew V. Anderson
  • Publication number: 20070157197
    Abstract: Embodiments of apparatuses, methods, and systems for delivering an interrupt to a virtual processor are disclosed. In one embodiment, an apparatus includes an interface to receive an interrupt request, delivery logic, and exit logic. The delivery logic is to determine, based on an attribute of the interrupt request, whether the interrupt request is to be delivered to the virtual processor. The exit logic is to transfer control to a host if the delivery logic determines that the interrupt request is not to be delivered to the virtual processor.
    Type: Application
    Filed: December 30, 2005
    Publication date: July 5, 2007
    Inventors: Gilbert Neiger, Rajesh Madukkarumukumana, Richard Uhlig, Udo Steinberg, Sebastian Schoenberg, Sridhar Muthrasanallur, Steven Bennett, Andrew Anderson, Erik Cota-Robles
  • Publication number: 20060288130
    Abstract: An apparatus is disclosed. The apparatus includes a remapping circuit to facilitate access of one or more I/O devices to a memory device for direct memory access (DMA) transactions. The remapping circuit includes a translation mechanism to perform memory address translations for I/O DMA transactions via address window-based translations.
    Type: Application
    Filed: June 21, 2005
    Publication date: December 21, 2006
    Inventors: Rajesh Madukkarumukumana, Udo Steinberg, Steven Bennett, Andrew Anderson, Gilbert Neiger