Technologies for multi-level virtualization

    Publication number: US09747123B2

    Publication date: 2017-08-29

    Application number: US14866187

    Filing date: 2015-09-25

    Abstract: Technologies for multi-level virtualization include a computing device having a processor that supports a root virtualization mode and a non-root virtualization mode. A non-root hypervisor determines whether it is executed under control of a root hypervisor, and if so, registers a callback handler and trigger conditions with the root hypervisor. The non-root hypervisor hosts one or more virtual machines. In response to a virtual machine exit, the root hypervisor determines whether a callback handler has been registered for the virtual machine exit reason and, if so, evaluates the trigger conditions associated with the callback handler. If the trigger conditions are satisfied, the root hypervisor invokes the callback handler. The callback handler may update a virtual virtualization support object based on changes made by the root hypervisor to a virtualization support object. The root hypervisor may invoke the callback handler in the non-root virtualization mode. Other embodiments are described and claimed.

    12. Technologies for preventing hook-skipping attacks using processor virtualization features
    Granted invention patent (in force)

    Publication number: US09454676B2

    Publication date: 2016-09-27

    Application number: US14318215

    Filing date: 2014-06-27

    CPC classification number: G06F21/79 G06F21/62

    Abstract: Technologies for monitoring system API calls include a computing device with hardware virtualization support. The computing device establishes a default memory view and a security memory view to define physical memory maps and permissions. The computing device executes an application in the default memory view and executes a default inline hook in response to a call to an API function. The default inline hook switches to the security memory view using hardware support without causing a virtual machine exit. The security inline hook calls a security callback function to validate the API function call in the security memory view. Hook-skipping attacks may be prevented by padding the default inline hook with no-operation instructions, by designating memory pages of the API function as non-executable in the default memory view, or by designating memory pages of the application as non-executable in the security memory view. Other embodiments are described and claimed.


    14. Regulating access to and protecting portions of applications of virtual machines
    Granted invention patent (in force)

    Publication number: US08726404B2

    Publication date: 2014-05-13

    Application number: US13653077

    Filing date: 2012-10-16

    Abstract: Embodiments of apparatus, computer-implemented methods, systems, and computer-readable media are described herein for a virtual machine manager, wherein the virtual machine manager is configured to selectively employ different views with different permissions to map guest physical memory of a virtual machine of the apparatus to host physical memory of the apparatus, to regulate access to and protect different portions of an application of the virtual machine that resides in different portions of the physical memory. Other embodiments may be described and/or claimed.

