公开(公告)号：US10552638B2

公开(公告)日：2020-02-04

申请号：US14757948

申请日：2015-12-24

Applicant: Intel Corporation

Inventor： Ned M. Smith ,  Manohar R. Castelino ,  Harshawardhan Vipat

IPC: G06F21/62

Abstract: Systems, apparatuses and methods may provide for conducting a signature verification of a mandatory access control policy and provisioning the mandatory access control policy into kernel memory if the signature verification is successful. Additionally, the kernel memory may be protected from unauthorized write operations by one or more processes having system level privileges. In one example, the mandatory access control policy is provisioned without a system reboot.

公开(公告)号：US20170090963A1

公开(公告)日：2017-03-30

申请号：US14866187

申请日：2015-09-25

Applicant: Intel Corporation

Inventor： Jun Nakajima ,  Asit K. Mallick ,  Harshawardhan Vipat ,  Madhukar Tallam ,  Manohar R. Castelino

IPC: G06F9/455

CPC classification number: G06F9/45558 ,  G06F2009/45575 ,  G06F2009/45579 ,  G06F2009/45583

Abstract: Technologies for multi-level virtualization include a computing device having a processor that supports a root virtualization mode and a non-root virtualization mode. A non-root hypervisor determines whether it is executed under control of a root hypervisor, and if so, registers a callback handler and trigger conditions with the root hypervisor. The non-root hypervisor hosts one or more virtual machines. In response to a virtual machine exit, the root hypervisor determines whether a callback handler has been registered for the virtual machine exit reason and, if so, evaluates the trigger conditions associated with the callback handler. If the trigger conditions are satisfied, the root hypervisor invokes the callback handler. The callback handler may update a virtual virtualization support object based on changes made by the root hypervisor to a virtualization support object. The root hypervisor may invoke the callback handler in the non-root virtualization mode. Other embodiments are described and claimed.

公开(公告)号：US20160162698A1

公开(公告)日：2016-06-09

申请号：US15042838

申请日：2016-02-12

Applicant: Intel Corporation

Inventor： Harshawardhan Vipat ,  Ravi L. Sahita ,  Roshni Chatterjee ,  Madhukar Tallam

IPC: G06F21/62 ,  G06F21/56 ,  G06F21/53 ,  G06F9/455

CPC classification number: G06F21/629 ,  G06F9/45533 ,  G06F9/45558 ,  G06F12/145 ,  G06F21/44 ,  G06F21/53 ,  G06F21/566 ,  G06F21/6218 ,  G06F2009/45583 ,  G06F2009/45587 ,  G06F2212/151 ,  G06F2221/033

Abstract: Embodiments of apparatus, computer-implemented methods, systems, and computer-readable media are described herein for a virtual machine manager, wherein the virtual machine manager is configured to selectively employ different views with different permissions to map guest physical memory of a virtual machine of the apparatus to host physical memory of the apparatus, to regulate access to and protect different portions of an application of the virtual machine that resides in different portions of the physical memory. Other embodiments may be described and/or claimed.

公开(公告)号：US10073986B2

公开(公告)日：2018-09-11

申请号：US15042838

申请日：2016-02-12

Applicant: Intel Corporation

Inventor： Harshawardhan Vipat ,  Ravi L. Sahita ,  Roshni Chatterjee ,  Madhukar Tallam

IPC: G06F7/04 ,  G06F21/62 ,  G06F12/14 ,  G06F9/455 ,  G06F21/44 ,  G06F21/53 ,  G06F21/56

CPC classification number: G06F21/629 ,  G06F9/45533 ,  G06F9/45558 ,  G06F12/145 ,  G06F21/44 ,  G06F21/53 ,  G06F21/566 ,  G06F21/6218 ,  G06F2009/45583 ,  G06F2009/45587 ,  G06F2212/151 ,  G06F2221/033

Abstract: Embodiments of apparatus, computer-implemented methods, systems, and computer-readable media are described herein for a virtual machine manager, wherein the virtual machine manager is configured to selectively employ different views with different permissions to map guest physical memory of a virtual machine of the apparatus to host physical memory of the apparatus, to regulate access to and protect different portions of an application of the virtual machine that resides in different portions of the physical memory. Other embodiments may be described and/or claimed.

公开(公告)号：US20160308903A1

公开(公告)日：2016-10-20

申请号：US14998087

申请日：2015-12-24

Applicant: Intel Corporation

Inventor： Harshawardhan Vipat ,  Manohar R. Castelino ,  Barry E. Huntley ,  Kuo-Lang Tseng

IPC: H04L29/06

CPC classification number: G06F21/552 ,  G06F9/45541 ,  G06F9/45558 ,  G06F21/53 ,  G06F21/629 ,  G06F2009/45587

Abstract: Systems, apparatuses and methods may provide for detecting an attempt by an operating system (OS) to access a non-OS managed resource and injecting, in response to the attempt, an access event into a platform security component via a guest kernel associated with the OS. Additionally, a response to the attempt may be made based on a policy response from the platform security component. In one example, the attempt is detected with respect to one or more extended page table (EPT) permissions set by a security virtual machine monitor (SVMM). Moreover, injecting the access event into the platform security component may include invoking a previously registered policy callback.

Abstract translation: 系统，装置和方法可以提供用于检测操作系统（OS）尝试访问非OS管理的资源，并且响应于该尝试，通过与所述客户端内核相关联的访客内核将访问事件注入平台安全组件 操作系统。 此外，可以基于来自平台安全组件的策略响应来对尝试做出响应。 在一个示例中，针对由安全虚拟机监视器（SVMM）设置的一个或多个扩展页表（EPT）权限检测到该尝试。 此外，将访问事件注入到平台安全组件中可以包括调用先前注册的策略回调。

公开(公告)号：US20160203317A1

公开(公告)日：2016-07-14

申请号：US14924036

申请日：2015-10-27

Applicant: Intel Corporation

Inventor： Harshawardhan Vipat ,  Ravi L. Sahita

IPC: G06F21/56 ,  G06F9/455 ,  G06F21/55

CPC classification number: G06F21/56 ,  G06F9/45558 ,  G06F11/302 ,  G06F11/3093 ,  G06F21/44 ,  G06F21/554 ,  G06F2009/45587 ,  G06F2201/815 ,  G06F2201/865 ,  G06F2221/034

Abstract: A method and device for monitoring calls to an application program interface (API) function includes monitoring for a memory permission violation of a computing device caused by the API function call. If a memory permission violation occurs, control of the computing device is transferred to a virtual machine monitor to intervene prior to execution of the API function. The virtual machine monitor may perform one or more actions in response to the API function call.

Abstract translation: 用于监视对应用程序接口（API）功能的调用的方法和设备包括监视由API函数调用引起的对计算设备的存储器许可冲突。 如果发生存储器许可冲突，则在执行API功能之前，将计算设备的控制传送到虚拟机监视器进行干预。 虚拟机监视器可以响应于API函数调用执行一个或多个动作。

公开(公告)号：US20160335429A1

公开(公告)日：2016-11-17

申请号：US14757948

申请日：2015-12-24

Applicant: Intel Corporation

Inventor： Ned M. Smith ,  Manohar R. Castelino ,  Harshawardhan Vipat

IPC: G06F21/52 ,  G06F21/62

Abstract: Systems, apparatuses and methods may provide for conducting a signature verification of a mandatory access control policy and provisioning the mandatory access control policy into kernel memory if the signature verification is successful. Additionally, the kernel memory may be protected from unauthorized write operations by one or more processes having system level privileges. In one example, the mandatory access control policy is provisioned without a system reboot.

Abstract translation: 系统，装置和方法可以提供强制访问控制策略的签名验证，并且如果签名验证成功，则将强制访问控制策略提供给内核存储器。 此外，可以通过具有系统级特权的一个或多个进程来保护内核存储器免于未授权的写入操作。 在一个示例中，强制访问控制策略被配置，而不需要重新启动系统。

公开(公告)号：US09495540B2

公开(公告)日：2016-11-15

申请号：US14924036

申请日：2015-10-27

Applicant: Intel Corporation

Inventor： Harshawardhan Vipat ,  Ravi L. Sahita

IPC: G06F11/00 ,  G06F21/56 ,  G06F21/55 ,  G06F9/455

CPC classification number: G06F21/56 ,  G06F9/45558 ,  G06F11/302 ,  G06F11/3093 ,  G06F21/44 ,  G06F21/554 ,  G06F2009/45587 ,  G06F2201/815 ,  G06F2201/865 ,  G06F2221/034

Abstract: A method and device for monitoring calls to an application program interface (API) function includes monitoring for a memory permission violation of a computing device caused by the API function call. If a memory permission violation occurs, control of the computing device is transferred to a virtual machine monitor to intervene prior to execution of the API function. The virtual machine monitor may perform one or more actions in response to the API function call.

公开(公告)号：US20200250343A1

公开(公告)日：2020-08-06

申请号：US16728916

申请日：2019-12-27

Applicant: Intel Corporation

Inventor： Ned M. Smith ,  Manohar R. Castelino ,  Harshawardhan Vipat

IPC: G06F21/62 ,  G06F21/57

Abstract: Systems, apparatuses and methods may provide for conducting a signature verification of a mandatory access control policy and provisioning the mandatory access control policy into kernel memory if the signature verification is successful. Additionally, the kernel memory may be protected from unauthorized write operations by one or more processes having system level privileges. In one example, the mandatory access control policy is provisioned without a system reboot.

公开(公告)号：US10248786B2

公开(公告)日：2019-04-02

申请号：US14998087

申请日：2015-12-24

Applicant: Intel Corporation

Inventor： Harshawardhan Vipat ,  Manohar R. Castelino ,  Barry E. Huntley ,  Kuo-Lang Tseng

IPC: G06F21/55 ,  G06F21/53 ,  G06F21/62 ,  G06F9/455

Abstract: Systems, apparatuses and methods may provide for detecting an attempt by an operating system (OS) to access a non-OS managed resource and injecting, in response to the attempt, an access event into a platform security component via a guest kernel associated with the OS. Additionally, a response to the attempt may be made based on a policy response from the platform security component. In one example, the attempt is detected with respect to one or more extended page table (EPT) permissions set by a security virtual machine monitor (SVMM). Moreover, injecting the access event into the platform security component may include invoking a previously registered policy callback.