公开(公告)号：US09454676B2

公开(公告)日：2016-09-27

申请号：US14318215

申请日：2014-06-27

Applicant: Intel Corporation

Inventor： Harshawardhan Vipat ,  Manohar R. Castelino ,  Ravi L. Sahita ,  Sergio Rodriguez ,  Vikas Gupta

IPC: G06F11/00 ,  G06F12/14 ,  G06F12/16 ,  G08B23/00 ,  G06F21/79 ,  G06F21/62

CPC classification number: G06F21/79 ,  G06F21/62

Abstract: Technologies for monitoring system API calls include a computing device with hardware virtualization support. The computing device establishes a default memory view and a security memory view to define physical memory maps and permissions. The computing device executes an application in the default memory view and executes a default inline hook in response to a call to an API function. The default inline hook switches to the security memory view using hardware support without causing a virtual machine exit. The security inline hook calls a security callback function to validate the API function call in the security memory view. Hook-skipping attacks may be prevented by padding the default inline hook with no-operation instructions, by designating memory pages of the API function as non-executable in the default memory view, or by designating memory pages of the application as non-executable in the security memory view. Other embodiments are described and claimed.

Abstract translation: 用于监视系统API调用的技术包括具有硬件虚拟化支持的计算设备。 计算设备建立默认内存视图和安全内存视图来定义物理内存映射和权限。 计算设备在默认存储器视图中执行应用程序，并响应于对API函数的调用执行默认内联钩子。 默认内联挂钩将使用硬件支持切换到安全内存视图，而不会导致虚拟机退出。 安全内联钩调用安全回调函数来验证安全内存视图中的API函数调用。 通过将默认内存视图中的不可执行的API函数的内存页指定为不可执行的内存页，或者通过将应用程序的内存页指定为不可执行的方式，可以通过使用无操作指令填充默认内联钩来防止跳钩攻击 安全内存视图。 描述和要求保护其他实施例。