WO2012134584A1 - Method and apparatus for transparently instrumenting an application program - Google Patents
Method and apparatus for transparently instrumenting an application program Download PDFInfo
- Publication number
- WO2012134584A1 WO2012134584A1 PCT/US2011/067796 US2011067796W WO2012134584A1 WO 2012134584 A1 WO2012134584 A1 WO 2012134584A1 US 2011067796 W US2011067796 W US 2011067796W WO 2012134584 A1 WO2012134584 A1 WO 2012134584A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- application program
- physical address
- host physical
- memory
- read
- Prior art date
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
- G06F21/54—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by adding security routines or objects to programs
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/36—Preventing errors by testing or debugging software
- G06F11/362—Software debugging
- G06F11/3644—Software debugging by instrumenting at runtime
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
Definitions
- Figure 1 illustrates one exemplary embodiment of a system consistent with the present disclosure
- the VMM 120 utilizes the extended page tables 132a, 132b, ..., 132k to provide address translation from guest physical memory 130 to host physical memory 104.
- the Permissions Manager 134 may be configured to update the copy of the target executable stored at a host physical address hpa2 with instrumented executable code as described herein.
- the instrumentation may be configured to transfer control from the instrumented target application program to an anti-malware component, as described herein.
- the VMM may be configured to load the EPTP corresponding to the first extended page table into the EPTP register at operation 720. Program flow may then proceed to operation 750. If the page fault is an execute fault, the VMM may be configured to load the EPTP corresponding to the second extended page table into the EPTP register at operation 730. Program flow may then proceed to operation 750.
- the method may include storing at least a portion of an executable application program in a host system physical memory at a first host physical address; instrumenting a copy of the portion of the executable application program and storing the instrumented copy in the host system physical memory at a second host physical address; setting a corresponding access permission to read only for the first host physical address and setting a corresponding access permission to execute only for the second host physical address; and executing the instrumented copy or reading the portion of the executable application program based, at least in part, on the access permissions.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Memory System Of A Hierarchy Structure (AREA)
- Storage Device Security (AREA)
Abstract
Generally, this disclosure describes systems and methods for transparently instrumenting a computer process. The systems and methods are configured to allow instrumenting executable code while permitting legacy memory scanning tools to monitor corresponding uninstrumented executable code stored in memory.
Description
METHOD AND APPARATUS FOR TRANSPARENTLY INSTRUMENTING AN APPLICATION PROGRAM
FIELD
The disclosure relates to instrumenting an application program, more particularly to transparently instrumenting the application program.
BACKGROUND
Many electronic devices include processors configured to execute one or more application programs. Electronic devices include, but are not limited to, computers (e.g., desktop, portable, laptops, tablet, handhelds, etc.) and smart phones. Such electronic devices may be connected to other electronic devices (both known and unknown) via a network and are susceptible to a number of security threats. Security threats may include, for example, malicious programs ("malware"), exposure of personal information and/or exposure of critical information. Malware may include virus applications, email viruses, spyware, applications configured to disable anti-virus applications and/or applications configured to mimic a web site, e.g., banking web sites, in order to capture a user's password.
Anti-malware software and/or hardware components (also referred to as an anti- malware engine) have been developed to fight against malware. Anti-malware components are typically configured to detect malware and to take action in response to detecting malware. Such actions include, but are not limited to disabling the malware, disabling the electronic device, alerting a supervisor program and/or alerting a user. For example, an anti-malware component such as an anti-virus component or a host intrusion prevention component may be configured to "instrument" an operating system (OS) kernel at certain points in order to monitor actions of an untrusted application program. The anti- malware component may then be configured to determine whether an untrusted application program is violating any rules of the anti-malware component. Such rule violations are configured to indicate that the untrusted application program is in fact malware.
BRIEF DESCRIPTION OF THE DRAWINGS
Features and advantages of embodiments of the claimed subject matter will become apparent as the following Detailed Description proceeds, and upon reference to the Drawings, wherein like numerals depict like parts, and in which:
Figure 1 illustrates one exemplary embodiment of a system consistent with the present disclosure;
Figure 2 illustrates addressing between a guest page table and an extended page table consistent with the present disclosure;
Figures 3A and 3B illustrate examples of extended page table entries consistent with the present disclosure;
Figure 4 illustrates a flowchart of exemplary initialization operations consistent with the present disclosure;
Figure 5 illustrates a flowchart of exemplary operations for using a hypervisor to manage access to two versions of target executable code consistent with the present disclosure;
Figure 6 illustrates another flowchart of exemplary operations for managing access to two versions of target executable code without invoking the hypervisor consistent with the present disclosure; and
Figure 7 illustrates another flowchart of exemplary operations for using the hypervisor to manage access to two versions of target executable code consistent with the present disclosure.
Although the following Detailed Description will proceed with reference being made to illustrative embodiments, many alternatives, modifications, and variations thereof will be apparent to those skilled in the art. Accordingly, it is intended that the claimed subject matter be viewed broadly, and be defined only as set forth in the accompanying claims.
DETAILED DESCRIPTION
A method and apparatus consistent with the present disclosure are configured to allow instrumenting an application program whether or not the application program is itself configured for instrumenting. The instrumenting is configured to be transparent to a memory scanner so that the memory scanner may continue to operate properly in the presence of the instrumenting. The memory scanner may read physical memory addresses corresponding to the application program independent of any instrumenting that may be present.
"Instrumenting" corresponds to an ability to introduce new behavior into an existing program in order to monitor the program's behavior, e.g., for security, debugging, performance and/or testing. Anti-malware components may use instrumenting techniques to detect and prevent potential malicious activity in a program. Code interposition is one
instrumenting technique and includes binary patching. Binary patching includes an executable code modification method where the modifications are configured to allow an anti-malware component to monitor the existing program's behavior. For example, the binary patch may be configured to transfer control from the instrumented application program to the anti-malware component during program execution. The anti-malware program may then review the context in which the instrumented application program was called. "Executable code" corresponds to the executable application program or a portion of the executable application program.
Another instrumenting technique utilizes callback APIs (application programming interfaces) in order to instrument an existing application program. A callback is a reference to executable code or a piece of executable code that is passed as an argument to other executable code. For example, a callback may include passing a function pointer as an argument. An application programming interface is a set of functions and data structure definitions that one application program may use to access and use services and resources of another application program that implements the API. When callback APIs are utilized for instrumenting an existing application program, the existing application program provides the callback APIs. However, not all existing application programs provide callback APIs and those that do may not provide an opportunity to instrument all desired control points. This may interfere with an ability to instrument an existing application program.
An anti-malware component, for example, may initiate binary instrumentation configured to modify or overwrite an instruction sequence of the executable code associated with a target application program or module. Upon execution of the
instrumented application program, the modified instruction sequence is configured to cause execution control to transfer to an anti-malware component. The anti-malware component may then review the context in which the application program was called. The anti-malware component may then determine whether the context in which the application program was called violates any rules that may indicate that the application program has been corrupted by malicious software.
Instrumenting techniques that modify the executable code may interfere with the operation of memory scanners such as legacy in-memory virus scanners. Memory scanners may include hardware or software components that are configured to read physical memory and perform comparison of the contents of the physical memory with a predefined reference. For example, memory scanners may be used to detect virus
programs that may be resident in physical memory. Instrumented executable code may be classified as malware by the memory scanner since the instrumented executable code differs from the original executable and the memory scanner is unlikely to have visibility to the instrumenting.
The method and apparatus consistent with the present disclosure are configured to store two versions of at least a portion of a target application program in host system physical memory. One version includes the original uninstrumented target application program executable code and the other version includes an instrumented copy of the target application program executable code. The versions of the code may be stored at blocks of memory referred to as pages. Each page may have an associated address and the page size may be fixed or variable. Access permissions may be set to read only for the host physical address of the uninstrumented target application program executable code pages and may be set to execute only for the instrumented target application program executable code pages. The instrumented target application program may be executed and/or the uninstrumented target application may be read based on, at least in part, the access permissions. Various methods may be used to manage access to the two versions of the target executable code, as will be described in greater detail below.
In a first embodiment, an extended page table associated with a virtual machine monitor (VMM) may be used to control access to one of the two versions depending on whether the target application program or the memory scanning tool is being executed. A guest physical address may be configured to point to either the original version or the instrumented version. Each entry in the extended page table includes a host physical address associated with a code page in the host physical memory as well as a permission field. The permissions include read (R), write (W) and execute (X) and any combination thereof. For example, the permissions may be restricted to read only (RO) or execute only (XO). The permissions are typically used to control access to the pages in the physical memory. In this embodiment, these permissions and a page fault functionality associated with the VMM may be utilized to ensure that the instrumented application program is executed and a memory scanner reads the original application program.
In other embodiments, two extended page tables may be implemented. A first extended page table is configured to point to the original, uninstrumented target executable code stored in host physical memory (permissions set to read-only) and a second extended page table is configured to point to the instrumented copy of the target executable code stored in host physical memory (permissions set to execute -only). In a second
embodiment, for example, the memory scanning tools may be instrumented with one or more instructions configured to select the appropriate extended page table to ensure that the instrumented application program is executed and a memory scanner reads the original application program without using page fault functionality. In a third embodiment, two extended page tables may be implemented, and a page fault functionality associated with a VMM may be utilized to ensure that the instrumented application program is executed and a memory scanner reads the original application program.
The first embodiment may use the VMM (also referred to as a hypervisor) to ensure the appropriate version of the target executable code is accessed while the second embodiment is configured to instrument the memory scanning tools and use the extended page tables, without invoking the VMM, to ensure the memory scanning tools read the uninstrumented version of the target executable code. The third embodiment may use the VMM and a plurality of extended page tables to ensure the memory scanning tools read the uninstrumented version of the target code. Advantageously, any point(s) in any application program may be instrumented and legacy memory scanners may safely scan physical memory without returning a false mismatch between the scanned code pages in host physical memory and their predefined reference.
System Architecture
Figure 1 illustrates one exemplary embodiment of a system 100 consistent with the present disclosure. The system 100 generally includes processor CPU 102 and system memory, e.g., host physical memory 104. The system 100 may include a memory management unit MMU 106 and secondary storage, e.g., disk(s) 108. The MMU 106 may be configured to manage memory access requests from CPU 102 to memory 104 and/or secondary storage.
The system 100 is configured to support virtualization of its resources, including the CPU 102 and host physical memory 104. As is known, virtualization allows sharing of system resources by multiple processes. A supervising process, e.g., a virtual machine monitor (VMM) may manage the sharing and act as an interface between one or more virtual machines (VMs) and the host resources, e.g., CPU 102 and memory 104.
Accordingly, the VMM has access to and control of system 100 while each VM has access to resources via the VMM and shares the resources with other VMs. Each VM is typically unaware that the resources are shared.
The CPU 102 may include a plurality of modes of operation that may be used to support virtualization. For example, the CPU 102 may include a privileged mode (VMx
root) 110 and a non-privileged mode (VMx nonroot) 112. A VMM 120 may use the privileged mode 110 and VMs 122a, 122b, ..., 122n may use the non-privileged mode 112. For example, a plurality of VMs 122a, 122b, ..., 122n may execute on a plurality of virtual CPUs 103a, 103b, ..., 103n in the VMx non-root mode 112. Because of virtualization, execution of some instructions by a VM (i.e., VMx non-root mode) and certain events may cause control to transfer to the supervisor or VMM (i.e., Vmxroot mode), e.g., page faults, as described herein.
Host physical memory 104 is configured to store the VMM 120 and one or more VMs 122a, 122b,..., 122n, generically VM 122. The VMM 120 may include one or more extended page table(s) 132a, 132b, ..., 132k and a permissions manager 134, as described herein. Each extended page table 132a, 132b, ..., 132k may have a corresponding extended page table base pointer (EPTP) corresponding to a base address of the respective extended page table. The VMM 120 may include an EPTP register 150 configured to store the EPTP associated with a selected extended page table (corresponding to a guest page table).
For ease of explanation, a VM is described herein. As will be understood by those skilled in the art, the description may be applied to any one or more of the plurality of VMs 122a, 122b,..., 122n in system 100. VM 122 may include a guest operating system (OS) 124 and one or more application programs 126a, 126b,..., 126m, generically 126.
In a non-virtualized system, an operating system typically manages the system physical memory and sharing of the physical memory by a plurality of application programs that may utilize the system physical memory. Each application program may be configured to utilize a "linear address space" that is the application program's view of its memory space. The linear address space may be divided into blocks, i.e., code pages, corresponding to some number of bytes of executable code. The size of the code pages may vary or may be fixed. The application program is typically ignorant of the placement of the code pages in physical memory. This allows the application program to be compiled without consideration of the actual physical addresses associated with its code pages and allows the OS to place the code pages in physical memory in a manner that best utilizes the host physical memory. The OS manages placing pages in physical memory and further manages translation, i.e., mapping, linear address space addresses to physical memory addresses. The mapping is implemented using page tables where, typically, the linear address is a pointer (index) into the page table and each page table entry includes the address in physical memory (physical address) corresponding to the associated linear
address. Each application program may have an associated page table and the OS is configured to manage the page table and placement of each executable code page of the executing application programs into the physical memory.
In a virtualized system, each guest OS may manage only a respective guest physical memory 130a, 130b,...,130n, generically 130. In the virtualized system, each guest physical memory corresponds to host virtual memory. In other words, the memory addresses used by the guest OS may point to addresses in memory but these addresses may not be actual host physical addresses. The VMM 120 manages the actual (host) physical memory 104 and the translation from guest physical memory 130 (host virtual memory) to host physical memory 104. In other words, from the view of a VM and its associated guest OS, the VM is managing guest physical memory and translation of application linear addresses to guest physical memory addresses. From the view of the VMM, the VMM is managing the actual physical memory (host physical memory 104) and translation from guest physical memory 130a (host virtual memory) to host physical memory 104.
In the system 100, each VM 122a, 122b, ..., 122n may then include a number of page tables 128a, 128b, 128m, generically 128, where each page table 128a, 128b, 128m is associated with a respective application program 126a, 126b, ..., 126m. The page tables 128a, 128b, ..., 128m are managed by the guest OS (e.g., guest OS 124) and are configured to provide address translation (mapping) from the application linear address space to the guest physical memory. The VMM 120 is configured to translate the guest physical address to a host physical memory address.
The VMM 120 utilizes the extended page tables 132a, 132b, ..., 132k to provide address translation from guest physical memory 130 to host physical memory 104.
Similar to the VM page tables, the guest physical address may act as a pointer (index) into an extended page table 132a, 132b, ..., 132k and each extended page table entry may include the corresponding host physical address. In this manner, address mapping between application linear addresses and guest physical memory addresses is separated from mapping between guest physical addresses and host physical addresses.
Figure 2 illustrates address mapping from an application linear address space to a corresponding host physical memory address. An application linear address may index into an associated page table 202 whose entries correspond to guest physical memory addresses. This page table 202 may be managed by an associated guest OS. The guest physical memory address pointed to by the application linear address may then index into an extended page table 204, managed by a permissions manager (e.g., Permissions
Manager 134 in Figure 1). The entries in the extended page table 204 may correspond to host physical memory addresses. In this manner, an application linear address may have a corresponding host physical address where the guest OS manages mapping only to a guest physical address and a VMM manages mapping from the guest physical address to the host physical address.
Each extended page table entry may further include a permissions field identifying permissions (e.g., read, execute and/or write), which may be managed by Permissions Manager 134. Permissions are associated with code pages in physical memory and are configured to control access (e.g., by type of access) to the code pages in physical memory. For example, if an application attempts to read a code page that has permission set to execute only, a read page fault is generated. In another example, if an application attempts to execute a code page that has permission set to read only, an execute page fault is generated. A page fault may cause control to be transferred from the VM and associated guest OS to the VMM 120 and/or the Permissions Manager 134. Page faults may be utilized as described herein to support transparent instrumenting of an application program while allowing operation of a memory scanner.
Referring back to Figure 1, VM 122a includes guest OS 124 and may include instrumentation driver 140 and memory scanning tools 142. Instrumentation driver 140 is configured to instrument a target application program (e.g., application program 126a) by modifying the target application program's executable code, for example, in response to operation of an anti-malware component. The memory scanning tools 142 are configured to scan guest physical memory, read code pages and to compare read code pages with a predetermined reference, as described herein. In one example application, the target application program is instrumented (e.g., by an anti-malware component) for the purpose of detecting malicious programs and the memory scanning is performed for the purpose of detecting malicious programs.
A method consistent with the present disclosure is configured to utilize the extended page table(s) to control access to an instrumented target application program's executable code or to the target application program's original uninstrumented executable code. In one embodiment, one extended page table may be utilized and access may be controlled using the VMM (and Permissions Manager) and associated page fault functionality, as described herein. In another embodiment, the memory scanning tools may be instrumented with one or more instructions configured to select between a first extended page table associated with the target application program's original
uninstrumented executable code and a second extended page table associated with the instrumented target application program's executable code, as described herein. In a third embodiment, a plurality of extended page tables may be utilized and access may be controlled using the VMM (and Permissions Manager) and associated page fault functionality.
Two versions of the target application executable code may be stored in host physical memory as described herein. When the extended page table entry pointed to by a guest physical address corresponds to the host physical address of the instrumented executable code, the permissions may be set to execute only. When the extended page table entry pointed to by the guest physical address corresponds to the host physical address of the original uninstrumented executable code, the permissions may be set to read only. The guest physical address may be provided by guest OS 124. The guest OS 124 may be unaware that the two versions of the target application executable code pages may be present in host physical memory. Thus, whether the guest physical address ultimately points to the original uninstrumented target executable code pages or to the instrumented target executable code pages depends on the selected extended page table and/or the contents of the extended page table entry that corresponds to the guest physical address.
Figures 3A and 3B illustrate examples of extended page table entries consistent with the present disclosure. In some embodiments, the extended page tables 132a and 132b may be the same extended page table (with different entries at different times). In other embodiments, the extended page tables 132a, 132b may be two different extended page tables (that may both exist at the same time), as described herein. In both Figures 3A and 3B, a guest physical address indexes into the extended page table(s) 132a and 132b and points to a page table entry 302a or 302b. In the extended page table 132a of Figure 3 A, the contents of the page table entry 302a correspond to the address hpal of the original uninstrumented target application program executable code page 312 in host physical memory 104, with permission set to read only (RO). In the extended page table 132b of Figure 3B, the contents of the page table entry 302b correspond to the address hpa2 of the instrumented target application program executable code page 310 in host physical memory 104, with permission set to execute only (XO).
For example, if memory scanning tools attempt to read the executable code corresponding to the guest physical address and if the extended page table entry, e.g., extended page table entry 302a, corresponds to the original uninstrumented executable code (i.e., hpal), the original uninstrumented executable code may be read without a page
fault being generated. On the other hand, if the extended page table entry, e.g., extended page table entry 302b, corresponds to the instrumented executable code (i.e., hpa2), a read page fault may be generated.
In this embodiment, the VMM and Permissions Manager are configured to manage the extended page table and may change the contents of the extended page table entry 302a, 302b in response to a page fault. For example, if a read page fault is generated, the Permissions Manager may update the extended page table entry associated with the fault to correspond to the host physical address of the original uninstrumented code page (i.e., hpal), set the permissions to read only and return control to the VM that includes the memory scanning tools. The memory scanning tools may then read the original executable code stored at hpal in host physical memory 104.
In another embodiment, the memory scanning tools may be instrumented with an instruction configured to select the appropriate extended page table, e.g., extended page table 132a or 132b. For example, a first instruction may be configured to load the EPTP of the first extended page table 132a into the EPTP register prior to a read instruction of the memory scanning tools 142 (e.g., when the memory scanning tools begin executing and/or just prior to execution of the read instruction). Continuing with this example, the first instruction may correspond to an instruction to switch the contents of the EPTP register to a first EPTP corresponding to a first index. The first index may index into a table created by the VMM that includes a list of valid EPTPs. The effect of the first instruction is to load the EPTP (e.g., EPTP of the first extended page table 132a) that corresponds to the first index into the EPTP register. When the instrumented scanning tools 142 then attempt to read the contents of host physical memory corresponding to guest physical address gpa, the guest physical address may index into the first extended page table 132a that corresponds to the target application original executable code with permissions set to read only.
In this embodiment, a second instruction may be configured to load the EPTP of the second extended page table 132b into the EPTP register after the read operation (e.g., when the memory scanning tools complete and/or just after the read operation executes). Continuing with this example, the second instruction may correspond to an instruction to switch the contents of the EPTP register 150 to a second EPTP corresponding to a second index. The second index may index into the table created by the VMM that includes the list of valid EPTPs. The effect of the second instruction is to load the EPTP (e.g., EPTP of the second extended page table 132a) that corresponds to the second index into the EPTP
register. If the target application is then executed, the guest physical address may index into the second extended page table 132b and the instrumented target application executable code may execute. This embodiment may be relatively more efficient compared to the first embodiment because it is not configured to invoke the VMM or hypervisor in order to switch between the original and instrumented copy target application executable code pages.
In a third embodiment, the VMM and permission manager are configured to manage a plurality of extended page tables and may change the EPTP register to select the appropriate extended page table 132a or 132b in response to a page fault. This
embodiment may be relatively more efficient compared to the first embodiment as it potentially reduces the amount of page faults and VMM invocations when the memory scanner launches. Also it may be performed without instrumenting the memory scanning code.
Exemplary Methodology
Figure 4 illustrates a flow chart 400 of exemplary operations for initializing transparent instrumentation of a target application program consistent with the present disclosure. The operations illustrated in this embodiment may be performed by circuitry and/or software modules associated with system 100 (e.g., CPU 102). Program flow may begin at operation 405. Operation 405 includes identifying a linear address of an executable code page of a target application program that is to be instrumented, for example, using the instrumentation driver 140. For ease of description, a single code page is referenced below; although one or more executable code pages of the target application may be identified and the operations described may apply to multiple code pages. A guest physical memory address (gpa) corresponding to the identified linear address may be identified at operation 410. The instrumentation driver 140 may interface with the Permissions Manager 134 to identify the address (gpa) of the guest physical page corresponding to the identified application linear address. For example, the
instrumentation driver 140 may read the page table (guest) to determine the guest physical address corresponding to the identified application linear address. The instrumentation driver 140 may then provide the guest physical address to the Permissions Manager 134.
Operation 415 may include modifying an extended page table entry corresponding to the guest physical address (gpa) of the target application executable code page so that the permissions are read-only (in a first extended page table). For example, the
Permissions Manager 134 may be configured to edit the extended page table entry that
maps the guest physical address to the host physical memory address (hpal) that corresponds to the target executable code page to be instrumented to set the associated permissions to read-only.
The target executable code page may then be copied from the host physical memory address (hpal) to another host physical memory address (hpa2) at operation 420. After operation 420, an original target executable code page may exist in host physical memory at address hpal and the copy of the target executable code page may exist in host physical memory at address hpa2. The copy of the target executable code page may be located in host physical memory accessible only to the VMM 120.
The copy of the target executable code page may be instrumented at operation 425.
The Permissions Manager 134 may be configured to update the copy of the target executable stored at a host physical address hpa2 with instrumented executable code as described herein. For example, the instrumentation may be configured to transfer control from the instrumented target application program to an anti-malware component, as described herein.
At operation 430, the extended page table entry corresponding to the guest physical address (gpa) of the target executable code page may be updated to point to the host physical address (hpa2) of the instrumented copy of the target executable code page (in the first extended page table). The permissions associated with this extended page table entry (pointing to the instrumented copy of the target executable code page) may be set to execute only (i.e., no read, no write) at operation 435 (in the first extended page table).
At operation 440, the memory scanning tools may be instrumented by adding instruction(s) to the memory scanning tool executable code. The instruction(s) are configured to select an appropriate extended page table, as described herein. For example, the instruction(s) may include request(s) to switch an EPTP index to a first EPTP index or a second EPTP index that index into a table of valid EPTPs. Operation 445 may include generating a second extended page table corresponding to the instrumented copy of the target executable code (with permission set to execute only). An EPTP register may be loaded with a pointer to the second extended page table corresponding to the instrumented copy of the target executable code page at operation 450.
The instrumentation driver 140, for example, may be configured to interface with the Permissions Manager 134 to initialize a plurality of extended page tables (each with an associated EPTP) and to instrument the memory scanning tools 142 with an instruction configured to select an appropriate extended page table from the plurality of extended
page tables 132a, 132b, ..., 132k. For example, the selecting may include loading the appropriate EPTP into the EPTP register 150 (see Figure 1). In other embodiments, the instrumentation driver may be configured to interface with the Permission Manager 134 to initialize a plurality of extended page tables (each with an associated EPTP) but choose not to instrument the memory scanning tools, and continue to utilize page faults to select an appropriate extended page table from the plurality of extended page tables 132a, 132b,....132k.
Depending on the desired functionality, all or fewer than all of the operations of flow chart 400 may be performed. Operation 405 through operation 425 may typically be performed in all implementations. For example, operations 430 and 435 may be performed and operations 440, 445 and 450 may not be performed. In another example, operations 440, 445 and 450 may be performed and operations 430 and 435 may not be performed. In yet another example, operations 430, 435, 445 and 450 may be performed and operation 440 may not be performed. In this manner, access to the two versions of the target executable code pages may be managed using the VMM and page fault functionality and/or by instructions in the instrumented memory scanning tools using two extended page tables.
Thus, at the end of these initialization operations, the original, uninstrumented target code page may exist in host physical memory at address hpal . The instrumented copy of the target code page may exist in the host physical memory at address hpa2. The extended page table entry corresponding to guest physical address gpa of the target application executable code page may contain host physical memory address hpa2 (i.e., instrumented executable code page) and the permissions may be set to execute only (XO).
When the target application (e.g., application 126a) is executed, the instrumented copy of the code page (at host physical memory address hpa2) is configured to execute based on the extended page table entry. If the memory scanning tools 142 are launched (e.g., by OS 124), and the memory scanning tools 142 attempt to read the code page at guest physical address gpa (that points to the host physical address hpa2 of the
instrumented copy of the executable code page), then a read fault may be generated since the permission for hpa2 is set to execute only. A read fault may transfer control to a supervisor (e.g., the VMM 120 and the Permissions Manager 134). The Permissions Manager 134 may be configured to update the extended page table entry pointed to by guest physical address gpa from host physical address hpa2 (i.e., instrumented target code page) to host physical address hpal (i.e., original, uninstrumented target code page). The
Permissions Manager 134 may be further configured to set the associated permission to read only (i.e., no execute, no write). Control may then return to the VM 122a and the memory scanning tools 142. The memory scanning tools 142 may then read the host physical memory address hpaland the original target executable code page. In this manner, utilizing the extended page table and the associated page fault functionality, instrumented target code pages may be executed and original target code pages may be read.
Figure 5 illustrates an exemplary flow chart 500 of operations consistent with the present disclosure. It is assumed that at least some of the operations of flow chart 400 have been performed prior to the operations of flow chart 500. In particular, it is assumed that at least operations 405-425 and operations 430 and 435 have been performed. Flow may begin at operation 505. Operation 505 includes launching an instrumented application program and/or launching memory scanning tools. The instrumented application program and/or memory scanning tools may be launched by OS 124. A page table fault may be generated at operation 510. For example, if the memory scanning tools attempt to read instrumented application program code pages or the OS attempts to execute the uninstrumented application program code pages, a page fault may be generated.
A type of page fault may be determined at operation 515. For example, the page fault may be a read fault or an execute fault. A read fault may be generated if the scanning tools attempt to read the instrumented application program executable code pages (whose permissions are set to execute only in the extended page table). An execute fault may be generated if the guest OS attempts to execute the original uninstrumented application program executable code pages (whose permissions are set to read only in the extended page table).
If the page fault is a read fault, the page table entry in the extended page table may be replaced with the host physical address of the executable code pages of the original uninstrumented application program (hpal) at operation 520. The permissions associated with this updated extended page table entry may then be set to read only at operation 525. Program flow may then proceed to operation 540.
If the page fault is an execute fault, the page table entry in the extended page table may be replaced with the host physical address of the executable code pages of the instrumented application program (hpa2) at operation 530. The permissions associated
with this updated extended page table entry may then be set to execute only at operation 535. Program flow may then proceed to operation 540.
Operation 540 may include invalidating mapping in a translation lookaside buffer (TLB) for executable code page(s) affected by operations 520 and 525 or operations 530 and 535. As will be understood by those skilled in the art, a TLB corresponds to a cache for a page table (e.g., extended page table) that is configured to increase the speed of address translations (mapping). Recently used mappings may be stored in the TLB, similar to cache memory. Mappings in the TLB are invalidated in response to changing the mapping in the extended page table.
Operation 545 may include resuming the program (e.g., instrumented application program or memory scanning tools) that initiated the page fault. If the program that initiated the page fault was the memory scanning tools, then the memory scanning may resume. The original uninstrumented application program executable code pages may then be read from host physical memory. If the program that initiated the page fault was the OS launching the instrumented application program, then the instrumented application program may be executed. During execution, the instrumented application program may be configured to transfer control to an anti-malware component that monitors operation of the application program as will be understood by those skilled in the art.
Figure 6 illustrates an exemplary flow chart 600 of operations consistent with the present disclosure. It is assumed that at least some of the operations of flow chart 400 have been performed prior to the operations of flow chart 600. In particular, it is assumed that at least operations 405-425 and operations 440, 445 and 450 have been performed. Flow may begin at operation 605. Operation 605 may include launching (instrumented) memory scanning tools. The instrumented memory scanning tools may be launched by OS 124.
A first instruction may be executed at operation 610. The first instruction is associated with instrumenting the memory scanning tools, as described herein. The first instruction is configured to select a first extended page table corresponding to an uninstrumented target executable code page. For example, the first instruction may include a request to switch an index in a table of valid EPTPs and may cause the EPTP corresponding to the first extended page table to be loaded into the EPTP register. As a result, the EPTP register may include the EPTP of the first extended page table, corresponding to an uninstrumented target executable code page. Operation 615 may include scanning host physical memory locations by the memory scanning tools. The
original uninstrumented target executable code pages may then be read from host physical memory. A second instruction may be executed at operation 620. The second instruction is associated with instrumenting the memory scanning tools, as described herein. The second instruction is configured to select a second extended page table corresponding to an instrumented target executable code page. For example, the second instruction may include a request to switch an index in a table of valid EPTPs and may cause the EPTP corresponding to the second extended page table to be loaded into the EPTP register. As a result, the EPTP register may include the EPTP of the second extended page table, corresponding to an instrumented target executable code page. Control may then return at operation 625. For example, program flow may return to an OS that launched the memory scanning tools.
Figure 7 illustrates an exemplary flow chart 700 of operations consistent with the present disclosure. It is assumed that at least some of the operations of flow chart 400 have been performed prior to the operations of flow chart 700. In particular, it is assumed that at least operations 405-425 and operations 445 and 450 have been performed. Flow may begin at operation 705. Operation 705 includes launching an instrumented application program and/or launching memory scanning tools. The instrumented application program and/or memory scanning tools may be launched by OS 124. A page table fault may be generated at operation 710. For example, if the memory scanning tools attempt to read instrumented application program code pages or the OS attempts to execute the uninstrumented application program code pages, a page fault may be generated.
A type of page fault may be determined at operation 715. For example, the page fault may be a read fault or an execute fault. A read fault may be generated if the scanning tools attempt to read the instrumented application program executable code pages (whose permissions are set to execute only in the extended page table). An execute fault may be generated if the guest OS attempts to execute the original uninstrumented application program executable code pages (whose permissions are set to read only in the extended page table).
If the page fault is a read fault, the VMM may be configured to load the EPTP corresponding to the first extended page table into the EPTP register at operation 720. Program flow may then proceed to operation 750.
If the page fault is an execute fault, the VMM may be configured to load the EPTP corresponding to the second extended page table into the EPTP register at operation 730. Program flow may then proceed to operation 750.
Operation 750 may include resuming the program (e.g., instrumented application program or memory scanning tools) that initiated the page fault. If the program that initiated the page fault was the memory scanning tools, then the memory scanning may resume. The original uninstrumented application program executable code pages may then be read from host physical memory. If the program that initiated the page fault was the OS launching the instrumented application program, then the instrumented application program may be executed. During execution, the instrumented application program may be configured to transfer control to an anti-malware component that monitors operation of the application program as will be understood by those skilled in the art.
A method and apparatus consistent with the present disclosure are configured to allow instrumenting an application program whether or not the application program is itself configured for instrumenting. The instrumenting is configured to be transparent to a memory scanner and may continue to operate properly in the presence of the
instrumenting. Two versions of a target application program may be stored in host system physical memory. One version is the original uninstrumented target application program's executable code pages while the other version is an instrumented copy of the target application program's executable code pages.
Extended page table(s) associated with a virtual machine monitor may be used to control access to one of the two versions depending on whether the target application program or the memory scanning tool is being executed. The guest physical address may point to either the original version or the instrumented version depending on the contents of page table entry pointed to by the guest physical address. Each entry in the extended page table(s) includes a host physical address associated with a code page in the host physical memory as well as a permission field.
In one example, the permissions and a page fault functionality associated with a VMM may be used to ensure that the instrumented application program is executed and a memory scanner reads the original application program. In another example, two extended page tables may be implemented. A first extended page table is configured to point to the original, uninstrumented target executable code stored in host physical memory (permissions set to read-only) and a second extended page table is configured to point to the instrumented copy of the target executable code stored in host physical
memory (permissions set to execute-only). In this example, the memory scanning tools may be instrumented with one or more instructions configured to select the appropriate extended page table to ensure that the instrumented application program is executed and a memory scanner reads the original application program without using page fault functionality. Advantageously, any point(s) in any application program may be instrumented and legacy memory scanners may safely scan physical memory without returning a false mismatch between the scanned code pages in host physical memory and their predefined reference.
While the foregoing is provided as exemplary system architectures and
methodologies, modifications to the present disclosure are possible. For example, operating system 124 may be configured to manage system resources and control tasks that are run on system 100. For example, OS 124 may be implemented using Microsoft Windows, HP-UX, Linux, or UNIX, although other operating systems may be used. OS 124 shown in FIG. 1 may run in a virtual machine under a virtual machine monitor which may provide a layer of abstraction for underlying hardware to various virtual machines and operating systems running on one or more processors.
Other modifications are possible. For example, memory 104 may include one or more of the following types of memory: semiconductor firmware memory, programmable memory, non-volatile memory, read only memory, electrically programmable memory, random access memory, flash memory, magnetic disk memory, and/or optical disk memory. Either additionally or alternatively, memory 104 may include other and/or later- developed types of computer-readable memory.
Embodiments of the methods described herein may be implemented in a system that includes one or more storage mediums having stored thereon, individually or in combination, instructions that when executed by one or more processors perform the methods. Here, the processor may include, for example, a system CPU (e.g., CPU 102 of Fig. 1). The storage medium may include any type of tangible medium, for example, any type of disk including floppy disks, optical disks, compact disk read-only memories (CD- ROMs), compact disk rewritables (CD-RWs), and magneto -optical disks, semiconductor devices such as read-only memories (ROMs), random access memories (RAMs) such as dynamic and static RAMs, erasable programmable read-only memories (EPROMs), electrically erasable programmable read-only memories (EEPROMs), flash memories, magnetic or optical cards, or any type of media suitable for storing electronic instructions.
"Circuitry", as used in any embodiment herein, may comprise, for example, singly or in any combination, hardwired circuitry, programmable circuitry, state machine circuitry, and/or firmware that stores instructions executed by programmable circuitry.
According to one aspect there is disclosed a method. The method may include storing at least a portion of an executable application program in a host system physical memory at a first host physical address; instrumenting a copy of the portion of the executable application program and storing the instrumented copy in the host system physical memory at a second host physical address; setting a corresponding access permission to read only for the first host physical address and setting a corresponding access permission to execute only for the second host physical address; and executing the instrumented copy or reading the portion of the executable application program based, at least in part, on the access permissions.
According to another aspect there is disclosed an article, including a tangible storage medium having instructions stored thereon which when executed by a processor may result in the following operations: storing at least a portion of an executable application program in a host system physical memory at a first host physical address; instrumenting a copy of the portion of the executable application program and storing the instrumented copy in the host system physical memory at a second host physical address; setting a corresponding access permission to read only for the first host physical address and setting a corresponding access permission to execute only for the second host physical address; and executing the instrumented copy or reading the portion of the executable application program based, at least in part, on the access permissions.
In yet another aspect there is disclosed a system. The system may include host physical memory; and a processor. The processor may be configured to: store at least a portion of an executable application program in the host system physical memory at a first host physical address; instrument a copy of the portion of the executable application program and store the instrumented copy in the host system physical memory at a second host physical address; set a corresponding access permission to read only for the first host physical address and set a corresponding access permission to execute only for the second host physical address; and execute the instrumented copy or read the portion of the executable application program based, at least in part, on the access permissions.
The terms and expressions which have been employed herein are used as terms of description and not of limitation, and there is no intention, in the use of such terms and expressions, of excluding any equivalents of the features shown and described (or portions
thereof), and it is recognized that various modifications are possible within the scope of the claims. Accordingly, the claims are intended to cover all such equivalents.
Claims
1. A method, comprising:
storing at least a portion of an executable application program in a host system physical memory at a first host physical address;
instrumenting a copy of said portion of said executable application program and storing said instrumented copy in said host system physical memory at a second host physical address;
setting a corresponding access permission to read only for said first host physical address and setting a corresponding access permission to execute only for said second host physical address; and
executing said instrumented copy or reading said portion of said executable application program based, at least in part, on said access permissions.
2. The method of claim 1, further comprising:
generating a page fault in response to an attempt to read said second host physical address or an attempt to execute said portion of said executable application program stored at said first host physical address.
3. The method of claim 2, further comprising:
determining a type of said page fault; and
updating an extended page table entry to correspond to said second host physical address if said page fault is an execute fault or to correspond to said first host physical address if said page fault is a read fault.
4. The method of claim 1, wherein a memory scanner is configured to read said portion of said executable application program.
5. The method of claim 1, further comprising:
generating a first extended page table associated with said first host physical address and a second extended page table associated with said second host physical address; and
instrumenting a memory scanner with a first instruction, said first instruction configured to select said first extended page table,
wherein said memory scanner is configured to read said portion of said executable application program and said first instruction is configured to be executed prior to said memory scanner reading said portion of said executable application program.
6. The method of claim 5, further comprising: instrumenting said memory scanner with a second instruction, said second instruction configured to select said second extended page table,
wherein said second instruction is configured to be executed after said memory scanner has read said portion of said executable application program.
7. The method of claim 1, further comprising:
monitoring execution of said executable application program using said
instrumented copy, wherein said monitoring is configured to detect malware.
8. The method of claim 1, further comprising:
generating a first extended page table associated with said first host physical address and a second extended page table associated with said second host physical address;
generating a page fault in response to an attempt to read said second host physical address or an attempt to execute said portion of said executable application program stored at said first host physical address; and
selecting one of said first and second extended page tables in response to the page fault.
9. A system comprising, one or more storage mediums having stored thereon, individually or in combination, instructions that, when executed by one or more processors, result in the following operations comprising:
storing at least a portion of an executable application program in a host system physical memory at a first host physical address;
instrumenting a copy of said portion of said executable application program and storing said instrumented copy in said host system physical memory at a second host physical address;
setting a corresponding access permission to read only for said first host physical address and setting a corresponding access permission to execute only for said second host physical address; and
executing said instrumented copy or reading said portion of said executable application program based, at least in part, on said access permissions.
10. The system of claim 9, wherein the instructions result in the following additional operations comprising:
generating a page fault in response to an attempt to read said second host physical address or an attempt to execute said portion of said executable application program stored at said first host physical address.
11. The system of claim 10, wherein the instructions result in the following additional operations comprising:
determining a type of said page fault; and
updating an extended page table entry to correspond to said second host physical address if said page fault is an execute fault or to correspond to said first host physical address if said page fault is a read fault.
12. The system of claim 9, wherein a memory scanner is configured to read said portion of said executable application program.
13. The system of claim 9, wherein the instructions result in the following additional operations comprising:
generating a first extended page table associated with said first host physical address and a second extended page table associated with said second host physical address; and
instrumenting a memory scanner with a first instruction, said first instruction configured to select said first extended page table,
wherein said memory scanner is configured to read said portion of said executable application program and said first instruction is configured to be executed prior to said memory scanner reading said portion of said executable application program.
14. The system of claim 13, wherein the instructions result in the following additional operations comprising:
instrumenting said memory scanner with a second instruction, said second instruction configured to select said second extended page table,
wherein said second instruction is configured to be executed after said memory scanner has read said portion of said executable application program.
15. The system of claim 9, wherein the instructions result in the following additional operations comprising:
monitoring execution of said executable application program using said instrumented copy wherein said monitoring is configured to detect malware.
16. The system of claim 9, wherein the instructions result in the following additional operations comprising:
generating a first extended page table associated with said first host physical address and a second extended page table associated with said second host physical address; generating a page fault in response to an attempt to read said second host physical address or an attempt to execute said portion of said executable application program stored at said first host physical address; and
selecting one of said first and second extended page tables in response to the page fault.
17. A system, comprising :
host physical memory; and
a processor configured to:
store at least a portion of an executable application program in said host system physical memory at a first host physical address;
instrument a copy of said portion of said executable application program and store said instrumented copy in said host system physical memory at a second host physical address;
set a corresponding access permission to read only for said first host physical address and set a corresponding access permission to execute only for said second host physical address; and
execute said instrumented copy or read said portion of said executable application program based, at least in part, on said access permissions.
18. The system of claim 17, wherein the processor is further configured to:
generate a page fault in response to an attempt to read said second host physical address or an attempt to execute said portion of said executable application program stored at said first host physical address.
19. The system of claim 18, wherein the processor is further configured to:
determine a type of said page fault; and
updating an extended page table entry to correspond to said second host physical address if said page fault is an execute fault or to correspond to said first host physical address if said page fault is a read fault.
20. The system of claim 17, wherein the processor is further configured to:
generate a first extended page table associated with said first host physical address and a second extended page table associated with said second host physical address; and instrument a memory scanner with a first instruction, said first instruction configured to select said first extended page table, wherein said memory scanner is configured to read said portion of said executable application program and said first instruction is configured to be executed prior to said memory scanner reading said portion of said executable application program.
21. The system of claim 20, wherein the processor is further configured to:
instrument said memory scanner with a second instruction, said second instruction configured to select said second extended page table,
wherein said second instruction is configured to be executed after said memory scanner has read said portion of said executable application program.
22. The system of claim 17, wherein the processor is further configured to:
monitor execution of said executable application program using said instrumented copy, said monitoring is configured to detect malware.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201180069747.7A CN103460179B (en) | 2011-03-30 | 2011-12-29 | Method and apparatus for transparently instrumenting an application program |
EP11862405.5A EP2691851B1 (en) | 2011-03-30 | 2011-12-29 | Method and apparatus for transparently instrumenting an application program |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US13/076,378 | 2011-03-30 | ||
US13/076,378 US8479295B2 (en) | 2011-03-30 | 2011-03-30 | Method and apparatus for transparently instrumenting an application program |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2012134584A1 true WO2012134584A1 (en) | 2012-10-04 |
Family
ID=46929145
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/US2011/067796 WO2012134584A1 (en) | 2011-03-30 | 2011-12-29 | Method and apparatus for transparently instrumenting an application program |
Country Status (5)
Country | Link |
---|---|
US (1) | US8479295B2 (en) |
EP (1) | EP2691851B1 (en) |
CN (1) | CN103460179B (en) |
TW (1) | TWI464575B (en) |
WO (1) | WO2012134584A1 (en) |
Cited By (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9104870B1 (en) | 2012-09-28 | 2015-08-11 | Palo Alto Networks, Inc. | Detecting malware |
US9143522B2 (en) | 2011-05-24 | 2015-09-22 | Palo Alto Networks, Inc. | Heuristic botnet detection |
US9215239B1 (en) | 2012-09-28 | 2015-12-15 | Palo Alto Networks, Inc. | Malware detection based on traffic analysis |
US9489516B1 (en) | 2014-07-14 | 2016-11-08 | Palo Alto Networks, Inc. | Detection of malware using an instrumented virtual machine environment |
US9542554B1 (en) | 2014-12-18 | 2017-01-10 | Palo Alto Networks, Inc. | Deduplicating malware |
US9613210B1 (en) | 2013-07-30 | 2017-04-04 | Palo Alto Networks, Inc. | Evaluating malware in a virtual machine using dynamic patching |
US9805193B1 (en) | 2014-12-18 | 2017-10-31 | Palo Alto Networks, Inc. | Collecting algorithmically generated domains |
US10019575B1 (en) | 2013-07-30 | 2018-07-10 | Palo Alto Networks, Inc. | Evaluating malware in a virtual machine using copy-on-write |
US10867041B2 (en) | 2013-07-30 | 2020-12-15 | Palo Alto Networks, Inc. | Static and dynamic security analysis of apps for mobile devices |
US10956573B2 (en) | 2018-06-29 | 2021-03-23 | Palo Alto Networks, Inc. | Dynamic analysis techniques for applications |
US11010474B2 (en) | 2018-06-29 | 2021-05-18 | Palo Alto Networks, Inc. | Dynamic analysis techniques for applications |
US11196765B2 (en) | 2019-09-13 | 2021-12-07 | Palo Alto Networks, Inc. | Simulating user interactions for malware analysis |
Families Citing this family (172)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8584239B2 (en) | 2004-04-01 | 2013-11-12 | Fireeye, Inc. | Virtual machine with dynamic data flow analysis |
US8898788B1 (en) | 2004-04-01 | 2014-11-25 | Fireeye, Inc. | Systems and methods for malware attack prevention |
US8566946B1 (en) | 2006-04-20 | 2013-10-22 | Fireeye, Inc. | Malware containment on connection |
US8549638B2 (en) | 2004-06-14 | 2013-10-01 | Fireeye, Inc. | System and method of containing computer worms |
US7587537B1 (en) | 2007-11-30 | 2009-09-08 | Altera Corporation | Serializer-deserializer circuits formed from input-output circuit registers |
US9106694B2 (en) | 2004-04-01 | 2015-08-11 | Fireeye, Inc. | Electronic message analysis for malware detection |
US8793787B2 (en) | 2004-04-01 | 2014-07-29 | Fireeye, Inc. | Detecting malicious network content using virtual environment components |
US8528086B1 (en) | 2004-04-01 | 2013-09-03 | Fireeye, Inc. | System and method of detecting computer worms |
US8881282B1 (en) | 2004-04-01 | 2014-11-04 | Fireeye, Inc. | Systems and methods for malware attack detection and identification |
US8171553B2 (en) | 2004-04-01 | 2012-05-01 | Fireeye, Inc. | Heuristic based capture with replay to virtual machine |
US9231858B1 (en) | 2006-08-11 | 2016-01-05 | Dynatrace Software Gmbh | Completeness detection of monitored globally distributed synchronous and asynchronous transactions |
US8997219B2 (en) | 2008-11-03 | 2015-03-31 | Fireeye, Inc. | Systems and methods for detecting malicious PDF network content |
US8832829B2 (en) | 2009-09-30 | 2014-09-09 | Fireeye, Inc. | Network-based binary file extraction and analysis for malware detection |
US9274919B2 (en) | 2011-04-29 | 2016-03-01 | Dynatrace Software Gmbh | Transaction tracing mechanism of distributed heterogenous transactions having instrumented byte code with constant memory consumption and independent of instrumented method call depth |
US9069586B2 (en) * | 2011-10-13 | 2015-06-30 | Mcafee, Inc. | System and method for kernel rootkit protection in a hypervisor environment |
US9256552B2 (en) | 2011-11-21 | 2016-02-09 | Cisco Technology, Inc. | Selective access to executable memory |
US9342704B2 (en) * | 2011-12-28 | 2016-05-17 | Intel Corporation | Allocating memory access control policies |
US9075913B2 (en) * | 2012-02-27 | 2015-07-07 | Qualcomm Incorporated | Validation of applications for graphics processing unit |
EP2831787B1 (en) * | 2012-03-30 | 2020-07-08 | Irdeto B.V. | Method and system for preventing and detecting security threats |
RU2510075C2 (en) * | 2012-04-11 | 2014-03-20 | Открытое Акционерное Общество "Информационные Технологии И Коммуникационные Системы" | Method of detecting malware in operating system kernel |
US9223721B2 (en) * | 2012-09-04 | 2015-12-29 | Arm Finance Overseas Limited | Embedded processor with virtualized security controls using guest identifications, a common kernel address space and operational permissions |
US10572665B2 (en) | 2012-12-28 | 2020-02-25 | Fireeye, Inc. | System and method to create a number of breakpoints in a virtual machine via virtual machine trapping events |
US9367681B1 (en) | 2013-02-23 | 2016-06-14 | Fireeye, Inc. | Framework for efficient security coverage of mobile software applications using symbolic execution to reach regions of interest within an application |
US9195829B1 (en) | 2013-02-23 | 2015-11-24 | Fireeye, Inc. | User interface with real-time visual playback along with synchronous textual analysis log display and event/time index for anomalous behavior detection in applications |
US9159035B1 (en) | 2013-02-23 | 2015-10-13 | Fireeye, Inc. | Framework for computer application analysis of sensitive information tracking |
US9176843B1 (en) | 2013-02-23 | 2015-11-03 | Fireeye, Inc. | Framework for efficient security coverage of mobile software applications |
US8990944B1 (en) | 2013-02-23 | 2015-03-24 | Fireeye, Inc. | Systems and methods for automatically detecting backdoors |
US9009822B1 (en) * | 2013-02-23 | 2015-04-14 | Fireeye, Inc. | Framework for multi-phase analysis of mobile applications |
US9009823B1 (en) | 2013-02-23 | 2015-04-14 | Fireeye, Inc. | Framework for efficient security coverage of mobile software applications installed on mobile devices |
US9104867B1 (en) | 2013-03-13 | 2015-08-11 | Fireeye, Inc. | Malicious content analysis using simulated user interaction without user involvement |
US9626509B1 (en) | 2013-03-13 | 2017-04-18 | Fireeye, Inc. | Malicious content analysis with multi-version application support within single operating environment |
US9355247B1 (en) | 2013-03-13 | 2016-05-31 | Fireeye, Inc. | File extraction from memory dump for malicious content analysis |
US9311479B1 (en) | 2013-03-14 | 2016-04-12 | Fireeye, Inc. | Correlation and consolidation of analytic data for holistic view of a malware attack |
US9430646B1 (en) | 2013-03-14 | 2016-08-30 | Fireeye, Inc. | Distributed systems and methods for automatically detecting unknown bots and botnets |
US9413781B2 (en) | 2013-03-15 | 2016-08-09 | Fireeye, Inc. | System and method employing structured intelligence to verify and contain threats at endpoints |
US10713358B2 (en) | 2013-03-15 | 2020-07-14 | Fireeye, Inc. | System and method to extract and utilize disassembly features to classify software intent |
US9495180B2 (en) | 2013-05-10 | 2016-11-15 | Fireeye, Inc. | Optimized resource allocation for virtual machines within a malware content detection system |
US9635039B1 (en) | 2013-05-13 | 2017-04-25 | Fireeye, Inc. | Classifying sets of malicious indicators for detecting command and control communications associated with malware |
US10133863B2 (en) | 2013-06-24 | 2018-11-20 | Fireeye, Inc. | Zero-day discovery system |
US9300686B2 (en) | 2013-06-28 | 2016-03-29 | Fireeye, Inc. | System and method for detecting malicious links in electronic messages |
US9736179B2 (en) | 2013-09-30 | 2017-08-15 | Fireeye, Inc. | System, apparatus and method for using malware analysis results to drive adaptive instrumentation of virtual machines to improve exploit detection |
US9690936B1 (en) | 2013-09-30 | 2017-06-27 | Fireeye, Inc. | Multistage system and method for analyzing obfuscated content for malware |
US10515214B1 (en) | 2013-09-30 | 2019-12-24 | Fireeye, Inc. | System and method for classifying malware within content created during analysis of a specimen |
US9628507B2 (en) | 2013-09-30 | 2017-04-18 | Fireeye, Inc. | Advanced persistent threat (APT) detection center |
US9171160B2 (en) | 2013-09-30 | 2015-10-27 | Fireeye, Inc. | Dynamically adaptive framework and method for classifying malware using intelligent static, emulation, and dynamic analyses |
US9294501B2 (en) | 2013-09-30 | 2016-03-22 | Fireeye, Inc. | Fuzzy hash of behavioral results |
US9921978B1 (en) | 2013-11-08 | 2018-03-20 | Fireeye, Inc. | System and method for enhanced security of storage devices |
US9436823B1 (en) * | 2013-12-17 | 2016-09-06 | Google Inc. | System and method for detecting malicious code |
US9117081B2 (en) * | 2013-12-20 | 2015-08-25 | Bitdefender IPR Management Ltd. | Strongly isolated malware scanning using secure virtual containers |
US9747446B1 (en) | 2013-12-26 | 2017-08-29 | Fireeye, Inc. | System and method for run-time object classification |
US9756074B2 (en) | 2013-12-26 | 2017-09-05 | Fireeye, Inc. | System and method for IPS and VM-based detection of suspicious objects |
US9507935B2 (en) | 2014-01-16 | 2016-11-29 | Fireeye, Inc. | Exploit detection system with threat-aware microvisor |
US9262635B2 (en) | 2014-02-05 | 2016-02-16 | Fireeye, Inc. | Detection efficacy of virtual machine-based analysis with application specific events |
US9241010B1 (en) | 2014-03-20 | 2016-01-19 | Fireeye, Inc. | System and method for network behavior detection |
US10242185B1 (en) | 2014-03-21 | 2019-03-26 | Fireeye, Inc. | Dynamic guest image creation and rollback |
US9591015B1 (en) | 2014-03-28 | 2017-03-07 | Fireeye, Inc. | System and method for offloading packet processing and static analysis operations |
US9483295B2 (en) | 2014-03-31 | 2016-11-01 | International Business Machines Corporation | Transparent dynamic code optimization |
US9432389B1 (en) | 2014-03-31 | 2016-08-30 | Fireeye, Inc. | System, apparatus and method for detecting a malicious attack based on static analysis of a multi-flow object |
US9569115B2 (en) | 2014-03-31 | 2017-02-14 | International Business Machines Corporation | Transparent code patching |
US9720661B2 (en) | 2014-03-31 | 2017-08-01 | International Businesss Machines Corporation | Selectively controlling use of extended mode features |
US9256546B2 (en) | 2014-03-31 | 2016-02-09 | International Business Machines Corporation | Transparent code patching including updating of address translation structures |
US9715449B2 (en) | 2014-03-31 | 2017-07-25 | International Business Machines Corporation | Hierarchical translation structures providing separate translations for instruction fetches and data accesses |
US9734083B2 (en) | 2014-03-31 | 2017-08-15 | International Business Machines Corporation | Separate memory address translations for instruction fetches and data accesses |
US9858058B2 (en) | 2014-03-31 | 2018-01-02 | International Business Machines Corporation | Partition mobility for partitions with extended code |
US9223972B1 (en) | 2014-03-31 | 2015-12-29 | Fireeye, Inc. | Dynamically remote tuning of a malware content detection system |
US9824021B2 (en) | 2014-03-31 | 2017-11-21 | International Business Machines Corporation | Address translation structures to provide separate translations for instruction fetches and data accesses |
US9594912B1 (en) | 2014-06-06 | 2017-03-14 | Fireeye, Inc. | Return-oriented programming detection |
US9973531B1 (en) | 2014-06-06 | 2018-05-15 | Fireeye, Inc. | Shellcode detection |
US9438623B1 (en) | 2014-06-06 | 2016-09-06 | Fireeye, Inc. | Computer exploit detection using heap spray pattern matching |
US10084813B2 (en) | 2014-06-24 | 2018-09-25 | Fireeye, Inc. | Intrusion prevention and remedy system |
US9398028B1 (en) | 2014-06-26 | 2016-07-19 | Fireeye, Inc. | System, device and method for detecting a malicious attack based on communcations between remotely hosted virtual machines and malicious web servers |
US10805340B1 (en) | 2014-06-26 | 2020-10-13 | Fireeye, Inc. | Infection vector and malware tracking with an interactive user display |
US10002252B2 (en) | 2014-07-01 | 2018-06-19 | Fireeye, Inc. | Verification of trusted threat-aware microvisor |
US9363280B1 (en) | 2014-08-22 | 2016-06-07 | Fireeye, Inc. | System and method of detecting delivery of malware using cross-customer data |
US10671726B1 (en) | 2014-09-22 | 2020-06-02 | Fireeye Inc. | System and method for malware analysis using thread-level event monitoring |
US9886577B2 (en) * | 2014-09-26 | 2018-02-06 | Mcafee, Llc | Detection and mitigation of malicious invocation of sensitive code |
US9773112B1 (en) | 2014-09-29 | 2017-09-26 | Fireeye, Inc. | Exploit detection of malware and malware families |
US10027689B1 (en) | 2014-09-29 | 2018-07-17 | Fireeye, Inc. | Interactive infection visualization for improved exploit detection and signature generation for malware and malware families |
RU2580016C1 (en) * | 2014-10-17 | 2016-04-10 | Закрытое акционерное общество "Лаборатория Касперского" | Method for transfer of control between memory areas |
US9690933B1 (en) | 2014-12-22 | 2017-06-27 | Fireeye, Inc. | Framework for classifying an object as malicious with machine learning for deploying updated predictive models |
US9703720B2 (en) | 2014-12-23 | 2017-07-11 | Intel Corporation | Method and apparatus to allow secure guest access to extended page tables |
US10075455B2 (en) | 2014-12-26 | 2018-09-11 | Fireeye, Inc. | Zero-day rotating guest image profile |
US9934376B1 (en) | 2014-12-29 | 2018-04-03 | Fireeye, Inc. | Malware detection appliance architecture |
US9838417B1 (en) | 2014-12-30 | 2017-12-05 | Fireeye, Inc. | Intelligent context aware user interaction for malware detection |
US9690606B1 (en) | 2015-03-25 | 2017-06-27 | Fireeye, Inc. | Selective system call monitoring |
US10148693B2 (en) | 2015-03-25 | 2018-12-04 | Fireeye, Inc. | Exploit detection system |
US9438613B1 (en) | 2015-03-30 | 2016-09-06 | Fireeye, Inc. | Dynamic content activation for automated analysis of embedded objects |
US10417031B2 (en) | 2015-03-31 | 2019-09-17 | Fireeye, Inc. | Selective virtualization for security threat detection |
US9483644B1 (en) | 2015-03-31 | 2016-11-01 | Fireeye, Inc. | Methods for detecting file altering malware in VM based analysis |
US10474813B1 (en) | 2015-03-31 | 2019-11-12 | Fireeye, Inc. | Code injection technique for remediation at an endpoint of a network |
US9654485B1 (en) | 2015-04-13 | 2017-05-16 | Fireeye, Inc. | Analytics-based security monitoring system and method |
US9594904B1 (en) | 2015-04-23 | 2017-03-14 | Fireeye, Inc. | Detecting malware based on reflection |
US10642753B1 (en) | 2015-06-30 | 2020-05-05 | Fireeye, Inc. | System and method for protecting a software component running in virtual machine using a virtualization layer |
US10454950B1 (en) | 2015-06-30 | 2019-10-22 | Fireeye, Inc. | Centralized aggregation technique for detecting lateral movement of stealthy cyber-attacks |
US10216927B1 (en) | 2015-06-30 | 2019-02-26 | Fireeye, Inc. | System and method for protecting memory pages associated with a process using a virtualization layer |
US11113086B1 (en) | 2015-06-30 | 2021-09-07 | Fireeye, Inc. | Virtual system and method for securing external network connectivity |
US10395029B1 (en) | 2015-06-30 | 2019-08-27 | Fireeye, Inc. | Virtual system and method with threat protection |
US10726127B1 (en) | 2015-06-30 | 2020-07-28 | Fireeye, Inc. | System and method for protecting a software component running in a virtual machine through virtual interrupts by the virtualization layer |
US10715542B1 (en) | 2015-08-14 | 2020-07-14 | Fireeye, Inc. | Mobile application risk analysis |
US10176321B2 (en) | 2015-09-22 | 2019-01-08 | Fireeye, Inc. | Leveraging behavior-based rules for malware family classification |
US10033759B1 (en) | 2015-09-28 | 2018-07-24 | Fireeye, Inc. | System and method of threat detection under hypervisor control |
US10033747B1 (en) | 2015-09-29 | 2018-07-24 | Fireeye, Inc. | System and method for detecting interpreter-based exploit attacks |
US10210329B1 (en) | 2015-09-30 | 2019-02-19 | Fireeye, Inc. | Method to detect application execution hijacking using memory protection |
US9825989B1 (en) | 2015-09-30 | 2017-11-21 | Fireeye, Inc. | Cyber attack early warning system |
US10706149B1 (en) | 2015-09-30 | 2020-07-07 | Fireeye, Inc. | Detecting delayed activation malware using a primary controller and plural time controllers |
US10817606B1 (en) | 2015-09-30 | 2020-10-27 | Fireeye, Inc. | Detecting delayed activation malware using a run-time monitoring agent and time-dilation logic |
US10601865B1 (en) | 2015-09-30 | 2020-03-24 | Fireeye, Inc. | Detection of credential spearphishing attacks using email analysis |
US9825976B1 (en) | 2015-09-30 | 2017-11-21 | Fireeye, Inc. | Detection and classification of exploit kits |
US10284575B2 (en) | 2015-11-10 | 2019-05-07 | Fireeye, Inc. | Launcher for setting analysis environment variations for malware detection |
US10447728B1 (en) | 2015-12-10 | 2019-10-15 | Fireeye, Inc. | Technique for protecting guest processes using a layered virtualization architecture |
US10846117B1 (en) | 2015-12-10 | 2020-11-24 | Fireeye, Inc. | Technique for establishing secure communication between host and guest processes of a virtualization architecture |
US10108446B1 (en) | 2015-12-11 | 2018-10-23 | Fireeye, Inc. | Late load technique for deploying a virtualization layer underneath a running operating system |
US10565378B1 (en) | 2015-12-30 | 2020-02-18 | Fireeye, Inc. | Exploit of privilege detection framework |
US10050998B1 (en) | 2015-12-30 | 2018-08-14 | Fireeye, Inc. | Malicious message analysis system |
US10133866B1 (en) | 2015-12-30 | 2018-11-20 | Fireeye, Inc. | System and method for triggering analysis of an object for malware in response to modification of that object |
US10621338B1 (en) | 2015-12-30 | 2020-04-14 | Fireeye, Inc. | Method to detect forgery and exploits using last branch recording registers |
US10581874B1 (en) | 2015-12-31 | 2020-03-03 | Fireeye, Inc. | Malware detection system with contextual analysis |
US9824216B1 (en) | 2015-12-31 | 2017-11-21 | Fireeye, Inc. | Susceptible environment detection system |
US11552986B1 (en) | 2015-12-31 | 2023-01-10 | Fireeye Security Holdings Us Llc | Cyber-security framework for application of virtual features |
US10616266B1 (en) | 2016-03-25 | 2020-04-07 | Fireeye, Inc. | Distributed malware detection system and submission workflow thereof |
US10671721B1 (en) | 2016-03-25 | 2020-06-02 | Fireeye, Inc. | Timeout management services |
US10601863B1 (en) | 2016-03-25 | 2020-03-24 | Fireeye, Inc. | System and method for managing sensor enrollment |
US10785255B1 (en) | 2016-03-25 | 2020-09-22 | Fireeye, Inc. | Cluster configuration within a scalable malware detection system |
US10893059B1 (en) | 2016-03-31 | 2021-01-12 | Fireeye, Inc. | Verification and enhancement using detection systems located at the network periphery and endpoint devices |
US10826933B1 (en) | 2016-03-31 | 2020-11-03 | Fireeye, Inc. | Technique for verifying exploit/malware at malware detection appliance through correlation with endpoints |
US10169585B1 (en) * | 2016-06-22 | 2019-01-01 | Fireeye, Inc. | System and methods for advanced malware detection through placement of transition events |
US10462173B1 (en) | 2016-06-30 | 2019-10-29 | Fireeye, Inc. | Malware detection verification and enhancement by coordinating endpoint and malware detection systems |
US10592678B1 (en) | 2016-09-09 | 2020-03-17 | Fireeye, Inc. | Secure communications between peers using a verified virtual trusted platform module |
US10491627B1 (en) | 2016-09-29 | 2019-11-26 | Fireeye, Inc. | Advanced malware detection using similarity analysis |
DE102016219202A1 (en) * | 2016-10-04 | 2018-04-05 | Robert Bosch Gmbh | Method and device for protecting a working memory |
US10725807B2 (en) | 2016-10-13 | 2020-07-28 | Red Hat Israel, Ltd. | Page table entry caching for virtual device emulation |
US10795991B1 (en) | 2016-11-08 | 2020-10-06 | Fireeye, Inc. | Enterprise search |
US10587647B1 (en) | 2016-11-22 | 2020-03-10 | Fireeye, Inc. | Technique for malware detection capability comparison of network security devices |
US10581879B1 (en) | 2016-12-22 | 2020-03-03 | Fireeye, Inc. | Enhanced malware detection for generated objects |
US10552610B1 (en) | 2016-12-22 | 2020-02-04 | Fireeye, Inc. | Adaptive virtual machine snapshot update framework for malware behavioral analysis |
US10523609B1 (en) | 2016-12-27 | 2019-12-31 | Fireeye, Inc. | Multi-vector malware detection and analysis |
US10904286B1 (en) | 2017-03-24 | 2021-01-26 | Fireeye, Inc. | Detection of phishing attacks using similarity analysis |
US10848397B1 (en) | 2017-03-30 | 2020-11-24 | Fireeye, Inc. | System and method for enforcing compliance with subscription requirements for cyber-attack detection service |
US10798112B2 (en) | 2017-03-30 | 2020-10-06 | Fireeye, Inc. | Attribute-controlled malware detection |
US10902119B1 (en) | 2017-03-30 | 2021-01-26 | Fireeye, Inc. | Data extraction system for malware analysis |
US10791138B1 (en) | 2017-03-30 | 2020-09-29 | Fireeye, Inc. | Subscription-based malware detection |
US20180285262A1 (en) * | 2017-03-31 | 2018-10-04 | Intel Corporation | Techniques for shared virtual memory access protection |
US10601848B1 (en) | 2017-06-29 | 2020-03-24 | Fireeye, Inc. | Cyber-security system and method for weak indicator detection and correlation to generate strong indicators |
US10855700B1 (en) | 2017-06-29 | 2020-12-01 | Fireeye, Inc. | Post-intrusion detection of cyber-attacks during lateral movement within networks |
US10503904B1 (en) | 2017-06-29 | 2019-12-10 | Fireeye, Inc. | Ransomware detection and mitigation |
US10893068B1 (en) | 2017-06-30 | 2021-01-12 | Fireeye, Inc. | Ransomware file modification prevention technique |
US10747872B1 (en) | 2017-09-27 | 2020-08-18 | Fireeye, Inc. | System and method for preventing malware evasion |
US10805346B2 (en) | 2017-10-01 | 2020-10-13 | Fireeye, Inc. | Phishing attack detection |
US11108809B2 (en) | 2017-10-27 | 2021-08-31 | Fireeye, Inc. | System and method for analyzing binary code for malware classification using artificial neural network techniques |
US11240275B1 (en) | 2017-12-28 | 2022-02-01 | Fireeye Security Holdings Us Llc | Platform and method for performing cybersecurity analyses employing an intelligence hub with a modular architecture |
US11005860B1 (en) | 2017-12-28 | 2021-05-11 | Fireeye, Inc. | Method and system for efficient cybersecurity analysis of endpoint events |
US11271955B2 (en) | 2017-12-28 | 2022-03-08 | Fireeye Security Holdings Us Llc | Platform and method for retroactive reclassification employing a cybersecurity-based global data store |
US10826931B1 (en) | 2018-03-29 | 2020-11-03 | Fireeye, Inc. | System and method for predicting and mitigating cybersecurity system misconfigurations |
US10956477B1 (en) | 2018-03-30 | 2021-03-23 | Fireeye, Inc. | System and method for detecting malicious scripts through natural language processing modeling |
US11003773B1 (en) | 2018-03-30 | 2021-05-11 | Fireeye, Inc. | System and method for automatically generating malware detection rule recommendations |
US11558401B1 (en) | 2018-03-30 | 2023-01-17 | Fireeye Security Holdings Us Llc | Multi-vector malware detection data sharing system for improved detection |
RU2697948C1 (en) * | 2018-04-19 | 2019-08-21 | Акционерное общество "Лаборатория Касперского" | System and method of detecting vulnerabilities using interception of function calls |
US11314859B1 (en) | 2018-06-27 | 2022-04-26 | FireEye Security Holdings, Inc. | Cyber-security system and method for detecting escalation of privileges within an access token |
US11075930B1 (en) | 2018-06-27 | 2021-07-27 | Fireeye, Inc. | System and method for detecting repetitive cybersecurity attacks constituting an email campaign |
US11228491B1 (en) | 2018-06-28 | 2022-01-18 | Fireeye Security Holdings Us Llc | System and method for distributed cluster configuration monitoring and management |
US11316900B1 (en) | 2018-06-29 | 2022-04-26 | FireEye Security Holdings Inc. | System and method for automatically prioritizing rules for cyber-threat detection and mitigation |
US11182473B1 (en) | 2018-09-13 | 2021-11-23 | Fireeye Security Holdings Us Llc | System and method for mitigating cyberattacks against processor operability by a guest process |
CN110928737B (en) * | 2018-09-19 | 2021-05-18 | 华为技术有限公司 | Method and device for monitoring memory access behavior of sample process |
US11763004B1 (en) | 2018-09-27 | 2023-09-19 | Fireeye Security Holdings Us Llc | System and method for bootkit detection |
US11368475B1 (en) | 2018-12-21 | 2022-06-21 | Fireeye Security Holdings Us Llc | System and method for scanning remote services to locate stored objects with malware |
US11258806B1 (en) | 2019-06-24 | 2022-02-22 | Mandiant, Inc. | System and method for automatically associating cybersecurity intelligence to cyberthreat actors |
US11556640B1 (en) | 2019-06-27 | 2023-01-17 | Mandiant, Inc. | Systems and methods for automated cybersecurity analysis of extracted binary string sets |
US11392700B1 (en) | 2019-06-28 | 2022-07-19 | Fireeye Security Holdings Us Llc | System and method for supporting cross-platform data verification |
US11221962B2 (en) | 2019-09-04 | 2022-01-11 | Apple Inc. | Unified address translation |
US11886585B1 (en) | 2019-09-27 | 2024-01-30 | Musarubra Us Llc | System and method for identifying and mitigating cyberattacks through malicious position-independent code execution |
US11637862B1 (en) | 2019-09-30 | 2023-04-25 | Mandiant, Inc. | System and method for surfacing cyber-security threats with a self-learning recommendation engine |
CN110795358B (en) * | 2020-01-06 | 2020-04-07 | 同盾控股有限公司 | Code instrumentation detection method, apparatus, device and medium |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7146607B2 (en) * | 2002-09-17 | 2006-12-05 | International Business Machines Corporation | Method and system for transparent dynamic optimization in a multiprocessing environment |
US20100031353A1 (en) * | 2008-02-04 | 2010-02-04 | Microsoft Corporation | Malware Detection Using Code Analysis and Behavior Monitoring |
US7797747B1 (en) * | 2006-02-21 | 2010-09-14 | Symantec Corporation | Detection of malicious code in non-paged pool unused pages |
Family Cites Families (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5440710A (en) * | 1994-03-08 | 1995-08-08 | Exponential Technology, Inc. | Emulation of segment bounds checking using paging with sub-page validity |
US5710724A (en) * | 1995-04-20 | 1998-01-20 | Digital Equipment Corp. | Dynamic computer performance monitor |
US6918110B2 (en) * | 2001-04-11 | 2005-07-12 | Hewlett-Packard Development Company, L.P. | Dynamic instrumentation of an executable program by means of causing a breakpoint at the entry point of a function and providing instrumentation code |
US6898785B2 (en) * | 2001-08-16 | 2005-05-24 | Hewlett-Packard Development Company, L.P. | Handling calls from relocated instrumented functions to functions that expect a return pointer value in an original address space |
US7249349B2 (en) * | 2001-12-13 | 2007-07-24 | Hewlett-Packard Development Company, L.P. | Uninstrumenting in-line code instrumentation on-the-fly |
US7313734B2 (en) * | 2002-01-14 | 2007-12-25 | International Business Machines Corporation | Method and system for instruction tracing with enhanced interrupt avoidance |
US6993665B2 (en) | 2002-05-01 | 2006-01-31 | Sun Microsystems, Inc. | Applet permissions manager |
US7886293B2 (en) * | 2004-07-07 | 2011-02-08 | Intel Corporation | Optimizing system behavior in a virtual machine environment |
US7886126B2 (en) * | 2005-01-14 | 2011-02-08 | Intel Corporation | Extended paging tables to map guest physical memory addresses from virtual memory page tables to host physical memory addresses in a virtual machine system |
JP2009512939A (en) * | 2005-10-21 | 2009-03-26 | ヴァー2アス インコーポレイテッド | Computer security method having operating system virtualization that allows multiple operating system instances to securely share a single machine resource |
US20070240141A1 (en) * | 2006-03-30 | 2007-10-11 | Feng Qin | Performing dynamic information flow tracking |
US7555628B2 (en) | 2006-08-15 | 2009-06-30 | Intel Corporation | Synchronizing a translation lookaside buffer to an extended paging table |
US7797748B2 (en) | 2007-12-12 | 2010-09-14 | Vmware, Inc. | On-access anti-virus mechanism for virtual machine architecture |
CN101299192B (en) * | 2008-06-18 | 2010-06-02 | 中国科学院计算技术研究所 | Non-aligning access and storage processing method |
-
2011
- 2011-03-30 US US13/076,378 patent/US8479295B2/en not_active Expired - Fee Related
- 2011-12-29 CN CN201180069747.7A patent/CN103460179B/en not_active Expired - Fee Related
- 2011-12-29 TW TW100149561A patent/TWI464575B/en not_active IP Right Cessation
- 2011-12-29 EP EP11862405.5A patent/EP2691851B1/en not_active Not-in-force
- 2011-12-29 WO PCT/US2011/067796 patent/WO2012134584A1/en active Application Filing
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7146607B2 (en) * | 2002-09-17 | 2006-12-05 | International Business Machines Corporation | Method and system for transparent dynamic optimization in a multiprocessing environment |
US7797747B1 (en) * | 2006-02-21 | 2010-09-14 | Symantec Corporation | Detection of malicious code in non-paged pool unused pages |
US20100031353A1 (en) * | 2008-02-04 | 2010-02-04 | Microsoft Corporation | Malware Detection Using Code Analysis and Behavior Monitoring |
Non-Patent Citations (2)
Title |
---|
See also references of EP2691851A4 * |
WILLEMS, CARSTEN ET AL.: "TOWARD AUTOMATED DYNAMIC MALWARE ANALYSIS USING CWSANDBOX", IEEE SECURITY AND PRIVACY ARCHIVE IEEE SECURITY AND PRIVACY ARCHIVE, vol. 5, no. 2, March 2007 (2007-03-01), pages 32 - 39, XP011175985 * |
Cited By (21)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9143522B2 (en) | 2011-05-24 | 2015-09-22 | Palo Alto Networks, Inc. | Heuristic botnet detection |
US9104870B1 (en) | 2012-09-28 | 2015-08-11 | Palo Alto Networks, Inc. | Detecting malware |
US9215239B1 (en) | 2012-09-28 | 2015-12-15 | Palo Alto Networks, Inc. | Malware detection based on traffic analysis |
US10678918B1 (en) | 2013-07-30 | 2020-06-09 | Palo Alto Networks, Inc. | Evaluating malware in a virtual machine using copy-on-write |
US10867041B2 (en) | 2013-07-30 | 2020-12-15 | Palo Alto Networks, Inc. | Static and dynamic security analysis of apps for mobile devices |
US9613210B1 (en) | 2013-07-30 | 2017-04-04 | Palo Alto Networks, Inc. | Evaluating malware in a virtual machine using dynamic patching |
US9804869B1 (en) | 2013-07-30 | 2017-10-31 | Palo Alto Networks, Inc. | Evaluating malware in a virtual machine using dynamic patching |
US10019575B1 (en) | 2013-07-30 | 2018-07-10 | Palo Alto Networks, Inc. | Evaluating malware in a virtual machine using copy-on-write |
US10515210B2 (en) | 2014-07-14 | 2019-12-24 | Palo Alto Networks, Inc. | Detection of malware using an instrumented virtual machine environment |
US9489516B1 (en) | 2014-07-14 | 2016-11-08 | Palo Alto Networks, Inc. | Detection of malware using an instrumented virtual machine environment |
US9805193B1 (en) | 2014-12-18 | 2017-10-31 | Palo Alto Networks, Inc. | Collecting algorithmically generated domains |
US10846404B1 (en) | 2014-12-18 | 2020-11-24 | Palo Alto Networks, Inc. | Collecting algorithmically generated domains |
US9542554B1 (en) | 2014-12-18 | 2017-01-10 | Palo Alto Networks, Inc. | Deduplicating malware |
US11036859B2 (en) | 2014-12-18 | 2021-06-15 | Palo Alto Networks, Inc. | Collecting algorithmically generated domains |
US11010474B2 (en) | 2018-06-29 | 2021-05-18 | Palo Alto Networks, Inc. | Dynamic analysis techniques for applications |
US10956573B2 (en) | 2018-06-29 | 2021-03-23 | Palo Alto Networks, Inc. | Dynamic analysis techniques for applications |
US11604878B2 (en) | 2018-06-29 | 2023-03-14 | Palo Alto Networks, Inc. | Dynamic analysis techniques for applications |
US11620383B2 (en) | 2018-06-29 | 2023-04-04 | Palo Alto Networks, Inc. | Dynamic analysis techniques for applications |
US11960605B2 (en) | 2018-06-29 | 2024-04-16 | Palo Alto Networks, Inc. | Dynamic analysis techniques for applications |
US11196765B2 (en) | 2019-09-13 | 2021-12-07 | Palo Alto Networks, Inc. | Simulating user interactions for malware analysis |
US11706251B2 (en) | 2019-09-13 | 2023-07-18 | Palo Alto Networks, Inc. | Simulating user interactions for malware analysis |
Also Published As
Publication number | Publication date |
---|---|
US20120255015A1 (en) | 2012-10-04 |
US8479295B2 (en) | 2013-07-02 |
EP2691851B1 (en) | 2017-05-17 |
EP2691851A1 (en) | 2014-02-05 |
TW201243575A (en) | 2012-11-01 |
EP2691851A4 (en) | 2015-01-14 |
CN103460179A (en) | 2013-12-18 |
CN103460179B (en) | 2017-05-17 |
TWI464575B (en) | 2014-12-11 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP2691851B1 (en) | Method and apparatus for transparently instrumenting an application program | |
US11841966B2 (en) | Inhibiting memory disclosure attacks using destructive code reads | |
US8578483B2 (en) | Systems and methods for preventing unauthorized modification of an operating system | |
Azab et al. | HIMA: A hypervisor-based integrity measurement agent | |
Stüttgen et al. | Anti-forensic resilient memory acquisition | |
US8856789B2 (en) | Facilitating execution of a self-modifying executable | |
Wojtczuk | Subverting the Xen hypervisor | |
Payne et al. | Secure and flexible monitoring of virtual machines | |
CN109923546B (en) | Event filtering for virtual machine security applications | |
US7418584B1 (en) | Executing system management mode code as virtual machine guest | |
US7984304B1 (en) | Dynamic verification of validity of executable code | |
US8479195B2 (en) | Dynamic selection and application of multiple virtualization techniques | |
US20060010440A1 (en) | Optimizing system behavior in a virtual machine environment | |
Wu et al. | Taming hosted hypervisors with (mostly) deprivileged execution. | |
US9424427B1 (en) | Anti-rootkit systems and methods | |
More et al. | Virtual machine introspection: towards bridging the semantic gap | |
Srivastava et al. | Efficient protection of kernel data structures via object partitioning | |
Proskurin et al. | Hiding in the shadows: Empowering arm for stealthy virtual machine introspection | |
US10740462B2 (en) | Instruction and/or data verification before execution | |
Barthe et al. | System-level non-interference of constant-time cryptography. Part I: model | |
Luțaș et al. | U-HIPE: hypervisor-based protection of user-mode processes in Windows | |
Zhong et al. | A virtualization based monitoring system for mini-intrusive live forensics | |
Lutas et al. | Hypervisor based Memory Introspection: Challenges, Problems and Limitations. | |
US20210157601A1 (en) | Exception interception | |
Suzaki et al. | Kernel memory protection by an insertable hypervisor which has VM introspection and stealth breakpoints |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 11862405 Country of ref document: EP Kind code of ref document: A1 |
|
REEP | Request for entry into the european phase |
Ref document number: 2011862405 Country of ref document: EP |
|
WWE | Wipo information: entry into national phase |
Ref document number: 2011862405 Country of ref document: EP |
|
NENP | Non-entry into the national phase |
Ref country code: DE |