Hypervisor-based interception of memory and register accesses

Description

BACKGROUND

With Internet use forming an ever greater part of day to day life, security exploits that steal or destroy system resources, data, and private information are an increasing problem. Governments and businesses devote significant resources to preventing intrusions and thefts related to these security exploits. Security exploits come in many forms, such as computer viruses, worms, trojan horses, spyware, keystroke loggers, adware, and rootkits. These exploits are delivered in or through a number of mechanisms, such as spearfish emails, clickable links, documents, executables, or archives. Some of the threats posed by security exploits are of such significance that they are described as cyber terrorism or industrial espionage.

While many activities of security exploits can be introspected using hooks or other interception techniques, certain operations cannot be hooked or intercepted in kernel-mode or user-mode. Such operations include memory accesses and individual instruction execution by the processor. Current techniques involve running guest operating systems (OSes) and applications of those guest OSes in virtual machines or running each application in a separate virtual machine. Each of these techniques involves significant overhead, and neither technique is capable of intercepting memory accesses or instructions executing on the host OS itself.

BRIEF DESCRIPTION OF THE DRAWINGS

The detailed description is set forth with reference to the accompanying figures. In the figures, the left-most digit(s) of a reference number identifies the figure in which the reference number first appears. The use of the same reference numbers in different figures indicates similar or identical items or features.

FIGS. 1a-1d illustrates an overview of a security agent configured to initiate execution of a security agent component as a hypervisor of computing device, the security agent component setting intercepts on memory locations and processor registers of the computing device.

FIGS. 2a-2b illustrate overviews of techniques for protecting memory locations through privilege attributes of pages while enabling operations on other memory locations associated with those pages.

FIG. 3 illustrates a component level view of a computing device configured with a security agent and security agent component configured to execute as a hypervisor.

FIG. 5 illustrates an example process for protecting memory locations through privilege attributes of pages while enabling operations on other memory locations associated with those pages.

FIG. 8 illustrates an example process for intercepting accesses of debug registers and, when such accesses are from the operating system, responding with operating-system-permitted values.

FIG. 9 illustrates an example process for intercepting instructions for accessing control registers.

DETAILED DESCRIPTION

This disclosure describes, in part, security agent configured to initiate a security agent component as a hypervisor for a computing device. Such initiation may involve, in some implementations, storing processor state information into a data structure and instructing the processor to initiate the security agent component as the hypervisor based on the data structure. The security agent may then determine a subset of memory locations in memory of the computing device to be intercepted or one or more processor registers to be intercepted. Such a determination may be based, for example, on a security agent configuration received from a security service. The security agent component may then set intercepts for the determined memory locations or registers. Setting such intercepts may include setting privilege attributes for pages which include the determined memory locations so as to prevent specific operations in association with those memory locations or setting intercepts for instructions affecting the registers.

In some implementations, after setting privilege attributes for pages, operations affecting memory locations in those pages may be noted. In response to one of the specific operations affecting the determined memory location associated with a page, the security agent component may return a false indication of success or allow the operation to enable monitoring of the actor associated with the operation. When an operation affects another memory location associated with that page, the security agent component may temporarily reset the privilege attribute for that page to allow the operation.

In one example, a memory location may store privileged information, and the specific operation protected against may involve writing to that memory location to modify the privileged information. Such an action is known as privilege escalation. To protect against privilege escalation, the privilege attribute of the page including the memory location storing the privileged information may be set to a read only value.

In another example, a memory location may store user credentials, and the specific operation protected against may involve reading the user credentials from the memory location. To protect against such credential reads, the privilege attribute of the page including the memory location storing the user credentials may be set to an inaccessible value. In some implementations, the physical memory location of the page may be modified by the security agent, resulting in the credential read to return data located in a different memory location. The returned user credentials would therefore be invalid as to purposefully mislead an attacker.

In a further example, a memory location may store executable code, and the specific operation protected against may involve executing the code stored at the memory location. To protect against this, the privilege attribute of the page including the memory location storing the executable code may be set to non-executable. The security agent component may then take a further action, such as returning a false indication of successful execution of the code, or redirecting to other code at another location to mislead the attacker.

In various implementations, the security agent component consults a whitelist or component, such as a virtual address space manager, to determine whether any memory locations identified by the security agent are whitelisted. The security agent component may then exclude memory pages that include the whitelisted memory locations from a set of memory pages and set intercepts of memory locations included in the remaining memory pages of the set of memory pages. In some implementations, rather than whitelisting in advance, the security agent component may consult a whitelist when intercepting a memory location to determine whether to allow an operation. Use of whitelisting memory locations may prevent the security agent and security agent component from blocking operations of permitted components known to be associated with those whitelisted memory locations.

In further implementations, the security agent may store memory addresses in debug registers of the processor of the computing device, and the security agent component may set intercepts for the debug registers. Setting the intercepts may include, for example, setting intercepts for instructions seeking to access the debug registers (e.g., reading the debug registers). In some implementations, one of the debug registers may store a memory address not permitted by the operating system of the computing device to be stored in the debug register. For instance, the operating system may prevent memory addresses associated with kernel-level components from being stored in the debug registers. In order to enable storing such a non-permitted memory address in a debug register, the security agent component may respond to a read operation from the operating system seeking to read that debug register with a false, operating-system-permitted value. In addition to setting intercepts for debug registers storing memory addresses, the security agent component may also set intercepts for the memory addresses themselves, e.g., by setting privilege attributes for memory pages that include the memory addresses.

In some implementations, the security agent component may set intercepts for control registers of the processor of the computing device. Setting the intercepts may include setting intercepts for instructions seeking to access the control registers (e.g., seeking to write to the control registers). In various implementations, one of the control registers may store an on setting for a security feature of the computing device. The security agent component may set intercepts on instructions seeking to write to that register to, for instance, turn off the security feature. In response to intercepting such an instruction, the security agent component may respond with a false indication of success, may block the operation, and/or may remember the operation for further analysis.

Overview

FIG. 1 a illustrates an overview of a security agent configured to initiate execution of a security agent component as a hypervisor of computing device, the security agent component setting intercepts on a subset of memory locations of the computing device. As illustrated, a computing device includes components implemented at the kernel-level 102 and at the user-level 104. Kernel-level 102 components include a host OS kernel 106 and a security agent 108. The security agent 108 further includes or is associated with a security agent component 110 implemented at a hypervisor-level 112 of the computing device. The security agent 108 may further include a configuration 114 and a data structure 116 for storing copies of processor state settings. Further, user-level 104 components may include a process 118. Additionally, the computing device may have a memory 120 having multiple memory locations 122 and a processor 124 having processor state settings 126. FIG. 1 a further shows, at 128, the security agent 108 storing processor state settings 126 in the data structure 116 and, at 130, initiating the security agent component 110 as a hypervisor based on the data structure 130. The security agent 108 then, at 132, determines memory locations 122 to be intercepted and the security agent component 110 sets, at 134, intercepts for the determined memory locations 122.

In various embodiments, a computing device may include the host OS kernel 106, security agent 108, security agent component 110, process 118, memory 120, and processor 124. Such a computing device may be a server or server farm, multiple, distributed server farms, a mainframe, a work station, a personal computer (PC), a laptop computer, a tablet computer, a personal digital assistant (PDA), a cellular phone, a media center, an embedded system, or any other sort of device or devices. When implemented on multiple computing devices, the host OS kernel 106, security agent 108, security agent component 110, process 118, memory 120, and processor 124 may be distributed among the multiple computing devices. An example of a computing device including the host OS kernel 106, security agent 108, security agent component 110, process 118, memory 120, and processor 124 is illustrated in FIG. 3 and described below with reference to that figure.

The computing device may implement multiple protection rings or privilege levels which provide different levels of access to system resources. For example, user-level 104 may be at an “outer” ring or level, with the least access (e.g., “ring 3”), kernel-level 102 may be at an “inner” ring or level, with greater access (e.g., “ring 0” or “ring 1”), and hypervisor-level 112 may be an “inner-most” ring or level (e.g., “ring −1” or “ring 0”), with greater access than kernel-level 102. Any component at the hypervisor-level 112 may be a hypervisor which sits “below” (and has greater access than) a host OS kernel 106.

The host OS kernel 106 may be a kernel of any sort of OS, such as a Windows® OS, a Unix OS, or any other sort of OS. Other OSes, referred to as “guest” OSes, may be implemented in virtual machines supported by the host OS. The host OS kernel 106 may provide access to hardware resources of the computing device, such as memory 120 and processor 124 for other processes of the computing device, such as process 118.

The security agent 108 may be a kernel-level security agent, which may monitor and record activity on the computing device, may analyze the activity, and may generate alerts and events and provide those alerts and events to a remote security service. The security agent 108 may be installed by and configurable by the remote security service, receiving, and applying while live, configurations of the security agent 108 and its component(s), such as security agent component 110. The configuration 114 may be an example of such a configuration. An example security agent 108 is described in greater detail in U.S. patent application Ser. No. 13/492,672, entitled “Kernel-Level Security Agent” and filed on Jun. 8, 2012, which issued as U.S. Pat. No. 9,043,903 on May 26, 2015.

The security agent component 110 may be a component of the security agent 108 that is executed at a hypervisor for the computing device at hypervisor-level 112. The security agent component 110 may perform hypervisor functions, such as adjusting privilege attributes (e.g., “read-write,” “read only,” “inaccessible,” etc.) of memory pages and managing system resources, such as memory 120. The security agent component 110 may perform at least some of its functions based on the configuration 114 of the security agent 108, which may include configuration settings for the security agent component 110. The security agent component 110 may also perform hypervisor functions to adjust the physical location of memory pages associated with memory 120.

The configuration 114 may comprise any of settings or system images for the security agent 108 and security agent component 110. As noted above, the configuration 114 may be received from a remote security service and may be applied by the security agent 108 and security agent component 110 without rebooting the computing device.

The data structure 116 may be a structure for storing processor state information. Such as data structure may be, for instance, a virtual machine control structure (VMCS). In some implementations, a subset of the settings in the data structure 116 may be set by the security agent 108 based on the OS. In such implementations, the security agent 108 may have different routines for different OSes, configuring the data structure 116 with different settings based on the OS. Such settings may typically be processor state settings which are invariant for a given OS. Other settings are then obtained from processor state settings 126. In other implementations, the security agent 108 may not have different routines for different OSes and may obtain all settings for the data structure 116 from the processor state settings 126.

In various implementations, the process 118 may be any sort of user-level 104 process of a computing device, such as an application or user-level 104 OS component. The process 118 may perform various operations, including issuing instructions for execution and making read, write, and execute requests of different memory locations. Such read, write, and execute requests may be addressed to virtual addresses, which may be mapped to physical addresses of memory pages by page tables of the OS kernel 106 or to further virtual addresses of extended or nested page tables, which are then mapped to physical addresses. Such processes 118 may include security exploits or be controlled by such exploits though vulnerabilities and may attempt malicious activity, such as privilege escalation or credential theft, through direct accesses of memory locations or indirect accesses utilizing, for example, vulnerabilities of the host OS kernel 106.

Memory 120 may be memory of any sort of memory device. As shown in FIG. 1, memory 120 may include multiple memory locations 122, the number of memory locations 122 varying based on the size of memory 120. The memory locations 122 may be addressed through addresses of memory pages and offsets, with each memory page including one or more memory locations. Privileges associated with memory locations 122, such as reading, writing, and executing may be set on a per-page granularity, with each memory page having a privilege attribute. Thus, memory locations 122 of a same page may have the same privileges associated with them. Examples of memory 120 are illustrated in FIG. 3 and described below in detail with reference to that figure.

The processor 124 may be any sort of processor, such as a central processing unit (CPU), a graphics processing unit (GPU), or both CPU and GPU, or other processing unit or component known in the art. The processor 124 may be associated with a data structure describing its state, the contents of which are referred to herein as the processor state settings 126. As described above, in some implementations, a subset of the processor state settings 126 may be invariant for a type of OS. Additionally, the processor 124 supports hardware-based virtualization (such as Intel™ VT-x) with second level address translation (SLAT).

In various implementations, the security agent 108 is configured to initiate execution of the security agent component 110 as a hypervisor. Such initiating may be performed without any rebooting of the computing device. As shown in FIG. 1, this initiating may involve, at 128, storing the processor state settings 126 in the data structure 116. If any of the processor state settings 126 are invariant, they may have already been included in the data structure 116 by the security agent 108 and thus do not need to be stored again. The initiating may then include, at 130, initiating the security agent component 110 based on the data structure 116. This may involve providing a reference to the security agent component 110 and the data structure 116 along with a “run” instruction.

Next, the security agent 108 determines, at 132, any memory locations 122 or instructions to be intercepted. The security agent 108 may utilize the configuration 114 provided by the security service to determine the memory locations 122 and instructions. Such memory locations 122 may include locations storing executable code or privilege information (e.g., indications of admin privileges) for a process or user credentials (e.g., passwords). As mentioned above, updates to the configuration 114 may be received and applied without rebooting. Upon receiving an update to the configuration 114, the security agent may repeat the determining at 132.

To free memory space, computing devices often clear memory mappings for memory pages which have not been recently accessed and write out their contents to disk, referred to as a page-out operation. When memory is accessed again, the contents are brought back from disk, referred to as a page-in operation. To ensure, then, that knowledge of memory locations 122 stays up-to-date, the security agent 108 may request that the OS kernel 106 lock page tables of mappings in page tables to memory pages which include the memory locations 122 that are to be intercepted. Alternatively, the security agent component 110 may intercept page out requests and prevent paging out of memory pages which include the memory locations 122 that are to be intercepted, or it may intercept page in requests in order to update its knowledge of memory locations 122 and repeat determining at 132.

In various implementations, the security agent component 110 then, at 134, sets intercepts for the instructions and memory locations 122 determined by the security agent 108. In some implementations, setting intercepts may involve determining the memory pages which include the determined memory locations 122 and setting privilege attributes for those pages. The privilege attribute chosen—e.g., “non-executable” or “read only” or “inaccessible”—may be a function of the memory accesses that the security agent 108 and security agent component 110 are configured to intercept. When a process 118 seeks to perform such a memory access—e.g., to execute code stored at a memory page marked “non-executable”—the security agent component 110 will receive notification.

In other implementations, setting intercepts may involve changing the physical memory location of the determined memory locations 122 to reference misleading, incorrect, or otherwise unusable data or code. When a process 118 seeks to perform such memory access—e.g., to read a memory page containing data at memory location 122, the data will instead by read from an alternate memory location.

In some implementations, upon termination of a process 118, the security agent component 110 may remove intercepts for memory locations 122 associated with the process 118. This may involve resetting privilege attributes for the memory pages including the memory locations 122 to their previous settings, or it may include resetting the physical memory location for the memory pages.

FIG. 1b illustrates an overview of a security agent and security agent component configured to determine whitelisted memory locations and to exclude memory pages that include those whitelisted memory locations from a set of memory pages including other, intercepted memory locations. As illustrated, the security agent component 110 may utilize whitelist component(s) and data 136, at 138, to determine whitelisted memory locations. The security agent component 110 then excludes memory pages having the whitelisted memory locations and, at 140, sets intercepts for the remaining memory locations that are not associated with the excluded memory pages. In other implementations, whitelisting may occur entirely or partly after the setting of intercepts, at the time of interception. In such implementations, the security agent component 110 may consult the whitelist for all or some part of the intercepted memory locations to determine whether the operation should be allowed. Whitelisting at the time of interception, rather than in advance (or in addition to advance whitelisting) allows the security service associated with the security agent component 110 to apply a more up-to-date whitelist.

In various implementations, the whitelist component(s) and data 136 may include a data structure, such as a list, received from a remote security service (e.g., as part of the security agent 108 configuration), an executable component, or both. For example, the whitelist component(s) and data 136 may comprise an executable component, such as a virtual address space manager, which categorizes address spaces of memory 120 into different regions, such as page tables, hyperspace, session-space, loader mappings, system-cache, PFN database, non-paged pool, paged pool, system PTEs, HAL heap, etc. These regions may be received in a specification from a remote security service or may be identified by the virtual address space manager based on their size and alignment specifications. Look-up tables, shadow page tables, or both, may be used to lookup the regions and identify which region a memory location 122 corresponds to, if any. Also, one of these regions, or a portion of a region, may be associated with a parameter whitelisting that region or portion of a region. In one implementation, the security agent component 110 may build or extend the whitelist component(s) and data 136 or memory regions based on memory access pattern(s) of known safe component(s).

In some implementations, one or more components of the computing device may be identified as known safe components. Such known safe components may, for instance, behave in a manner similar to a malicious process or thread, making it difficult to distinguish between the known safe component and malicious process strictly by behavior. If the known safe component is identified in advance, e.g., by the configuration 114 of the security agent 108, along with memory locations or memory regions associated with that known safe component, those memory locations or memory regions may be whitelisted, either by a component such as a virtual address space manager or in a list received from a remote security service.

As described above with respect to FIG. 1a, the security agent 108 may initiate the security agent component 110 as hypervisor and, at 132, identify memory locations 122 to be intercepted. In various implementations, once the memory locations 122 have been identified, the security agent component 110 may determine a set of memory pages that include the identified memory locations 122 and determine, at 138, any whitelisted memory locations. The determining of a set of memory pages is described above. To determine, at 138, the whitelisted memory locations, the security agent component 110 consults the whitelist component(s) and data 136. The security agent component 110 may, in some implementations, determine the set of memory pages for the identified memory locations 122 first and then determine whether any of those memory pages are associated with a whitelisted memory location or whitelisted memory region. Those whitelisted memory pages are then excluded by the security agent 110 from the set of memory pages. Alternatively, the security agent component 110 may compare the identified memory locations 122 to the whitelisted memory locations or whitelisted memory regions and then determine memory pages for any of the identified memory locations 122 that are not whitelisted. This set of memory pages with whitelisted memory locations not included is referred to herein as the set of remaining memory pages.

At 140, the security agent component 110 sets intercepts for the set of remaining memory pages. As described above, this may include setting privilege attributes for the memory pages included in the set of remaining memory pages.

Alternatively, or additionally, the security agent component 110 may, at the time of interception, determine whether a memory location is whitelisted. This comparison may be performed in addition to the whitelist comparison and exclusion described above, or in place of it, with all memory pages effectively included in the set of remaining memory pages.

FIG. 1c illustrates an overview of a security agent and security agent component configured to intercept debug registers and provide an operating-system-permitted result responsive to access by the operating system of the debug registers. As illustrated, at 142, the security agent component 110 may set intercepts for debug registers 144 and, at 146, note an access operation, such as a read operation, from the operating system (e.g., from the host OS kernel 106). At 148, the security agent component 110 then responds to the operating system's access operation with an operating-system-permitted value.

Debug register(s) 144 may be registers used by processor 124 for program debugging, among other possible uses. Processor 124 may be an x86 series processor and include, for example, six debug registers, two of which may be used for control and status. Each debug register 144 may store a memory address and may be associated with a condition that triggers a notification—e.g., reading to the memory address, writing from the memory address, executing code stored at the memory address.

In some implementations, the operating system of the computing device may prohibit the storing of memory addresses associated with kernel-mode code or data from being stored in a debug register 144. The operating system may query the debug register(s) 144 on some basis (e.g., periodic) to determine whether the debug register(s) 144 store non-permitted memory addresses.

In various implementations, the security agent 108 may store memory addresses in some or all of the available debug register(s) 144. The memory addresses stored in the debug register(s) 144 may be specified by the configuration 114 of the security agent 108.

In further implementations, at 142, the security agent component 110 (initiated by the security agent 108, as described above) then sets intercepts for the debug register(s) 144. Setting intercepts for the debug register(s) 144 may include setting intercepts for instructions for accessing the debug register(s) 144.

At 146, the security agent component 110 then notes an access operation, such as a read operation, from the operating system seeking to determine whether a debug register 144 stores an operating-system-permitted value. At 148, the security agent component 110 then responds to the operating system with an operating-system-permitted value. If the debug register 144 being read is storing a memory address not permitted by the operating system, the security agent component 110 may respond with a false, operating-system-permitted value.

In some implementations, when a process 118 attempts some access with respect to a memory address stored in a debug register 144 (e.g., reading, writing, executing, etc.), the security agent 108 is informed of the access and may respond in a manner specified by its configuration 114 (e.g., take some security action such as monitoring or killing the process 118, respond with a false indication of success, etc.).

In various implementations, the security agent 108 may also identify one or more of the memory addresses stored by the debug register(s) 144 as memory locations to be intercepted. The security agent component 110 then sets intercepts for those memory addresses by, e.g., determining the memory pages that include the memory addresses and setting privilege attributes for those memory pages. In this way, two methods may be used by the security agent 108 and security agent component 110 to detect operations associated with a memory address.

In further implementations, in addition to use of debug registers and page privilege attributes for certain memory addresses, the security agent 108 may identify other memory locations, and the security agent component 110 may set intercepts (e.g., page privilege attributes) for those other memory locations, as described above with respect to FIG. 1a.

FIG. 1d illustrates an overview of a security agent and security agent component configured to intercept control register(s) and respond to a write operation directed at one of the control registers with a false indication of success. As illustrated, at 150, the security agent component 110 sets intercepts on instructions for accessing control register(s) 152. The security agent component 110 then notes an access operation, at 154, and responds, at 156, with a false indication of success and/or with a security action.

Control registers 152 may be registers of the processor 124 which change or control the behavior of the processor 124 or another device. x86 series processors may include control registers such as CR0, CR2, CR3, and CR4, and x86-64 series processors may also include EFER and CR8 control registers. Such control registers may each have a specific or general purpose, and control registers 152 may include any, all, or none of these x86 series processor control registers.

In some implementations, at least one of the control registers 152 may include an on setting for a security feature of the computing device. For example, control registers 152 may include a CR4 register that stores an on setting for a security feature called Supervisor Mode Execution Prevention (SMEP). SMEP may prevent the processor 124 from executing code in a user mode memory range while the privilege of the processor 124 is still in kernel mode, essentially preventing kernel mode privilege escalation. If process 118 is a malicious process or thread operating in kernel mode, however, it is able to turn off SMEP, as any kernel mode process or thread can set the on setting in CR4 to an off value.

In further implementations, the security agent 108 may determine which of the control register(s) 152 to protect. For example, the configuration 114 of the security agent 108 may specify that the CR4 register of control register(s) 152 should be protected. At 150, then, the security agent component 110 (initiated by the security agent 108, as described above) may set intercepts for the control register(s) 152 that are to be protected. Setting intercepts for those control register(s) 152 may include, at 150, setting intercepts for instructions seeking to access those control register(s) 152.

In some implementations, at 154, the security agent component 110 then notes an instruction seeking to access one of the control register(s) 152, such as a write operation seeking to write an off value to a CR4 register to turn off a security feature. The security agent component 110 then responds, at 156, with a false indication of success or by initiating a security action (e.g., killing the process 118 that requested the write operation or monitoring that process 118).

FIGS. 2a-2b illustrate overviews of techniques for protecting memory locations through privilege attributes of pages while enabling operations on other memory locations associated with those pages. FIG. 2a includes a memory page 202 having at least memory location 204(a), memory location 204(b), memory location 204(c), and memory location 204(d), as well as privilege attribute 206. Further, a process 208, as shown, may make requests associated with the memory locations 204. Also, as shown in FIG. 2a, that privilege attribute 206 may be temporarily reset to privilege attribute 210. A process 208 may, at 212, request an operation not permitted by privilege attribute 206. Because the operation may be directed to memory location 204(a), which is not one of the memory locations determined by the security agent 108, the security agent component 110 may, at 214, temporarily reset the privilege attribute 206 to privilege attribute 210 to allow the operation to proceed.

In various implementations, memory page 202 may be an example of the memory pages discussed above with reference to memory 120, memory locations 204 may be examples of memory locations 122, and privilege attributes 206 and 210 may be examples of the privilege attributes discussed above with reference to memory 120. Further, process 208 may be an example of process 118.

Process 208 may request, at 212, an operation such as a read from or write to a memory location 204, or an execute operation to execute code stored at memory location 204. Upon noting the request, the security agent component 110 may determine the memory page 202 associated with the request as well as the specific memory location 204 on that memory page 202. The security agent component 110 then determines if the memory location is one of the memory locations identified by the security agent 108. In FIG. 2a, the memory location 204 identified by the security agent 108 is memory location 204(b), and the operation is a request associated with memory location 204(a). In such an example, if the operation does not conflict with the privilege attribute 206, the operation is allowed to proceed. If, on the other hand, the operation is not permitted by the privilege attribute, then the security agent component 110 may, at 212, temporarily reset the privilege attribute 206 to privilege attribute 210 to allow the operation to proceed. For example, if privilege attribute 206 is “inaccessible” (e.g., to prevent reads of user credentials stored at memory location 204(b)), the security agent component 110 may temporarily reset the privilege attribute 206 to be privilege attribute 210, which may be “read only.” Or in another example, if the privilege attribute 206 is “non-executable” (e.g., to prevent execution of code stored at memory location 204(b)), the security agent component 110 may temporarily reset the privilege attribute 206 to be privilege attribute 210, which may be “executable.” After the operation has been processed, the security agent component 110 may return the privilege attribute 210 to be privilege attribute 206.

FIG. 2b includes a memory page 202 having at least memory location 204(a), memory location 204(b), memory location 204(c), and memory location 204(d), as well as privilege attribute 206. A process 208, as shown, may make requests associated with the memory locations 204, and privilege attribute 206 may be temporarily reset to privilege attribute 210. As is further illustrated, copies of information stored in memory page 202 may be stored in a copy memory page 216. The copy memory page 216 may include copy memory location 218(a), which includes a copy of the information stored at memory location 204(a); copy memory location 218(c), which includes a copy of the information stored at memory location 204(c); and copy memory location 218(d), which includes a copy of the information stored at memory location 204(d). Rather than storing a copy of the information from memory location 204(b), the copy memory page 216 may include phony/false or deceptive data or code 220. The copy memory page 216 may also include a privilege attribute 222, which may represent elevated privileges when compared to privilege attribute 206.

As illustrated, the process 208 may, at 224, request an operation affecting memory location 204(b). Because 204(b) is one of the memory locations identified by the security agent 108, the security agent component 110 may respond in one of a number of ways. At 226, the security agent component 110 may temporarily reset the privilege attribute 206 to be privilege attribute 210 in order to allow the operation to proceed. The security agent component 110 may then also identify the process, thread, or component that made the request for the operation at 224 and may monitor further activity of that process, thread, or component or terminate that process, thread, or component. Alternatively, the security agent component 110 may, at 228 generate copy memory page 216, including the phony/false or deceptive data or code 220, and may, at 230, allow the process 208 to access the phony/false or deceptive data or code 220.

Process 208 may request, at 224, an operation such as a read from or write to a memory location 204 or an execute operation to execute code stored at a memory location 204. Upon noting the request, the security agent component 110 may determine the memory page 202 associated with the request as well as the specific memory location 204 on that memory page 202. The security agent component 110 then determines whether the memory location is one of the memory locations identified by the security agent 108. In FIG. 2b, the memory location 204 identified by the security agent 108 is memory location 204(b), and the operation is a request associated with memory location 204(b). Accordingly, the security agent component 110 determines that the memory location 204(b) is one of the memory locations identified by the security agent 108. In response, the security agent component 110 may take no action, which may result in the computing device crashing and rebooting. Alternatively, the security agent component may take action to allow the operation and monitor further operation, allow the operation to occur on phony/false or deceptive data or code 220, or to provide a false indication of success to the process 208.

In a first example, the operation request at 224 may be a write operation to modify privilege information stored at memory location 204(b). In response to the request for the write operation, the security agent component 110 may allow the operation to proceed by temporarily resetting, at 226, the privilege attribute 206 to be privilege attribute 210. The security agent component 110 may also identify the process, thread, or component that made the request for the write operation (i.e., process 208) and may monitor further activity of that process, thread, or component. Alternatively, the security agent component 110 may copy, at 228, the contents of memory page 202 to copy memory page 216, set the privilege attribute 222 to read-write, and temporarily redirect from memory page 202 to copy memory page 216. The security agent component 110 may then allow the write operation to proceed, and the process 208 may modify the copy memory page 216 and receive an indication of success. The security agent component 110 may then return mapping to point to memory page 202. Thus, the memory location 204(b) is protected, the process 208 is tricked into thinking it succeeded, and both objectives are achieved without the computing device crashing.

In a second example, the operation request at 224 may be a read operation to obtain user credentials stored at memory location 204(b). In response to the request for the read operation, the security agent component 110 may allow the operation to proceed by temporarily resetting, at 226, the privilege attribute 206 to be privilege attribute 210. The security agent component 110 may also identify the process, thread, or component that made the request for the read operation (i.e., process 208) and may monitor further activity of that process, thread, or component. Alternatively, the security agent component 110 may copy, at 228, the contents of memory page 202 to copy memory page 216, set the privilege attribute 222 to read only, and temporarily redirect from memory page 202 to copy memory page 216. In addition to copying the contents of memory page 202, the security agent component 110 may store phony/false or deceptive data 220 at the same offset in copy memory page 216 as the memory location 204(b) is in memory page 202. The security agent component 110 then allows the read operation to proceed, and the process 208 read the phony/false or deceptive data 220. After the read operation, the security agent component 110 may then return mapping to point to memory page 202. If the process 208 obtained deceptive data 220, such as a username and password for a monitored account, then future use of that username and password may trigger monitoring by the security agent 108 and/or the security agent component 110.

In a third example, the operation request at 224 may be an execute operation to execute code stored at memory location 204(b). In response to the request for the execute operation, the security agent component 110 may allow the operation to proceed by temporarily resetting, at 226, the privilege attribute 206 to be privilege attribute 210. The security agent component 110 may also identify the process, thread, or component that made the request for the execute operation (i.e., process 208) and may monitor further activity of that process, thread, or component.

Alternatively, the security agent component 110 may copy, at 228, the contents of memory page 202 to copy memory page 216, set the privilege attribute 222 to execute, and temporarily redirect from memory page 202 to copy memory page 216. The security agent component 110 may then allow the execute operation to proceed, and the process 208 may execute false code stored at copy memory page 216 and receive an indication of success. The security agent component 110 may then return mapping to point to memory page 202. Thus, the memory location 204(b) is protected, the process 208 is tricked into thinking it succeeded, and both objectives are achieved without the computing device crashing.

In a further alternative, rather than allowing and monitoring or redirecting, the security agent component 110 may prohibit the execute action and/or kill the process that requested the execute operation (or a process deemed by the security service to be responsible for that execute operation).

Example System

FIG. 3 illustrates a component level view of a computing device configured with a security agent and security agent component configured to execute as a hypervisor. As illustrated, computing device 300 comprises a memory 302 storing a security agent 304, a security agent component 306, page tables 308, user credentials 310, privilege information 312, an OS 314, processes and data 316, and whitelist component(s) and data 318. Also, computing device 300 includes processor(s) 320 with register(s) 322, a removable storage 324 and non-removable storage 326, input device(s) 328, output device(s) 330 and communication connections 332 for communicating with other computing devices 334.

In various embodiments, memory 302 is volatile (such as RAM), non-volatile (such as ROM, flash memory, etc.) or some combination of the two. Memory 302 may be an example of memory 120, which is described above in detail with respect to FIG. 1. The security agent 304 may be an example of security agent 108, which is described above in detail with respect to FIG. 1. The security agent component 306 may be an example of security agent component 110, which is described above in detail with respect to FIG. 1. Page tables 308 may be any sort of page tables, such as page tables mapping virtual addresses to physical addresses of memory pages. Uses of such page tables 308 are described above in detail with respect to FIG. 1 and FIGS. 2a-2b. User credentials 310 may be any sort of user credentials, such as user names and passwords for one or more processes or components. Privilege information 312 may be indications of privileges, such as admin privileges for processes, threads, user accounts, etc. The OS 314 may be any sort of OS, such as the host OS kernel 106 described above in detail with respect to FIG. 1. The processes and data 316 may be any sort of processes and data, such as process 118, which is described above in detail with respect to FIG. 1, or process 208, which is described above in detail with respect to FIGS. 2a-2b. The whitelist component(s) and data 318 may be any sort of components and data, such as whitelist component(s) and data 136, which is described above in detail with respect to FIG. 1b.

In some embodiments, the processor(s) 320 is a central processing unit (CPU), a graphics processing unit (GPU), or both CPU and GPU, or other processing unit or component known in the art. Processor 320 supports hardware-based virtualization (such as Intel™ VT-x) with second level address translation (SLAT). Processor(s) 320 may be an example of processor 124, which is described above in detail with respect to FIGS. 1a-1d. Also, processor 320 may include one or more processor register(s) 322. Processor register(s) 322 may be example(s) of either or both of the debug registers 144, which are described above in detail with respect to FIG. 1c, or the control registers 152, which are described above in detail with respect to FIG. 1d.

Computing device 300 also includes additional data storage devices (removable and/or non-removable) such as, for example, magnetic disks, optical disks, or tape. Such additional storage is illustrated in FIG. 3 by removable storage 324 and non-removable storage 326. Non-transitory computer-readable media may include volatile and nonvolatile, removable and non-removable tangible, physical media implemented in technology for storage of information, such as computer readable instructions, data structures, program modules, or other data. System memory 302, removable storage 324 and non-removable storage 326 are all examples of non-transitory computer-readable media. Non-transitory computer-readable media include, but are not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other tangible, physical medium which can be used to store the desired information and which can be accessed by the computing device 300. Any such non-transitory computer-readable media may be part of the computing device 300.

Computing device 300 also has input device(s) 328, such as a keyboard, a mouse, a touch-sensitive display, voice input device, etc., and output device(s) 330 such as a display, speakers, a printer, etc. These devices are well known in the art and need not be discussed at length here.

Computing device 300 also contains communication connections 332 that allow the computing device 300 to communicate with other computing devices 334, such as device(s) of a remote security service.

Example Processes

FIGS. 4-5 illustrate example processes 400 and 500. These processes are illustrated as logical flow graphs, each operation of which represents a sequence of operations that can be implemented in hardware, software, or a combination thereof. In the context of software, the operations represent computer-executable instructions stored on one or more computer-readable storage media that, when executed by one or more processors, perform the recited operations. Generally, computer-executable instructions include routines, programs, objects, components, data structures, and the like that perform particular functions or implement particular abstract data types. The order in which the operations are described is not intended to be construed as a limitation, and any number of the described operations can be combined in any order and/or in parallel to implement the processes.

FIG. 4 illustrates an example process for initiating execution of a security agent component as a hypervisor for a computing device, determining memory locations of the computing device to be intercepted, and setting intercepts for the determined memory locations. The process 400 includes, at 402, a security agent on a computing device initiating a security agent component as a hypervisor for the computing device. The initiating may include, at 404, storing processor state settings in a data structure and, at 406, instructing a processor of the computing device to initiate the security agent component as the hypervisor based on the data structure. In some implementations, the security agent may include different routines for different operating systems, each of the different routines fixing as invariant a part of the data structure associated with the respective different operating system.

At 408, the security agent may then determine a subset of memory locations in the memory to be intercepted. At 410, the security agent may determine the subset based on a security agent configuration received from a security service.

At 412, the security agent may request that an operating system kernel of the computing device lock page table mappings of the memory locations of the subset of memory location.

At 414, the security agent may determine instructions to be intercepted and, at 416, the security agent component mat set intercepts for the determined instructions. The operations at 414 and 416 may also be performed before the operations show at 408-412 or concurrently with those operations.

At 418, the security agent component may set intercepts for memory locations of the determined subset of memory locations. At 420, setting the intercepts may include setting privilege attributes for pages which include the memory locations of the determined subset of memory locations, or it may include changing the physical memory location of such pages.

At 422, the security agent may receive an updated security agent configuration and, without rebooting, repeat the determining of the subset of memory locations at 408 and cause the security agent component to repeat the setting of the intercepts at 418.

At 424, the security agent component may remove intercepts corresponding to a process upon termination of the process.

FIG. 5 illustrates an example process for protecting memory locations through privilege attributes of pages while enabling operations on other memory locations associated with those pages. The process 500 includes, at 502, identifying memory locations of a subset of memory locations in memory of the computing device to be intercepted. In some implementations, the identified memory locations include a memory location associated with privileges for a process. In further implementations, the identified memory locations include a memory location associated with user credentials.

At 504, pages of the memory which include the identified memory locations may then be determined.

At 506, privilege attributes of the pages may then be set to prevent specific types of operations from affecting the memory locations. When the identified memory locations include a memory location associated with privileges for a process, the specific types of operations may include write operations and the setting includes setting the privilege attribute for the page including the memory location to a read only value to prevent writes to the memory location. When the identified memory locations include a memory location associated with user credentials, the specific types of operations may include read operations and setting includes setting the privilege attribute for the page including the memory location to an inaccessible value to prevent reads of the memory location.

At 508, an operation affecting another memory location associated with one of the pages which differs from the identified memory location associated with that page may be noted.

At 510, the privilege attribute of the one of the pages may then be temporarily reset to allow the operation.

Before, during, or after the operations shown at 508-510, an operation affecting the identified memory location may, at 512, be noted.

At 514, a process, thread, or module that requested the operation may then be identified.

At 516, responsive to noting the operation at 512, the privilege attribute of the page including the one of the identified memory locations may be temporarily reset to allow the operation. At 518, after temporarily resetting the privilege attribute, activities of the process, thread, or module may be monitored.

At 520, responsive to noting the operation at 512, a false indication of success for the operation may be returned. At 522, returning the false indication of success includes allowing the write operation to an alternate memory location and returning an indication that the write operation was successful. At 524, the read operation may be redirected to be performed on an alternate memory location storing false or deceptive user credentials. At 526, use of the deceptive credentials may then be monitored. In some implementations, redirecting to an alternate memory location may involve copying contents of the page including the identified memory location to a page which includes the alternate memory location storing the false or deceptive user credentials.

FIG. 6 illustrates an example process for determining memory locations to be intercepted and setting privilege attributes for memory pages including those memory locations, including setting a memory page to non-executable. The process 600 includes, at 602, a security agent on a computing device initiating a security agent component as a hypervisor for the computing device. The initiating may include, at 604, storing processor state settings in a data structure and, at 606, instructing a processor of the computing device to initiate the security agent component as the hypervisor based on the data structure.

At 608, the security agent may then identify memory locations in the memory to be intercepted. At 610, the security agent may identify those memory locations based on a security agent configuration received from a security service.

At 612, the security agent component then determines pages of memory that include the identified memory locations and sets privilege attributes for those pages to prevent specific types of access to the memory locations. For example, at 614, the security agent component may set at least one of the pages to non-executable to prevent execution of code stored at an identified memory location included in that page.

At 616, the security agent component may note an operation affecting another memory location associated with one of the pages which differs from an identified memory location associated with that page. For instance, the operation may involve execution of code stored at the other memory location. At 618, the security agent component may then temporarily reset the privilege attribute of the page to allow the execution of the code stored at the other memory location.

Alternatively, or additionally, at 620, the security agent component may return a false indication of success to a process seeking to execute the code stored at an identified memory location.

Alternatively, or additionally, at 622, the security agent component may cause an execute operation intended for the code stored at an identified memory location to be performed on other code stored at an alternate memory location.

Alternatively, or additionally, at 624, the security agent component may prohibit the execute operation and/or kill the process the executed or is deemed responsible for the execute operation.

FIG. 7 illustrates an example process for determining that a memory location is whitelisted and excluding memory page(s) that include the whitelisted memory location from a set of pages to be intercepted. The process 700 includes, at 702, a security agent on a computing device initiating a security agent component as a hypervisor for the computing device and identifying memory locations in memory of the computing device to be intercepted.

At 704, the security agent component determines a set of pages of the memory, each of the pages include at least one of the identified memory locations.

At 706, the security agent component then determines that one of the memory locations is a whitelisted memory location. At 708, the determining may include consulting a component or list identifying different memory regions of the memory and indicating which memory regions are whitelisted. At 710, the determining may additionally or alternatively include receiving the list of different memory regions that are whitelisted from a security service. At 712, the determining may additionally or alternatively include building a list of whitelisted memory locations based on memory accesses of a known safe component.

At 714, the security agent component then excludes one or more pages that include a whitelisted memory location from the set of pages.

At 716, the security agent component then sets privilege attributes for remaining pages of the set of pages to prevent specific types of operations from affecting memory locations included in those pages.

At 718, the security agent component notes an operation effecting a memory location included in a remaining page of the set of pages, determines whether the memory location is a whitelisted memory location, and, in response to determining that the memory location is a whitelisted memory location, permits the operation.

FIG. 8 illustrates an example process for intercepting accesses of debug registers and, when such accesses are from the operating system, responding with operating-system-permitted values. The process 800 includes, at 802, a security agent on a computing device storing memory addresses in debug registers. At 804, such memory addresses may include memory addresses not permitted in a debug register by the operating system of the computing device. Such a memory address not permitted by the operating system to be stored in the debug registers may, for example, be associated with a kernel-mode component. Further, the security agent may initiate a security agent component as a hypervisor for the computing device.

At 806, the security agent component sets intercepts for the debug registers. At 808, setting the intercepts may include setting intercepts for instructions seeking to read the debug registers.

At 810, the security agent component notes a read operation from the operating system attempting to read one of the debug registers. At 812, in response to noting the read operation, the security agent component returns an operating-system-permitted value for the one of the debug registers to the operating system.

At 814, the security agent component may note a read operation from malware attempting to read one of the memory addresses stored in a corresponding one of the debug registers and, at 816, in response, return a false value to the malware or perform a security action.

At 818, the security agent component may further set intercepts for the memory addresses stored in the debug registers. At 820, the setting may include setting privilege attributes for memory pages which include the memory addresses.

At 822, the security agent may further identify other memory locations to be intercepted, and the security agent component may set privilege attributes for memory pages that include the other memory locations.

FIG. 9 illustrates an example process for intercepting instructions for accessing control registers. The process 900 includes, at 902, a security agent on a computing device initiating a security agent component as a hypervisor for the computing device.

At 904, the security agent then determines control registers of the computing device to be protected. Such control registers may include, at 906, a control register storing an on setting for a security feature of the computing device.

At 906, the security agent component then sets intercepts for instructions for performing write operations on the control registers.

At 908, the security agent component further notes a write operation seeking to write an off value to the control register storing the on setting for the security feature. At 910, the security agent component responds to the write operation with a false indication that the security feature has been set to the off value, kills the process or thread requesting the write operation, and/or remembers the fact that the process or thread requested the write operation, which can be used for further analysis.

CONCLUSION

Although the subject matter has been described in language specific to structural features and/or methodological acts, it is to be understood that the subject matter defined in the appended claims is not necessarily limited to the specific features or acts described. Rather, the specific features and acts are disclosed as exemplary forms of implementing the claims.

Claims

1. A computer-implemented method comprising: storing memory addresses of control registers of an operating system of the computing device in debug registers or model specific registers (MSRs) of the computing device, the memory addresses including a memory address not permitted by the operating system to be stored in the debug registers or MSRs;determining control registers to be protected;setting intercepts for the memory addresses stored in the debug registers or MSRs;monitoring a read operation from malware attempting to read one of the memory addresses stored in a corresponding one of the debug registers or MSRs;
2. The computer-implemented method of claim 1, further comprising setting privilege attributes for memory pages which include the memory addresses.
3. The computer-implemented method of claim 2, further comprising identifying other memory locations to be intercepted and setting privilege attributes for memory pages that include the other memory locations.
4. The computer-implemented method of claim 1, wherein setting the intercepts for the memory addresses stored in the debug registers or MSRs comprises setting intercepts for instructions seeking to read the debug registers or MSRs.
5. The computer-implemented method of claim 1, wherein the memory address not permitted by the operating system to be stored in the debug registers or MSRs is associated with a kernel-mode component.
6. The computer-implemented method of claim 1, wherein in response to monitoring the write operation attempting to write the off value to the one of the control registers further comprises at least one of: killing the write operation, or remembering that the process sought to write the off value.
7. The computer-implemented method of claim 6, wherein the one of the control registers includes an on setting for a security feature of the operating system.
8. The computer-implemented method of claim 1, wherein the computer-implemented method is performed by a security agent on the computing device.
9. The computer-implemented method of claim 8, wherein the security agent initiates a security agent component as a hypervisor for the computing device.
10. The computer-implemented method of claim 1, further comprising: monitoring a read operation from the operating system attempting to read one of the debug registers or MSRs; andin response to monitoring the read operation from the operating system, returning an operating-system-permitted value corresponding to a memory address permitted by the operating system for the one of the debug registers or MSRs to the operating system.
11. A non-transitory computer-readable medium having stored thereon executable instructions which, when executed by a computing device, cause the computing device to perform operations comprising: storing memory addresses of control registers of an operating system of the computing device in debug registers or model specific registers (MSRs) of the computing device, the memory addresses including a memory address not permitted by the operating system to be stored in the debug registers or MSRs;determining control registers to be protected;setting intercepts for the memory addresses stored in the debug registers or MSRs;monitoring a read operation from malware attempting to read one of the memory addresses stored in a corresponding one of the debug registers or MSRs;
12. The non-transitory computer-readable medium of claim 11, wherein the operations further comprise setting privilege attributes for memory pages which include the memory addresses.
13. The non-transitory computer-readable medium of claim 12, wherein the operations further comprise identifying other memory locations to be intercepted and setting privilege attributes for memory pages that include the other memory locations.
14. The non-transitory computer-readable medium of claim 11, wherein setting the intercepts for the debug registers or MSRs comprises setting intercepts for instructions seeking to read the debug registers or MSRs.
15. The non-transitory computer-readable medium of claim 11, wherein the memory address not permitted by the operating system to be stored in the debug registers or MSRs is associated with a kernel-mode component.
16. The non-transitory computer-readable medium of claim 11, wherein the operations further comprise: monitoring a read operation from the operating system attempting to read one of the debug registers or MSRs; and in response to monitoring the read operation from the operating system, returning an operating-system-permitted value corresponding to a memory address permitted by the operating system for the one of the debug registers or MSRs to the operating system.
17. A computing device comprising: a processor; andmemory coupled to the processor, the memory storing thereon executable instructions which, when executed by processor, cause the processor to perform operations, the operations comprising: storing memory addresses of control registers of an operating system of the computing device in debug registers or model specific registers (MSRs) of the computing device, the memory addresses including a memory address not permitted by the operating system to be stored in the debug registers or MSRs;determining control registers to be protected;setting intercepts for the memory addresses stored in the debug registers or MSRs;monitoring a read operation from malware attempting to read one of the memory addresses stored in a corresponding one of the debug registers or MSRs;in response to monitoring the read operation from the malware attempting to read the one of the memory addresses: returning deceptive data to the malware that provides a false indication of success to the malware, andperforming a security action including killing the read operation from the malware;monitoring a write operation attempting to write an off value to one of the control registers to be protected, the off value turning off a security feature that prevents a processor of the operating system from performing write operations on the control registers;in response to monitoring the write operation attempting to write the off value to the one of the control registers to be protected: allowing the write operation to write the off value to an alternate memory location different from the memory addresses of the control registers, andreturning a false indication that the security feature has been set to the off value.
18. The computing device of claim 17, wherein the operations are performed by a security agent on the computing device, and the security agent initiates a security agent component as a hypervisor for the computing device.

RELATED APPLICATIONS

This patent application is a continuation-in-part of U.S. Non-Provisional patent application Ser. No. 15/063,086, filed on Mar. 7, 2016. application Ser. No. 15/063,086 is hereby incorporated by reference, in its entirety.

US Referenced Citations (964)

Number	Name	Date	Kind
4564903	Guyette	Jan 1986	A
4783731	Miyazaki	Nov 1988	A
4787031	Karger et al.	Nov 1988	A
5179690	Ishikawa	Jan 1993	A
5239634	Buch	Aug 1993	A
5414851	Brice, Jr.	May 1995	A
5774686	Hammond et al.	Jun 1998	A
5854912	Mahalingaiah	Dec 1998	A
5909696	Reinhardt et al.	Jun 1999	A
5940876	Pickett	Aug 1999	A
6000002	Bonitz	Dec 1999	A
6044430	Macdonald	Mar 2000	A
6076156	Pickett et al.	Jun 2000	A
6154818	Christie	Nov 2000	A
6173404	Colburn et al.	Jan 2001	B1
6226749	Carloganu et al.	May 2001	B1
6275879	Goodfellow	Aug 2001	B1
6408386	Hammond et al.	Jun 2002	B1
6516395	Christie	Feb 2003	B1
6711673	Mitchell et al.	Mar 2004	B1
6807622	McGrath	Oct 2004	B1
6823433	Barnes et al.	Nov 2004	B1
6854039	Strongin et al.	Feb 2005	B1
6880068	McGrath	Apr 2005	B1
6889312	McGrath et al.	May 2005	B1
6898697	Gao et al.	May 2005	B1
6968446	McGrath	Nov 2005	B1
6986052	Mittal	Jan 2006	B1
7043616	McGrath	May 2006	B1
7082507	Christie et al.	Jul 2006	B1
7096491	Cheng	Aug 2006	B2
7130951	Christie et al.	Oct 2006	B1
7426644	Strongin et al.	Sep 2008	B1
7464255	Tan et al.	Dec 2008	B1
7478237	Costea et al.	Jan 2009	B2
7493498	Schmidt et al.	Feb 2009	B1
7496727	Ludloff et al.	Feb 2009	B1
7561571	Lovett	Jul 2009	B1
7571318	Strongin et al.	Aug 2009	B2
7571482	Polyakov	Aug 2009	B2
7633955	Saraiya	Dec 2009	B1
7664110	Lovett	Feb 2010	B1
7685281	Saraiya	Mar 2010	B1
7818808	Neiger et al.	Oct 2010	B1
7843906	Chidambaram	Nov 2010	B1
7843907	Abou-Emara	Nov 2010	B1
7860097	Lovett	Dec 2010	B1
7860961	Finkelstein	Dec 2010	B1
7865893	Omelyanchuk	Jan 2011	B1
7873693	Mehrotra	Jan 2011	B1
7895573	Bhargava	Feb 2011	B1
7895655	Saito	Feb 2011	B2
7953903	Finkelstein	May 2011	B1
7990994	Yeh	Aug 2011	B1
7992144	Hendel	Aug 2011	B1
7996836	McCorkendale et al.	Aug 2011	B1
8065712	Cheng	Nov 2011	B1
8117554	Grechishkin	Feb 2012	B1
8127098	Klaiber	Feb 2012	B1
8132003	Durham et al.	Mar 2012	B2
8136158	Sehr et al.	Mar 2012	B1
8145785	Finkelstein	Mar 2012	B1
8176336	Mao	May 2012	B1
8250653	Wang et al.	Aug 2012	B2
8266633	Saulsbury	Sep 2012	B1
8285999	Ghose et al.	Oct 2012	B1
8341736	Reasor	Dec 2012	B2
8353031	Rajan	Jan 2013	B1
8381284	Dang et al.	Feb 2013	B2
8386788	Kozuch et al.	Feb 2013	B2
8448165	Conover	May 2013	B1
8473724	Kenville et al.	Jun 2013	B1
8490086	Cook	Jul 2013	B1
8510369	Ekke et al.	Aug 2013	B1
8510756	Koryakin	Aug 2013	B1
8566944	Peinado	Oct 2013	B2
8607009	Nicholas et al.	Dec 2013	B2
8621628	Zeitlin	Dec 2013	B2
8656482	Tosa	Feb 2014	B1
8689333	Aziz	Apr 2014	B2
8738860	Griffin	May 2014	B1
8793787	Ismael	Jul 2014	B2
8832820	Barjatiya et al.	Sep 2014	B2
8832829	Manni	Sep 2014	B2
8844036	Saidi	Sep 2014	B2
8850571	Staniford	Sep 2014	B2
8881145	Chiueh	Nov 2014	B2
8881282	Aziz	Nov 2014	B1
8893258	Rao et al.	Nov 2014	B2
8893300	Ramachandran	Nov 2014	B2
8904477	Barton	Dec 2014	B2
8924964	Kodi	Dec 2014	B2
8938723	Tormasov	Jan 2015	B1
8955115	Sabetta et al.	Feb 2015	B2
8984478	Epstein	Mar 2015	B2
8990944	Singh	Mar 2015	B1
8990946	Yarykin	Mar 2015	B1
8996807	Joshi	Mar 2015	B2
8997219	Staniford	Mar 2015	B2
9003402	Carbone	Apr 2015	B1
9003533	Gummerman	Apr 2015	B1
9009822	Ismael	Apr 2015	B1
9009823	Ismael	Apr 2015	B1
9009836	Yarykin	Apr 2015	B1
9015838	Northup	Apr 2015	B1
9021498	Thimmappa	Apr 2015	B1
9043580	Henry et al.	May 2015	B2
9047463	Porras	Jun 2015	B2
9053216	Coleman	Jun 2015	B1
9064130	Asheghian	Jun 2015	B1
9075720	Blinick et al.	Jul 2015	B2
9087189	Koeten et al.	Jul 2015	B1
9088569	Arroyo	Jul 2015	B2
9092625	Kashyap	Jul 2015	B1
9104544	Uchronski	Aug 2015	B1
9104867	Thioux	Aug 2015	B1
9128743	Bondalapati	Sep 2015	B1
9135038	Uchronski	Sep 2015	B1
9148428	Banga	Sep 2015	B1
9159035	Ismael	Oct 2015	B1
9171146	Vipat	Oct 2015	B2
9172724	Reddy	Oct 2015	B1
9176843	Ismael	Nov 2015	B1
9177153	Perrig et al.	Nov 2015	B1
9178904	Gangadharan	Nov 2015	B1
9183028	Brandwine	Nov 2015	B1
9183399	Muff et al.	Nov 2015	B2
9201677	Joshi	Dec 2015	B2
9203855	Mooring et al.	Dec 2015	B1
9203862	Kashyap	Dec 2015	B1
9213567	Barde	Dec 2015	B2
9223966	Satish	Dec 2015	B1
9223972	Vincent	Dec 2015	B1
9223980	Bao	Dec 2015	B1
9244705	Bondalapati	Jan 2016	B1
9251343	Vincent	Feb 2016	B1
9262635	Paithane	Feb 2016	B2
9274823	Koryakin	Mar 2016	B1
9274839	Schluessler	Mar 2016	B2
9274974	Chen	Mar 2016	B1
9292350	Pendharkar et al.	Mar 2016	B1
9294501	Mesdaq	Mar 2016	B2
9300686	Pidathala	Mar 2016	B2
9300693	Manmohan	Mar 2016	B1
9311126	Edwards	Apr 2016	B2
9317452	Forschmiedt	Apr 2016	B1
9342550	Manmohan	May 2016	B1
9354906	Uchronski	May 2016	B1
9355247	Thioux	May 2016	B1
9356944	Aziz	May 2016	B1
9378044	Gaurav	Jun 2016	B1
9383934	Lukacs	Jul 2016	B1
9386021	Pratt	Jul 2016	B1
9398028	Karandikar et al.	Jul 2016	B1
9424058	Wasson	Aug 2016	B1
9424155	Pizel	Aug 2016	B1
9430646	Mushtaq	Aug 2016	B1
9436751	Serebrin	Sep 2016	B1
9438634	Ross	Sep 2016	B1
9460284	Hajmasan	Oct 2016	B1
9465617	Warkentin	Oct 2016	B1
9467476	Shieh	Oct 2016	B1
9501137	Kruglick	Nov 2016	B2
9503482	Hugenbruch et al.	Nov 2016	B1
9531735	Lukacs	Dec 2016	B1
9536084	Lukacs	Jan 2017	B1
9536091	Paithane	Jan 2017	B2
9542554	Salsamendi	Jan 2017	B1
9552481	Guo	Jan 2017	B1
9558051	Taylor	Jan 2017	B1
9563464	Ramasubramanian	Feb 2017	B1
9563569	Tsirkin	Feb 2017	B2
9565202	Kindlund	Feb 2017	B1
9571509	Satish	Feb 2017	B1
9575781	Suit	Feb 2017	B1
9594598	Brouwer	Mar 2017	B1
9594904	Jain	Mar 2017	B1
9594912	Thioux	Mar 2017	B1
9596261	Lukacs	Mar 2017	B1
9600664	Roth	Mar 2017	B1
9612966	Joshi	Apr 2017	B2
9613211	Chen	Apr 2017	B1
9619393	B T	Apr 2017	B1
9626509	Khalid	Apr 2017	B1
9628507	Haq	Apr 2017	B2
9639379	Suit	May 2017	B1
9648045	Mooring et al.	May 2017	B2
9652615	Watson	May 2017	B1
9659182	Roundy	May 2017	B1
9672354	Lutas	Jun 2017	B2
9679134	Jing	Jun 2017	B1
9680805	Rodgers	Jun 2017	B1
9686171	Vemuri	Jun 2017	B1
9690606	Ha	Jun 2017	B1
9690936	Malik	Jun 2017	B1
9697026	Liu	Jul 2017	B1
9747172	Epstein	Aug 2017	B2
9747446	Pidathala	Aug 2017	B1
9753758	Oldenburg	Sep 2017	B1
9754109	Parker-Wood	Sep 2017	B1
9756069	Li	Sep 2017	B1
9792131	Uchronski	Oct 2017	B1
9792431	Dalal et al.	Oct 2017	B1
9805193	Salsamendi	Oct 2017	B1
9811658	Martini	Nov 2017	B2
9824209	Ismael et al.	Nov 2017	B1
9846588	Ghosh	Dec 2017	B2
9881157	Lukacs et al.	Jan 2018	B1
9912681	Ismael	Mar 2018	B1
9921860	Banga	Mar 2018	B1
9921978	Chan	Mar 2018	B1
9922192	Kashyap	Mar 2018	B1
9934376	Ismael	Apr 2018	B1
9935829	Miller	Apr 2018	B1
9942268	Danileiko	Apr 2018	B1
9959188	Krishnan	May 2018	B1
9959214	Habusha	May 2018	B1
9959224	Serebrin	May 2018	B1
9973531	Thioux	May 2018	B1
9996279	Gonzalez Diaz et al.	Jun 2018	B2
9996370	Khafizov	Jun 2018	B1
10033747	Paithane	Jul 2018	B1
10033759	Kabra	Jul 2018	B1
10049211	Lukacs	Aug 2018	B1
10051008	Mooring et al.	Aug 2018	B2
10061915	Roth	Aug 2018	B1
10095530	Banga	Oct 2018	B1
10103959	Klein	Oct 2018	B2
10104185	Sharifi Mehr et al.	Oct 2018	B1
10116688	Yun	Oct 2018	B1
10133863	Bu	Nov 2018	B2
10140454	Spath	Nov 2018	B1
10152600	Rozas et al.	Dec 2018	B2
10162665	Eidelman	Dec 2018	B1
10181034	Harrison et al.	Jan 2019	B2
10192052	Singh	Jan 2019	B1
10210031	Chiueh	Feb 2019	B2
10242185	Goradia	Mar 2019	B1
10303879	Potlapally	May 2019	B1
10310696	Taylor	Jun 2019	B1
10417025	Bosch	Sep 2019	B2
10423435	Khafizov et al.	Sep 2019	B1
10440000	Kumar et al.	Oct 2019	B2
10445516	Mao	Oct 2019	B1
10452837	Roth	Oct 2019	B1
10474589	Raskin	Nov 2019	B1
10474813	Ismael	Nov 2019	B1
10491574	Jung	Nov 2019	B1
10515019	Iyigun	Dec 2019	B1
10515214	Vincent	Dec 2019	B1
10540524	Dementiev	Jan 2020	B2
10616127	Suit	Apr 2020	B1
10642501	Patel	May 2020	B1
10684908	Poledna	Jun 2020	B2
10846145	Xu	Nov 2020	B2
10963280	Kaplan	Mar 2021	B2
11003577	Kazama	May 2021	B2
11120406	Mody	Sep 2021	B2
11150927	Sharifi Mehr et al.	Oct 2021	B1
11227056	Tang	Jan 2022	B2
11593482	Ahmed	Feb 2023	B2
11635960	DeHon	Apr 2023	B2
11640689	Nikitenko	May 2023	B1
11783055	Hoogerbrugge	Oct 2023	B2
12057959	Konda	Aug 2024	B2
20010044891	McGrath et al.	Nov 2001	A1
20020019902	Christie	Feb 2002	A1
20020124194	Dawkins	Sep 2002	A1
20020169979	Zimmer	Nov 2002	A1
20020194389	William et al.	Dec 2002	A1
20030033507	McGrath	Feb 2003	A1
20030093579	Zimmer et al.	May 2003	A1
20030093686	Barnes et al.	May 2003	A1
20030126349	Nalawadi et al.	Jul 2003	A1
20030135504	Elvanoglu et al.	Jul 2003	A1
20040117539	Bennett et al.	Jun 2004	A1
20040123288	Bennett et al.	Jun 2004	A1
20050027914	Hammalund et al.	Feb 2005	A1
20050076186	Traut	Apr 2005	A1
20050223199	Grochowski et al.	Oct 2005	A1
20050228631	Maly et al.	Oct 2005	A1
20050228980	Brokish et al.	Oct 2005	A1
20050246453	Erlingsson	Nov 2005	A1
20060010282	Kim	Jan 2006	A1
20060026385	Dinechin	Feb 2006	A1
20060026577	Dinechin	Feb 2006	A1
20060064567	Jacobson	Mar 2006	A1
20060075402	Neiger et al.	Apr 2006	A1
20060136608	Gilbert et al.	Jun 2006	A1
20060161719	Bennett et al.	Jul 2006	A1
20060161918	Giers	Jul 2006	A1
20060206892	Vega	Sep 2006	A1
20060242700	Fischer et al.	Oct 2006	A1
20060282624	Yokota	Dec 2006	A1
20070022474	Rowett	Jan 2007	A1
20070022479	Sikdar	Jan 2007	A1
20070028244	Landis	Feb 2007	A1
20070050763	Kagan	Mar 2007	A1
20070050764	Traut	Mar 2007	A1
20070061441	Landis	Mar 2007	A1
20070074208	Ling	Mar 2007	A1
20070079090	Rajagopal et al.	Apr 2007	A1
20070156978	Dixon et al.	Jul 2007	A1
20070180436	Travostino et al.	Aug 2007	A1
20070261102	Spataro	Nov 2007	A1
20070266389	Ganguly	Nov 2007	A1
20070300219	Devaux	Dec 2007	A1
20080005297	Kjos	Jan 2008	A1
20080016570	Capalik	Jan 2008	A1
20080028461	Pouliot	Jan 2008	A1
20080040715	Cota-Robles	Feb 2008	A1
20080046679	Bennett et al.	Feb 2008	A1
20080072223	Cowperthwaite	Mar 2008	A1
20080077767	Khosravi et al.	Mar 2008	A1
20080082772	Savagaonkar et al.	Apr 2008	A1
20080114985	Savagaonkar et al.	May 2008	A1
20080148259	Hankins et al.	Jun 2008	A1
20080163254	Cota-Robles	Jul 2008	A1
20080163366	Chinya et al.	Jul 2008	A1
20080184373	Traut et al.	Jul 2008	A1
20080222309	Shanbhogue	Sep 2008	A1
20080244155	Lee et al.	Oct 2008	A1
20080250222	Gokhale	Oct 2008	A1
20080271014	Serebrin	Oct 2008	A1
20080320594	Jiang	Dec 2008	A1
20090037682	Armstrong	Feb 2009	A1
20090037908	Armstrong	Feb 2009	A1
20090037936	Serebrin	Feb 2009	A1
20090037941	Armstrong	Feb 2009	A1
20090044274	Budko	Feb 2009	A1
20090063835	Yao	Mar 2009	A1
20090070760	Khatri et al.	Mar 2009	A1
20090083522	Boggs et al.	Mar 2009	A1
20090113425	Ports	Apr 2009	A1
20090119087	Ang	May 2009	A1
20090119748	Yao	May 2009	A1
20090133016	Brown	May 2009	A1
20090138729	Hashimoto et al.	May 2009	A1
20090164709	Lee et al.	Jun 2009	A1
20090172328	Sahita et al.	Jul 2009	A1
20090182928	Becker	Jul 2009	A1
20090183173	Becker	Jul 2009	A1
20090198862	Okitsu	Aug 2009	A1
20090204964	Foley	Aug 2009	A1
20090204965	Tanaka	Aug 2009	A1
20090210888	Lee	Aug 2009	A1
20090216984	Gainey, Jr.	Aug 2009	A1
20090217098	Farrell	Aug 2009	A1
20090217264	Heller	Aug 2009	A1
20090228673	Waters et al.	Sep 2009	A1
20090249053	Zimmer	Oct 2009	A1
20090254990	McGee	Oct 2009	A1
20090259875	Check	Oct 2009	A1
20090288167	Freericks	Nov 2009	A1
20090313445	Pandey	Dec 2009	A1
20090327576	Oshins	Dec 2009	A1
20090328035	Ganguly	Dec 2009	A1
20090328074	Oshins	Dec 2009	A1
20100023666	Mansell	Jan 2010	A1
20100031325	Maigne	Feb 2010	A1
20100031360	Seshadri	Feb 2010	A1
20100064117	Henry et al.	Mar 2010	A1
20100088771	Heller	Apr 2010	A1
20100094613	Biles	Apr 2010	A1
20100131729	Fulcheri et al.	May 2010	A1
20100161875	Chang	Jun 2010	A1
20100169948	Budko et al.	Jul 2010	A1
20100169968	Shanbhogue et al.	Jul 2010	A1
20100191889	Serebrin	Jul 2010	A1
20100199351	Protas	Aug 2010	A1
20100223447	Serebrin	Sep 2010	A1
20100223612	Osisek	Sep 2010	A1
20100235645	Henry et al.	Sep 2010	A1
20100241734	Miyajima	Sep 2010	A1
20100241974	Rubin	Sep 2010	A1
20100242039	Noguchi	Sep 2010	A1
20100250230	Ganguly et al.	Sep 2010	A1
20100250824	Belay	Sep 2010	A1
20100250869	Adams	Sep 2010	A1
20100250895	Adams	Sep 2010	A1
20100251235	Ganguly	Sep 2010	A1
20100251363	Todorovic	Sep 2010	A1
20100262722	Vauthier	Oct 2010	A1
20100262743	Zimmer et al.	Oct 2010	A1
20100281273	Lee	Nov 2010	A1
20100299665	Adams	Nov 2010	A1
20100306456	Schmidberger	Dec 2010	A1
20100313201	Warton	Dec 2010	A1
20110010533	Buford et al.	Jan 2011	A1
20110016508	Wallace	Jan 2011	A1
20110047542	Dang	Feb 2011	A1
20110047543	Mohinder	Feb 2011	A1
20110055469	Natu et al.	Mar 2011	A1
20110067105	Wolfe	Mar 2011	A1
20110078361	Chen	Mar 2011	A1
20110082962	Horovitz	Apr 2011	A1
20110102443	Dror	May 2011	A1
20110107331	Evans et al.	May 2011	A1
20110141124	Halls et al.	Jun 2011	A1
20110145916	McKenzie	Jun 2011	A1
20110153909	Dong	Jun 2011	A1
20110153926	Fang et al.	Jun 2011	A1
20110154133	Ganti	Jun 2011	A1
20110167195	Scales	Jul 2011	A1
20110173251	Sandhu	Jul 2011	A1
20110197004	Serebrin et al.	Aug 2011	A1
20110197190	Hattori	Aug 2011	A1
20110202917	Laor	Aug 2011	A1
20110202919	Hayakawa et al.	Aug 2011	A1
20110219208	Asaad	Sep 2011	A1
20110219447	Horovitz et al.	Sep 2011	A1
20110225458	Zuo	Sep 2011	A1
20110225624	Sawhney	Sep 2011	A1
20110231839	Bennett	Sep 2011	A1
20110239213	Aswani	Sep 2011	A1
20110239306	Avni et al.	Sep 2011	A1
20110246171	Cleeton	Oct 2011	A1
20110246986	Nicholas	Oct 2011	A1
20110265082	Ashok	Oct 2011	A1
20110295984	Kunze	Dec 2011	A1
20110296412	Banga	Dec 2011	A1
20110302577	Reuther	Dec 2011	A1
20110307681	Piry	Dec 2011	A1
20110307888	Raj	Dec 2011	A1
20110320413	Roman	Dec 2011	A1
20110320652	Craddock	Dec 2011	A1
20110320682	McDougall	Dec 2011	A1
20110320772	Craddock	Dec 2011	A1
20110321158	Craddock	Dec 2011	A1
20120023494	Harrison	Jan 2012	A1
20120030518	Rajwar et al.	Feb 2012	A1
20120030731	Bhargava	Feb 2012	A1
20120042034	Goggin	Feb 2012	A1
20120042145	Sehr et al.	Feb 2012	A1
20120047313	Sinha et al.	Feb 2012	A1
20120047369	Henry et al.	Feb 2012	A1
20120054740	Chakraborty	Mar 2012	A1
20120054741	Ali	Mar 2012	A1
20120054744	Singh	Mar 2012	A1
20120066681	Levy	Mar 2012	A1
20120072638	Grubb	Mar 2012	A1
20120075314	Malakapalli	Mar 2012	A1
20120079164	Hakewill	Mar 2012	A1
20120079267	Lee	Mar 2012	A1
20120079479	Hakewill	Mar 2012	A1
20120102258	Hepkin	Apr 2012	A1
20120102334	O'Loughlin et al.	Apr 2012	A1
20120131309	Johnson	May 2012	A1
20120131575	Yehuda	May 2012	A1
20120144489	Jarrett et al.	Jun 2012	A1
20120151117	Tuch	Jun 2012	A1
20120173842	Frey	Jul 2012	A1
20120179855	Tsirkin	Jul 2012	A1
20120180042	Tsirkin	Jul 2012	A1
20120185688	Thornton	Jul 2012	A1
20120198278	Williams	Aug 2012	A1
20120216281	Uner	Aug 2012	A1
20120222015	Bennett	Aug 2012	A1
20120227045	Knauth et al.	Sep 2012	A1
20120233434	Starks	Sep 2012	A1
20120233608	Toeroe	Sep 2012	A1
20120240181	McCorkendale et al.	Sep 2012	A1
20120246641	Gehrmann	Sep 2012	A1
20120254982	Sallam	Oct 2012	A1
20120254993	Sallam	Oct 2012	A1
20120254994	Sallam	Oct 2012	A1
20120254995	Sallam	Oct 2012	A1
20120254999	Sallam	Oct 2012	A1
20120255000	Sallam	Oct 2012	A1
20120255001	Sallam	Oct 2012	A1
20120255002	Sallam	Oct 2012	A1
20120255003	Sallam	Oct 2012	A1
20120255004	Sallam	Oct 2012	A1
20120255010	Sallam	Oct 2012	A1
20120255011	Sallam	Oct 2012	A1
20120255012	Sallam	Oct 2012	A1
20120255013	Sallam	Oct 2012	A1
20120255014	Sallam	Oct 2012	A1
20120255016	Sallam	Oct 2012	A1
20120255017	Sallam	Oct 2012	A1
20120255018	Sallam	Oct 2012	A1
20120255021	Sallam	Oct 2012	A1
20120255031	Sallam	Oct 2012	A1
20120260065	Henry et al.	Oct 2012	A1
20120278525	Serebrin	Nov 2012	A1
20120278800	Nicholas	Nov 2012	A1
20120290702	Vincent	Nov 2012	A1
20120297057	Ghosh	Nov 2012	A1
20120311307	Chynoweth et al.	Dec 2012	A1
20120317570	Dalcher	Dec 2012	A1
20120317585	Elko	Dec 2012	A1
20120324236	Srivastava	Dec 2012	A1
20120324442	Barde	Dec 2012	A1
20120331464	Saito	Dec 2012	A1
20130007469	Aratsu et al.	Jan 2013	A1
20130007470	Violleau et al.	Jan 2013	A1
20130031291	Edwards	Jan 2013	A1
20130031292	Van Riel	Jan 2013	A1
20130031293	Van Riel	Jan 2013	A1
20130042115	Sweet et al.	Feb 2013	A1
20130055256	Banga	Feb 2013	A1
20130055340	Kanai et al.	Feb 2013	A1
20130061096	McCoy	Mar 2013	A1
20130067199	Henry et al.	Mar 2013	A1
20130067245	Horovitz et al.	Mar 2013	A1
20130081142	McDougal	Mar 2013	A1
20130086299	Epstein	Apr 2013	A1
20130086550	Epstein	Apr 2013	A1
20130086581	Frazier	Apr 2013	A1
20130091318	Bhattacharjee	Apr 2013	A1
20130091500	Earl	Apr 2013	A1
20130091543	Wade et al.	Apr 2013	A1
20130091568	Sharif	Apr 2013	A1
20130097356	Dang	Apr 2013	A1
20130107872	Lovett	May 2013	A1
20130117766	Bax	May 2013	A1
20130117848	Golshan	May 2013	A1
20130117849	Golshan	May 2013	A1
20130132691	Banga	May 2013	A1
20130133061	Fainkichen	May 2013	A1
20130138863	Tsirkin	May 2013	A1
20130145375	Kang	Jun 2013	A1
20130148669	Noguchi	Jun 2013	A1
20130152207	Cui	Jun 2013	A1
20130160084	Hansen	Jun 2013	A1
20130160114	Greenwood	Jun 2013	A1
20130167149	Mitsugi	Jun 2013	A1
20130174144	Cheng	Jul 2013	A1
20130174148	Amit	Jul 2013	A1
20130179892	Frazier	Jul 2013	A1
20130185720	Tuch	Jul 2013	A1
20130185721	Ikegami	Jul 2013	A1
20130185737	Farrell	Jul 2013	A1
20130185739	Farrell	Jul 2013	A1
20130191824	Muff	Jul 2013	A1
20130219389	Serebrin et al.	Aug 2013	A1
20130227559	Tsirkin	Aug 2013	A1
20130227568	Anderson	Aug 2013	A1
20130229421	Cheng	Sep 2013	A1
20130232238	Cohn	Sep 2013	A1
20130237204	Buck	Sep 2013	A1
20130246995	Ferrão et al.	Sep 2013	A1
20130257594	Collins	Oct 2013	A1
20130276056	Epstein	Oct 2013	A1
20130276057	Smith et al.	Oct 2013	A1
20130283370	Vipat et al.	Oct 2013	A1
20130312098	Aditya	Nov 2013	A1
20130312099	Edwards	Nov 2013	A1
20130316754	Skog	Nov 2013	A1
20130326504	Tsirkin	Dec 2013	A1
20130326625	Anderson	Dec 2013	A1
20130333033	Khesin	Dec 2013	A1
20130333040	Diehl	Dec 2013	A1
20130339960	Greiner	Dec 2013	A1
20130340077	Salsamendi	Dec 2013	A1
20130347095	Barjatiya	Dec 2013	A1
20130347131	Mooring	Dec 2013	A1
20140006661	Chappell et al.	Jan 2014	A1
20140006734	Li	Jan 2014	A1
20140006804	Tkacik	Jan 2014	A1
20140007091	Arges	Jan 2014	A1
20140032758	Barton	Jan 2014	A1
20140033266	Kim et al.	Jan 2014	A1
20140033271	Barton	Jan 2014	A1
20140053272	Lukacs	Feb 2014	A1
20140059302	Hayakawa	Feb 2014	A1
20140059642	Deasy et al.	Feb 2014	A1
20140068601	Simms	Mar 2014	A1
20140068612	Torrey	Mar 2014	A1
20140089916	Gross	Mar 2014	A1
20140096131	Sonnek	Apr 2014	A1
20140096134	Barak	Apr 2014	A1
20140101402	Gschwind	Apr 2014	A1
20140101406	Gschwind	Apr 2014	A1
20140101657	Bacher	Apr 2014	A1
20140104287	Nalluri et al.	Apr 2014	A1
20140115652	Kapoor	Apr 2014	A1
20140115701	Moshchuk et al.	Apr 2014	A1
20140130158	Wang	May 2014	A1
20140137114	Bolte	May 2014	A1
20140149634	Tosatti	May 2014	A1
20140149779	Allen-Ware	May 2014	A1
20140149795	Musha	May 2014	A1
20140156872	Buer et al.	Jun 2014	A1
20140157258	Dow	Jun 2014	A1
20140165056	Ghai	Jun 2014	A1
20140173169	Liu et al.	Jun 2014	A1
20140173293	Kaplan	Jun 2014	A1
20140181533	Boivie et al.	Jun 2014	A1
20140189194	Sahita et al.	Jul 2014	A1
20140189687	Jung	Jul 2014	A1
20140195484	Wang	Jul 2014	A1
20140215467	Niesser	Jul 2014	A1
20140229938	Tsirkin	Aug 2014	A1
20140229943	Tian et al.	Aug 2014	A1
20140230077	Muff	Aug 2014	A1
20140237586	Itani	Aug 2014	A1
20140244949	Abali	Aug 2014	A1
20140245444	Lutas	Aug 2014	A1
20140245446	Shanmugavelayutham et al.	Aug 2014	A1
20140250286	Kondo	Sep 2014	A1
20140258663	Zeng et al.	Sep 2014	A1
20140258716	MacMillan	Sep 2014	A1
20140258720	Black	Sep 2014	A1
20140281469	Ali	Sep 2014	A1
20140281694	Gotsubo	Sep 2014	A1
20140282507	Plondke	Sep 2014	A1
20140282526	Basavaiah	Sep 2014	A1
20140282539	Sonnek	Sep 2014	A1
20140282542	Smith et al.	Sep 2014	A1
20140282543	Ignatchenko	Sep 2014	A1
20140283036	Salamat et al.	Sep 2014	A1
20140283040	Wilkerson	Sep 2014	A1
20140283056	Bachwani	Sep 2014	A1
20140283077	Gallella	Sep 2014	A1
20140298003	Ali	Oct 2014	A1
20140304814	Ott	Oct 2014	A1
20140317731	Ionescu	Oct 2014	A1
20140317745	Kolbitsch	Oct 2014	A1
20140325681	Kleidermacher	Oct 2014	A1
20140337558	Powers	Nov 2014	A1
20140337836	Ismael	Nov 2014	A1
20140351930	Sun et al.	Nov 2014	A1
20140358972	Guarrieri	Dec 2014	A1
20140359229	Cota-Robles	Dec 2014	A1
20140372719	Lange et al.	Dec 2014	A1
20140372751	Silverstone	Dec 2014	A1
20140373005	Agrawal	Dec 2014	A1
20140379955	Dong	Dec 2014	A1
20140379956	Chang	Dec 2014	A1
20150013008	Lukacs	Jan 2015	A1
20150026807	Lutas	Jan 2015	A1
20150032946	Goss et al.	Jan 2015	A1
20150033227	Lin	Jan 2015	A1
20150033305	Shear	Jan 2015	A1
20150039891	Ignatchenko	Feb 2015	A1
20150046425	Lin	Feb 2015	A1
20150046908	Salsamendi	Feb 2015	A1
20150052519	Yu	Feb 2015	A1
20150052607	Al Hamami	Feb 2015	A1
20150058619	Sweet et al.	Feb 2015	A1
20150058997	Lee	Feb 2015	A1
20150067672	Mitra	Mar 2015	A1
20150074665	Kamino	Mar 2015	A1
20150082305	Hepkin	Mar 2015	A1
20150095548	Tsirkin	Apr 2015	A1
20150096022	Vincent	Apr 2015	A1
20150096025	Ismael	Apr 2015	A1
20150100791	Chen	Apr 2015	A1
20150101049	Lukacs	Apr 2015	A1
20150106572	Stone et al.	Apr 2015	A1
20150121135	Pape	Apr 2015	A1
20150121366	Neiger	Apr 2015	A1
20150121449	Cp	Apr 2015	A1
20150128266	Tosa	May 2015	A1
20150143055	Guthrie	May 2015	A1
20150143362	Lukacs	May 2015	A1
20150143374	Banga	May 2015	A1
20150146715	Olivier	May 2015	A1
20150146716	Olivier	May 2015	A1
20150149997	Tsirkin	May 2015	A1
20150160998	Anvin	Jun 2015	A1
20150161384	Gu et al.	Jun 2015	A1
20150172300	Cochenour	Jun 2015	A1
20150178078	Anvin et al.	Jun 2015	A1
20150178497	Lukacs	Jun 2015	A1
20150199198	Ven	Jul 2015	A1
20150199514	Tosa	Jul 2015	A1
20150199516	Dalcher	Jul 2015	A1
20150199532	Ismael	Jul 2015	A1
20150205962	Swidowski	Jul 2015	A1
20150205964	Eytan	Jul 2015	A1
20150220354	Nair	Aug 2015	A1
20150220455	Chen et al.	Aug 2015	A1
20150220745	Nellitheertha	Aug 2015	A1
20150242233	Brewerton	Aug 2015	A1
20150242628	Burt	Aug 2015	A1
20150244730	Vu	Aug 2015	A1
20150248554	Dumitru	Sep 2015	A1
20150254017	Soja	Sep 2015	A1
20150261559	Sliwa	Sep 2015	A1
20150261560	Sliwa	Sep 2015	A1
20150261690	Epstein	Sep 2015	A1
20150261713	Kuch	Sep 2015	A1
20150261952	Sliwa	Sep 2015	A1
20150263993	Kuch	Sep 2015	A1
20150268979	Komarov	Sep 2015	A1
20150269085	Gainey, Jr.	Sep 2015	A1
20150277872	Gschwind	Oct 2015	A1
20150277946	Busaba	Oct 2015	A1
20150277947	Busaba	Oct 2015	A1
20150277948	Bradbury	Oct 2015	A1
20150278085	Bybell	Oct 2015	A1
20150278106	Gschwind	Oct 2015	A1
20150278126	Maniatis et al.	Oct 2015	A1
20150281267	Danahy	Oct 2015	A1
20150286583	Kanai	Oct 2015	A1
20150288659	Lukacs	Oct 2015	A1
20150288710	Zeitlin	Oct 2015	A1
20150293774	Persson	Oct 2015	A1
20150293776	Persson	Oct 2015	A1
20150294117	Cucinotta	Oct 2015	A1
20150295945	Canzanese, Jr.	Oct 2015	A1
20150301761	Sijstermans et al.	Oct 2015	A1
20150304343	Cabrera	Oct 2015	A1
20150317479	Jiang	Nov 2015	A1
20150317495	Rodgers	Nov 2015	A1
20150319160	Ferguson	Nov 2015	A1
20150326531	Cui et al.	Nov 2015	A1
20150334126	Mooring	Nov 2015	A1
20150339475	Feroz	Nov 2015	A1
20150339480	Lutas	Nov 2015	A1
20150347052	Grisenthwaite	Dec 2015	A1
20150347166	Noel	Dec 2015	A1
20150356297	Guri et al.	Dec 2015	A1
20150358309	Edwards, Jr. et al.	Dec 2015	A1
20150358338	Zeitlin	Dec 2015	A1
20150363763	Chang et al.	Dec 2015	A1
20150370590	Tuch	Dec 2015	A1
20150370591	Tuch	Dec 2015	A1
20150370592	Tuch	Dec 2015	A1
20150371042	Mooring	Dec 2015	A1
20150373023	Walker	Dec 2015	A1
20150379265	Lutas	Dec 2015	A1
20150381442	Delgado et al.	Dec 2015	A1
20150381578	Thota	Dec 2015	A1
20160004863	Lazri et al.	Jan 2016	A1
20160011893	Strong	Jan 2016	A1
20160011895	Tsirkin	Jan 2016	A1
20160021142	Gafni	Jan 2016	A1
20160029221	Suarez Garcia	Jan 2016	A1
20160034295	Cochran	Feb 2016	A1
20160034702	Sikka	Feb 2016	A1
20160041881	Simoncelli	Feb 2016	A1
20160048458	Lutas	Feb 2016	A1
20160048460	Kadi et al.	Feb 2016	A1
20160048464	Nakajima	Feb 2016	A1
20160048680	Lutas	Feb 2016	A1
20160050071	Collart et al.	Feb 2016	A1
20160055108	Williamson	Feb 2016	A1
20160062784	Chai et al.	Mar 2016	A1
20160063660	Spector et al.	Mar 2016	A1
20160077847	Hunter	Mar 2016	A1
20160077858	Hunter	Mar 2016	A1
20160077884	Hunter	Mar 2016	A1
20160077981	Kegel	Mar 2016	A1
20160077984	Steinert	Mar 2016	A1
20160078342	Tang	Mar 2016	A1
20160085568	Dupre	Mar 2016	A1
20160092382	Anvin et al.	Mar 2016	A1
20160094570	Hunt	Mar 2016	A1
20160098273	Bartik	Apr 2016	A1
20160098367	Etsion	Apr 2016	A1
20160099811	Hawblitzel	Apr 2016	A1
20160110291	Gordon	Apr 2016	A1
20160117183	Baumeister	Apr 2016	A1
20160117497	Saxena	Apr 2016	A1
20160117498	Saxena	Apr 2016	A1
20160124751	Li	May 2016	A1
20160132349	Bacher	May 2016	A1
20160135048	Huxham et al.	May 2016	A1
20160139962	Tsirkin	May 2016	A1
20160147551	Tsirkin	May 2016	A1
20160147556	Hu	May 2016	A1
20160148001	Bacher	May 2016	A1
20160154663	Guthrie	Jun 2016	A1
20160156665	Mooring et al.	Jun 2016	A1
20160162685	Feroz	Jun 2016	A1
20160164880	Colesa	Jun 2016	A1
20160170769	LeMay	Jun 2016	A1
20160170816	Warkentin	Jun 2016	A1
20160170881	Guthrie	Jun 2016	A1
20160170912	Warkentin	Jun 2016	A1
20160179558	Busaba	Jun 2016	A1
20160179564	Chen et al.	Jun 2016	A1
20160179696	Zmudzinski	Jun 2016	A1
20160180079	Sahita	Jun 2016	A1
20160180090	Dalcher	Jun 2016	A1
20160180115	Yamada et al.	Jun 2016	A1
20160188353	Shu	Jun 2016	A1
20160188354	Goldsmith	Jun 2016	A1
20160188880	Smith	Jun 2016	A1
20160191521	Feroz	Jun 2016	A1
20160191547	Zafar	Jun 2016	A1
20160191550	Ismael	Jun 2016	A1
20160196432	Main	Jul 2016	A1
20160202980	Henry et al.	Jul 2016	A1
20160210069	Lutas	Jul 2016	A1
20160210179	Hans	Jul 2016	A1
20160210465	Craske	Jul 2016	A1
20160212620	Paczkowski et al.	Jul 2016	A1
20160216982	Variath	Jul 2016	A1
20160224474	Harriman	Aug 2016	A1
20160224786	Swidowski	Aug 2016	A1
20160224789	Feroz	Aug 2016	A1
20160224794	Roberts et al.	Aug 2016	A1
20160232354	Fraser	Aug 2016	A1
20160232872	Yoo	Aug 2016	A1
20160239323	Tsirkin	Aug 2016	A1
20160239328	Kaplan	Aug 2016	A1
20160239333	Cowperthwaite	Aug 2016	A1
20160246630	Tsirkin	Aug 2016	A1
20160246636	Tsirkin	Aug 2016	A1
20160246637	Divakarla	Aug 2016	A1
20160246644	Canton	Aug 2016	A1
20160253110	Tsirkin	Sep 2016	A1
20160253196	van Riel	Sep 2016	A1
20160259750	Keidar	Sep 2016	A1
20160259939	Bobritsky	Sep 2016	A1
20160283246	Fleming	Sep 2016	A1
20160283258	Bacher	Sep 2016	A1
20160283259	Mehta	Sep 2016	A1
20160283260	Bacher	Sep 2016	A1
20160283404	Xing et al.	Sep 2016	A1
20160283736	Allen	Sep 2016	A1
20160285638	Pearson et al.	Sep 2016	A1
20160285913	Itskin et al.	Sep 2016	A1
20160285970	Cai	Sep 2016	A1
20160292816	Dong	Oct 2016	A1
20160299712	Kishan et al.	Oct 2016	A1
20160306643	Klee	Oct 2016	A1
20160306749	Tsirkin	Oct 2016	A1
20160314009	Tsirkin	Oct 2016	A1
20160314309	Rozak-Draicchio	Oct 2016	A1
20160321156	Zhang	Nov 2016	A1
20160328254	Ahmed	Nov 2016	A1
20160328348	Iba	Nov 2016	A1
20160328561	Tamir	Nov 2016	A1
20160328562	Saxena	Nov 2016	A1
20160330215	Gafni	Nov 2016	A1
20160335436	Vipat	Nov 2016	A1
20160337329	Sood et al.	Nov 2016	A1
20160350534	Poornachandran	Dec 2016	A1
20160352518	Ford et al.	Dec 2016	A1
20160357647	Shirai et al.	Dec 2016	A1
20160359896	Hay et al.	Dec 2016	A1
20160364304	Hanumantharaya	Dec 2016	A1
20160364338	Zmudzinski et al.	Dec 2016	A1
20160364341	Banginwar	Dec 2016	A1
20160364349	Okada	Dec 2016	A1
20160371105	Sieffert	Dec 2016	A1
20160371106	Hepkin	Dec 2016	A1
20160378498	Caprioli et al.	Dec 2016	A1
20160378522	Kaplan	Dec 2016	A1
20160378527	Zamir	Dec 2016	A1
20160378528	Zamir	Dec 2016	A1
20160378684	Zmudzinski et al.	Dec 2016	A1
20170004302	Derbeko	Jan 2017	A1
20170006057	Perez Lafuente et al.	Jan 2017	A1
20170006060	Venkataramani	Jan 2017	A1
20170010981	Cambou	Jan 2017	A1
20170024560	Linde	Jan 2017	A1
20170026181	Chhabra et al.	Jan 2017	A1
20170031699	Banerjee	Feb 2017	A1
20170032119	Dore	Feb 2017	A1
20170039080	Chadha	Feb 2017	A1
20170046187	Tsirkin	Feb 2017	A1
20170046212	Fernandez	Feb 2017	A1
20170046518	Chen	Feb 2017	A1
20170060781	Soja et al.	Mar 2017	A1
20170068575	Hardage, Jr. et al.	Mar 2017	A1
20170083703	Abbasi	Mar 2017	A1
20170091487	LeMay	Mar 2017	A1
20170093578	Zimmer et al.	Mar 2017	A1
20170097851	Chen	Apr 2017	A1
20170102957	Marquardt	Apr 2017	A1
20170103201	Fox	Apr 2017	A1
20170109189	Swidowski	Apr 2017	A1
20170109251	Das	Apr 2017	A1
20170109525	Sistany	Apr 2017	A1
20170109530	Diehl et al.	Apr 2017	A1
20170123992	Bradbury	May 2017	A1
20170124326	Wailly et al.	May 2017	A1
20170126677	Kumar	May 2017	A1
20170126706	Minea	May 2017	A1
20170126726	Han	May 2017	A1
20170132156	Axnix	May 2017	A1
20170134176	Kim et al.	May 2017	A1
20170139777	Gehrmann	May 2017	A1
20170147370	Williamson	May 2017	A1
20170147819	Vasilenko	May 2017	A1
20170153987	Gaonkar	Jun 2017	A1
20170161089	Frazier	Jun 2017	A1
20170168737	Kumar	Jun 2017	A1
20170168865	Swidowski	Jun 2017	A1
20170171159	Kumar	Jun 2017	A1
20170177365	Doshi et al.	Jun 2017	A1
20170177377	Thiyagarajah et al.	Jun 2017	A1
20170177392	Bacher	Jun 2017	A1
20170177398	Bacher et al.	Jun 2017	A1
20170177415	Dhanraj et al.	Jun 2017	A1
20170177429	Stark et al.	Jun 2017	A1
20170177441	Chow	Jun 2017	A1
20170177854	Gligor	Jun 2017	A1
20170177860	Suarez	Jun 2017	A1
20170177877	Suarez	Jun 2017	A1
20170177909	Sarangdhar	Jun 2017	A1
20170180346	Suarez	Jun 2017	A1
20170185436	Deng	Jun 2017	A1
20170185529	Chhabra	Jun 2017	A1
20170185536	Li	Jun 2017	A1
20170185784	Madou et al.	Jun 2017	A1
20170192801	Barlev	Jul 2017	A1
20170192810	Lukacs	Jul 2017	A1
20170199768	Arroyo	Jul 2017	A1
20170206104	Sliwa	Jul 2017	A1
20170206175	Sliwa	Jul 2017	A1
20170206177	Tsai	Jul 2017	A1
20170213031	Diehl et al.	Jul 2017	A1
20170220369	Kaplan	Aug 2017	A1
20170220447	Brandt	Aug 2017	A1
20170220795	Suginaka	Aug 2017	A1
20170222815	Meriac	Aug 2017	A1
20170228271	Tsirkin	Aug 2017	A1
20170228535	Shanbhogue et al.	Aug 2017	A1
20170235966	Ray	Aug 2017	A1
20170235967	Ray	Aug 2017	A1
20170243183	Soeder	Aug 2017	A1
20170249176	Elias	Aug 2017	A1
20170255778	Ionescu	Sep 2017	A1
20170257399	Mooring et al.	Sep 2017	A1
20170262306	Wang	Sep 2017	A1
20170293581	Villatel	Oct 2017	A1
20170323113	El-Moussa	Nov 2017	A1
20170329623	Dong	Nov 2017	A1
20170331884	Colle et al.	Nov 2017	A1
20170353485	Brown et al.	Dec 2017	A1
20170364685	Shah	Dec 2017	A1
20180004868	Adam	Jan 2018	A1
20180011729	Yu	Jan 2018	A1
20180033116	Tian	Feb 2018	A1
20180034781	Jaeger et al.	Feb 2018	A1
20180048660	Paithane	Feb 2018	A1
20180139237	Smith	May 2018	A1
20180152469	Smith	May 2018	A1
20180165791	Dong	Jun 2018	A1
20180203805	Hatta et al.	Jul 2018	A1
20180248878	El-Moussa	Aug 2018	A1
20180268130	Ghosh	Sep 2018	A1
20180285143	Bacher et al.	Oct 2018	A1
20180285561	Frank	Oct 2018	A1
20180336348	Ng et al.	Nov 2018	A1
20180349162	Tian	Dec 2018	A1
20180373556	Tian	Dec 2018	A1
20180373570	Xu	Dec 2018	A1
20190005224	Oliver et al.	Jan 2019	A1
20190005267	Soman et al.	Jan 2019	A1
20190034633	Seetharamaiah	Jan 2019	A1
20190163513	Noorshams	May 2019	A1
20190325133	Goodridge et al.	Oct 2019	A1
20200036602	Leibovici et al.	Jan 2020	A1
20200159558	Bak et al.	May 2020	A1
20200213355	Ogan	Jul 2020	A1
20200241902	Freche	Jul 2020	A1
20200319884	Rohleder	Oct 2020	A1
20200394065	Bak et al.	Dec 2020	A1
20210026950	Ionescu	Jan 2021	A1
20210049028	Price	Feb 2021	A1
20210049292	Ionescu	Feb 2021	A1
20220358049	Tsirkin	Nov 2022	A1
20230027826	Sharma	Jan 2023	A1
20230280930	Song	Sep 2023	A1
20240005044	Neve De Mevergnies	Jan 2024	A1
20240048593	Hebert	Feb 2024	A1

Foreign Referenced Citations (3)

Number	Date	Country
3017392	May 2016	EP
WO2012135192	Oct 2012	WO
WO2013055499	Apr 2013	WO

Non-Patent Literature Citations (31)

Entry
Jin et al “H-SVM: Hardware-Assisted Secure Virtual Machines under a Vulnerable Hypervisor,” IEEE Transactions on Computers, vol. 64, No. 10, Oct. 2015, pp. 2833-2846 (Year: 2015).
Kienzle et al “Endpoint Configuration Compliance Monitoring via Virtual Machine Introspection,” Proceedings of the 43rd Hawaii International Conference on System Sciences, IEEE Computer Society, pp. 1-10 (Year: 2010).
Nguyen et al “MAVMM: Lightweight and Purpose Built VMM for Malware Analysis,” 2009 Annual Computer Security Applications Conference, IEEE Computer Society, pp. 441-450 (Year: 2009).
Qingbo et al “System Monitoring and Controlling Mechanism based on Hypervisor,” 2009 IEEE International Symposium on Parallel and Distributed Processing with Applications, IEEE Computer Society, pp. 549-554.
Branco et al “Architecture for Automation of Malware Analysis,” IEEE, pp. 106-112 (Year: 2010).
Wen et al FVisor: Towards Thwarting Unauthorized File Accesses with a Light-Weight Hypervisor, 2014 IEEE 17th International Conference on Computational Science and Engineering, IEEE Computer Society, pp. 620-626 (Year: 2014).
Hsiao et al “A Cooperative Botnet Profiling and Detection in Virtualized Environment,” 2013 IEEE Conference on Communications and Network Security (CNS), pp. 154-162 (Year: 2013).
Hsu et al “Divergence Detector: A Fine-grained Approach to Detecting VM-Awareness Malware,” 2013 7th International Conference on Software Security and Reliability, IEEE Computer Society, pp. 80-89 (Year: 2013).
Wong et al “Zygaria: Storage Performance as a Managed Resource,” IEEE Computer Society, pp. 1-10 (Year: 2006).
Wang et al “A Resource Allocation Model for Hybrid Storage Systems,” 2015 15th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing, IEEE Computer Society, pp. 91-100 (Year: 2015).
Hebbal et al “Virtual Machine Introspection: Techniques and Applications,” 2015 10th International Conference on Availability, Reliability and Security, IEEE, pp. 676-685 (Year: 2015).
Engdahl et al “Device Register Classes for Embedded Systems,” 2011 11th International Conference on Control, Automation and Systems, pp. 773-778 (Year: 2011).
The Extended European Search Report mailed Apr. 16, 2021 for European Patent Application No. 20206917.5, 10 pages.
Wang, et al., “Countering Kernel Rootkits with Lightweight Hook Protection”, Computer and Communications Security, Nov. 9, 2009, pp. 545-554.
The European Office Action mailed on Jul. 25, 2019 for European U.S. Appl. No. 15/063,086, a counterpart of U.S. Appl. No. 15/063,086, 8 pages.
The Extended European Search Report mailed Jul. 13, 2017 for European patent application No. 17156043.6, 10 pages.
Office action for U.S. Appl. No. 15/063,086, mailed on Oct. 6, 2017, Ionescu, “Hypervisor-Based Interception of Memory Accesses”, 36 pages.
Office action for U.S. Appl. No. 15/063,086, mailed on May 9, 2018, Ionescu, “Hypervisor-Based Interception of Memory Accesses”, 27 pages.
Wen, et al., “FVisor: Towards Thwarting Unauthorized File Accesses with A Light-weght Hypervisor”, 2014 IEEE 17th International Conference on Computational Science and Engineering, Dec. 2014, pp. 620-626.
Office Action for U.S. Appl. No. 17/062,237, mailed on Nov. 29, 2023, Ion-Alexandru Ionescu, “Hypervisor-Based Redirection of System Calls and Interrupt-Based Task Offloading”, 23 pages.
Azab et al., “HIMA: A hypervisor-Based Integrity Measurement Agent”, IEEE Computer Society, pp. 461.
Binun, et al., “Self-Stabilizing Virtual Machine Hypervisor Architecture for Resilent Cloud”, 2014 IEEE 10th World Congress on Services, 2014, pp. 200-207.
Chiueh et al., “Surreptitious Depolyment and Execution of Kernel Agents in Windows Guiests”, IEEE Computer Society, pp. 507-514.
Datta et al., “A Logic Secure Systems and its Application to Trusted Computing”, IEEE Computer Society, pp. 221-236.
Huin, et al., “An Agent-Based Architecture to Add Security In a Cooperative Information System”, Third International IEEE Conference on Signal-Image Technologies and Internet-Based System, 2008, pp. 262-271.
Kornaros et al., “Hardware Support for Cost-Effective System-Level Protection in Multi-Core SoCs”, IEEE, pp. 41-48.
Moratelli, et al., “Hardware-Assisted Interrupt Delivery Optimization For Virtualized Embedded Platforms,” IEEE, 2015, pp. 304-307.
Office Action for U.S. Appl. No. 17/062,237, mailed on May 25, 2023, lon-Alexandru Ionescu, “Hypervisor-Based Redirection of System Calls and Interrupt-Based Task Offloading”, 18 pages.
Office Action for U.S. Appl. No. 17/062,237, mailed on Nov. 29, 2023, lon-Alexandru Ionescu, “Hypervisor-Based Redirection of System Calls and Interrupt-Based Task Offloading”, 23 pages.
Pham, et al., “Reliability and Security Monitoring of Virtual Machines Using Hardware Architectural Invariants”, 2014 44th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, 2014, pp. 13-24.
Zhang, et al., “Formal Verification of Interrupt Injection in a Hypervisor,” 2014 Theoretical Aspects of Software EngineeringConference, IEEE Computer Society, 2014, pp. 74-81.

Related Publications (1)

	Number	Date	Country
	20210049292 A1	Feb 2021	US

Continuation in Parts (1)

	Number	Date	Country
Parent	15063086	Mar 2016	US
Child	17060355		US

Hypervisor-based interception of memory and register accesses

Information

Patent Number

Date Filed

Date Issued

Inventors

Original Assignees

Examiners

Agents

CPC

Field of Search

US

International Classifications

Term Extension

Abstract