Patent Grant
8973144
This disclosure relates in general to the field of computer networks and, more particularly, to a system and a method for kernel rootkit protection in a hypervisor environment.
The field of computer network security has become increasingly important and complicated in today's society. Computer network environments are configured for virtually every enterprise or organization, typically with multiple interconnected computers (e.g., end user computers, laptops, servers, printing devices, etc.). Moreover, cloud service providers (and other organizations that run multiple applications and operating systems) may use hypervisor technology to run various different guest operating systems concurrently on a host device. A hypervisor is computer software/hardware platform virtualization software that allows multiple operating systems to run on a host computer concurrently. Security threats can originate externally and internally in the hypervisor environment. These threats in the hypervisor environment can present further challenges to IT administrators.
To provide a more complete understanding of the present disclosure and features and advantages thereof, reference is made to the following description, taken in conjunction with the accompanying figures, wherein like reference numerals represent like parts, in which:
Overview
A system and method in one embodiment includes modules for creating a soft whitelist having entries corresponding to each guest kernel page in a guest operating system in a hypervisor environment, generating a page fault when an access attempt is made to a guest kernel page, fixing the page fault to allow access and execution if the guest kernel page corresponds to one of the entries in the soft whitelist, and denying execution if the guest kernel page does not correspond to any of the entries in the soft whitelist. In example embodiments, the soft whitelist includes a hash of machine page frame numbers corresponding to virtual addresses of each guest kernel page.
Other example embodiments include marking the guest kernel page as read-only and executable if the page fault is an instruction page fault, and the guest kernel page corresponds to one of the entries in the soft whitelist. If the page fault is a data page fault and the guest kernel page does not correspond any of the entries in the soft whitelist, the method includes fixing the page fault, and marking the guest kernel page as non-executable.
More specific embodiments include marking page table entries corresponding to each guest kernel page as NOT_PRESENT in a shadow page table of the hypervisor. In yet other example embodiments, the method includes denying execution by causing the guest OS to loop indefinitely, injecting an exception in the guest OS, or fixing the page fault and pointing a corresponding PTE in the shadow page table to a crafted page instead of the guest kernel page. The crafted page can include code that either causes the guest OS to crash, or a set of No Operations (NOP) instructions that execute harmlessly.
In yet other example embodiments, creating the soft whitelist may be performed after the guest OS has loaded substantially all its kernel components at boot. If the guest OS has not loaded substantially all its kernel components, each guest kernel page may be from a paged pool range or a non-paged pool range. Yet another embodiment includes setting a lockdown feature bit in the hypervisor during domain creation to enable rootkit protection and other features.
Hypervisor 12 controls and manages hardware 16 of a host device (not shown) that is allocated for use by guest 14. Guest 14 may run a guest OS 18 on hypervisor 12. Guest OS 18 may support one or more applications 20 (referred to herein in the singular as application 20 to refer to one of the applications). As used herein, the term “application” is used in a broad sense to refer generically to any software file, library module, function, subroutine, binary, instruction set, code block, or other similar operating unit that comprises instructions that can be understood and processed by a computer with or without assistance (e.g., compilation, interpretation, etc.).
Hypervisor 12 may manage access of applications 20 to underlying hardware 16, such as a processor 22 and a machine memory 24. As used herein, “machine memory” refers to a memory element that is visible to hypervisor 12 as available on the host device. Guest OS 18 may present to applications 20 a guest virtual memory 26, which accesses a guest physical memory 28. As used herein, the term “guest virtual memory” refers to a substantially continuous virtual address space that is visible to applications 20 running inside guest 14. An address space refers to a range of discrete addresses, each of which may correspond to a memory location (i.e., address) at which an application (e.g., application 20) can store data and retrieve data later. As used herein, the term “guest physical memory” refers to the virtual memory that is visible to guest OS 18.
Guest physical memory 28 may create kernel pages 30 during operation. When guest OS loads its guest kernel into memory, the guest kernel is divided into pages (e.g., guest kernel pages 30), with some pages containing kernel instructions, and other pages containing kernel data. Each page, including each of guest kernel pages 30, is typically of standard size (e.g., 4 kB), and is associated with an address (e.g., guest virtual address). Guest OS 18 maps the virtual address of each page to a corresponding “physical” address through page tables. Although the guest memory (e.g., guest virtual memory 26 and guest physical memory 28) is virtual, guest OS 18 assumes that guest physical memory 28 is real or “physical.” However, the guest physical memory (e.g., guest physical memory 28) is merely an abstraction utilized by hypervisor 12 for maintaining correct mapping to the (real) host physical address (also called machine address).
A page table is a data structure used by guest OS 18 to store a mapping between virtual addresses and “physical” addresses. A page table contains several page table entries (PTEs), each PTE mapping a virtual address to a corresponding “physical” address (e.g., from guest virtual address to guest physical address or from guest physical address to machine address). The PTE includes the “physical” address (e.g., guest physical address or machine address) and other information relevant to a page in the appropriate memory element (e.g., guest physical memory 28 or machine memory 24), such as whether the page is present, the page is read-only or read/write, etc.
Shadow page table 32 can be used by hypervisor 12 to map guest physical memory 28 to machine memory 24 for a currently executing process. A “process” is an instance of an application (or a portion thereof), whose instructions are being executed. Shadow page table 32 includes page table entries (PTEs) 34 corresponding to guest kernel pages 30. Each of PTEs 34 includes the machine address and other information relevant to the respective kernel page that is loaded into machine memory 24. According to an example embodiment, PTEs 34 may be marked as NOT_PRESENT in shadow page table 32. In example embodiments, whenever any new kernel page is created in guest OS 18, the corresponding PTE 34 in shadow page table 32 may be marked as NOT_PRESENT by default.
A rootkit protection module 36 in hypervisor 12 can add machine frame numbers (MFNs) corresponding to virtual addresses of guest kernel pages 30 into a hash 36. In one example implementation MFN refers to the page number allocated in machine memory 24 for corresponding virtual addresses. A page fault handler 40 may conditionally allow or deny access to or execution of appropriate guest kernel pages 30. A domain 0 (DOM0) 42 running on hypervisor 12 may have special rights to access physical hardware 16 as well as to interact with other guests running on the system. DOM042 may have a lockdown module 44 for controlling certain lockdown features of rootkit protection module 36 in hypervisor 12.
For purposes of illustrating the techniques of system 10, it is important to understand the activities and security concerns that may be present in a given system such as the system shown in
Typical computing architecture supports four rings (numbered 0 to 3) of privilege levels to protect system code and data from being unintentionally or maliciously overwritten by lower privileged code. Ring 0 is the highest privilege level, while ring 3 is the lowest. OSs may use different privilege levels for different processes. For example, Windows OS uses two privilege levels (rings 0 and 3) for process and data security. Code for applications such as Internet Explorer and Microsoft Word and a number of Windows services (e.g., Service Control Manager, Local System Security Authority, Winlogon, Session Manager, and RPC Server, etc.) run within ring 3.
Kernel-level code runs within ring 0 and is used in device drivers and kernel components such as managers for virtual memory, cache, Input/Output, object, plug and play, a hardware abstraction layer, graphics subsystem, file systems, and network protocol implementations. A kernel connects applications to the hardware of a computing device. In general, a kernel comprises several components that could vary depending on the OS. For example, Linux OS may include components such as low level drivers (e.g., architecture specific drivers responsible for central processing unit (CPU), memory management unit (MMU) and on-board devices initialization); process scheduler (e.g., component responsible for fair CPU time slice allocation to different processes); memory manager (e.g., component responsible for allocating and sharing memory to different processes); file system (e.g., components that abstract underlying file systems so as to present a unified file system interface to a user); network interface (e.g., component that provides access and control to different networking devices); device drivers (e.g., high level drivers), etc. Applications generally use system function calls (e.g., Win 32 API calls) to communicate with the kernel.
A rootkit alters the flow of a normal execution path (e.g., of a process in an application) to make its stealth implementation successful. A rootkit is software that enables continued privileged access to a device while actively hiding its presence by subverting standard OS functionality. Rootkits normally modify the data returned by system function calls to hide their binary files, processes, and registry entries. Depending on where they run and what area in the system they hook, rootkits can generally be classified in one of two types: user mode rootkits and kernel rootkits. User-mode rootkits are relatively easy to detect and repair because they execute with user-mode privileges. Kernel rootkits, on the other hand, execute with system privileges, making them more challenging to detect and repair. Kernel rootkits load (i.e., inject) their code into the kernel address space, typically by installing a kernel-mode device driver. For example, kernel rootkits may be installed by injecting kernel code into a running kernel using a kernel module, or by writing new code to a piece of unused kernel memory, or by inserting a kernel module file, etc. Once the delivery mechanism is in place, kernel rootkits can disrupt the flow of the normal execution path of a process.
Kernel rootkits are a significant challenge in desktop security. Kernel rootkits can launch various attacks such as opening system backdoors, stealing private information, disabling security measures, and executing other malware applications. Typically, an attacker installs a kernel rootkit on a computer after first obtaining root-level access, either by exploiting a known vulnerability or by obtaining a password (e.g., by cracking the encryption, through social engineering, etc.). Once a kernel rootkit is installed, it allows an attacker to mask the ongoing intrusion and maintain privileged access to the computer by circumventing normal authentication and authorization mechanisms. Kernel rootkits may be hard to detect because a kernel rootkit may be able to subvert the software that is intended to find it. Detection methods include using an alternate, trusted operating system; behavioral-based methods; signature scanning; difference scanning; and memory dump analysis. Removal can be complicated or practically impossible, especially in cases where the kernel rootkit resides in the kernel.
In a hypervisor environment, effects of an attack may be severe. One infected guest could infect all other guests on the host device. For example, an attacker can get administrator privileges on hardware by infecting a guest, and can move from one guest to another over the hypervisor environment. In situations where the hypervisor hosts tens of hundreds of guests, such a guest-to-guest attack can have catastrophic results.
Hypervisor environments present an opportunity to provide kernel rootkit protection without the need for a guest-resident protective software. Guests run on top of the hypervisor in a virtualized host device. Traditional kernel rootkit protection mechanisms can be installed on each instance of the guest running on the hypervisor; however such methods result in significant overhead in terms of memory, run time performance and management. Ideally, kernel rootkit protection mechanisms would sit outside the kernel (which is being protected by it), which may not be possible in non-virtualized environments. Moreover, customers running guests in cloud (virtualized) environments may like the cloud service providers to provide kernel rootkit protection transparently.
In one method of kernel rootkit protection, a hash function can be used to compute a digital signature of on-disk code libraries. The hash function creates a message digest, which is a fixed size bit string that may be calculated for an arbitrary block of data such that a change to the data can change the hash value. By recalculating and comparing the message digest of the on-disk code libraries at regular intervals against a trusted list of fingerprints, changes in the system can be detected and monitored. However, current methods check only whether the code has been modified since the last release by the code's publisher. Also, kernel rootkits may subvert this process by loading from memory, rather than making modifications on disk. Other rootkit protection solutions may be based on commodity OS. There is a need for software for virtualized environments that provides agent-less protection.
A system for kernel rootkit protection in a hypervisor environment outlined by
According to an example embodiment, the soft-whitelist may be created after guest OS 18 has booted and has loaded its kernel components (e.g., process scheduler, memory manager, file systems, etc.). As used herein, the term “boot” refers to a boot sequence, which is the initial set of operations that a computer performs when power is switched on. Thereafter, system 10 can ensure that code cannot be executed from any new kernel page that is not present in the soft-whitelist. According to another example embodiment, the soft whitelist may be created before guest OS 18 has booted and loaded its kernel components. Kernel pages 30 may be in paged and non-paged pools (because all kernel drivers are loaded in these pages). The page start addresses for each faulting virtual address in the paged pool and non-paged pool range may be stored in a hash table (e.g., in hash 38) in hypervisor 12.
System 10 can protect against day-zero threats, for example, as it is based on white-listing. In example embodiments, system 10 may be implemented by public cloud infrastructure providers and companies employing private clouds. System 10 may provide a transparent layer of security. The solution may be especially useful for customers who do not change their base OS configuration frequently, but rather change the data stored on it (e.g., a web host service provider).
Turning to memory management in a hypervisor environment, the guest OS (e.g., guest OS 18) provides a virtual address space layout in guest virtual memory (e.g., guest virtual memory 26) to applications (e.g., application 20). The address space of the guest virtual memory may be divided into user space, which is accessible to applications (e.g., applications 20), and system space, which includes boot drivers, process page tables, system cache, paged and non-paged pools, etc. Typically, the address locations of the system pages are hardcoded (or known apriori). For example, a 4 GB of the guest virtual memory may be separated into 3 GB of user space, with addresses ranging from 0xBFFFFFFF to 0x00000000, and system space, with addresses ranging from 0xFFFFFFFF to 0xC0000000.
The guest OS handles virtual to physical address mappings through page tables. While virtual address space (e.g., guest virtual memory 26) is generally contiguous, the addresses may be mapped to non-contiguous blocks in the physical address space (e.g., guest physical memory 28). Virtual to physical mapping information is placed in a page table in structures called page table entries (PTEs). The format of the PTEs may vary with the OS, for example, Linux OS may specify one format, and Windows XP OS may specify another format. In general, PTEs typically contain a bit to indicate whether the page referenced by the PTE is present (or valid). For example, when a process begins loading into machine memory (e.g., machine memory 24), the guest OS assumes that the pages are loading into guest physical memory (e.g., guest physical memory 28), and generates corresponding page tables. The present bit for the pages being loaded into machine memory are set to 0 (indicating NOT_PRESENT) until all the pages are loaded into memory. Once all the pages are loaded, the present bit for the pages may be set to 1 (indicating PRESENT) in the respective PTEs. During the loading, if an attempt is made to access a page marked NOT_PRESENT, a page fault may be generated.
In example embodiments, any page table maintained by guest 14 may have a corresponding shadow page table (e.g., shadow page table 32), which is generated and maintained by hypervisor 12. Guest OS 18 does not have access to shadow page table 32. At boot, guest OS 18 may load its kernel to memory (e.g., in the form of guest kernel pages 30) from the computer's hard disk. Rootkit protection module 36 may mark PTEs 34 corresponding to guest kernel pages 30 as NOT_PRESENT in shadow page table 32. In one example, rootkit protection module 36 may determine that a page is one of guest kernel pages 30 by reading a virtual address of the page. If the virtual address lies within a particular range (e.g., predetermined range), the page may be one of guest kernel pages 30, and corresponding PTE 34 may be marked as NOT_PRESENT.
When a page fault occurs, control transfers from the processor (e.g., processor 22) executing the instruction that caused the page fault to the hypervisor (e.g., hypervisor 12). The hypervisor's page fault handler (e.g., page fault handler 40) can determine the instruction pointer and the faulting address, for example, to determine whether the page fault is an instruction page fault or a data page fault. For example, if the instruction pointer (i.e., the pointer pointing to the memory address, which the processor will next attempt to execute) points to the faulting address, then the page fault is an instruction page fault.
Turning to the infrastructure of
Control tools for managing hypervisor 12 can run on DOM042. DOM042 may provide a unified interface to manage guests (e.g., guest 14) on hypervisor 12. DOM042 may provide a means for an administrator to configure hypervisor 12, including managing storage, controlling aspects of guest behavior, setting up virtual networks, configuring a hypervisor and one or more guests, and creating, deleting, shutting down, booting up, etc. guests. For example, this kind of setup can be popular in data centers where servers run Xen, which in turn hosts multiple instances of guests. DOM042 may include modified Linux kernel, and can have special rights to access physical I/O resources, as well as interact with the other virtual machines running on the system. Typically, DOM042 is the first domain launched when the system is booted, and it can be used to create and configure all other regular guests (e.g., guest 14). The hypervisor environments can require DOM042 to be running before other guests can be started.
Turning to
If rootkit protection has been enabled (e.g., guest OS 18 has booted up and loaded its kernel components), page fault handler 40 may perform activities such as walking shadow page table 32 in hypervisor 12 and adding virtual addresses (e.g., corresponding to pages that have not been previously accessed) into hash 38. In an example embodiment, the activities occur one time after guest OS 18 has completed booting up, and subsequently, system 10 may be considered locked.
In 120, an application 20 in guest OS 14 may attempt to access guest kernel pages 30. Attempting to access guest kernel pages 30 can cause a page fault in 122 (as guest kernel pages 30 have been marked as NOT_PRESENT). Note that if rootkit protection is not enabled (e.g., guest OS 18 has not booted up and loaded its kernel components) and if the page fault is outside a paged pool and non-paged pool range, then page fault handler 40 may simply fix the page fault and store the page start address for each faulting virtual address (e.g., in paged pool and non paged pool range) in hash 38. Access may be allowed to these addresses, which are outside the paged pool and non paged pool range, because kernel drivers are generally loaded within the paged pool and non paged pool range.
When a page fault is encountered in 122, a determination is made in 124 if the page fault is an instruction page fault or a data page fault. If the page fault is a data page fault, then the soft whitelist (i.e., hash 38) is searched for an MFN corresponding to the faulting virtual address. If the MFN of the faulting virtual address is present in hash 38, then the page associated with the page fault is legitimate. Accordingly, in 126, page fault handler 40 may permanently fix the page fault to allow future access/execution of the page. On the other hand, if an MFN corresponding to the faulting virtual address is not present in hash 38, then the kernel page is new and any attempts to write to it could include code or data. Accordingly, page fault handler 40 may fix the page fault permanently and mark the page NX (no-execute) in 126. This can ensure that minimum page faults occur, while preventing any new kernel pages from being accessed or executed. Other pages can continue to be read/writable without any page fault until an attempt is made to execute the page. Application 20 may be allowed to access shadow page table 32 in 128 and the process ends in 130.
If the determination in 124 is that the page fault is an instruction fault, page fault handler 40 may check in 132 if the MFN for the faulting virtual address is present in hash 38. If present, page fault handler 40 may fix the page fault permanently (e.g., allow future access/execution) in 134, and mark the page read-only, remove any NX and allow access/execution. If the page is not present in hash 38, it can mean that the page is a new kernel page and page fault handler 40 may deny execution in 136. Denial of execution can be done in several ways: (i) page fault is not fixed, causing faulting thread in guest 14 to loop indefinitely; (ii) page fault is not fixed and an exception may be injected in guest 14. The exception may be caught by the faulting process. If the process does not handle this exception, it may be killed; (iii) page fault may be fixed, but the shadow PTE 34 associated with the faulting page may be made to point to a crafted page instead of the desired page. The crafted page can be configured with code that either causes guest 14 to crash, or causes No Operations Performed (NOPs) instructions to be executed harmlessly. Other examples are “blue-screening” guest 14, inserting a dummy page that causes an exit gracefully, etc. The process may end in 138.
Software for kernel rootkit protection (as well as inhibiting dangerous code from being executed) can be provided at various locations (e.g., within rootkit protection module 36). In one example implementation, this software is resident in a computer sought to be protected from a security attack (or protected from unwanted, or unauthorized manipulations of a writeable memory area). In a more detailed configuration, this software is specifically resident in a security layer of the hypervisor, which may include (or otherwise interface with) the components depicted by
In other examples, the kernel rootkit protection functions could involve a proprietary element (e.g., as part of an antivirus solution), which could be provided in (or be proximate to) these identified elements, or be provided in any other device, server, network appliance, console, firewall, switch, information technology (IT) device, etc., or be provided as a complementary solution (e.g., in conjunction with a firewall), or provisioned somewhere in the network. As used herein in this Specification, the term ‘computer’ is meant to encompass these possible elements (VMMs, hypervisors, Xen devices, virtual devices, network appliances, routers, switches, gateway, processors, servers, loadbalancers, firewalls, or any other suitable device, component, element, or object) operable to affect or process electronic information in a security environment. Moreover, this computer may include any suitable hardware, software, components, modules, interfaces, or objects that facilitate the operations thereof. This may be inclusive of appropriate algorithms and communication protocols that allow for the effective protection against kernel rootkits. In addition, the kernel rootkit protection functions can be consolidated in any suitable manner. Along similar design alternatives, any of the illustrated modules and components of the various FIGURES may be combined in various possible configurations: all of which are clearly within the broad scope of this Specification.
Any of these elements (e.g., a computer, a server, a network appliance, a firewall, a hypervisor, any other type of virtual element, etc.) may include a processor that can execute software or an algorithm to perform the kernel rootkit protection activities as discussed in this Specification. Additionally, each of these elements (e.g., a computer, a server, a network appliance, a firewall, a hypervisor, any other type of virtual element, etc.) can include memory elements (random access memory (RAM), ROM, EPROM, EEPROM, ASIC, etc.), software, hardware, or in any other suitable component, device, element, or object where appropriate and based on particular needs. The information being tracked, sent, received, or stored in system 10 could be provided in any database, register, table, cache, queue, control list, or storage structure, based on particular needs and implementations, all of which could be referenced in any suitable timeframe.
These elements and/or modules can cooperate with each other in order to perform the activities in connection with kernel rootkit protection in a hypervisor environment as discussed herein. In other embodiments, these features may be provided external to these elements, included in other devices to achieve these intended functionalities, or consolidated in any appropriate manner. For example, some of the processors associated with the various elements may be removed, or otherwise consolidated such that a single processor and a single memory location are responsible for certain activities. In a general sense, the arrangement depicted in FIGURES may be more logical in its representation, whereas a physical architecture may include various permutations, combinations, and/or hybrids of these elements.
Any of the memory items discussed herein (e.g., guest kernel pages 30, shadow page table 32, machine memory 24, guest virtual memory 26, guest physical memory 28, hash 38, etc.) should be construed as being encompassed within the broad term ‘memory element.’ Similarly, any of the potential processing elements, modules, and machines described in this Specification should be construed as being encompassed within the broad term ‘processor.’ Each of the computers, network appliances, virtual elements, etc. can also include suitable interfaces for receiving, transmitting, and/or otherwise communicating data or information in a hypervisor environment.
A processor can execute any type of instructions associated with the data to achieve the operations detailed herein in this Specification. In one example, the processor (as shown in the FIGURES) could transform an element or an article (e.g., data) from one state or thing to another state or thing. In another example, the activities outlined herein may be implemented with fixed logic or programmable logic (e.g., software/computer instructions executed by a processor) and the elements identified herein could be some type of a programmable processor, programmable digital logic (e.g., a field programmable gate array (FPGA), an erasable programmable read-only memory (EPROM), an electrically erasable programmable ROM (EEPROM)) or an ASIC that includes digital logic, software, code, electronic instructions, or any suitable combination thereof.
In certain example implementations, the kernel rootkit protection functions outlined herein may be implemented by logic encoded in one or more tangible, nontransitory media (e.g., embedded logic provided in an application specific integrated circuit (ASIC), digital signal processor (DSP) instructions, software (potentially inclusive of object code and source code) to be executed by a processor, or other similar machine, etc.). In some of these instances, a memory element (as shown in the FIGURES) can store data used for the operations described herein. This includes the memory element being able to store software, logic, code, or processor instructions that are executed to carry out the activities described in this Specification. In various embodiments, some or all of these elements include software (or reciprocating software) that can coordinate, manage, or otherwise cooperate in order to achieve the operations as outlined herein. One or more of these elements may include any suitable algorithms, hardware, software, components, modules, interfaces, or objects that facilitate the operations thereof.
Note that with the numerous examples provided herein, interaction may be described in terms of two, three, four, or more network elements and modules. However, this has been done for purposes of clarity and example only. It should be appreciated that the system can be consolidated in any suitable manner. Along similar design alternatives, any of the illustrated modules, components, and elements of
It is also important to note that the operations described with reference to the preceding FIGURES illustrate only some of the possible scenarios that may be executed by, or within, the system. Some of these operations may be deleted or removed where appropriate, or these steps may be modified or changed considerably without departing from the scope of the discussed concepts. In addition, the timing of these operations may be altered considerably and still achieve the results taught in this disclosure. The preceding operational flows have been offered for purposes of example and discussion. Substantial flexibility is provided by the system in that any suitable arrangements, chronologies, configurations, and timing mechanisms may be provided without departing from the teachings of the discussed concepts.
| Number | Name | Date | Kind |
|---|---|---|---|
| 4688169 | Joshi | Aug 1987 | A |
| 4982430 | Frezza et al. | Jan 1991 | A |
| 5155847 | Kirouac et al. | Oct 1992 | A |
| 5222134 | Waite et al. | Jun 1993 | A |
| 5390314 | Swanson | Feb 1995 | A |
| 5521849 | Adelson et al. | May 1996 | A |
| 5560008 | Johnson et al. | Sep 1996 | A |
| 5699513 | Feigen et al. | Dec 1997 | A |
| 5778226 | Adams et al. | Jul 1998 | A |
| 5778349 | Okonogi | Jul 1998 | A |
| 5787427 | Benantar et al. | Jul 1998 | A |
| 5842017 | Hookway et al. | Nov 1998 | A |
| 5907709 | Cantey et al. | May 1999 | A |
| 5907860 | Garibay et al. | May 1999 | A |
| 5926832 | Wing et al. | Jul 1999 | A |
| 5974149 | Leppek | Oct 1999 | A |
| 5987610 | Franczek et al. | Nov 1999 | A |
| 5987611 | Freund | Nov 1999 | A |
| 5991881 | Conklin et al. | Nov 1999 | A |
| 6064815 | Hohensee et al. | May 2000 | A |
| 6073142 | Geiger et al. | Jun 2000 | A |
| 6141698 | Krishnan et al. | Oct 2000 | A |
| 6192401 | Modiri et al. | Feb 2001 | B1 |
| 6192475 | Wallace | Feb 2001 | B1 |
| 6256773 | Bowman-Amuah | Jul 2001 | B1 |
| 6275938 | Bond et al. | Aug 2001 | B1 |
| 6321267 | Donaldson | Nov 2001 | B1 |
| 6338149 | Ciccone, Jr. et al. | Jan 2002 | B1 |
| 6356957 | Sanchez, II et al. | Mar 2002 | B2 |
| 6393465 | Leeds | May 2002 | B2 |
| 6442686 | McArdle et al. | Aug 2002 | B1 |
| 6449040 | Fujita | Sep 2002 | B1 |
| 6453468 | D'Souza | Sep 2002 | B1 |
| 6460050 | Pace et al. | Oct 2002 | B1 |
| 6587877 | Douglis et al. | Jul 2003 | B1 |
| 6611925 | Spear | Aug 2003 | B1 |
| 6662219 | Nishanov et al. | Dec 2003 | B1 |
| 6748534 | Gryaznov et al. | Jun 2004 | B1 |
| 6769008 | Kumar et al. | Jul 2004 | B1 |
| 6769115 | Oldman | Jul 2004 | B1 |
| 6795966 | Lim et al. | Sep 2004 | B1 |
| 6832227 | Seki et al. | Dec 2004 | B2 |
| 6834301 | Hanchett | Dec 2004 | B1 |
| 6847993 | Novaes et al. | Jan 2005 | B1 |
| 6895491 | Kjos et al. | May 2005 | B2 |
| 6907600 | Neiger et al. | Jun 2005 | B2 |
| 6918110 | Hundt et al. | Jul 2005 | B2 |
| 6930985 | Rathi et al. | Aug 2005 | B1 |
| 6934755 | Saulpaugh et al. | Aug 2005 | B1 |
| 6988101 | Ham et al. | Jan 2006 | B2 |
| 6988124 | Douceur et al. | Jan 2006 | B2 |
| 7007302 | Jagger et al. | Feb 2006 | B1 |
| 7010796 | Strom et al. | Mar 2006 | B1 |
| 7024548 | O'Toole, Jr. | Apr 2006 | B1 |
| 7039949 | Cartmell et al. | May 2006 | B2 |
| 7043616 | McGrath | May 2006 | B1 |
| 7065767 | Kambhammettu et al. | Jun 2006 | B2 |
| 7069330 | McArdle et al. | Jun 2006 | B1 |
| 7082456 | Mani-Meitav et al. | Jul 2006 | B2 |
| 7093239 | van der Made | Aug 2006 | B1 |
| 7124409 | Davis et al. | Oct 2006 | B2 |
| 7139916 | Billingsley et al. | Nov 2006 | B2 |
| 7152148 | Williams et al. | Dec 2006 | B2 |
| 7159036 | Hinchliffe et al. | Jan 2007 | B2 |
| 7177267 | Oliver et al. | Feb 2007 | B2 |
| 7203864 | Goin et al. | Apr 2007 | B2 |
| 7251655 | Kaler et al. | Jul 2007 | B2 |
| 7290266 | Gladstone et al. | Oct 2007 | B2 |
| 7302558 | Campbell et al. | Nov 2007 | B2 |
| 7330849 | Gerasoulis et al. | Feb 2008 | B2 |
| 7346781 | Cowle et al. | Mar 2008 | B2 |
| 7349931 | Horne | Mar 2008 | B2 |
| 7350204 | Lambert et al. | Mar 2008 | B2 |
| 7353501 | Tang et al. | Apr 2008 | B2 |
| 7363022 | Whelan et al. | Apr 2008 | B2 |
| 7370360 | van der Made | May 2008 | B2 |
| 7401358 | Christie et al. | Jul 2008 | B1 |
| 7406517 | Hunt et al. | Jul 2008 | B2 |
| 7441265 | Staamann et al. | Oct 2008 | B2 |
| 7464408 | Shah et al. | Dec 2008 | B1 |
| 7506155 | Stewart et al. | Mar 2009 | B1 |
| 7506170 | Finnegan | Mar 2009 | B2 |
| 7546333 | Alon et al. | Jun 2009 | B2 |
| 7546594 | McGuire et al. | Jun 2009 | B2 |
| 7552479 | Conover et al. | Jun 2009 | B1 |
| 7603552 | Sebes et al. | Oct 2009 | B1 |
| 7607170 | Chesla | Oct 2009 | B2 |
| 7657599 | Smith | Feb 2010 | B2 |
| 7669195 | Qumei | Feb 2010 | B1 |
| 7685635 | Vega et al. | Mar 2010 | B2 |
| 7698744 | Fanton et al. | Apr 2010 | B2 |
| 7703090 | Napier et al. | Apr 2010 | B2 |
| 7757269 | Roy-Chowdhury et al. | Jul 2010 | B1 |
| 7765538 | Zweifel et al. | Jul 2010 | B2 |
| 7783735 | Sebes et al. | Aug 2010 | B1 |
| 7809704 | Surendran et al. | Oct 2010 | B2 |
| 7818377 | Whitney et al. | Oct 2010 | B2 |
| 7823148 | Deshpande et al. | Oct 2010 | B2 |
| 7836504 | Ray et al. | Nov 2010 | B2 |
| 7840968 | Sharma et al. | Nov 2010 | B1 |
| 7849507 | Bloch et al. | Dec 2010 | B1 |
| 7856661 | Sebes et al. | Dec 2010 | B1 |
| 7865931 | Stone et al. | Jan 2011 | B1 |
| 7870387 | Bhargava et al. | Jan 2011 | B1 |
| 7873955 | Sebes et al. | Jan 2011 | B1 |
| 7895573 | Bhargava et al. | Feb 2011 | B1 |
| 7908653 | Brickell et al. | Mar 2011 | B2 |
| 7917724 | Dewan et al. | Mar 2011 | B2 |
| 7937455 | Saha et al. | May 2011 | B2 |
| 7966659 | Wilkinson et al. | Jun 2011 | B1 |
| 7996836 | McCorkendale et al. | Aug 2011 | B1 |
| 8015388 | Rihan et al. | Sep 2011 | B1 |
| 8015563 | Araujo et al. | Sep 2011 | B2 |
| 8028340 | Sebes et al. | Sep 2011 | B2 |
| 8074276 | Beloussov et al. | Dec 2011 | B1 |
| 8195931 | Sharma et al. | Jun 2012 | B1 |
| 8234713 | Roy-Chowdhury et al. | Jul 2012 | B2 |
| 8307437 | Sebes et al. | Nov 2012 | B2 |
| 8321932 | Bhargava et al. | Nov 2012 | B2 |
| 8332929 | Bhargava et al. | Dec 2012 | B1 |
| 8341627 | Mohinder | Dec 2012 | B2 |
| 8381284 | Dang et al. | Feb 2013 | B2 |
| 8515075 | Saraf et al. | Aug 2013 | B1 |
| 8561061 | Adams et al. | Oct 2013 | B2 |
| 8566935 | Lagar-Cavilla et al. | Oct 2013 | B2 |
| 8572371 | Gassoway | Oct 2013 | B2 |
| 8578080 | Sahita et al. | Nov 2013 | B2 |
| 8607020 | Jacobs et al. | Dec 2013 | B2 |
| 8621605 | Burugula et al. | Dec 2013 | B2 |
| 8694738 | Bhattacharjee et al. | Apr 2014 | B2 |
| 8701189 | Saraf et al. | Apr 2014 | B2 |
| 8719543 | Kaminski et al. | May 2014 | B2 |
| 20020056076 | van der Made | May 2002 | A1 |
| 20020069367 | Tindal et al. | Jun 2002 | A1 |
| 20020083175 | Afek et al. | Jun 2002 | A1 |
| 20020099671 | Mastin Crosbie et al. | Jul 2002 | A1 |
| 20030014667 | Kolichtchak | Jan 2003 | A1 |
| 20030023736 | Abkemeier | Jan 2003 | A1 |
| 20030033510 | Dice | Feb 2003 | A1 |
| 20030073894 | Chiang et al. | Apr 2003 | A1 |
| 20030074552 | Olkin et al. | Apr 2003 | A1 |
| 20030120601 | Ouye et al. | Jun 2003 | A1 |
| 20030120811 | Hanson et al. | Jun 2003 | A1 |
| 20030120935 | Teal et al. | Jun 2003 | A1 |
| 20030145232 | Poletto et al. | Jul 2003 | A1 |
| 20030163718 | Johnson et al. | Aug 2003 | A1 |
| 20030167292 | Ross | Sep 2003 | A1 |
| 20030167399 | Audebert et al. | Sep 2003 | A1 |
| 20030200332 | Gupta et al. | Oct 2003 | A1 |
| 20030212902 | van der Made | Nov 2003 | A1 |
| 20030220944 | Lyman Schottland et al. | Nov 2003 | A1 |
| 20030221190 | Deshpande et al. | Nov 2003 | A1 |
| 20040003258 | Billingsley et al. | Jan 2004 | A1 |
| 20040015554 | Wilson | Jan 2004 | A1 |
| 20040051736 | Daniell | Mar 2004 | A1 |
| 20040054928 | Hall | Mar 2004 | A1 |
| 20040064668 | Kjos et al. | Apr 2004 | A1 |
| 20040143749 | Tajalli et al. | Jul 2004 | A1 |
| 20040167906 | Smith et al. | Aug 2004 | A1 |
| 20040230963 | Rothman et al. | Nov 2004 | A1 |
| 20040243678 | Smith et al. | Dec 2004 | A1 |
| 20040255161 | Cavanaugh | Dec 2004 | A1 |
| 20050018651 | Yan et al. | Jan 2005 | A1 |
| 20050086047 | Uchimoto et al. | Apr 2005 | A1 |
| 20050108516 | Balzer et al. | May 2005 | A1 |
| 20050108562 | Khazan et al. | May 2005 | A1 |
| 20050114672 | Duncan et al. | May 2005 | A1 |
| 20050132346 | Tsantilis | Jun 2005 | A1 |
| 20050228990 | Kato et al. | Oct 2005 | A1 |
| 20050235360 | Pearson | Oct 2005 | A1 |
| 20050257207 | Blumfield et al. | Nov 2005 | A1 |
| 20050257265 | Cook et al. | Nov 2005 | A1 |
| 20050260996 | Groenendaal | Nov 2005 | A1 |
| 20050262558 | Usov | Nov 2005 | A1 |
| 20050273858 | Zadok et al. | Dec 2005 | A1 |
| 20050283823 | Okajo et al. | Dec 2005 | A1 |
| 20050289538 | Black-Ziegelbein et al. | Dec 2005 | A1 |
| 20060004875 | Baron et al. | Jan 2006 | A1 |
| 20060015501 | Sanamrad et al. | Jan 2006 | A1 |
| 20060037016 | Saha et al. | Feb 2006 | A1 |
| 20060080656 | Cain et al. | Apr 2006 | A1 |
| 20060085785 | Garrett | Apr 2006 | A1 |
| 20060101277 | Meenan et al. | May 2006 | A1 |
| 20060107020 | Stillwell et al. | May 2006 | A1 |
| 20060133223 | Nakamura et al. | Jun 2006 | A1 |
| 20060136910 | Brickell et al. | Jun 2006 | A1 |
| 20060136911 | Robinson et al. | Jun 2006 | A1 |
| 20060150256 | Fanton et al. | Jul 2006 | A1 |
| 20060195906 | Jin et al. | Aug 2006 | A1 |
| 20060200863 | Ray et al. | Sep 2006 | A1 |
| 20060230314 | Sanjar et al. | Oct 2006 | A1 |
| 20060236398 | Trakic et al. | Oct 2006 | A1 |
| 20060259734 | Sheu et al. | Nov 2006 | A1 |
| 20060282892 | Jonnala et al. | Dec 2006 | A1 |
| 20070011746 | Malpani et al. | Jan 2007 | A1 |
| 20070028303 | Brennan | Feb 2007 | A1 |
| 20070039049 | Kupferman et al. | Feb 2007 | A1 |
| 20070050579 | Hall et al. | Mar 2007 | A1 |
| 20070050764 | Traut | Mar 2007 | A1 |
| 20070074199 | Schoenberg | Mar 2007 | A1 |
| 20070083522 | Nord et al. | Apr 2007 | A1 |
| 20070101435 | Konanka et al. | May 2007 | A1 |
| 20070136579 | Levy et al. | Jun 2007 | A1 |
| 20070143851 | Nicodemus et al. | Jun 2007 | A1 |
| 20070169079 | Keller et al. | Jul 2007 | A1 |
| 20070192329 | Croft et al. | Aug 2007 | A1 |
| 20070220061 | Tirosh et al. | Sep 2007 | A1 |
| 20070220507 | Back et al. | Sep 2007 | A1 |
| 20070253430 | Minami et al. | Nov 2007 | A1 |
| 20070256138 | Gadea et al. | Nov 2007 | A1 |
| 20070271561 | Winner et al. | Nov 2007 | A1 |
| 20070300215 | Bardsley | Dec 2007 | A1 |
| 20070300241 | Prakash et al. | Dec 2007 | A1 |
| 20080005737 | Saha et al. | Jan 2008 | A1 |
| 20080005798 | Ross | Jan 2008 | A1 |
| 20080010304 | Vempala et al. | Jan 2008 | A1 |
| 20080022384 | Yee et al. | Jan 2008 | A1 |
| 20080034416 | Kumar et al. | Feb 2008 | A1 |
| 20080052468 | Speirs et al. | Feb 2008 | A1 |
| 20080082977 | Araujo et al. | Apr 2008 | A1 |
| 20080120499 | Zimmer et al. | May 2008 | A1 |
| 20080163207 | Reumann et al. | Jul 2008 | A1 |
| 20080163210 | Bowman et al. | Jul 2008 | A1 |
| 20080165952 | Smith et al. | Jul 2008 | A1 |
| 20080184373 | Traut et al. | Jul 2008 | A1 |
| 20080235534 | Schunter et al. | Sep 2008 | A1 |
| 20080294703 | Craft et al. | Nov 2008 | A1 |
| 20080301770 | Kinder | Dec 2008 | A1 |
| 20090006805 | Anderson et al. | Jan 2009 | A1 |
| 20090007100 | Field et al. | Jan 2009 | A1 |
| 20090038017 | Durham et al. | Feb 2009 | A1 |
| 20090043993 | Ford et al. | Feb 2009 | A1 |
| 20090055693 | Budko et al. | Feb 2009 | A1 |
| 20090113110 | Chen et al. | Apr 2009 | A1 |
| 20090144300 | Chatley et al. | Jun 2009 | A1 |
| 20090150639 | Ohata | Jun 2009 | A1 |
| 20090172822 | Sahita et al. | Jul 2009 | A1 |
| 20090249053 | Zimmer et al. | Oct 2009 | A1 |
| 20090249438 | Litvin et al. | Oct 2009 | A1 |
| 20090300612 | Devine et al. | Dec 2009 | A1 |
| 20090307445 | Jacobs et al. | Dec 2009 | A1 |
| 20100031360 | Seshadri et al. | Feb 2010 | A1 |
| 20100071035 | Budko et al. | Mar 2010 | A1 |
| 20100094948 | Ganesh et al. | Apr 2010 | A1 |
| 20100114825 | Siddegowda | May 2010 | A1 |
| 20100250895 | Adams et al. | Sep 2010 | A1 |
| 20100281133 | Brendel | Nov 2010 | A1 |
| 20100293225 | Sebes et al. | Nov 2010 | A1 |
| 20100332910 | Ali et al. | Dec 2010 | A1 |
| 20110029772 | Fanton et al. | Feb 2011 | A1 |
| 20110035423 | Kobayashi et al. | Feb 2011 | A1 |
| 20110047543 | Mohinder | Feb 2011 | A1 |
| 20110077948 | Sharma et al. | Mar 2011 | A1 |
| 20110078550 | Nabutovsky | Mar 2011 | A1 |
| 20110082962 | Horovitz et al. | Apr 2011 | A1 |
| 20110093842 | Sebes | Apr 2011 | A1 |
| 20110113467 | Agarwal et al. | May 2011 | A1 |
| 20110119760 | Sebes et al. | May 2011 | A1 |
| 20110138461 | Bhargava et al. | Jun 2011 | A1 |
| 20110167422 | Eom et al. | Jul 2011 | A1 |
| 20110219447 | Horovitz et al. | Sep 2011 | A1 |
| 20120030731 | Bhargava et al. | Feb 2012 | A1 |
| 20120030750 | Bhargava et al. | Feb 2012 | A1 |
| 20120179874 | Chang et al. | Jul 2012 | A1 |
| 20120204263 | Jonnala et al. | Aug 2012 | A1 |
| 20120278853 | Roy-Chowdhury et al. | Nov 2012 | A1 |
| 20120290827 | Bhargava et al. | Nov 2012 | A1 |
| 20120297176 | Bhargava et al. | Nov 2012 | A1 |
| 20120311341 | Paris et al. | Dec 2012 | A1 |
| 20120331464 | Saito et al. | Dec 2012 | A1 |
| 20130024934 | Sebes et al. | Jan 2013 | A1 |
| 20130054917 | Ludwig et al. | Feb 2013 | A1 |
| 20130086550 | Epstein | Apr 2013 | A1 |
| 20130091318 | Bhattacharjee et al. | Apr 2013 | A1 |
| 20130097355 | Dang et al. | Apr 2013 | A1 |
| 20130097356 | Dang et al. | Apr 2013 | A1 |
| 20130117823 | Dang et al. | May 2013 | A1 |
| 20130132690 | Epstein | May 2013 | A1 |
| 20130174147 | Sahita et al. | Jul 2013 | A1 |
| 20130219462 | Aratsu et al. | Aug 2013 | A1 |
| 20130283004 | Devine et al. | Oct 2013 | A1 |
| 20140089450 | Raindel et al. | Mar 2014 | A1 |
| 20140089451 | Eran et al. | Mar 2014 | A1 |
| 20140143774 | Adams et al. | May 2014 | A1 |
| Number | Date | Country |
|---|---|---|
| 1 482 394 | Dec 2004 | EP |
| 2 037 657 | Mar 2009 | EP |
| WO 9844404 | Oct 1998 | WO |
| WO 0184285 | Nov 2001 | WO |
| WO 2006012197 | Feb 2006 | WO |
| WO 2006124832 | Nov 2006 | WO |
| WO 2008054997 | May 2008 | WO |
| WO 2011059877 | May 2011 | WO |
| WO 2012015485 | Feb 2012 | WO |
| WO 2012015489 | Feb 2012 | WO |
| 2013055498 | Apr 2013 | WO |
| 2013055499 | Apr 2013 | WO |
| 2013055502 | Apr 2013 | WO |
| Entry |
|---|
| International Search Report and Written Opinion, International Application No. PCT/US2012/055660, mailed Feb. 18, 2013, 10 pages. |
| Final Office Action for U.S. Appl. No. 13/273,002, mailed on Jan. 31, 2014, 17 pages. |
| International Preliminary Report on Patentability in International Application No. PCT/US2012/055660, mailed Apr. 15, 2014, 6 pages. |
| International Preliminary Report on Patentability in International Application No. PCT/US2012/055670, mailed Apr. 15, 2014, 5 pages. |
| International Preliminary Report on Patentability in International Application No. PCT/US2012/055674, mailed on Apr. 15, 2014, 5 pages. |
| Kurt Gutzmann, “Access Control and Session Management in the HTTP Environment,” Jan./Feb. 2001, pp. 26-35, IEEE Internet Computing. |
| Eli M. Dow, et al., “The Xen Hypervisor,” INFORMIT, dated Apr. 10, 2008, http://www.informit.com/articles/printerfriendly.aspx?p=1187966, printed Aug. 11, 2009 (13 pages). |
| U.S. Appl. No. 10/651,591, entitled “Method and System for Containment of Networked Application Client Software by Explicit Human Input,” filed Aug. 29, 2003, Inventor(s): Rosen Sharma et al. |
| U.S. Appl. No. 11/060,683, entitled “Distribution and Installation of Solidified Software on a Computer,” filed Feb. 16, 2005, Inventor(s): Bakul Shah et al. |
| U.S. Appl. No. 11/379,953, entitled “Software Modification by Group to Minimize Breakage,” filed Apr. 24, 2006, Inventor(s): E. John Sebes et al. |
| U.S. Appl. No. 12/291,232, entitled “Method of and System for Computer System State Checks,” filed Nov. 7, 2008, inventor(s): Rishi Bhargava et al. |
| U.S. Appl. No. 12/426,859, entitled “Method of and System for Reverse Mapping Vnode Pointers,” filed Apr. 20, 2009, Inventor(s): Suman Saraf et al. |
| U.S. Appl. No. 12/322,220, entitled “Method of and System for Malicious Software Detection Using Critical Address Space Protection,” filed Jan. 29, 2009, Inventor(s): Suman Saraf et al. |
| U.S. Appl. No. 12/322,321, entitled “Method of and System for Computer System Denial-of-Service Protection,” filed Jan. 29, 2009, Inventor(s): Suman Saraf et al. |
| Desktop Management and Control, Website: http://www.vmware.com/solutions/desktop/, printed Oct. 12, 2009, 1 page. |
| Secure Mobile Computing, Website: http://www.vmware.com/solutions/desktop/mobile.html, printed Oct. 12, 2009, 2 pages. |
| U.S. Appl. No. 12/636,414, entitled “System and Method for Managing Virtual Machine Configurations,” filed Dec. 11, 2009, Inventor(s): Harvinder Singh Sawhney, et al. |
| U.S. Appl. No. 12/880,125, entitled “System and Method for Clustering Host Inventories,” filed Sep. 12, 2010, Inventor(s) Rishi Bhargava, et al. |
| Barrantes et al., “Randomized Instruction Set Emulation to Dispurt Binary Code Injection Attacks,” Oct. 27-31, 2003, ACM, pp. 281-289. |
| Gaurav et al., “Countering Code-Injection Attacks with Instruction-Set Randomization,” Oct. 27-31, 2003, ACM, pp. 272-280. |
| U.S. Appl. No. 12/903,993, entitled “Method and System for Containment of Usage of Language Interfaces,” filed Oct. 13, 2010, Inventor(s) Rosen Sharma, et al. |
| U.S. Appl. No. 12/946,344, entitled “Method and System for Containment of Usage of Language Interfaces,” filed Nov. 15, 2010, Inventor(s) Rosen Sharma, et al. |
| U.S. Appl. No. 13/012,138, entitled “System and Method for Selectively Grouping and Managing Program Files,” filed Jan. 24, 2011, Inventor(s) Rishi Bhargava, et al. |
| Check Point Software Technologies Ltd.: “ZoneAlarm Security Software User Guide Version 9”, Aug. 24, 2009, XP002634548, 259 pages, retrieved from Internet: URL:http://download.zonealarm.com/bin/media/pdf/zaclient91—user—manual.pdf. |
| Notification of Transmittal of the International Search Report and the Written Opinion of the International Searching Authority (1 page), International Search Report (4 pages), and Written Opinion (3 pages), mailed Mar. 2, 2011, International Application No. PCT/US2010/055520. |
| Notification of Transmittal of the International Search Report and the Written Opinion of the International Searching Authority, or the Declaration (1 page), International Search Report (6 pages), and Written Opinion of the International Searching Authority (10 pages) for International Application No. PCT/US2011/020677 mailed Jul. 22, 2011. |
| Notification of Transmittal of the International Search Report and Written Opinion of the International Searching Authority, or the Declaration (1 page), International Search Report (3 pages), and Written Opinion of the International Search Authority (6 pages) for International Application No. PCT/US2011/024869 mailed Jul. 14, 2011. |
| Tal Garfinkel, et al., “Terra: A Virtual Machine-Based Platform for Trusted Computing,” XP-002340992, SOSP'03, Oct. 19-22, 2003, 14 pages. |
| U.S. Appl. No. 13/037,988, entitled “System and Method for Botnet Detection by Comprehensive Email Behavioral Analysis,” filed Mar. 1, 2011, Inventor(s) Sven Krasser, et al. |
| IA-32 Intel® Architecture Software Developer's Manual, vol. 3B; Jun. 2006; pp. 13, 15, 22 and 145-146. |
| Notification of International Preliminary Report on Patentability and Written Opinion mailed May 24, 2012 for International Application No. PCT/US2010/055520, 5 pages. |
| Sailer et al., sHype: Secure Hypervisor Approach to Trusted Virtualized Systems, IBM research Report, Feb. 2, 2005, 13 pages. |
| U.S. Appl. No. 13/558,277, entitled “Method and Apparatus for Process Enforced Configuration Management,” filed Jul. 25, 2012, Inventor(s) Rishi Bhargava et al. |
| U.S. Appl. No. 11/437,317, entitled “Connectivity-Based Authorization,” filed May 18, 2006, Inventor(s): E. John Sebes et al. |
| Myung-Sup Kim et al., “A load cluster management system using SNMP and web”, [Online], May 2002, pp. 367-378, [Retrieved from Internet on Oct. 24, 2012], <http://onlinelibrary.wiley.com/doi/10.1002/nem.453/pdf>. |
| G. Pruett et al., “BladeCenter systems management software”, [Online], Nov. 2005, pp. 963-975, [Retrieved from Internet on Oct. 24, 2012], <http://citeseerx.lst.psu.edu/viewdoc/download?doi=10.1.1.91.5091&rep=rep1&type=pdf>. |
| Philip M. Papadopoulos et al., “NPACI Rocks: tools and techniques for easily deploying manageable Linux clusters” [Online], Aug. 2002, pp. 707-725, [Retrieved from internet on Oct. 24, 2012], <http://onlinelibrary.wiley.com/doi/10.1002/cpe.722/pdf>. |
| Thomas Staub et al., “Secure Remote Management and Software Distribution for Wireless Mesh Networks”, [Online], Sep. 2007, pp. 1-8, [Retrieved from Internet on Oct. 24, 2012], <http://cds.unibe.ch/research/pub—files/B07.pdf>. |
| “What's New: McAfee VirusScan Enterprise, 8.8,” copyright 2010, retrieved on Nov. 23, 2012 at https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT—DOCUMENTATION/22000/PD22973/en—US/VSE%208.8%20-%20What's%20New.pdf, 4 pages. |
| “McAfee Management for Optimized Virtual Environments,” copyright 2012, retrieved on Nov. 26, 2012 at AntiVirushttp://www.mcafee.com/us/resources/data-sheets/ds-move-anti-virus.pdf, 2 pages. |
| Rivest, R., “The MD5 Message-Digest Algorithm”, RFC 1321, Apr. 1992, retrieved on Dec. 14, 2012 from http://www.ietf.org/rfc/rfc1321.txt, 21 pages. |
| Hinden, R. and B. Haberman, “Unique Local IPv6 Unicast Addresses”, RFC 4193, Oct. 2005, retrieved on Nov. 20, 2012 from http://tools.ietf.org/pdf/rfc4193.pdf, 17 pages. |
| “Secure Hash Standard (SHS)”, Federal Information Processing Standards Publication, FIPS PUB 180-4, Mar. 2012, retrieved on Dec. 14, 2012 from http://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf, 35 pages. |
| U.S. Appl. No. 13/728,705, filed Dec. 27, 2012, entitled “Herd Based Scan Avoidance System in a Network Environment,” Inventor(s) Venkata Ramanan, et al. |
| An Analysis of Address Space Layout Randomization on Windows Vista™, Symantec Advanced Threat Research, copyright 2007 Symantec Corporation, available at http://www.symantec.com/avcenter/reference/Address—Space—Layout—Randomization.pdf, 19 pages. |
| Bhatkar, et al., “Efficient Techniques for Comprehensive Protection from Memory Error Exploits,” USENIX Association, 14th USENIX Security Symposium, Aug. 1-5, 2005, Baltimore, MD, 16 pages. |
| Dewan, et al., “A Hypervisor-Based System for Protecting Software Runtime Memory and Persistent Storage,” Spring Simulation Multiconference 2008, Apr. 14-17, 2008, Ottawa, Canada, (available at website: www.vodun.org/papers/2008—secure—locker—submit—v1-1.pdf, printed Oct. 11, 2011), 8 pages. |
| Shacham, et al., “On the Effectiveness of Address-Space Randomization,” CCS'04, Oct. 25-29, 2004, Washington, D.C., Copyright 2004, 10 pages. |
| International Search Report and Written Opinion mailed Dec. 14, 2012 for International Application No. 04796-1087WO, 9 pages. |
| International Search Report and Written Opinion mailed Jan. 25, 2013 for International Application No. PCT/US2012/055670 (7 pages). |
| Lecture Embedded System Security, Chapter 6: Return-oriented Programming, Prof. Dr.-Ing. Ahmad-Reza Sadeghi, et al., Technische Universitat Damstadt (CASED), Germany, Summer Term 2011, http://www.trust.informatik.tu-darmstadt.de/fileadmin/user—upload/Group—TRUST/LectureSlides/ESS-SS2011/rop-grayscale.pdf[Background on Butter Overflow Attacks/Sadeghi et al./2011, 51 pages. |
| Notice of Allowance received for U.S. Appl. No. 12/322,220, mailed on Apr. 17, 2013, 14 pages. |
| Final Office Action received for U.S. Appl. No. 12/545,745, mailed on Jun. 7, 2012, 14 pages. |
| Non Final Office Action received for U.S. Appl. No. 12/545,745, mailed on Jan. 5, 2012, 12 pages. |
| Notice of Allowance received for U.S. Appl. No. 12/545,745, mailed on Aug. 29, 2012, 8 pages. |
| Response to Final Office Action and RCE for U.S. Appl. No. 12/545,745, filed Jul. 31, 2012, 15 pages. |
| Response to Non Final Office Action for U.S. Appl. No. 12/545,745, filed Mar. 28, 2012, 12 pages. |
| “Shadow Walker” Raising the Bar for Rootkit Detection by Sherri Sparks and Jamie Butler, Black Hat Japan 2005, Tokyp, Japan, Oct. 17-18, 2005, 55 pages. |
| Countering Kernel Rootkits with Lightweight Hook Protection, available at http://research.microsoft.com/en-us/um/people/wdcui/papers/hooksafe-ccs09.pdf, 16th ACM Conference on Computer and Communications Security (CCS 2009) Chicago, IL, Nov. 2009, 10 pages. |
| Detecting Kernel Rootkits, by Rainer Whichmann, available at http://www.la-samhna.de/library/rootkits/detect.html, copyright 2006, 2 pages. |
| Guest-Transparent Prevention of Kernel Rootkits with VMM-Based Memory Shadowing, 11th International Symposium on Recent Advances in Intrusion Detection, Cambridge, Massachusetts (Sep. 15-17, 2008), 20 pages. |
| McAfee Proven Security, Rootkits, Part 1 of 3: The Growing Threat (Apr. 2006), available at www.mcafee.com, 8 pages. |
| Multi-Aspect Profiling of Kernel Rootkit Behavior, Eurosys Conference 2009, Nuremberg, Germany, Mar. 30-Apr. 3, 2009, 14 pages. |
| Rootkits Part 2: A Technical Primer, available at www.mcafee.com (http://www.mcafee.com/cf/about/news/2007/20070418—174400—d.aspx) Apr. 18, 2007, 16 pages. |
| SecVisor: A Tiny Hypervisor to Provide Lifetime Kernel Code Integrity for Commodity OSes, Proceedings of the 21st ACM SIGOPS Symposium on Operating Systems Principles, Stevenson, WA (Oct. 14-17, 2007), 16 pages. |
| Stopping Rootkits at the Network Edge (Jan. 2007) http://www.trustedcomputinggroup.org/files/resource—files/C2426F48-1D09-3519-AD02D13C71B888A6/Whitepaper—Rootkit—Strom—v3.pdf, 3 pages. |
| Transparent Protection of Commodity OS Kernels Using Hardware Virtualization, 6th International ICST Conference on Security and Privacy in Communication Networks, Singapore, Sep. 7-9, 2010, 18 pages. |
| Xen Architecture Overview, Feb. 13, 2008, available at http://wiki.xen.org/xenwiki/XenArchitecture?action=AttachFile&do=get&target=Xen+Architecture—Q1+2008.pdf, 9 pages. |
| USPTO Nov. 27, 2013 Notice of Allowance in U.S. Appl. No. 12/322,321, 15 pages. |
| “A Linear-Time Heuristic for Improving Network Partitions,” http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=1585498; Fiduccia et al., pp. 175-181, 1982, 7 pages. |
| USPTO Nov. 12, 2013 Notice of Allowance in U.S. Appl. No. 13/271,102, 11 pages. |
| International Search Report received for PCT Application No. PCT/US2012/055674, mailed on Dec. 14, 2012, 2 pages. |
| Nonfinal Office Action for U.S. Appl. No. 13/273,002, mailed on Oct. 4, 2013, 17 pages. |
| Grace, Michael, et al., “Transparent Protection of Commodity OS Kernels Using Hardware Virtualization,” 2010, SecureComm 2010, LNICST 50, pp. 162-180, 19 pages. |
| Riley, Ryan, et al., “Guest-Transparent Prevention of Kernel Rootkits with VMM-Based Memory Shadowing,” 2008, RAID 2008, LNCS 5230, pp. 1-20, 20 pages. |
| Milos, Grzegorz, et al., “Satori: Enlightened page sharing,” Proceedings of the 2009 conference on USENIX Annual technical conference, 14 pages. |
| USPTO Notice of Allowance for U.S. Appl. No. 13/273,002, mailed on Apr. 24, 2014, 9 pages. |
| USPTO Notice of Allowance for U.S. Appl. No. 13/273,002, mailed on Oct. 1, 2014, 8 pages. |
| Number | Date | Country | |
|---|---|---|---|
| 20130097355 A1 | Apr 2013 | US |
