Patent application number | Description | Published |
20110047542 | System and Method for Enforcing Security Policies in a Virtual Environment - A method in one example implementation includes intercepting a request associated with an execution of an object (e.g., a kernel module or a binary) in a computer configured to operate in a virtual machine environment. The request is associated with a privileged domain of the computer that operates logically below one or more operating systems. The method also includes verifying an authorization of the object by computing a checksum for the object and comparing the checksum to a plurality of stored checksums in a memory element. The execution of the object is denied if it is not authorized. In other embodiments, the method can include evaluating a plurality of entries within the memory element of the computer, wherein the entries include authorized binaries and kernel modules. In other embodiments, the method can include intercepting an attempt from a remote computer to execute code from a previously authorized binary. | 02-24-2011 |
20130097355 | SYSTEM AND METHOD FOR KERNEL ROOTKIT PROTECTION IN A HYPERVISOR ENVIRONMENT - A system and method in one embodiment includes modules for creating a soft whitelist having entries corresponding to each guest kernel page in a guest operating system in a hypervisor environment, generating a page fault when an access attempt is made to a guest kernel page, fixing the page fault to allow access and execution if the guest kernel page corresponds to one of the entries in the soft whitelist, and denying execution if the guest kernel page does not correspond to any of the entries in the soft whitelist. If the page fault is an instruction page fault, and the guest kernel page corresponds to one of the entries in the soft whitelist, the method includes marking the guest kernel page as read-only and executable. The soft whitelist includes a hash of machine page frame numbers corresponding to virtual addresses of each guest kernel page. | 04-18-2013 |
20130097356 | SYSTEM AND METHOD FOR KERNEL ROOTKIT PROTECTION IN A HYPERVISOR ENVIRONMENT - A system and method for rootkit protection in a hypervisor environment includes modules for creating a soft whitelist having entries corresponding to each guest kernel page of a guest operating system in a hypervisor environment, wherein each entry is a duplicate page of the corresponding guest kernel page, generating a page fault when a process attempts to access a guest kernel page, and redirecting the process to the corresponding duplicate page. If the page fault is a data page fault, the method includes fixing the page fault, and marking a page table entry corresponding to the guest kernel page as non-executable and writeable. If the page fault is an instruction page fault, the method includes marking a page table entry corresponding to the guest kernel page as read-only. Redirecting includes changing a machine page frame number in a shadow page table of the hypervisor to point to the corresponding duplicate page. | 04-18-2013 |
20130097659 | SYSTEM AND METHOD FOR WHITELISTING APPLICATIONS IN A MOBILE NETWORK ENVIRONMENT - One or more attributes of an application in a plurality of applications are identified. A reputation score of the application is determined based at least in part on the identified attributes to determine whether the application should be included in a whitelist. The whitelist can be applied against a request to download the application on a mobile device. In some aspects, the whitelist can be generated through automated collection and analysis of applications available for download by one or more different types of mobile devices in one or more networks. In some aspects, the whitelist can be applied by blocking attempts to download applications determined not to be included in the whitelist. | 04-18-2013 |
20130097660 | SYSTEM AND METHOD FOR WHITELISTING APPLICATIONS IN A MOBILE NETWORK ENVIRONMENT - An application is identified as installed on a particular mobile device. An action involving the application is identified, the action to be performed using the particular mobile device. It is determined whether the action is an approved action based on at least one policy associated with the particular mobile device. A determination that the action is unapproved can result in an attempt to prevent the action. Further, in certain instances, a whitelist or blacklist can be generated based on determinations of whether identified application actions conform to one or more policies associated with the particular mobile device. | 04-18-2013 |
20150180908 | SYSTEM AND METHOD FOR WHITELISTING APPLICATIONS IN A MOBILE NETWORK ENVIRONMENT - A query from a particular mobile device is identified that indicates an attempt, by the particular mobile device, to access a particular application. It is determined whether the particular application has been assessed for inclusion in one or more of the plurality of whitelists and, based on the determination, an assessment of the particular application can be performed, which can include accessing a copy of the particular application and assessing the copy of the particular application to identify one or more attributes of the particular application. For each of a plurality of whitelists, a determination is made whether the particular application should be included in the whitelist based on the attributes. Each whitelist can be associated with a respective one of a plurality of entities and based on a policy corresponding to the respective entity, each entity is associated with a respective plurality of mobile devices. | 06-25-2015 |
20150234718 | SYSTEM AND METHOD FOR KERNEL ROOTKIT PROTECTION IN A HYPERVISOR ENVIRONMENT - A system and method in one embodiment includes modules for creating a soft whitelist having entries corresponding to each guest kernel page in a guest operating system in a hypervisor environment, generating a page fault when an access attempt is made to a guest kernel page, fixing the page fault to allow access and execution if the guest kernel page corresponds to one of the entries in the soft whitelist, and denying execution if the guest kernel page does not correspond to any of the entries in the soft whitelist. If the page fault is an instruction page fault, and the guest kernel page corresponds to one of the entries in the soft whitelist, the method includes marking the guest kernel page as read-only and executable. The soft whitelist includes a hash of machine page frame numbers corresponding to virtual addresses of each guest kernel page. | 08-20-2015 |
20150317178 | SYSTEM AND METHOD FOR KERNEL ROOTKIT PROTECTION IN A HYPERVISOR ENVIRONMENT - A system and method for rootkit protection in a hypervisor environment includes modules for creating a soft whitelist having entries corresponding to each guest kernel page of a guest operating system in a hypervisor environment, wherein each entry is a duplicate page of the corresponding guest kernel page, generating a page fault when a process attempts to access a guest kernel page, and redirecting the process to the corresponding duplicate page. If the page fault is a data page fault, the method includes fixing the page fault, and marking a page table entry corresponding to the guest kernel page as non-executable and writeable. If the page fault is an instruction page fault, the method includes marking a page table entry corresponding to the guest kernel page as read-only. Redirecting includes changing a machine page frame number in a shadow page table of the hypervisor to point to the corresponding duplicate page. | 11-05-2015 |