This disclosure describes techniques that leverage memory organization in virtual machines and their hosts to emplace code that protects against malware. Malware detection instrumentation is emplaced in guest kernel space, which is relatively privileged and better protected than other guest memory spaces. Malware behavioral analysis logic, which classifies a guest process as benign or malign, is emplaced in host ring 3 space, to take advantage of the virtualization boundary.

Even if the guest kernel itself is unaffected by an attack, it may still be unable to quickly communicate what it knows about the attack to the malware behavioral analysis logic, which resides in the host. This is because such communication normally travels through guest userspace, which may be compromised. This disclosure further describes techniques that enable the guest kernel to communicate sensitive information to the host while bypassing guest userspace, e.g., by using a virtio-vsock channel.
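As an added illustration, not code from the disclosure, the host-side half of such a channel in Python: a ring 3 listener on AF_VSOCK that accepts records only from the expected guest's context ID and unframes them for the analysis logic. The length-prefixed JSON record format and the port number are assumptions.

```python
"""Host-side (ring 3) receiver for guest-kernel telemetry over virtio-vsock.
The guest kernel module is the sender; only the host half is shown here."""
import json
import socket
import struct

# Constructed wire format (an assumption, not from the disclosure): a 4-byte
# big-endian length prefix followed by a UTF-8 JSON object.
HDR = struct.Struct("!I")
MAX_RECORD = 64 * 1024   # refuse implausible lengths before allocating for them
TELEMETRY_PORT = 5005    # hypothetical vsock port agreed with the guest module

def encode_record(pid, comm, event, detail=""):
    """Frame one observation the way the guest kernel side is assumed to."""
    body = json.dumps({"pid": pid, "comm": comm, "event": event,
                       "detail": detail}, separators=(",", ":")).encode()
    return HDR.pack(len(body)) + body

def decode_records(buf):
    """Split a stream buffer into complete records; return (records, leftover).
    Partial trailing bytes are returned so the caller can prepend them to the
    next recv(); an oversized length raises so the connection is dropped."""
    records = []
    while len(buf) >= HDR.size:
        (length,) = HDR.unpack_from(buf)
        if length > MAX_RECORD:
            raise ValueError("record length %d exceeds limit" % length)
        if len(buf) < HDR.size + length:
            break
        records.append(json.loads(buf[HDR.size:HDR.size + length]))
        buf = buf[HDR.size + length:]
    return records, buf

def serve(expected_cid, handle):
    """Accept telemetry only from the VM whose context ID is expected_cid and
    hand each decoded record to handle(record), the behavioral analysis hook."""
    srv = socket.socket(socket.AF_VSOCK, socket.SOCK_STREAM)
    srv.bind((socket.VMADDR_CID_ANY, TELEMETRY_PORT))
    srv.listen(1)
    while True:
        conn, (peer_cid, _port) = srv.accept()
        # The CID names a VM, not a process inside it; connections from any
        # other CID (including the host's own) are closed unread.
        if peer_cid != expected_cid:
            conn.close()
            continue
        pending = b""
        try:
            while chunk := conn.recv(65536):
                records, pending = decode_records(pending + chunk)
                for rec in records:
                    handle(rec)
        except ValueError:
            pass   # malformed framing: drop this connection, keep serving
        finally:
            conn.close()
```

Because the peer CID identifies the whole VM, a compromised guest userspace process could also open an AF_VSOCK connection to this port; keeping the channel kernel-only therefore depends on the guest kernel restricting userspace access to it, which the host cannot verify from the CID alone.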

This work is licensed under a Creative Commons Attribution 4.0 License.