124 results about "Kernel level" patented technology

The present invention is directed towards systems and methods for dynamically deploying and executing acceleration functionality on a client to improve the performance and delivery of remotely accessed applications. In one embodiment. The client-side acceleration functionality is provided by an acceleration program that performs a plurality of the following acceleration techniques in an integrated and efficient manner: 1) multi-protocol compression 2) transport control protocol pooling, 3) transport control protocol multiplexing 4) transport control protocol buffering, and 5) caching. The acceleration program establishes a transport layer connection between the client and server, and intercepts network packets at the transport layer. The acceleration program uses a kernel-level data structure to access the network packet intercepted at the transport layer, and performs subsequently one or more of the acceleration techniques on the intercepted network packet at one interface point or point of execution of the acceleration program.

A malware prevention system monitors kernel level events of the operating system and applies user programmable or preprepared policies to those events to detect and block malware.

A system and method for efficient security protocols in a virtualized datacenter environment are contemplated. In one embodiment, a system is provided comprising a hypervisor coupled to one or more protected virtual machines (VMs) and a security VM. Within a private communication channel, a split kernel loader provides an end-to-end communication between a paravirtualized security device driver, or symbiont, and the security VM. The symbiont monitors kernel-level activities of a corresponding guest OS, and conveys kernel-level metadata to the security VM via the private communication channel. Therefore, the well-known semantic gap problem is solved. The security VM is able to read all of the memory of a protected VM, detect locations of memory compromised by a malicious rootkit, and remediate any detected problems.

Systems and methods for managing pestware on a protected computer are described. One embodiment is configured to reroute a call to create a process to a kernel-level process monitor, identify a file associated with the process and analyze the file so as to determine whether the file is a pestware file. If the file is a pestware file, then the process is prevented from being created. In variations, the kernel-level process monitor is a kernel-mode driver adapted to communicate with a pestware application residing in a user-level of memory.

An architecture and implementation for losslessly restarting subsystems in a distributed file system is described. By partitioning functionality and logging appropriately across the kernel and user-level boundaries on a client, the user-level subsystem may be made losslessly restartable. Practical mechanisms for supporting state-based recovery in replicated state machines and like replica are described. In particular, each client daemon may include an operations log and an applied log sequence number. Each client driver may include a potentially different operations log. Each client daemon may be configured to request logged operations associated with log sequence numbers in one or more ranges specified by a specification that includes the applied log sequence number. The requested logged operations may reside in the operations log maintained by a client driver. Each client daemon may operate in accordance with user-level constraints and each client driver may operate in accordance with kernel-level constraints.

A method, system, and article to support sharing resources in a computer system. An operating system within the computer system, the operating system having a kernel level and a user level, with the kernel level configured with a first container and a second container. The first container is assigned to a first namespace and the second container is assigned to a second namespace. Both the first and second namespaces are isolated from each other and at the same time in communication with at least one shared object. Communication across the containers is created through a socket in the namespace of the shared object of one or both of the containers. In addition, a conduit is formed between the containers by connecting the container absent the created socket to the container with the socket.

An event subscription and publication system for dynamically notifying user level applications of kernel level events. The kernel level events may include hardware and software events as well as system level errors that occur in the kernel. User level applications that need information on these kernel level events subscribe to the event monitoring and publication framework of the present invention and are notified of these kernel level events when they occur. Upon notification of an event, the user application also is provided with specific information classifying the nature and details of the event. The kernel event monitoring and publication system of the present invention allows user level applications to be dynamically notified of kernel level events without requiring the user level application to interrupt the normal processing states to identify these events when the events occur.

A method and system for event publication and subscription with an event channel from user level and kernel level are disclosed. The system comprises an event channel. The event channel includes an event queue for an event sent by a publisher. Additionally, the event channel has a plurality of subscriber-based queues each corresponding to a subscriber. If the corresponding subscriber has subscribed to receive delivery of the event, the subscriber-based queue includes the event. Moreover, the event channel further comprises a dispatcher for dispatching based on filtering criteria the event to the subscriber-based queue if the corresponding subscriber has subscribed to receive delivery of the event, and a delivery mechanism for delivering the event from the subscriber-based queue to the corresponding subscriber. The publisher can be a user level publisher or a kernel level publisher. The subscriber can be a user level subscriber or a kernel level subscriber.

A method for storage input/output (I/O) path configuration in a system that includes at least one storage device in network communication with at least one computer processor; the method comprising providing in the I/O path into at least: (a) a block-based kernel-level filesystem, (b) an I/O cache module controlling an I/O cache implemented on a first computer readable medium, (c) a journaling module, and (d) a storage cache module controlling a storage cache implemented on a second computer readable medium, the second computer readable medium having a lower read/write speed than the first computer readable medium. Furthermore, the steps of translating by the filesystem, based on computer executable instructions executed by the at least one processor, a file I/O request made by an application executed by the at least one computer processor into a block I/O request and fulfilling by the at least one processor the block I/O request from one of the I/O cache and the storage cache complete the I/O operation.

The invention discloses a detection method for processes, which particularly aims at detecting kernel level hidden processes and comprises the following steps: address spaces of operating system kernels are searched, and addresses of a context switch function are obtained; a header address content of the context switch function is modified as a long-distance jump instruction, and process information is acquired by accessing process struct through long-distance jump. Because the invention starts off from the context switch function of a thread which is arranged at the bottom most of an operating system, realest kernel object information can be acquired; the detection method can be in common use in various operating systems and can effectively detect DKOM hidden processes; moreover, detection accuracy of the hidden processes is guaranteed through dynamic monitoring and update of the header address content of the context switch function and alarm journals. The invention also discloses a detection device for the processes.

A traffic control application programming interface for abstracting the use of traffic control components to client applications to provide quality of service. The traffic control interface accepts input from a client application and based on that input, communicates with the operating system to control kernel level traffic control components. The client can register with the traffic control interface, and it can open and close interfaces, add, modify, and delete flows on those interfaces, and attach or delete filters on the flows. The client can also obtain data on any currently active interface, flow, or filter. The traffic control interface will send the appropriate message to the operating system, directing that the necessary tasks be performed by either a packet scheduler or a packet classifier. Those kernel level components then return through the operating system the results of the operations requested, and that return data will be passed back to the client application.

A method and system for increasing security of a software program by obfuscation of program execution flow is disclosed, wherein the software program is executed on a computer system that includes a user-level protected mode and a kernel-level unprotected mode. The method and system include first identifying critical code segments to be hidden in the software program. The non-critical portions of the software program are then executed in the user-level protected mode, while the critical code segments are executed within respective exception handlers, thereby hiding execution of the critical code segments from a debugger program.

A novel software framework monitors server statistics for a plurality of software modules and makes its collected statistics available to those modules. Unlike prior implementations, the framework provides shared server-monitoring code through which the plurality of software modules can monitor various types of servers, such as authentication servers, ICAP servers, origin servers, hierarchical proxy servers and so forth. Because the same server-monitoring code is accessed by each of the software modules, the overall amount of code that is written, compiled and executed may be reduced. Moreover, the shared server-monitoring code is not protocol-dependant and therefore may be coded outside of the kernel-level protocol engines. Preferably, the shared server-monitoring code is implemented as a user-level thread or process.

The invention discloses a kernel level rootkit detection method in an Andriod system, comprising the following steps of statically obtaining an address and a table entry of a system call table; entering into a kernel mode from a user mode; dynamically obtaining the address of the system call table; if the addresses are not matched, then generating an intrusion reporting; obtaining a pure address of the system call table; if the system call table is not matched, then generating the intrusion reporting and restoring; intercepting a module name called by a module loading function, retrieving the dynamically loaded module name, if the name is not matched, then deleting the hidden module, and generating the intrusion reporting; obtaining all the progress information actually loaded by a system to be detected, and obtaining all the progress information by using a command query, if the progress information is not matched, then eliminating the malicious processes and generating the intrusion reporting. The invention also discloses a rootkit detection system, which can detect the intruded rootkit and delete the rootkit with an illegal act, so as to improve the safety and reliability of the system.

A hooking control manager hooks kernel level operations. The kernel level hooking control manager identifies a kernel level component for which to filter outgoing kernel level system calls. For each of a select set of outgoing kernel level system calls imported by the kernel level component, the kernel level hooking control manager locates the address of the system call in the kernel level component, stores the address, and patches the kernel level component with an address of alternative code to execute when the kernel level component makes the outgoing system call. Upon the unloading of the kernel level hooking control manager, for each call of the select set, the kernel level hooking control manager locates the address of the system call in the kernel level component, and patches the kernel level component so as to restore the stored address.

The invention discloses a trusted software base providing an active security service, comprising a trusted password module and an operating system kernel. The operating system kernel is provided with a kernel-level trusted password module driver, a kernel-level trusted software stack and a kernel-level security service module; a security manager and a security strategy server are arranged in the kernel-level security service module; the trusted password module provides a hardware engine for encryption operation and hash operation, and verifies integrity of a trusted BIOS (Basic Input/Output System); the trusted BIOS is used for verifies the integrity of PC hardware devices and an MBR (Master Boot Record); the MBR is used for guiding an OS (Operating system) Loader, and verifies the integrity of the OS Loader; and the kernel-level security service module captures security related information at a key security control point in a kernel layer of the operating system, and performs access control and least privilege control. The trusted software base effectively prevents unauthorized operations and rogue programs from performing unauthorized modification on application codes and configurations, and prevents secret disclosure of application resources, thereby guaranteeing the privacy and the integrity of an application environment.

The invention discloses a safe and reliable information anti-leakage system capable of enciphering in real time, which comprises a server and a client, wherein an operating system kernel of the client comprises an intelligent monitoring module, a dynamic enciphering and deciphering module and a log auditing module; the client enters a local safety environment after verified by the server; and the intelligent monitoring module comprises a text/binary discrimination submodule, a local file I/O monitoring submodule, a network I/O monitoring submodule, a clipboard monitoring submodule, a drag monitoring submodule and a printing monitoring submodule. The information anti-leakage system constructs a transparent use environment for users, wherein all file I/O and the all network I/O of the users in the transparent environment are automatically monitored, and all local text file I/O in the environment is automatically enciphered and deciphered. The information anti-leakage system monitors various applications and possible risks at the kernel level of the system, and has higher safety and reliability.

The invention discloses a kernel-level code reuse type attack detection method based on QEMU. The method mainly solves the problem of relying on hardware or need of modifying kernel source code in the prior art. According to the method, a function module of a QEMU virtual machine manager is expanded; each instruction which operates on the function module and in an operating system kernel is traversed and detected; jumping instructions relevant to the control flow process are recognized from the instructions, wherein the jumping instructions include ret and indirect call instructions; the jumping target addresses of the instructions are recorded; then, the target addresses are compared with legal target addresses in the system normal execution flow process for detecting whether a system is normally executed or not; and meanwhile, the interruption return addresses pushed into a stack during the interruption occurrence and the return addresses used during interruption actual return are subjected to comparison verification, so that whether attack occurs or not is judged. The kernel-level code reuse type attack detection method has the advantages that by aiming at the characteristic that the system original execution flow process needs to be changed for the code reuse type attack, the attack can be effectively discovered by monitoring the kernel execution flow process change instructions (and positions), and the kernel-level code reuse type attack detection method can be used for protecting the security of an operating system.