Date: Fri, 10 Feb 2017 20:43:32 -0700
From: Jidong Xiao <jidong.xiao@...il.com>
To: Matthew Giassa <matthew@...ssa.net>
Cc: kernel-hardening@...ts.openwall.com, KVM <kvm@...r.kernel.org>, 
	Rik van Riel <riel@...hat.com>
Subject: Re: Introduction + new project: "rootkit detection using virtualization".

Thanks Matthew. So if I understand correctly, even though many people have
proposed similar solutions, none of them have actually contributed their
code (of their solution) into Qemu/KVM. To make it "real" (i.e., as a part
of Qemu/KVM code) is your goal, right? That sounds interesting!

-Jidong

On Fri, Feb 10, 2017 at 8:21 PM, Matthew Giassa <matthew@...ssa.net> wrote:

> On 2017-02-10 03:18 PM, Jidong Xiao wrote:
>
>> Sorry, I have to resend this again, as the original two emails were
>> blocked because of the url.
>>
>> "Rootkit detection using virtualization" has been widely studied for a
>> decade. Is the approach you are going to use different from all of these
>> existing ones:
>>
>> "Survey: Virtual Machine Introspection Based System Monitoring and
>> Malware Detection Techniques" - by Haofu Liao at University of Rochester.
>>
>> -Jidong
>>
>
> On 2017-02-10 05:37 PM, Rik van Riel wrote:
> >
> > One of the things that Matthew can do is build on
> > the read-only memory protections in the kernel, and
> > have the hypervisor enforce that the memory the kernel
> > marks as read-only is never written from inside the
> > virtual machine, until the next reboot.
> >
> > That seems like it might be a useful place to start,
> > since it would immediately make the other read-only
> > protections that people are working on much harder to
> > get around, at least inside virtual machines.
> >
>
>
> My initial plan was to start with what Rik proposed, and focus on
> additional memory protections. With respect to long-term plans, a lot of my
> work/research so far has been focused on implementing a system similar to
> that presented by Payne et al. (i.e., Lares).
>
> -Matthew Giassa
>
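A toy model of the mechanism Rik proposes above, added here as an illustration and not code from KVM, QEMU or anyone in this thread: the guest seals guest-physical pages read-only through a hypothetical hypercall, the hypervisor records that permission in its own EPT-like table, and a guest that later flips its own page-table bits still cannot write until the VM is reset. The hypercall name, the 16-page guest and the return codes are assumptions.

```c
/* Toy model (not KVM code) of hypervisor-enforced read-only guest memory.
 * All names and sizes below are assumptions made for this illustration. */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

#define PAGE_SHIFT 12
#define NPAGES 16                          /* toy guest: 16 pages of 4 KiB */

static uint8_t guest_mem[NPAGES << PAGE_SHIFT]; /* guest-physical memory   */
static bool    guest_pte_rw[NPAGES];            /* guest's own page-table W bit */
static bool    ept_sealed_ro[NPAGES];           /* hypervisor-side (EPT) RO bit */

enum access { ACCESS_OK = 0, GUEST_PAGE_FAULT = 1, EPT_VIOLATION = 2 };

/* Hypothetical hypercall: guest kernel asks the hypervisor to make
 * [gpa, gpa+len) read-only until the next reset. There is deliberately no
 * "unseal" hypercall. Returns pages sealed, or -1 for a bad range. */
int hc_seal_readonly(uint64_t gpa, uint64_t len)
{
    if (len == 0) return -1;
    uint64_t first = gpa >> PAGE_SHIFT, last = (gpa + len - 1) >> PAGE_SHIFT;
    if (last >= NPAGES || last < first) return -1;
    for (uint64_t p = first; p <= last; p++) ept_sealed_ro[p] = true;
    return (int)(last - first + 1);
}

/* A guest write: the guest's page tables are consulted first (as the CPU
 * would), then the hypervisor's permission, which the guest cannot change. */
enum access guest_write(uint64_t gpa, uint8_t val)
{
    uint64_t p = gpa >> PAGE_SHIFT;
    if (p >= NPAGES) return EPT_VIOLATION;          /* not mapped at all */
    if (!guest_pte_rw[p]) return GUEST_PAGE_FAULT;  /* guest-level RO    */
    if (ept_sealed_ro[p]) return EPT_VIOLATION;     /* hypervisor-level RO */
    guest_mem[gpa] = val;
    return ACCESS_OK;
}

/* Models in-guest code (kernel or rootkit) flipping its own PTE W bit;
 * this has no effect on a page the hypervisor has sealed. */
void guest_set_pte_writable(uint64_t gpa, bool rw) { guest_pte_rw[gpa >> PAGE_SHIFT] = rw; }
uint8_t guest_read(uint64_t gpa) { return guest_mem[gpa]; }

/* Power-on or reboot: hypervisor drops all seals; guest tables start RW. */
void vm_reset(void)
{
    memset(ept_sealed_ro, 0, sizeof ept_sealed_ro);
    for (int p = 0; p < NPAGES; p++) guest_pte_rw[p] = true;
}
```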
