Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 13 Feb 2017 08:41:15 +0000
From: Matthew Garrett <>
To: Rik van Riel <>
Cc: Kees Cook <>, Matthew Giassa <>,
	"" <>,
	KVM <>
Subject: Re: Introduction + new project: "rootkit
 detection using virtualization".

On Fri, Feb 10, 2017 at 08:37:01PM -0500, Rik van Riel wrote:
> One of the things that Matthew can do is build on
> the read-only memory protections in the kernel, and
> have the hypervisor enforce that the memory the kernel
> marks as read-only is never written from inside the
> virtual machine, until the next reboot.
> That seems like it might be a useful place to start,
> since it would immediately make the other read-only
> protections that people are working on much harder to
> get around, at least inside virtual machines.

I agree that this is valuable, but it feels like doing so probably 
involves designing a consistent mechanism for lightweight 
kernel‚Üíhypervisor calls - the existing vfio framework seems heavier than 
necessary for this kind of thing. Going further probably involves having 
a good way for syscalls to call into the hypervisor, but again finding a 
generic solution that doesn't add too much overhead seems like a good 
plan. My implementation of this was very special cased and didn't 
attempt to do anything in a generic way, so I'm definitely not a good 

Matthew Garrett |

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.