Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 13 Feb 2017 08:41:15 +0000
From: Matthew Garrett <mjg59@...f.ucam.org>
To: Rik van Riel <riel@...hat.com>
Cc: Kees Cook <keescook@...omium.org>, Matthew Giassa <matthew@...ssa.net>,
	"kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>,
	KVM <kvm@...r.kernel.org>
Subject: Re: Introduction + new project: "rootkit
 detection using virtualization".

On Fri, Feb 10, 2017 at 08:37:01PM -0500, Rik van Riel wrote:
> One of the things that Matthew can do is build on
> the read-only memory protections in the kernel, and
> have the hypervisor enforce that the memory the kernel
> marks as read-only is never written from inside the
> virtual machine, until the next reboot.
> 
> That seems like it might be a useful place to start,
> since it would immediately make the other read-only
> protections that people are working on much harder to
> get around, at least inside virtual machines.

I agree that this is valuable, but it feels like doing so probably 
involves designing a consistent mechanism for lightweight 
kernel‚Üíhypervisor calls - the existing vfio framework seems heavier than 
necessary for this kind of thing. Going further probably involves having 
a good way for syscalls to call into the hypervisor, but again finding a 
generic solution that doesn't add too much overhead seems like a good 
plan. My implementation of this was very special cased and didn't 
attempt to do anything in a generic way, so I'm definitely not a good 
model!

-- 
Matthew Garrett | mjg59@...f.ucam.org

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.