Date: Tue, 14 Feb 2017 10:06:04 -0800
From: Matthew Giassa <>
To: Jidong Xiao <>
Cc:, KVM <>, 
	Rik van Riel <>
Subject: Re: Introduction + new project: "rootkit detection using virtualization".

Hi Jidong,

You are correct on all the points noted above: my goal is to develop a
production-ready, non-academic implementation of such a tool. I'm in
it for the long haul.

On Fri, Feb 10, 2017 at 7:43 PM, Jidong Xiao <> wrote:
> Thanks Matthew. So if I understand correctly, even though many people have
> proposed similar solutions, none of them have actually contributed their
> code (of their solution) into Qemu/KVM. To make it "real" (i.e., as a part
> of Qemu/KVM code) is your goal, right? That sounds interesting!
> -Jidong
> On Fri, Feb 10, 2017 at 8:21 PM, Matthew Giassa <> wrote:
>> On 2017-02-10 03:18 PM, Jidong Xiao wrote:
>>> Sorry, I have to resend this again, as the original two emails were
>>> blocked because of the url.
>>> "Rootkit detection using virtualization" has been widely studied for a
>>> decade. Is the approach you are going to use different from all of these
>>> existing ones:
>>> "Survey: Virtual Machine Introspection Based System Monitoring and
>>> Malware Detection Techniques" - by Haofu Liao at University of Rochester.
>>> -Jidong
>> On 2017-02-10 05:37 PM, Rik van Riel wrote:
>> >
>> > One of the things that Matthew can do is build on
>> > the read-only memory protections in the kernel, and
>> > have the hypervisor enforce that the memory the kernel
>> > marks as read-only is never written from inside the
>> > virtual machine, until the next reboot.
>> >
>> > That seems like it might be a useful place to start,
>> > since it would immediately make the other read-only
>> > protections that people are working on much harder to
>> > get around, at least inside virtual machines.
>> >
>> My initial plan was to start with what Rik proposed, and focus on
>> additional memory protections. With respect to long-term plans, a lot of my
>> work/research so far has been focused on implementing a system similar to
>> that presented by Payne et al. (i.e., Lares).
>> -Matthew Giassa

Matthew Giassa, MASc, BASc, EIT
Principal Developer; Security and Embedded Systems Specialist
