Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 16 Feb 2017 17:16:19 -0800
From: Matthew Giassa <matthew@...ssa.net>
To: "Grandhi, Sainath" <sainath.grandhi@...el.com>
Cc: Steve Rutherford <srutherford@...gle.com>, Jidong Xiao <jidong.xiao@...il.com>, 
	"kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>, KVM <kvm@...r.kernel.org>, 
	Rik van Riel <riel@...hat.com>, "Nakajima, Jun" <jun.nakajima@...el.com>
Subject: Re: Introduction + new project: "rootkit detection using virtualization".

Thank you for this, Sainath. Is this module of yours already in
mainline KVM, or elsewhere in a separate repo?

Cheers!

On Wed, Feb 15, 2017 at 10:31 PM, Grandhi, Sainath
<sainath.grandhi@...el.com> wrote:
> Hi Matthew,
> We have been working on a Kernel Hardening project. Please find slides at http://events.linuxfoundation.org/sites/events/files/slides/Kernel%20Protection-Nakajima.pdf . We presented this idea in KVM Forum 2016. The idea is to protect CPU/platform resources and kernel managed resources (IDT, kernel page tables etc.) during execution of a VM. This approach is extended to baremetal/host OS by switching the execution of host OS into guest mode and monitoring the host OS with a very thin hypervisor, probably kvm module extension. Currently we have a PoC, contained in kvm module, for switching the host OS into guest mode. We are open for collaboration and feedback.
>
> Thanks
> -Sainath
>> -----Original Message-----
>> From: kvm-owner@...r.kernel.org [mailto:kvm-owner@...r.kernel.org] On
>> Behalf Of Matthew Giassa
>> Sent: Tuesday, February 14, 2017 7:32 PM
>> To: Steve Rutherford <srutherford@...gle.com>
>> Cc: Jidong Xiao <jidong.xiao@...il.com>; kernel-
>> hardening@...ts.openwall.com; KVM <kvm@...r.kernel.org>; Rik van Riel
>> <riel@...hat.com>
>> Subject: Re: Introduction + new project: "rootkit detection using
>> virtualization".
>>
>> On 2017-02-14 01:25 PM, Steve Rutherford wrote:
>> > On Tue, Feb 14, 2017 at 10:06 AM, Matthew Giassa <matthew@...ssa.net>
>> wrote:
>> >> Hi Jidong,
>> >>
>> >> You are correct on all the points noted above:My goal is to develop a
>> >> production-ready, non-academic implementation of such a tool. I'm in
>> >> it for the long haul.
>> > Is your goal for this to work on all architectures, or are you
>> > planning to focus on Intel-x86 (or AMD-x86, or ARM, or...)?
>> >>
>> >> On Fri, Feb 10, 2017 at 7:43 PM, Jidong Xiao <jidong.xiao@...il.com>
>> wrote:
>> >>> Thanks Matthew. So if I understand correctly, even though many
>> >>> people have proposed similar solutions, none of them have actually
>> >>> contributed their code (of their solution) into Qemu/KVM. To make it
>> >>> "real" (i.e., as a part of Qemu/KVM code) is your goal, right? That sounds
>> interesting!
>> >>>
>> >>> -Jidong
>> >>>
>> >>> On Fri, Feb 10, 2017 at 8:21 PM, Matthew Giassa <matthew@...ssa.net>
>> wrote:
>> >>>>
>> >>>> On 2017-02-10 03:18 PM, Jidong Xiao wrote:
>> >>>>>
>> >>>>> Sorry, I have to resend this again, as the original two emails
>> >>>>> were blocked because of the url.
>> >>>>>
>> >>>>> "Rootkit detection using virtualization" has been widely studied
>> >>>>> for a decade. Is the approach you are going to use different from
>> >>>>> all of these existing ones:
>> >>>>>
>> >>>>> "Survey: Virtual Machine Introspection Based System Monitoring and
>> >>>>> Malware Detection Techniques" - by Haofu Liao at University of
>> Rochester.
>> >>>>>
>> >>>>> -Jidong
>> >>>>
>> >>>>
>> >>>> On 2017-02-10 05:37 PM, Rik van Riel wrote:
>> >>>>>
>> >>>>> One of the things that Matthew can do is build on the read-only
>> >>>>> memory protections in the kernel, and have the hypervisor enforce
>> >>>>> that the memory the kernel marks as read-only is never written
>> >>>>> from inside the virtual machine, until the next reboot.
>> >>>>>
>> >>>>> That seems like it might be a useful place to start, since it
>> >>>>> would immediately make the other read-only protections that people
>> >>>>> are working on much harder to get around, at least inside virtual
>> >>>>> machines.
>> >>>>>
>> >>>>
>> >>>>
>> >>>> My initial plan was to start with what Rik proposed, and focus on
>> >>>> additional memory protections. With respect to long-term plans, a
>> >>>> lot of my work/research so far has been focused on implementing a
>> >>>> system similar to that presented by Payne et al (ie: Lares).
>> >>>>
>> >>>> -Matthew Giassa
>> >>>
>> >>>
>> >>
>> >>
>> >>
>> >> --
>> >>
>> ============================================================
>> >> Matthew Giassa, MASc, BASc, EIT
>> >> Principal Developer; Security and Embedded Systems Specialist
>> >> linkedin: https://ca.linkedin.com/in/giassa
>> >> e-mail:   matthew@...ssa.net
>> >> website:  www.giassa.net
>>
>> My initial aim is x86/x64 targets, unless there are additional resources I can
>> tap into for expanding to ARM. If I can get a working prototype up and running
>> and into "staging", then expanding to ARM architecture would be viable.
>>
>



-- 
============================================================
Matthew Giassa, MASc, BASc, EIT
Principal Developer; Security and Embedded Systems Specialist
linkedin: https://ca.linkedin.com/in/giassa
e-mail:   matthew@...ssa.net
website:  www.giassa.net

Powered by blists - more mailing lists

Your e-mail address:

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.