Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 22 Feb 2018 11:13:46 +0000
From: Mark Rutland <>
To: Kees Cook <>
Cc: Ahmed Soliman <>,
	Ard Biesheuvel <>,
	Rik van Riel <>, KVM <>,
	Kernel Hardening <>
Subject: Re: Hello world! Student interested in getting involved.

On Wed, Feb 21, 2018 at 01:44:27PM -0800, Kees Cook wrote:
> On Sat, Feb 17, 2018 at 7:22 AM, Ahmed Soliman
> <> wrote:
> > well in this case I tried searching and researching more and I found
> > the idea for Rootkit blocking using KVM virtualization, it is
> > described here:
> >
> I think it's good to experiment with kernel hardening via hypervisors.
> There isn't any particular direction defined for this approach, with
> lots of different things getting tried (e.g. Samsung KNOX). One
> problem with the hypervisor-control of memory protections is things
> like kprobes, modules, etc, that need to do dynamic rewriting of
> kernel text.

FWIW, a while back, we had an intern prototype some stage-2 W^X
protections for KVM guests on arm64. For kprobes, modules, and other
things requiring text modification, we locked those down late in the
boot process, which seemed like a reasonable tradeoff.

One big issue was static keys, since those need to be flipped
occasionally. We modified those to have two patchable branches rather
than one, so that we could fall back to a slow path that read a variable
when text modification was disabled.

We didn't end up posting those patches because there were a number of
open questions about the hypervisor ABI (e.g. how we could discover that
the hypervisor provided this feature). For arm64, we'll need to do some
FW standards work for that -- I'm not sure what the deal is for x86.


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.