Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <7337582f-0007-d006-0809-cf41fd93b31e@nutanix.com>
Date: Tue, 19 Jun 2018 18:37:53 +0100
From: David Vrabel <david.vrabel@...anix.com>
To: Ahmed Soliman <ahmedsoliman0x666@...il.com>, kvm@...r.kernel.org,
        Kernel Hardening <kernel-hardening@...ts.openwall.com>,
        riel@...hat.com, Kees Cook <keescook@...omium.org>,
        Ard Biesheuvel
 <ard.biesheuvel@...aro.org>,
        Hossam Hassan <7ossam9063@...il.com>,
        Ahmed Lotfy <A7med.lotfey@...il.com>,
        virtualization@...ts.linux-foundation.org, qemu-devel@...gnu.org
Subject: Re: Design Decision for KVM based anti rootkit

On 16/06/18 12:49, Ahmed Soliman wrote:
> 
> To wrap things up, the basic design will be a method for communication
> between host and guest is guest can request certain pages to be read
> only, and then host will force them to be read-only by guest until
> next guest reboot, then it will impossible for guest OS to have them
> as RW again. The choice of which pages to be set as read only is the
> guest's. So this way mixed pages can still be mixed with R/W content
> even if holds kernel code.

It's not clear how this increases security. What threats is this
protecting again?

As an attacker, modifying the sensitive pages (kernel text?) will
require either: a) altering the existing mappings for these (to make
them read-write or user-writable for example); or b) creating aliased
mappings with suitable permissions.

If the attacker can modify page tables in this way then it can also
bypass the suggested hypervisor's read-only protection by changing the
mappings to point to a unprotected page.

David

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.