This is a recent classic bug implementing ideas like you mentioned: http://xenbits.xenproject.org/xsa/advisory-98.html
All mappings are done on the host's side. But kernelnewbies is proposing something from the guest side, and if I have control over the guest OS (as a rootkit), then I can also undo what the protection has done, potentially, depending on the available exploitable path of entry.

On Thu, Jul 31, 2014 at 8:31 AM, Peter Teoh <[email protected]> wrote:
> Are you referring to this:
>
> http://kernelnewbies.org/KernelProjects/VirtRootkitBlocker
>
> Just trying to answer your question:
>
> --Is the method of making kernel read-only to block rootkits used in linux
> kernel mainline?
>
> I suspect not. How are you going to distinguish between a "legitimate
> program" and a "rootkit" program? Program includes both userland programs
> and kernel modules. This distinction is needed, because legitimate
> kernel modules can call "kmalloc", and that is read/writeable kernel memory.
> Suppose there is a vulnerability in the kernel modules (and thus a
> userspace program can escalate privilege and execute into it); then the
> "kmalloc" is executed on behalf of the malware, but outwardly it looks as
> if the kernel module is making a memory allocation. Unless you record
> all the potential legitimate kernel execution paths (sequences of EIP
> addresses) and compare them dynamically with the redirected path (as
> triggered by the malware), it seems impossible to distinguish. And
> the database of paths is also going to be very huge.
> Let me know if you have alternative ideas about setting kernel memory
> read-only.
>
> But on the other hand, this idea is also not new; it was explored before, for
> virtualization protection, NOT for rootkit detection.
>
> When you virtualize an OS, the host has to set all the memory given to the
> guest as read-only.
>
> For details:
>
> For KVM:
>
> http://www.linux-kvm.org/wiki/images/3/33/KvmForum2008$kdf2008_15.pdf
>
> For Xen:
>
> http://wiki.xen.org/wiki/X86_Paravirtualised_Memory_Management
> http://lists.xen.org/archives/html/xen-devel/2009-10/msg01201.html
>
> And this page has good info:
>
> http://www.linux-kvm.org/page/Memory
>
> (read esp. the "shadow page memory" mechanism, which is very expensive, and
> somewhat like the ideas proposed in the kernelnewbies mentor page).
>
>
>
> On Wed, Jul 30, 2014 at 7:44 PM, Aniket Shinde <[email protected]> wrote:
>
>> Hello guys,
>> I was going through kernelnewbies.org and came across a project
>> "Block Rootkits using Virtualization" by riel.
>> Basically we have to make the kernel read-only after the boot process
>> completes so rootkits get blocked.
>> I have a few doubts...
>>
>> --Is the method of making kernel read-only to block rootkits used in
>> linux kernel mainline?
>>
>> --Has anybody implemented this project already?
>>
>> --What is a good way to start with the above project?
>>
>> --Any guidelines to implement the above project?
>>
>> --Can I get any mentor?
>>
>> --Any material related to the above project?
>>
>> (note: I have requested to join the mailing list but have not been approved yet.
>> So please reply to me personally.)
>>
>> _______________________________________________
>> Kernel-mentors mailing list
>> [email protected]
>> http://selenic.com/mailman/listinfo/kernel-mentors
>>
>>
>
>
>
> --
> Regards,
> Peter Teoh
>

--
Regards,
Peter Teoh
_______________________________________________
Kernelnewbies mailing list
[email protected]
http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
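Added illustration of the objection made above, written for this page and not taken from the thread, from the kernelnewbies project page or from the Linux kernel: a user-space stand-in for "make the kernel read-only after boot". One anonymous page plays the role of kernel text, mprotect(2) plays the role of the page-table change that drops write permission, and a SIGSEGV handler records whether a patch attempt faulted. Because the "rootkit" in this model runs at the same privilege level as the code that installed the lock, it simply calls mprotect(2) again and the patch lands, which is exactly why a guest-side lock is undoable while a host-side (hypervisor) mapping is not reachable from inside the guest. All function names (demo, lock_region, undo_lock, try_write) are hypothetical; the page contents and the 0xCC patch byte are constructed sample data.

```c
#define _DEFAULT_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical user-space stand-in for a page of kernel text. */
static sigjmp_buf fault_env;
static volatile sig_atomic_t faulted;

static void on_segv(int sig)
{
    (void)sig;
    faulted = 1;
    siglongjmp(fault_env, 1);   /* sigsetjmp(..., 1) restores the signal mask */
}

static size_t page_size(void)
{
    return (size_t)sysconf(_SC_PAGESIZE);
}

/* Map one RW page and fill it with a recognisable pattern (0x90 = x86 NOP). */
static unsigned char *alloc_region(void)
{
    size_t sz = page_size();
    void *p = mmap(NULL, sz, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return NULL;
    memset(p, 0x90, sz);
    return p;
}

/* "Boot finished": drop write permission, as a kernel does for its text pages. */
static int lock_region(unsigned char *p)
{
    return mprotect(p, page_size(), PROT_READ);
}

/* Try to patch one byte. Returns 1 if the write faulted (was blocked), 0 if it landed. */
static int try_write(unsigned char *p, unsigned char v)
{
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);

    faulted = 0;
    if (sigsetjmp(fault_env, 1) == 0)
        *(volatile unsigned char *)p = v;

    sigaction(SIGSEGV, &old, NULL);
    return faulted;
}

/* The rootkit's counter-move: it runs at the same privilege as the lock, so it
 * flips the permission back. A host-side (hypervisor) lock is not reachable
 * this way from inside the guest, which is the difference the thread is about. */
static int undo_lock(unsigned char *p)
{
    return mprotect(p, page_size(), PROT_READ | PROT_WRITE);
}

/* Runs both phases. Returns a bitmask: bit 0 = write was blocked after the lock,
 * bit 1 = write landed after the undo. 3 means the scenario played out as
 * described; -1 means a syscall failed. */
int demo(void)
{
    unsigned char *p = alloc_region();
    if (!p)
        return -1;

    int result = 0;
    if (lock_region(p) != 0) { munmap(p, page_size()); return -1; }
    if (try_write(p, 0xCC))                 /* 0xCC = int3, a classic patch byte */
        result |= 1;

    if (undo_lock(p) != 0) { munmap(p, page_size()); return -1; }
    if (!try_write(p, 0xCC) && p[0] == 0xCC)
        result |= 2;

    munmap(p, page_size());
    return result;
}

int main(void)
{
    int r = demo();
    printf("lock blocked write: %s, undo let write through: %s\n",
           (r & 1) ? "yes" : "no", (r & 2) ? "yes" : "no");
    return r == 3 ? 0 : 1;
}
```

Build with `cc -o rolock rolock.c` and run it; the first phase faults and the second succeeds. In a real kernel the equivalent of undo_lock is a write to the page-table entry (or, on x86, clearing CR0.WP), which is why the thread points to host-side enforcement (shadow page tables, and on newer hardware the hypervisor's second-level page tables) as the place where the same lock cannot be undone by guest code.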
