On Fri, 06 Jul 2018 21:29:40 +0200, you said: > Implementing some kernel protection against subset of rootkits that > manipulates kernel static data (memory pages as well as their > mappings) by having them enforced by hypervisor which is KVM in our
Can you give an actual example of a case where *all* of the following are true?
1) It's a page that's safe to make R/O out from under the code that uses that
page.
2) It's a kernel static data that's R/W (Hint: stuff known to be R/O is
already set to R/O
at boot or module load time, so if it's R/W it probably *needs* to be that...)
3) the rootkit *is* able to screw with kernel pages, but somehow *is not* able
to
disable your protection (remember, all it takes is one NOP or BRANCH opcode
in
the right place).
pgpmFEpvNHt7u.pgp
Description: PGP signature
_______________________________________________ Kernelnewbies mailing list [email protected] https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
