rootkits blocking using virtualization??

Peter Teoh htmldeveloper at gmail.com
Wed Jul 30 20:31:53 EDT 2014


Are you referring to this:

http://kernelnewbies.org/KernelProjects/VirtRootkitBlocker

Just trying to answer your question:

--Is the method of making kernel read only to block rootkits used in linux
kernel mainline?

I suspect not. How are you going to distinguish between a "legitimate
program" and a "rootkit" program? Programs include both userland programs
and kernel modules. This distinction is needed, because legitimate
kernel modules can call "kmalloc", and that is read/writeable kernel memory.
Suppose there is a vulnerability in a kernel module (and thus a
userspace program can escalate privilege and execute in it); then the
"kmalloc" is executed on behalf of the malware, but outwardly it looks as
if the kernel module is making a memory allocation. Unless you record
all the potential legitimate kernel execution paths (sequences of EIP
addresses), and compare them dynamically with the redirected path (as
triggered by the malware), it seems impossible to distinguish. And
the database of paths is also going to be very huge.
Let me know if you have alternative ideas about setting kernel memory
read-only.

But on the other hand, this idea is also not new; it has been explored before,
for virtualization protection, NOT for rootkit detection.

When you virtualize an OS, the host has to set all the memory given to the
guest as read-only. For details:

For KVM:

http://www.linux-kvm.org/wiki/images/3/33/KvmForum2008$kdf2008_15.pdf

For Xen:

http://wiki.xen.org/wiki/X86_Paravirtualised_Memory_Management
http://lists.xen.org/archives/html/xen-devel/2009-10/msg01201.html

And this page has good info:

http://www.linux-kvm.org/page/Memory

(read especially the "shadow page memory" mechanism, which is very expensive, and
somewhat like the ideas proposed in the kernelnewbies mentor page).



On Wed, Jul 30, 2014 at 7:44 PM, Aniket Shinde <universalvirus.ani at gmail.com
> wrote:

> Hello guys,
>     I was going through kernelnewbies.org and came across a project
> "Block Rootkits using Virtualization" by riel.
>      Basically we have to make kernel read only after boot process
> completes so rootkits get blocked.
>      I have a few doubts...
>
> --Is the method of making kernel read only to block rootkits used in linux
> kernel mainline?
>
> --has anybody implemented this project already?
>
> --what is the good way to start with above project?
>
> --any guidelines to implement the above project??
>
> --can I get any mentor??
>
> --any material related to above project??
>
> (note: I have requested to join the mailing list but have not been approved yet. So
> please reply to me personally.)
>
> _______________________________________________
> Kernel-mentors mailing list
> Kernel-mentors at selenic.com
> http://selenic.com/mailman/listinfo/kernel-mentors
>
>


-- 
Regards,
Peter Teoh
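The point Peter makes above (kernel text can be locked down after boot, but kmalloc'd memory has to stay writable, so "make all kernel memory read-only" is not a workable rule) can be modelled in userspace. The block below is an added example written for this archive page; it is not code from the thread, from the kernelnewbies project page, or from the Linux kernel. It uses mmap(2)/mprotect(2) with two anonymous pages: one standing in for kernel text, which is write-protected once "boot" finishes, and one standing in for kmalloc'd memory, which must remain writable. A SIGSEGV handler records whether a write attempt was blocked. The struct and function names are the example's own; the kernel has its own, separate implementation of text write-protection (the CONFIG_STRICT_KERNEL_RWX option, formerly CONFIG_DEBUG_RODATA), which this example does not reproduce. Linux/POSIX only; text is locked as PROT_READ rather than PROT_READ|PROT_EXEC so the example runs where executable anonymous mappings are denied.

```c
/* Added example: userspace model of "lock kernel text after boot, but
 * dynamically allocated memory stays writable". Not kernel code.
 * Names (struct model, model_*) are this example's own. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf fault_env;
static volatile sig_atomic_t fault_seen;

/* SIGSEGV handler: note the fault and unwind back to write_is_blocked(). */
static void on_segv(int sig)
{
    (void)sig;
    fault_seen = 1;
    siglongjmp(fault_env, 1);
}

/* Try one byte write at p. Returns 1 if the write faulted (blocked), 0 if it went through. */
static int write_is_blocked(volatile unsigned char *p)
{
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);
    fault_seen = 0;
    if (sigsetjmp(fault_env, 1) == 0)
        *p = 0xCC;                 /* the "patch" a rootkit would attempt */
    sigaction(SIGSEGV, &old, NULL);
    return fault_seen;
}

struct model {
    unsigned char *text;           /* stand-in for kernel text / rodata */
    unsigned char *heap;           /* stand-in for kmalloc'd memory */
    size_t page;
};

/* "Boot": both regions writable while the kernel is still setting itself up. */
static int model_init(struct model *m)
{
    m->page = (size_t)sysconf(_SC_PAGESIZE);
    m->text = mmap(NULL, m->page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    m->heap = mmap(NULL, m->page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (m->text == MAP_FAILED || m->heap == MAP_FAILED)
        return -1;
    memset(m->text, 0x90, m->page); /* boot fills in the "code" */
    return 0;
}

/* "Boot complete": text becomes read-only; the heap is left alone on purpose,
 * because legitimate modules keep allocating and writing there. */
static int model_lock_text(struct model *m)
{
    return mprotect(m->text, m->page, PROT_READ);
}

static int model_text_write_blocked(struct model *m) { return write_is_blocked(m->text); }
static int model_heap_write_blocked(struct model *m) { return write_is_blocked(m->heap); }

static void model_destroy(struct model *m)
{
    munmap(m->text, m->page);
    munmap(m->heap, m->page);
}

int main(void)
{
    struct model m;
    if (model_init(&m) != 0)
        return 1;
    printf("before lock: text write blocked=%d heap write blocked=%d\n",
           model_text_write_blocked(&m), model_heap_write_blocked(&m));
    if (model_lock_text(&m) != 0)
        return 1;
    printf("after lock:  text write blocked=%d heap write blocked=%d\n",
           model_text_write_blocked(&m), model_heap_write_blocked(&m));
    model_destroy(&m);
    return 0;
}
```

After the lock, a write into the text page faults while a write into the heap page still succeeds. That is exactly the gap Peter describes: a rootkit that only needs to corrupt heap data (function pointers in kmalloc'd structures, for instance) is not stopped by read-only text, and telling its writes apart from a legitimate module's writes needs something more than page permissions.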