rootkits blocking using virtualization??

Peter Teoh htmldeveloper at gmail.com
Wed Jul 30 20:52:59 EDT 2014


This is a recent classic bug in an implementation of ideas like the ones you mentioned:

http://xenbits.xenproject.org/xsa/advisory-98.html

All mappings are done on the host side. But the kernelnewbies page is proposing
something from the guest side, and if I have control over the guest OS (as
a rootkit), then I can also undo what the protection has done,
potentially, depending on the available exploitable path of entry.




On Thu, Jul 31, 2014 at 8:31 AM, Peter Teoh <htmldeveloper at gmail.com> wrote:

> Are you referring to this:
>
> http://kernelnewbies.org/KernelProjects/VirtRootkitBlocker
>
> Just trying to answer your question:
>
> --Is the method of making kernel read only to block rootkits used in linux
> kernel mainline?
>
> I suspect not. How are you going to distinguish between a "legitimate
> program" and a "rootkit" program? Program includes both userland programs
> and kernel modules. This distinction is needed, because legitimate
> kernel modules can call "kmalloc" and that is read/writeable kernel memory.
> Suppose there is a vulnerability in the kernel module (and thus a
> userspace program can escalate privilege and execute into it); then the
> "kmalloc" is executed on behalf of the malware, but outwardly it looks as
> if the kernel module is making a memory allocation. Unless you record
> all the potential legitimate kernel execution paths (sequences of EIP
> addresses), and compare them dynamically with the redirected path (as
> triggered by the malware), it seems impossible to distinguish. And
> the database of paths is also going to be very huge.
> Let me know if you have alternative ideas about setting kernel memory
> readonly.
>
> But on the other hand, this idea is also not new; it was explored before, for
> virtualization protection, NOT for rootkit detection.
>
> When you virtualize an OS, the host has to set all the memory given to the
> guest as readonly. For details:
>
> For KVM:
>
> http://www.linux-kvm.org/wiki/images/3/33/KvmForum2008$kdf2008_15.pdf
>
> For Xen:
>
> http://wiki.xen.org/wiki/X86_Paravirtualised_Memory_Management
> http://lists.xen.org/archives/html/xen-devel/2009-10/msg01201.html
>
> And this page has good info:
>
> http://www.linux-kvm.org/page/Memory
>
> (read especially the "shadow page memory" mechanism, which is very expensive, and
> somewhat like the ideas proposed in the kernelnewbies mentor page).
>
>
>
> On Wed, Jul 30, 2014 at 7:44 PM, Aniket Shinde <
> universalvirus.ani at gmail.com> wrote:
>
>> Hello guys,
>>     I was going through kernelnewbies.org and came across a project
>> "Block Rootkits using Virtualization" by riel.
>>      Basically we have to make the kernel read only after the boot process
>> completes so rootkits get blocked.
>>      I have a few doubts...
>>
>> --Is the method of making kernel read only to block rootkits used in
>> linux kernel mainline?
>>
>> --has anybody implemented this project already?
>>
>> --what is the good way to start with the above project?
>>
>> --any guidelines to implement the above project??
>>
>> --can I get any mentor??
>>
>> --any material related to the above project??
>>
>> (note: I have requested to join the mailing list but have not been approved yet.
>> So please reply to me personally.)
>>
>> _______________________________________________
>> Kernel-mentors mailing list
>> Kernel-mentors at selenic.com
>> http://selenic.com/mailman/listinfo/kernel-mentors
>>
>>
>
>
> --
> Regards,
> Peter Teoh
>



-- 
Regards,
Peter Teoh
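The point made at the top of this message (host-side mappings hold even when the guest kernel is compromised, while guest-side write protection can be undone by a guest ring-0 rootkit) can be shown with a small permission model. This is an added example, not code from the thread or from Xen/KVM: it models two permission tables per page, the guest page table and a host-side table standing in for EPT/NPT or shadow page tables, and enforces the intersection of the two, which is how nested paging behaves. Page numbers, the `KERNEL_TEXT`/`KERNEL_DATA` names and the `rootkit_relax_guest_pte` helper are constructed for illustration.

```python
"""Toy two-level permission model for a virtualized guest kernel.

Constructed example, not Xen/KVM code.  Hardware applies guest PTE
permissions AND host (EPT) permissions; an access is allowed only if
both tables grant it.  A rootkit with guest ring 0 can rewrite guest
PTEs (or clear CR0.WP) but cannot touch the host table.
"""
from dataclasses import dataclass, field

R, W, X = "r", "w", "x"

# Constructed guest-physical page numbers.
KERNEL_TEXT = 0x100   # kernel code: should be r-x after boot
KERNEL_DATA = 0x200   # kmalloc'd data: legitimately rw-


@dataclass
class PermTable:
    """Permissions per page for one translation level."""
    name: str
    perms: dict = field(default_factory=dict)

    def set(self, page, perms):
        self.perms[page] = set(perms)

    def get(self, page):
        return self.perms.get(page, set())


@dataclass
class Machine:
    guest_pt: PermTable
    host_pt: PermTable
    trap_log: list = field(default_factory=list)  # what the host would see

    def effective(self, page):
        # Nested paging: the effective right is the intersection.
        return self.guest_pt.get(page) & self.host_pt.get(page)

    def access(self, page, kind):
        """True if allowed; False if it faults (#PF or EPT violation / VM exit)."""
        if kind in self.effective(page):
            return True
        # Only host-denied accesses are visible to the hypervisor as EPT
        # violations; guest-denied ones are ordinary page faults in the guest.
        if kind not in self.host_pt.get(page):
            self.trap_log.append((page, kind, "EPT violation"))
        return False


def build_machine(protect_in_guest, protect_in_host):
    """Mark kernel text r-x in the chosen table(s); data stays rw- everywhere."""
    guest = PermTable("guest page table")
    host = PermTable("host EPT")
    guest.set(KERNEL_TEXT, {R, X} if protect_in_guest else {R, W, X})
    host.set(KERNEL_TEXT, {R, X} if protect_in_host else {R, W, X})
    guest.set(KERNEL_DATA, {R, W})
    host.set(KERNEL_DATA, {R, W})
    return Machine(guest, host)


def rootkit_relax_guest_pte(m, page):
    """Constructed attacker step: guest ring 0 re-adds W in the guest table only."""
    m.guest_pt.set(page, m.guest_pt.get(page) | {W})


def scenario(protect_in_guest, protect_in_host):
    """Return (text write allowed before tampering, after tampering, data write allowed)."""
    m = build_machine(protect_in_guest, protect_in_host)
    before = m.access(KERNEL_TEXT, W)
    rootkit_relax_guest_pte(m, KERNEL_TEXT)
    after = m.access(KERNEL_TEXT, W)
    # A legitimate kmalloc'd buffer is writable regardless: the protection
    # distinguishes pages, not callers, which is the limitation raised above.
    data_ok = m.access(KERNEL_DATA, W)
    return before, after, data_ok


def host_traps(protect_in_guest, protect_in_host):
    """Number of EPT violations the host would observe in the scenario."""
    m = build_machine(protect_in_guest, protect_in_host)
    m.access(KERNEL_TEXT, W)
    rootkit_relax_guest_pte(m, KERNEL_TEXT)
    m.access(KERNEL_TEXT, W)
    return len(m.trap_log)


if __name__ == "__main__":
    print("guest-only protection:", scenario(True, False))   # (False, True, True)
    print("host-only protection: ", scenario(False, True))   # (False, False, True)
    print("host traps seen:      ", host_traps(False, True))  # 2
```

Running it shows the asymmetry: with guest-only protection the write to kernel text is blocked until the rootkit rewrites its own PTE, after which it succeeds; with host-side protection the write stays blocked and each attempt surfaces to the hypervisor as an EPT violation it can log. The data-page write succeeds in every configuration, which is the "kmalloc looks legitimate" problem: page permissions cannot tell a module's own allocation from one made on behalf of an attacker.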