How to change page permission from inside the kernel?
valdis.kletnieks at vt.edu
valdis.kletnieks at vt.edu
Fri Jul 6 17:10:30 EDT 2018
On Fri, 06 Jul 2018 21:29:40 +0200, you said:
> Implementing some kernel protection against subset of rootkits that
> manipulates kernel static data (memory pages as well as their
> mappings) by having them enforced by hypervisor which is KVM in our
Can you give an actual example of a case where *all* of the following are true?
1) It's a page that's safe to make R/O out from under the code that uses that page.
2) It's a kernel static data that's R/W (Hint: stuff known to be R/O is already set to R/O
at boot or module load time, so if it's R/W it probably *needs* to be that...)
3) the rootkit *is* able to screw with kernel pages, but somehow *is not* able to
disable your protection (remember, all it takes is one NOP or BRANCH opcode in
the right place).
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 486 bytes
Desc: not available
URL: <http://lists.kernelnewbies.org/pipermail/kernelnewbies/attachments/20180706/91855bc4/attachment.sig>
More information about the Kernelnewbies
mailing list