<div dir="ltr"><div>this is a recent classic bug implementing ideas like you mentioned:<br><br><a href="http://xenbits.xenproject.org/xsa/advisory-98.html">http://xenbits.xenproject.org/xsa/advisory-98.html</a><br><br></div>
All mapping are done on hosts side. But the kernelnewbies is proposing something from the guest side, but if I have control over the guest OS (as a rootkit), then I also can undo what the protection has done - potentially.....depending on available exploitable path of entry.<br>
<br><br></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Jul 31, 2014 at 8:31 AM, Peter Teoh <span dir="ltr"><<a href="mailto:htmldeveloper@gmail.com" target="_blank">htmldeveloper@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div>Are u referring to this:<br><br><a href="http://kernelnewbies.org/KernelProjects/VirtRootkitBlocker" target="_blank">http://kernelnewbies.org/KernelProjects/VirtRootkitBlocker</a><br>
<br></div>Just trying to answer your question:<div class=""><br>
<p dir="ltr">--Is the method of making kernel read only to block rootkits used in linux kernel mainline?</p></div><p>I suspect not. How are u going to distinguish between "legitimate program" and "rootkit" program? Program includes both userland program and kernel modules. This distinction is needed, because legitimate kernel modules can call "kmalloc" and that is read/writeable kernel memory. Supposed there is a vulnerability in the kernel modules (and thus userspace program can escalate privilege and execute into) then the "kmalloc" is executed on behalf of the malware, but outwardly it looks as if the kernel module is making a memory allocation. Unless u record down all the potential legitimate kernel execution path (sequence of EIP addresses), and compare it dynamically with the redirected path (as triggered by the malware), it seemed like impossible to distinguish. And the database of path is also going to be very huge. <br>
</p>Let me know if u have alternative ideas about setting kernel memory readonly.<br><br></div><div>But on the other hand, this idea is also not new, explored before, for virtualization protection, NOT for rootkit detection.<br>
<br></div><div>When u virtualized OS, the host has to set the all the memory given to the guest as readonly. For details:<br><br>For KVM:<br><br><a href="http://www.linux-kvm.org/wiki/images/3/33/KvmForum2008$kdf2008_15.pdf" target="_blank">http://www.linux-kvm.org/wiki/images/3/33/KvmForum2008$kdf2008_15.pdf</a><br>
<br></div><div>For Xen:<br><br><a href="http://wiki.xen.org/wiki/X86_Paravirtualised_Memory_Management" target="_blank">http://wiki.xen.org/wiki/X86_Paravirtualised_Memory_Management</a><br><a href="http://lists.xen.org/archives/html/xen-devel/2009-10/msg01201.html" target="_blank">http://lists.xen.org/archives/html/xen-devel/2009-10/msg01201.html</a><br>
<br></div><div>And this page has good info:<br><br><a href="http://www.linux-kvm.org/page/Memory" target="_blank">http://www.linux-kvm.org/page/Memory</a><br><br></div><div>(read esp the "shadow page memory" mechanism, which is very expensive, and somewhat like the ideas proposed in the kernelnewbies mentor page).<br>
</div><div><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote"><div><div class="h5">On Wed, Jul 30, 2014 at 7:44 PM, Aniket Shinde <span dir="ltr"><<a href="mailto:universalvirus.ani@gmail.com" target="_blank">universalvirus.ani@gmail.com</a>></span> wrote:<br>
</div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div class="h5"><p dir="ltr">Hello guys,<br>
I was going through <a href="http://kernelnewbies.org" target="_blank">kernelnewbies.org</a> and came across a project "Block Rootkits using Virtualization" by riel.<br>
Basically we have to make kernel read only after boot process completes so rootkits get blocked. <br>
I have few doubts...</p>
<p dir="ltr">--Is the method of making kernel read only to block rootkits used in linux kernel mainline?</p>
<p dir="ltr">--have anybody implenented this project already?</p>
<p dir="ltr">--what is the good way to start with above project?</p>
<p dir="ltr">--any guidelines to implemnet above project??</p>
<p dir="ltr">--can I get any menor??</p>
<p dir="ltr">--any material related to above project??</p>
<p dir="ltr">(note: i have requested to mailing list but have not been approved yet. So please reply me personely.)</p>
<br></div></div>_______________________________________________<br>
Kernel-mentors mailing list<br>
<a href="mailto:Kernel-mentors@selenic.com" target="_blank">Kernel-mentors@selenic.com</a><br>
<a href="http://selenic.com/mailman/listinfo/kernel-mentors" target="_blank">http://selenic.com/mailman/listinfo/kernel-mentors</a><br>
<br></blockquote></div><span class="HOEnZb"><font color="#888888"><br><br clear="all"><br>-- <br>Regards,<br>Peter Teoh
</font></span></div>
</blockquote></div><br><br clear="all"><br>-- <br>Regards,<br>Peter Teoh
</div>