<div dir="ltr"><div><div>Are you referring to this:<br><br><a href="http://kernelnewbies.org/KernelProjects/VirtRootkitBlocker">http://kernelnewbies.org/KernelProjects/VirtRootkitBlocker</a><br><br></div>Just trying to answer your question:<br>
<p dir="ltr">--Is the method of making the kernel read-only to block rootkits used in the Linux kernel mainline?</p><p>I suspect not. How are you going to distinguish between a "legitimate program" and a "rootkit" program? Programs include both userland programs and kernel modules. This distinction is needed, because legitimate kernel modules can call "kmalloc", and that is read/writeable kernel memory. Suppose there is a vulnerability in a kernel module (and thus a userspace program can escalate privilege and execute into it); then the "kmalloc" is executed on behalf of the malware, but outwardly it looks as if the kernel module is making a memory allocation. Unless you record all the potential legitimate kernel execution paths (sequences of EIP addresses) and compare them dynamically with the redirected path (as triggered by the malware), it seems impossible to distinguish. And the database of paths is also going to be very large. <br>
</p>Let me know if you have alternative ideas about setting kernel memory read-only.<br><br></div><div>But on the other hand, this idea is also not new; it was explored before, for virtualization protection, NOT for rootkit detection.<br>
<br></div><div>When you virtualize an OS, the host has to set all the memory given to the guest as read-only. For details:<br><br>For KVM:<br><br><a href="http://www.linux-kvm.org/wiki/images/3/33/KvmForum2008$kdf2008_15.pdf">http://www.linux-kvm.org/wiki/images/3/33/KvmForum2008$kdf2008_15.pdf</a><br>
<br></div><div>For Xen:<br><br><a href="http://wiki.xen.org/wiki/X86_Paravirtualised_Memory_Management">http://wiki.xen.org/wiki/X86_Paravirtualised_Memory_Management</a><br><a href="http://lists.xen.org/archives/html/xen-devel/2009-10/msg01201.html">http://lists.xen.org/archives/html/xen-devel/2009-10/msg01201.html</a><br>
<br></div><div>And this page has good info:<br><br><a href="http://www.linux-kvm.org/page/Memory">http://www.linux-kvm.org/page/Memory</a><br><br></div><div>(read especially the "shadow page memory" mechanism, which is very expensive, and somewhat like the ideas proposed in the kernelnewbies mentor page).<br>
</div><div><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Wed, Jul 30, 2014 at 7:44 PM, Aniket Shinde <span dir="ltr"><<a href="mailto:universalvirus.ani@gmail.com" target="_blank">universalvirus.ani@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><p dir="ltr">Hello guys,<br>
I was going through <a href="http://kernelnewbies.org" target="_blank">kernelnewbies.org</a> and came across a project "Block Rootkits using Virtualization" by riel.<br>
Basically we have to make the kernel read-only after the boot process completes, so rootkits get blocked. <br>
I have a few doubts...</p>
<p dir="ltr">--Is the method of making the kernel read-only to block rootkits used in the Linux kernel mainline?</p>
<p dir="ltr">--Has anybody implemented this project already?</p>
<p dir="ltr">--What is a good way to start with the above project?</p>
<p dir="ltr">--Any guidelines to implement the above project?</p>
<p dir="ltr">--Can I get a mentor?</p>
<p dir="ltr">--Any material related to the above project?</p>
<p dir="ltr">(note: I have requested to join the mailing list but have not been approved yet. So please reply to me personally.)</p>
<br>_______________________________________________<br>
Kernel-mentors mailing list<br>
<a href="mailto:Kernel-mentors@selenic.com">Kernel-mentors@selenic.com</a><br>
<a href="http://selenic.com/mailman/listinfo/kernel-mentors" target="_blank">http://selenic.com/mailman/listinfo/kernel-mentors</a><br>
<br></blockquote></div><br><br clear="all"><br>-- <br>Regards,<br>Peter Teoh
</div>
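<p>As an added user-space illustration of the write-protection idea discussed in this thread (example code written for this page; it is not from the kernelnewbies project, the mailing list, or the Linux kernel): a page holding a function-pointer dispatch table stands in for something like the system-call table. It is writable while it is filled in during "init", then sealed with mprotect(PROT_READ). A later attempt to hook an entry, the way a rootkit does, faults instead of landing. The handler names and values are constructed for the demo; the SIGSEGV handler with sigsetjmp/siglongjmp exists only so the program can observe the blocked store and continue. It assumes a Linux/POSIX system with mmap, mprotect and sigaction.</p>

```c
/* Added example (not from the thread): user-space model of "make the kernel
 * read-only once boot is done", using mmap/mprotect on a dispatch table. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

typedef long (*handler_t)(long);

static handler_t *table = NULL;          /* one page, holds the dispatch table */
static size_t table_bytes = 0;
static sigjmp_buf fault_env;
static volatile sig_atomic_t write_faulted = 0;

/* Stand-ins for legitimate entry points (constructed for the demo). */
static long real_getpid_like(long a) { return a + 1; }
static long real_read_like(long a)   { return a * 2; }
/* Stand-in for a rootkit's replacement handler. */
static long evil_hook(long a)        { (void)a; return -1; }

static void on_segv(int sig)
{
    (void)sig;
    write_faulted = 1;
    siglongjmp(fault_env, 1);            /* abandon the faulting store */
}

/* "Boot": map one writable page and fill in the legitimate handlers. */
int table_init(void)
{
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0)
        return -1;
    table_bytes = (size_t)page;
    void *p = mmap(NULL, table_bytes, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    table = (handler_t *)p;
    memset(table, 0, table_bytes);
    table[0] = real_getpid_like;
    table[1] = real_read_like;

    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;            /* handler may run again on a later fault */
    return sigaction(SIGSEGV, &sa, NULL);
}

/* "End of boot": drop write permission on the table's page. */
int table_seal(void)
{
    return mprotect(table, table_bytes, PROT_READ);
}

/* Try to overwrite one slot the way a rootkit hooks a syscall.
 * Returns 0 if the store landed, 1 if the page protection blocked it. */
int try_hook(int slot, handler_t fn)
{
    write_faulted = 0;
    if (sigsetjmp(fault_env, 1) == 0) {
        table[slot] = fn;                /* faults once the page is read-only */
        return 0;
    }
    return write_faulted ? 1 : 0;
}

/* Call through the table, as the entry path would. Empty slot returns 0. */
long dispatch(int slot, long arg)
{
    return table[slot] ? table[slot](arg) : 0;
}

int main(void)
{
    if (table_init() != 0)
        return 1;
    printf("before seal: hook %s\n", try_hook(1, evil_hook) ? "blocked" : "landed");
    try_hook(1, real_read_like);         /* restore the original for the second half */
    if (table_seal() != 0)
        return 1;
    printf("after seal:  hook %s\n", try_hook(1, evil_hook) ? "blocked" : "landed");
    printf("dispatch(1, 21) = %ld\n", dispatch(1, 21));
    return 0;
}
```

<p>Two caveats a practitioner would want next to this model. First, it protects only the page that holds the table; it says nothing about memory handed out afterwards (the "kmalloc" point made above), which is exactly why a static read-only region is not a complete rootkit defence. Second, the protection is only as strong as the attacker's inability to undo it: here a hook running in the same process could simply call mprotect again, and in the kernel an attacker already executing at ring 0 can clear CR0.WP or edit the page tables, which is why the kernelnewbies project wants the hypervisor, not the guest, to hold the write protection.</p>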