Re: [kernel-hardening] Introduction + new project: "rootkit detection using virtualization".

[Rik van Riel <riel@redhat.com>]

On Fri, 2017-02-10 at 15:27 -0800, Kees Cook wrote:
> On Fri, Feb 10, 2017 at 2:00 PM, Matthew Giassa <matthew@giassa.net>
> wrote:
> > Good day,
> > 
> > I am a volunteer developer taking up a project originally proposed
> > by
> > Rik van Riel, "rootkit detection using virtualization", and am
> > planning to contribute regularly to this project over the coming
> > months. I was advised to contact these mailing lists to introduce
> > myself, and I also wanted to inquire about any existing projects
> > that
> > coincide with this work. My initial work will involved diving into
> > KVM
> > + qemu source and deciding how best to approach the problem. While
> > I
> > have the attention of list members, are there any specific
> > individuals/groups I should contact directly with respect to this
> > type
> > of project?
> > 
> > Thank you.
> 
> Hi! Welcome to the list(s)!
> 
> I think this is an interesting area of research, though it may be a
> tricky cat/mouse game. Some of this kind of
> hypervisor-protects-the-kernel work has been done on some Android
> phones in small areas (see the cred protection near the end):
> 
> http://keenlab.tencent.com/en/2016/06/01/Emerging-Defense-in-Android-
> Kernel/

One of the things that Matthew can do is build on
the read-only memory protections in the kernel, and
have the hypervisor enforce that the memory the kernel
marks as read-only is never written from inside the
virtual machine, until the next reboot.

That seems like it might be a useful place to start,
since it would immediately make the other read-only
protections that people are working on much harder to
get around, at least inside virtual machines.