From: Matthew Garrett <mjg59@srcf.ucam.org>
To: Rik van Riel <riel@redhat.com>
Cc: Kees Cook <keescook@chromium.org>,
Matthew Giassa <matthew@giassa.net>,
"kernel-hardening@lists.openwall.com"
<kernel-hardening@lists.openwall.com>, KVM <kvm@vger.kernel.org>
Subject: Re: [kernel-hardening] Introduction + new project: "rootkit detection using virtualization".
Date: Mon, 13 Feb 2017 08:41:15 +0000 [thread overview]
Message-ID: <20170213084115.GA16815@srcf.ucam.org> (raw)
In-Reply-To: <1486777021.2096.36.camel@redhat.com>
On Fri, Feb 10, 2017 at 08:37:01PM -0500, Rik van Riel wrote:
> One of the things that Matthew can do is build on
> the read-only memory protections in the kernel, and
> have the hypervisor enforce that the memory the kernel
> marks as read-only is never written from inside the
> virtual machine, until the next reboot.
>
> That seems like it might be a useful place to start,
> since it would immediately make the other read-only
> protections that people are working on much harder to
> get around, at least inside virtual machines.
I agree that this is valuable, but it feels like doing so probably
involves designing a consistent mechanism for lightweight
kernel→hypervisor calls - the existing vfio framework seems heavier than
necessary for this kind of thing. Going further probably involves having
a good way for syscalls to call into the hypervisor, but again finding a
generic solution that doesn't add too much overhead seems like a good
plan. My implementation of this was very special cased and didn't
attempt to do anything in a generic way, so I'm definitely not a good
model!
--
Matthew Garrett | mjg59@srcf.ucam.org
prev parent reply other threads:[~2017-02-13 8:41 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-02-10 22:00 [kernel-hardening] Introduction + new project: "rootkit detection using virtualization" Matthew Giassa
2017-02-10 22:00 ` Matthew Giassa
2017-02-10 23:14 ` [kernel-hardening] " Jidong Xiao
2017-02-10 23:14 ` Jidong Xiao
2017-02-10 23:18 ` [kernel-hardening] " Jidong Xiao
2017-02-10 23:18 ` Jidong Xiao
2017-02-11 3:21 ` [kernel-hardening] " Matthew Giassa
2017-02-11 3:21 ` Matthew Giassa
2017-02-11 3:43 ` [kernel-hardening] " Jidong Xiao
2017-02-11 3:43 ` Jidong Xiao
2017-02-14 18:06 ` [kernel-hardening] " Matthew Giassa
2017-02-14 18:06 ` Matthew Giassa
2017-02-14 21:25 ` [kernel-hardening] " Steve Rutherford
2017-02-14 21:25 ` Steve Rutherford
2017-02-15 3:31 ` [kernel-hardening] " Matthew Giassa
2017-02-15 3:31 ` Matthew Giassa
2017-02-16 6:31 ` [kernel-hardening] " Grandhi, Sainath
2017-02-16 6:31 ` Grandhi, Sainath
2017-02-17 1:16 ` [kernel-hardening] " Matthew Giassa
2017-02-17 1:16 ` Matthew Giassa
2017-02-10 23:27 ` [kernel-hardening] " Kees Cook
2017-02-10 23:31 ` Kees Cook
2017-02-11 1:37 ` Rik van Riel
2017-02-13 8:41 ` Matthew Garrett [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170213084115.GA16815@srcf.ucam.org \
--to=mjg59@srcf.ucam.org \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=kvm@vger.kernel.org \
--cc=matthew@giassa.net \
--cc=riel@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.