From: Ingo Molnar <mingo@kernel.org>
To: Ahmed Abd El Mawgood <ahmedsoliman0x666@gmail.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>,
rkrcmar@redhat.com, Jonathan Corbet <corbet@lwn.net>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>,
hpa@zytor.com, x86@kernel.org, kvm@vger.kernel.org,
linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org,
ovich00@gmail.com, kernel-hardening@lists.openwall.com,
nigel.edwards@hpe.com,
Boris Lukashev <blukashev@sempervictus.com>,
Hossam Hassan <7ossam9063@gmail.com>,
Ahmed Lotfy <A7med.lotfey@gmail.com>
Subject: Re: [PATCH V5 0/5] KVM: X86: Introducing ROE Protection Kernel Hardening
Date: Mon, 29 Oct 2018 07:46:40 +0100 [thread overview]
Message-ID: <20181029064640.GE128403@gmail.com> (raw)
In-Reply-To: <20181026151223.16810-1-ahmedsoliman0x666@gmail.com>
* Ahmed Abd El Mawgood <ahmedsoliman0x666@gmail.com> wrote:
> This is the 5th version which is 4th version with minor fixes. ROE is a
> hypercall that enables host operating system to restrict guest's access to its
> own memory. This will provide a hardening mechanism that can be used to stop
> rootkits from manipulating kernel static data structures and code. Once a memory
> region is protected the guest kernel can't even request undoing the protection.
>
> Memory protected by ROE should be non-swapable because even if the ROE protected
> page got swapped out, It won't be possible to write anything in its place.
>
> ROE hypercall should be capable of either protecting a whole memory frame or
> parts of it. With these two, it should be possible for guest kernel to protect
> its memory and all the page table entries for that memory inside the page table.
> I am still not sure whether this should be part of ROE job or the guest's job.
>
>
> The reason why it would be better to implement this from inside kvm: instead of
> (host) user space is the need to access SPTEs to modify the permissions, while
> mprotect() from user space can work in theory. It will become a big performance
> hit to vmexit and switch to user space mode on each fault, on the other hand,
> having the permission handled by EPT should make some remarkable performance
> gain.
>
> Our model assumes that an attacker got full root access to a running guest and
> his goal is to manipulate kernel code/data (hook syscalls, overwrite IDT ..etc).
>
> There is future work in progress to also put some sort of protection on the page
> table register CR3 and other critical registers that can be intercepted by KVM.
> This way it won't be possible for an attacker to manipulate any part of the
> guests page table.
BTW., transparent detection and trapping of attacks would also be nice:
if ROE is active and something running on the guest still attempts to
change the pagetables, the guest should be frozen and a syslog warning on
the hypervisor side should be printed?
Also, the feature should probably be 'default y' to help spread it on the
distro side. It's opt-in functionality from the guest side anyway, so
there's no real cost on the host side other than some minor resident
memory.
Thanks,
Ingo
next prev parent reply other threads:[~2018-10-29 6:46 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-10-26 15:12 [PATCH V5 0/5] KVM: X86: Introducing ROE Protection Kernel Hardening Ahmed Abd El Mawgood
2018-10-26 15:12 ` [PATCH V5 1/5] KVM: X86: Memory ROE documentation Ahmed Abd El Mawgood
2018-10-29 16:42 ` gRe: [PATCH V5 1/5] KVM: X86: Memory ROE documentation^[ Sean Christopherson
2018-10-29 16:42 ` Sean Christopherson
2018-10-31 16:02 ` gRe: [PATCH V5 1/5] KVM: X86: Memory ROE documentation Ahmed Soliman
2018-10-26 15:12 ` [PATCH V5 2/5] KVM: X86: Adding arbitrary data pointer in kvm memslot iterator functions Ahmed Abd El Mawgood
2018-10-26 15:12 ` [PATCH V5 3/5] KVM: X86: Adding skeleton for Memory ROE Ahmed Abd El Mawgood
2018-10-26 15:12 ` [PATCH V5 4/5] KVM: X86: Adding support for byte granular memory ROE Ahmed Abd El Mawgood
2018-10-26 15:12 ` [PATCH V5 5/5] KVM: Small Refactoring to kvm_free_memslot Ahmed Abd El Mawgood
2018-10-29 16:51 ` Sean Christopherson
2018-10-29 6:46 ` Ingo Molnar [this message]
2018-10-30 16:49 ` [PATCH V5 0/5] KVM: X86: Introducing ROE Protection Kernel Hardening Ahmed Soliman
2018-10-29 18:01 ` Igor Stoppa
2018-10-31 23:21 ` Ahmed Soliman
2018-11-01 15:56 ` Igor Stoppa
2018-10-30 17:31 ` Christian Borntraeger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181029064640.GE128403@gmail.com \
--to=mingo@kernel.org \
--cc=7ossam9063@gmail.com \
--cc=A7med.lotfey@gmail.com \
--cc=ahmedsoliman0x666@gmail.com \
--cc=blukashev@sempervictus.com \
--cc=bp@alien8.de \
--cc=corbet@lwn.net \
--cc=hpa@zytor.com \
--cc=kernel-hardening@lists.openwall.com \
--cc=kvm@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=nigel.edwards@hpe.com \
--cc=ovich00@gmail.com \
--cc=pbonzini@redhat.com \
--cc=rkrcmar@redhat.com \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.