* Introduction + new project: "rootkit detection using virtualization".
From: Matthew Giassa @ 2017-02-10 22:00 UTC
To: kernel-hardening, kvm

Good day,
I am a volunteer developer taking up a project originally proposed by
Rik van Riel, "rootkit detection using virtualization", and am
planning to contribute regularly to this project over the coming
months. I was advised to contact these mailing lists to introduce
myself, and I also wanted to inquire about any existing projects that
coincide with this work. My initial work will involve diving into KVM
+ qemu source and deciding how best to approach the problem. While I
have the attention of list members, are there any specific
individuals/groups I should contact directly with respect to this type
of project?
Thank you.
--
============================================================
Matthew Giassa

* Re: Introduction + new project: "rootkit detection using virtualization".
From: Jidong Xiao @ 2017-02-10 23:14 UTC
To: Matthew Giassa; +Cc: kernel-hardening, KVM

Hi, Matthew,

"Rootkit detection using virtualization" has been widely studied for a
decade. Is the approach you are going to use different from all of these
existing ones?

https://www.cs.rochester.edu/u/hliao6/projects/other/os_survey.pdf

-Jidong

* Re: Introduction + new project: "rootkit detection using virtualization".
From: Jidong Xiao @ 2017-02-10 23:18 UTC
To: Matthew Giassa; +Cc: kernel-hardening, KVM

Sorry, I have to resend this again, as the original two emails were
blocked because of the url.

"Rootkit detection using virtualization" has been widely studied for a
decade. Is the approach you are going to use different from all of these
existing ones:

"Survey: Virtual Machine Introspection Based System Monitoring and
Malware Detection Techniques" - by Haofu Liao at University of Rochester.

-Jidong

* Re: Introduction + new project: "rootkit detection using virtualization".
From: Matthew Giassa @ 2017-02-11 3:21 UTC
To: Jidong Xiao; +Cc: kernel-hardening, KVM, Rik van Riel

On 2017-02-10 03:18 PM, Jidong Xiao wrote:
> "Rootkit detection using virtualization" has been widely studied for a
> decade. Is the approach you are going to use different from all of these
> existing ones:
>
> "Survey: Virtual Machine Introspection Based System Monitoring and
> Malware Detection Techniques" - by Haofu Liao at University of Rochester.
>
> -Jidong

On 2017-02-10 05:37 PM, Rik van Riel wrote:
> One of the things that Matthew can do is build on
> the read-only memory protections in the kernel, and
> have the hypervisor enforce that the memory the kernel
> marks as read-only is never written from inside the
> virtual machine, until the next reboot.
>
> That seems like it might be a useful place to start,
> since it would immediately make the other read-only
> protections that people are working on much harder to
> get around, at least inside virtual machines.

My initial plan was to start with what Rik proposed, and focus on
additional memory protections. With respect to long-term plans, a lot of
my work/research so far has been focused on implementing a system similar
to that presented by Payne et al (i.e., Lares).

-Matthew Giassa

* Re: Introduction + new project: "rootkit detection using virtualization".
From: Jidong Xiao @ 2017-02-11 3:43 UTC
To: Matthew Giassa; +Cc: kernel-hardening, KVM, Rik van Riel

Thanks Matthew. So if I understand correctly, even though many people have
proposed similar solutions, none of them have actually contributed their
code (of their solution) into Qemu/KVM. To make it "real" (i.e., as a part
of Qemu/KVM code) is your goal, right? That sounds interesting!

-Jidong

* Re: Introduction + new project: "rootkit detection using virtualization".
From: Matthew Giassa @ 2017-02-14 18:06 UTC
To: Jidong Xiao; +Cc: kernel-hardening, KVM, Rik van Riel

Hi Jidong,

You are correct on all the points noted above: my goal is to develop a
production-ready, non-academic implementation of such a tool. I'm in it
for the long haul.

On Fri, Feb 10, 2017 at 7:43 PM, Jidong Xiao <jidong.xiao@gmail.com> wrote:
> Thanks Matthew. So if I understand correctly, even though many people have
> proposed similar solutions, none of them have actually contributed their
> code (of their solution) into Qemu/KVM. To make it "real" (i.e., as a part
> of Qemu/KVM code) is your goal, right? That sounds interesting!
>
> -Jidong

--
============================================================
Matthew Giassa, MASc, BASc, EIT
Principal Developer; Security and Embedded Systems Specialist
linkedin: https://ca.linkedin.com/in/giassa
e-mail: matthew@giassa.net
website: www.giassa.net

* Re: Introduction + new project: "rootkit detection using virtualization".
From: Steve Rutherford @ 2017-02-14 21:25 UTC
To: Matthew Giassa; +Cc: Jidong Xiao, kernel-hardening, KVM, Rik van Riel

On Tue, Feb 14, 2017 at 10:06 AM, Matthew Giassa <matthew@giassa.net> wrote:
> Hi Jidong,
>
> You are correct on all the points noted above: my goal is to develop a
> production-ready, non-academic implementation of such a tool. I'm in
> it for the long haul.

Is your goal for this to work on all architectures, or are you
planning to focus on Intel-x86 (or AMD-x86, or ARM, or...)?

* Re: Introduction + new project: "rootkit detection using virtualization".
From: Matthew Giassa @ 2017-02-15 3:31 UTC
To: Steve Rutherford; +Cc: Jidong Xiao, kernel-hardening, KVM, Rik van Riel

On 2017-02-14 01:25 PM, Steve Rutherford wrote:
> Is your goal for this to work on all architectures, or are you
> planning to focus on Intel-x86 (or AMD-x86, or ARM, or...)?

My initial aim is x86/x64 targets, unless there are additional resources I
can tap into for expanding to ARM. If I can get a working prototype up and
running and into "staging", then expanding to ARM architecture would be
viable.

* RE: Introduction + new project: "rootkit detection using virtualization".
From: Grandhi, Sainath @ 2017-02-16 6:31 UTC
To: Matthew Giassa, Steve Rutherford
Cc: Jidong Xiao, kernel-hardening@lists.openwall.com, KVM, Rik van Riel, Nakajima, Jun

Hi Matthew,

We have been working on a Kernel Hardening project. Please find slides at
http://events.linuxfoundation.org/sites/events/files/slides/Kernel%20Protection-Nakajima.pdf
We presented this idea in KVM Forum 2016. The idea is to protect
CPU/platform resources and kernel managed resources (IDT, kernel page
tables etc.) during execution of a VM. This approach is extended to
baremetal/host OS by switching the execution of host OS into guest mode
and monitoring the host OS with a very thin hypervisor, probably kvm
module extension. Currently we have a PoC, contained in kvm module, for
switching the host OS into guest mode. We are open for collaboration and
feedback.

Thanks
-Sainath

> -----Original Message-----
> From: kvm-owner@vger.kernel.org [mailto:kvm-owner@vger.kernel.org] On
> Behalf Of Matthew Giassa
> Sent: Tuesday, February 14, 2017 7:32 PM
> To: Steve Rutherford <srutherford@google.com>
> Cc: Jidong Xiao <jidong.xiao@gmail.com>; kernel-hardening@lists.openwall.com;
> KVM <kvm@vger.kernel.org>; Rik van Riel <riel@redhat.com>
> Subject: Re: Introduction + new project: "rootkit detection using
> virtualization".
>
> My initial aim is x86/x64 targets, unless there are additional resources I can
> tap into for expanding to ARM. If I can get a working prototype up and running
> and into "staging", then expanding to ARM architecture would be viable.

* Re: Introduction + new project: "rootkit detection using virtualization".
From: Matthew Giassa @ 2017-02-17 1:16 UTC
To: Grandhi, Sainath
Cc: Steve Rutherford, Jidong Xiao, kernel-hardening@lists.openwall.com, KVM, Rik van Riel, Nakajima, Jun

Thank you for this, Sainath. Is this module of yours already in mainline
KVM, or elsewhere in a separate repo?

Cheers!

On Wed, Feb 15, 2017 at 10:31 PM, Grandhi, Sainath <sainath.grandhi@intel.com> wrote:
> Hi Matthew,
> We have been working on a Kernel Hardening project. Please find slides at
> http://events.linuxfoundation.org/sites/events/files/slides/Kernel%20Protection-Nakajima.pdf
> We presented this idea in KVM Forum 2016. The idea is to protect
> CPU/platform resources and kernel managed resources (IDT, kernel page
> tables etc.) during execution of a VM. This approach is extended to
> baremetal/host OS by switching the execution of host OS into guest mode
> and monitoring the host OS with a very thin hypervisor, probably kvm
> module extension. Currently we have a PoC, contained in kvm module, for
> switching the host OS into guest mode. We are open for collaboration and
> feedback.
>
> Thanks
> -Sainath

--
============================================================
Matthew Giassa, MASc, BASc, EIT
Principal Developer; Security and Embedded Systems Specialist
linkedin: https://ca.linkedin.com/in/giassa
e-mail: matthew@giassa.net
website: www.giassa.net

* Re: [kernel-hardening] Introduction + new project: "rootkit detection using virtualization".
From: Kees Cook @ 2017-02-10 23:27 UTC
To: Matthew Giassa; +Cc: kernel-hardening@lists.openwall.com, KVM

Hi! Welcome to the list(s)!

I think this is an interesting area of research, though it may be a
tricky cat/mouse game. Some of this kind of
hypervisor-protects-the-kernel work has been done on some Android
phones in small areas (see the cred protection near the end):

http://keenlab.tencent.com/en/2016/06/01/Emerging-Defense-in-Android-Kernel/

-Kees

--
Kees Cook
Pixel Security

* Re: [kernel-hardening] Introduction + new project: "rootkit detection using virtualization".
From: Kees Cook @ 2017-02-10 23:31 UTC
To: Matthew Giassa; +Cc: kernel-hardening@lists.openwall.com, KVM, Matthew Garrett

On Fri, Feb 10, 2017 at 3:27 PM, Kees Cook <keescook@chromium.org> wrote:
> Hi! Welcome to the list(s)!
>
> I think this is an interesting area of research, though it may be a
> tricky cat/mouse game. Some of this kind of
> hypervisor-protects-the-kernel work has been done on some Android
> phones in small areas (see the cred protection near the end):
>
> http://keenlab.tencent.com/en/2016/06/01/Emerging-Defense-in-Android-Kernel/

And some privilege monitoring work done by Matthew Garrett:

https://github.com/mjg59/rkt/commits/privilege

-Kees

--
Kees Cook
Pixel Security

* Re: [kernel-hardening] Introduction + new project: "rootkit detection using virtualization".
From: Rik van Riel @ 2017-02-11 1:37 UTC
To: Kees Cook, Matthew Giassa; +Cc: kernel-hardening@lists.openwall.com, KVM

On Fri, 2017-02-10 at 15:27 -0800, Kees Cook wrote:
> Hi! Welcome to the list(s)!
>
> I think this is an interesting area of research, though it may be a
> tricky cat/mouse game. Some of this kind of
> hypervisor-protects-the-kernel work has been done on some Android
> phones in small areas (see the cred protection near the end):
>
> http://keenlab.tencent.com/en/2016/06/01/Emerging-Defense-in-Android-Kernel/

One of the things that Matthew can do is build on
the read-only memory protections in the kernel, and
have the hypervisor enforce that the memory the kernel
marks as read-only is never written from inside the
virtual machine, until the next reboot.

That seems like it might be a useful place to start,
since it would immediately make the other read-only
protections that people are working on much harder to
get around, at least inside virtual machines.

* Re: [kernel-hardening] Introduction + new project: "rootkit detection using virtualization".
From: Matthew Garrett @ 2017-02-13 8:41 UTC
To: Rik van Riel
Cc: Kees Cook, Matthew Giassa, kernel-hardening@lists.openwall.com, KVM

On Fri, Feb 10, 2017 at 08:37:01PM -0500, Rik van Riel wrote:
> One of the things that Matthew can do is build on
> the read-only memory protections in the kernel, and
> have the hypervisor enforce that the memory the kernel
> marks as read-only is never written from inside the
> virtual machine, until the next reboot.
>
> That seems like it might be a useful place to start,
> since it would immediately make the other read-only
> protections that people are working on much harder to
> get around, at least inside virtual machines.

I agree that this is valuable, but it feels like doing so probably
involves designing a consistent mechanism for lightweight
kernel→hypervisor calls - the existing vfio framework seems heavier than
necessary for this kind of thing. Going further probably involves having
a good way for syscalls to call into the hypervisor, but again finding a
generic solution that doesn't add too much overhead seems like a good
plan. My implementation of this was very special cased and didn't attempt
to do anything in a generic way, so I'm definitely not a good model!

--
Matthew Garrett | mjg59@srcf.ucam.org
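The one-way latch Rik describes (kernel marks memory read-only, hypervisor refuses every later guest write until reboot) together with the lightweight kernel-to-hypervisor call Matthew Garrett says it needs, as an added C model that is neither the thread's code nor KVM's. hv_seal_range, hv_guest_write, hv_reset and the guest_ram array are hypothetical stand-ins for a hypercall, the EPT write-fault path, a VM reboot and guest physical memory; the refused-write counter is the detection signal a monitor would report on.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE   4096u
#define RAM_PAGES   64u
#define RAM_BYTES   ((uint64_t)RAM_PAGES * PAGE_SIZE)
#define MAX_SEALED  16u

enum hv_status { HV_OK = 0, HV_EINVAL, HV_EFULL, HV_EPERM };

struct sealed_range { uint64_t gpa; uint64_t len; };

/* Hypervisor-side state. It lives outside the guest, so code running inside
 * the VM (a rootkit included) cannot edit the seal list or clear the
 * violation counter; only hv_reset(), the modelled reboot, does that. */
static struct sealed_range hv_sealed[MAX_SEALED];
static size_t hv_nsealed;
static unsigned hv_violations;
static uint8_t guest_ram[RAM_BYTES];   /* constructed stand-in for guest physical memory */

static bool overlaps(uint64_t a, uint64_t alen, uint64_t b, uint64_t blen)
{
    return a < b + blen && b < a + alen;
}

/* Range must be non-empty and fit in RAM without wrapping around. */
static bool in_ram(uint64_t gpa, uint64_t len)
{
    return len > 0 && len <= RAM_BYTES && gpa <= RAM_BYTES - len;
}

/* Hypothetical hypercall: the guest kernel asks that [gpa, gpa+len) stay
 * read-only. Page granularity mirrors how EPT permissions are expressed.
 * There is deliberately no matching "unseal" call: the latch is one-way. */
enum hv_status hv_seal_range(uint64_t gpa, uint64_t len)
{
    if (gpa % PAGE_SIZE || len % PAGE_SIZE || !in_ram(gpa, len))
        return HV_EINVAL;
    if (hv_nsealed == MAX_SEALED)
        return HV_EFULL;
    hv_sealed[hv_nsealed].gpa = gpa;
    hv_sealed[hv_nsealed].len = len;
    hv_nsealed++;
    return HV_OK;
}

/* Models the EPT write-fault path: every guest-initiated write is checked
 * here. A write touching any sealed byte is refused in full (no partial
 * write of its unsealed part) and counted; the count is the detection signal. */
enum hv_status hv_guest_write(uint64_t gpa, const void *src, uint64_t len)
{
    if (!in_ram(gpa, len))
        return HV_EINVAL;
    for (size_t i = 0; i < hv_nsealed; i++) {
        if (overlaps(gpa, len, hv_sealed[i].gpa, hv_sealed[i].len)) {
            hv_violations++;
            return HV_EPERM;
        }
    }
    memcpy(&guest_ram[gpa], src, (size_t)len);
    return HV_OK;
}

unsigned hv_violation_count(void) { return hv_violations; }

uint8_t guest_ram_byte(uint64_t gpa) { return gpa < RAM_BYTES ? guest_ram[gpa] : 0; }

/* Reboot: the only path that drops the seals. */
void hv_reset(void)
{
    hv_nsealed = 0;
    hv_violations = 0;
    memset(guest_ram, 0, sizeof guest_ram);
}

int main(void)
{
    hv_reset();
    /* Constructed scenario: the guest kernel seals two pages at 0x1000, then
     * something inside the VM tries to overwrite a byte in that range. */
    hv_seal_range(0x1000, 2 * PAGE_SIZE);
    enum hv_status st = hv_guest_write(0x1800, "X", 1);
    printf("write to sealed page: %s, violations so far: %u\n",
           st == HV_EPERM ? "refused" : "allowed", hv_violation_count());
    return 0;
}
```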