From: Ingo Molnar <mingo@kernel.org>
To: Ahmed Abd El Mawgood <ahmedsoliman0x666@gmail.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>,
rkrcmar@redhat.com, Jonathan Corbet <corbet@lwn.net>,
Thomas Gleixner <tglx@linutronix.de>,
Ingo Molnar <mingo@redhat.com>, Borislav Petkov <bp@alien8.de>,
hpa@zytor.com, x86@kernel.org, kvm@vger.kernel.org,
linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org,
ovich00@gmail.com, kernel-hardening@lists.openwall.com,
nigel.edwards@hpe.com,
Boris Lukashev <blukashev@sempervictus.com>,
Hossam Hassan <7ossam9063@gmail.com>,
Ahmed Lotfy <A7med.lotfey@gmail.com>
Subject: Re: [PATCH V5 0/5] KVM: X86: Introducing ROE Protection Kernel Hardening
Date: Mon, 29 Oct 2018 07:46:40 +0100 [thread overview]
Message-ID: <20181029064640.GE128403@gmail.com> (raw)
In-Reply-To: <20181026151223.16810-1-ahmedsoliman0x666@gmail.com>
* Ahmed Abd El Mawgood <ahmedsoliman0x666@gmail.com> wrote:
> This is the 5th version which is 4th version with minor fixes. ROE is a
> hypercall that enables host operating system to restrict guest's access to its
> own memory. This will provide a hardening mechanism that can be used to stop
> rootkits from manipulating kernel static data structures and code. Once a memory
> region is protected the guest kernel can't even request undoing the protection.
>
> Memory protected by ROE should be non-swapable because even if the ROE protected
> page got swapped out, It won't be possible to write anything in its place.
>
> ROE hypercall should be capable of either protecting a whole memory frame or
> parts of it. With these two, it should be possible for guest kernel to protect
> its memory and all the page table entries for that memory inside the page table.
> I am still not sure whether this should be part of ROE job or the guest's job.
>
>
> The reason why it would be better to implement this from inside kvm: instead of
> (host) user space is the need to access SPTEs to modify the permissions, while
> mprotect() from user space can work in theory. It will become a big performance
> hit to vmexit and switch to user space mode on each fault, on the other hand,
> having the permission handled by EPT should make some remarkable performance
> gain.
>
> Our model assumes that an attacker got full root access to a running guest and
> his goal is to manipulate kernel code/data (hook syscalls, overwrite IDT ..etc).
>
> There is future work in progress to also put some sort of protection on the page
> table register CR3 and other critical registers that can be intercepted by KVM.
> This way it won't be possible for an attacker to manipulate any part of the
> guests page table.
BTW., transparent detection and trapping of attacks would also be nice:
if ROE is active and something running on the guest still attempts to
change the pagetables, the guest should be frozen and a syslog warning on
the hypervisor side should be printed?
Also, the feature should probably be 'default y' to help spread it on the
distro side. It's opt-in functionality from the guest side anyway, so
there's no real cost on the host side other than some minor resident
memory.
Thanks,
Ingo
next prev parent reply other threads:[~2018-10-29 6:47 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-10-26 15:12 [PATCH V5 0/5] KVM: X86: Introducing ROE Protection Kernel Hardening Ahmed Abd El Mawgood
2018-10-26 15:12 ` [PATCH V5 1/5] KVM: X86: Memory ROE documentation Ahmed Abd El Mawgood
2018-10-29 16:42 ` gRe: [PATCH V5 1/5] KVM: X86: Memory ROE documentation^[ Sean Christopherson
2018-10-31 16:02 ` gRe: [PATCH V5 1/5] KVM: X86: Memory ROE documentation Ahmed Soliman
2018-10-26 15:12 ` [PATCH V5 2/5] KVM: X86: Adding arbitrary data pointer in kvm memslot iterator functions Ahmed Abd El Mawgood
2018-10-26 15:12 ` [PATCH V5 3/5] KVM: X86: Adding skeleton for Memory ROE Ahmed Abd El Mawgood
2018-10-26 15:12 ` [PATCH V5 4/5] KVM: X86: Adding support for byte granular memory ROE Ahmed Abd El Mawgood
2018-10-26 15:12 ` [PATCH V5 5/5] KVM: Small Refactoring to kvm_free_memslot Ahmed Abd El Mawgood
2018-10-29 16:51 ` Sean Christopherson
2018-10-29 6:46 ` Ingo Molnar [this message]
2018-10-30 16:49 ` [PATCH V5 0/5] KVM: X86: Introducing ROE Protection Kernel Hardening Ahmed Soliman
2018-10-29 18:01 ` Igor Stoppa
2018-10-31 23:21 ` Ahmed Soliman
2018-11-01 15:56 ` Igor Stoppa
2018-10-30 17:31 ` Christian Borntraeger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181029064640.GE128403@gmail.com \
--to=mingo@kernel.org \
--cc=7ossam9063@gmail.com \
--cc=A7med.lotfey@gmail.com \
--cc=ahmedsoliman0x666@gmail.com \
--cc=blukashev@sempervictus.com \
--cc=bp@alien8.de \
--cc=corbet@lwn.net \
--cc=hpa@zytor.com \
--cc=kernel-hardening@lists.openwall.com \
--cc=kvm@vger.kernel.org \
--cc=linux-doc@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=nigel.edwards@hpe.com \
--cc=ovich00@gmail.com \
--cc=pbonzini@redhat.com \
--cc=rkrcmar@redhat.com \
--cc=tglx@linutronix.de \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).