Re: Introduction + new project: "rootkit detection using virtualization".

On Tue, Feb 14, 2017 at 10:06 AM, Matthew Giassa <matthew@xxxxxxxxxx> wrote:
> Hi Jidong,
>
> You are correct on all the points noted above: My goal is to develop a
> production-ready, non-academic implementation of such a tool. I'm in
> it for the long haul.
Is your goal for this to work on all architectures, or are you
planning to focus on Intel-x86 (or AMD-x86, or ARM, or...)?
>
> On Fri, Feb 10, 2017 at 7:43 PM, Jidong Xiao <jidong.xiao@xxxxxxxxx> wrote:
>> Thanks Matthew. So if I understand correctly, even though many people have
>> proposed similar solutions, none of them have actually contributed their
>> code (of their solution) into Qemu/KVM. To make it "real" (i.e., as a part
>> of Qemu/KVM code) is your goal, right? That sounds interesting!
>>
>> -Jidong
>>
>> On Fri, Feb 10, 2017 at 8:21 PM, Matthew Giassa <matthew@xxxxxxxxxx> wrote:
>>>
>>> On 2017-02-10 03:18 PM, Jidong Xiao wrote:
>>>>
>>>> Sorry, I have to resend this again, as the original two emails were
>>>> blocked because of the url.
>>>>
>>>> "Rootkit detection using virtualization" has been widely studied for a
>>>> decade. Is the approach you are going to use different from all of these
>>>> existing ones:
>>>>
>>>> "Survey: Virtual Machine Introspection Based System Monitoring and
>>>> Malware Detection Techniques" - by Haofu Liao at University of Rochester.
>>>>
>>>> -Jidong
>>>
>>>
>>> On 2017-02-10 05:37 PM, Rik van Riel wrote:
>>> >
>>> > One of the things that Matthew can do is build on
>>> > the read-only memory protections in the kernel, and
>>> > have the hypervisor enforce that the memory the kernel
>>> > marks as read-only is never written from inside the
>>> > virtual machine, until the next reboot.
>>> >
>>> > That seems like it might be a useful place to start,
>>> > since it would immediately make the other read-only
>>> > protections that people are working on much harder to
>>> > get around, at least inside virtual machines.
>>> >
>>>
>>>
>>> My initial plan was to start with what Rik proposed, and focus on
>>> additional memory protections. With respect to long-term plans, a lot of my
>>> work/research so far has been focused on implementing a system similar to
>>> that presented by Payne et al (ie: Lares).
>>>
>>> -Matthew Giassa
>>
>>
>
>
>
> --
> ============================================================
> Matthew Giassa, MASc, BASc, EIT
> Principal Developer; Security and Embedded Systems Specialist
> linkedin: https://ca.linkedin.com/in/giassa
> e-mail:   matthew@xxxxxxxxxx
> website:  www.giassa.net
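Rik's suggestion above, as a toy model added here (not code from this thread, from KVM, or from any project): a page-table bit set by the guest kernel can be flipped back by anything running as root inside the VM, whereas a second-level permission pinned by the hypervisor cannot, so the write is refused and logged until the next reboot. The page frame numbers, the method names and the two-level permission model are constructed for the illustration.

```python
class Hypervisor:
    """Second-level (EPT/NPT-style) write permissions, outside the guest's reach."""
    def __init__(self, pages):
        self.ept_writable = dict(pages)   # pfn -> writable (copied at VM start)
        self.locked = set()                # pages pinned read-only until reboot
        self.violations = []               # what the hypervisor would log or alert on

    def lock_readonly(self, pfn):
        """Guest kernel reports 'this page is now read-only'; the pin is sticky."""
        self.ept_writable[pfn] = False
        self.locked.add(pfn)

    def request_writable(self, pfn):
        """Any in-guest request to lift the protection is refused until reboot."""
        if pfn in self.locked:
            return False
        self.ept_writable[pfn] = True
        return True

    def reboot(self):
        self.locked.clear()

def guest_write(ptes, hv, pfn, actor):
    """Simulate a store: the guest page table (ptes) is checked first, then the hypervisor's."""
    if not ptes.get(pfn, False):
        return "guest-page-fault"          # handled entirely inside the guest
    if not hv.ept_writable.get(pfn, False):
        hv.violations.append((actor, pfn))  # store trapped by the hypervisor
        return "ept-violation"
    return "ok"

TEXT, DATA = 0x100, 0x200   # constructed page frame numbers (kernel text, kernel data)

def scenario():
    ptes = {TEXT: True, DATA: True}   # guest page table; root in the guest can flip these
    hv = Hypervisor(ptes)
    ptes[TEXT] = False        # boot done: kernel marks its own text read-only...
    hv.lock_readonly(TEXT)    # ...and asks the hypervisor to enforce that
    r = {"data_write": guest_write(ptes, hv, DATA, "kernel"),
         "text_write": guest_write(ptes, hv, TEXT, "rootkit")}
    ptes[TEXT] = True         # rootkit flips the guest PTE; on its own that would allow the write
    r["text_write_after_pte_flip"] = guest_write(ptes, hv, TEXT, "rootkit")
    r["unlock_refused"] = not hv.request_writable(TEXT)
    hv.reboot()               # only a reboot clears the pin
    r["unlock_after_reboot"] = hv.request_writable(TEXT)
    r["violations"] = list(hv.violations)
    return r
```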


