Re: Introduction + new project: "rootkit detection using virtualization".

On 2017-02-14 01:25 PM, Steve Rutherford wrote:
On Tue, Feb 14, 2017 at 10:06 AM, Matthew Giassa <matthew@xxxxxxxxxx> wrote:
Hi Jidong,

You are correct on all the points noted above: my goal is to develop a
production-ready, non-academic implementation of such a tool. I'm in
it for the long haul.
Is your goal for this to work on all architectures, or are you
planning to focus on Intel-x86 (or AMD-x86, or ARM, or...)?

On Fri, Feb 10, 2017 at 7:43 PM, Jidong Xiao <jidong.xiao@xxxxxxxxx> wrote:
Thanks Matthew. So if I understand correctly, even though many people have
proposed similar solutions, none of them have actually contributed their
code (of their solution) into Qemu/KVM. To make it "real" (i.e., as a part
of Qemu/KVM code) is your goal, right? That sounds interesting!

-Jidong

On Fri, Feb 10, 2017 at 8:21 PM, Matthew Giassa <matthew@xxxxxxxxxx> wrote:

On 2017-02-10 03:18 PM, Jidong Xiao wrote:

Sorry, I have to resend this again, as the original two emails were
blocked because of the url.

"Rootkit detection using virtualization" has been widely studied for a
decade. Is the approach you are going to use different from all of these
existing ones:

"Survey: Virtual Machine Introspection Based System Monitoring and
Malware Detection Techniques" - by Haofu Liao at University of Rochester.

-Jidong


On 2017-02-10 05:37 PM, Rik van Riel wrote:

One of the things that Matthew can do is build on
the read-only memory protections in the kernel, and
have the hypervisor enforce that the memory the kernel
marks as read-only is never written from inside the
virtual machine, until the next reboot.

That seems like it might be a useful place to start,
since it would immediately make the other read-only
protections that people are working on much harder to
get around, at least inside virtual machines.



My initial plan was to start with what Rik proposed, and focus on
additional memory protections. With respect to long-term plans, a lot of my
work/research so far has been focused on implementing a system similar to
that presented by Payne et al. (i.e., Lares).

-Matthew Giassa





--
============================================================
Matthew Giassa, MASc, BASc, EIT
Principal Developer; Security and Embedded Systems Specialist
linkedin: https://ca.linkedin.com/in/giassa
e-mail:   matthew@xxxxxxxxxx
website:  www.giassa.net

My initial aim is x86/x64 targets, unless there are additional resources I can tap into for expanding to ARM. If I can get a working prototype up and running and into "staging", then expanding to ARM architecture would be viable.
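The protection Rik describes above (the hypervisor enforcing that pages the guest kernel marks read-only are never written from inside the VM until the next reboot) can be sketched as a small permission model. The following C program is an added illustration and is not code from this thread, from KVM or from Matthew's project; the functions `hv_reset`, `hv_lock_readonly`, `hv_unlock_request` and `guest_write`, the page count and the single sticky "locked" bit are all hypothetical stand-ins for what a real hypervisor would keep in its second-level page tables (EPT/NPT entries). The point it demonstrates is the one that makes this stronger than an in-guest protection: a guest kernel, compromised or not, can ask for a page to be made writable again, and the hypervisor refuses until the guest is reset.

```c
/* Added example (not from the thread or from KVM): a toy model of a hypervisor
 * that honours "this range is read-only" requests from the guest kernel and
 * refuses to undo them until the guest reboots. All names are hypothetical. */
#include <stdint.h>
#include <stdio.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  (1u << PAGE_SHIFT)
#define NPAGES     64                    /* toy guest: 64 pages = 256 KiB */
#define GUEST_SIZE ((uint64_t)NPAGES * PAGE_SIZE)

/* Per-page state held by the hypervisor: a write bit, as in an EPT entry,
 * plus one sticky lock bit that only hv_reset() (a guest reboot) clears. */
enum { HV_WRITABLE = 1u << 0, HV_LOCKED_RO = 1u << 1 };

static uint8_t hv_page_flags[NPAGES];
static unsigned long hv_violations;      /* blocked writes since last reset */

/* Hypervisor: guest (re)boot. Everything writable, no locks held. */
void hv_reset(void)
{
    for (int p = 0; p < NPAGES; p++)
        hv_page_flags[p] = HV_WRITABLE;
    hv_violations = 0;
}

static int range_ok(uint64_t gpa, uint64_t len)
{
    return len != 0 && gpa < GUEST_SIZE && len <= GUEST_SIZE - gpa;
}

/* Guest kernel -> hypervisor: "[gpa, gpa+len) is now read-only" (what the
 * guest would say when it finishes marking its text/rodata). The hypervisor
 * drops write permission and sets the sticky lock on every page in range.
 * Returns the number of pages locked, or -1 if the range is out of bounds. */
int hv_lock_readonly(uint64_t gpa, uint64_t len)
{
    if (!range_ok(gpa, len))
        return -1;
    int first = (int)(gpa >> PAGE_SHIFT), last = (int)((gpa + len - 1) >> PAGE_SHIFT);
    for (int p = first; p <= last; p++)
        hv_page_flags[p] = HV_LOCKED_RO;   /* clears HV_WRITABLE, sets lock */
    return last - first + 1;
}

/* Guest kernel -> hypervisor: "make [gpa, gpa+len) writable again". Code
 * running at ring 0 inside the guest can issue this request, so the hypervisor
 * grants it only for pages that were never locked. Returns 0 if granted,
 * -1 if any page in the range is locked or the range is out of bounds. */
int hv_unlock_request(uint64_t gpa, uint64_t len)
{
    if (!range_ok(gpa, len))
        return -1;
    int first = (int)(gpa >> PAGE_SHIFT), last = (int)((gpa + len - 1) >> PAGE_SHIFT);
    for (int p = first; p <= last; p++)
        if (hv_page_flags[p] & HV_LOCKED_RO)
            return -1;                     /* sticky until hv_reset() */
    for (int p = first; p <= last; p++)
        hv_page_flags[p] |= HV_WRITABLE;
    return 0;
}

/* A guest write to gpa. Stands in for the permission check the hardware does
 * on every access: a write to a page without HV_WRITABLE traps to the
 * hypervisor, which logs it and counts a violation. Returns 1 if the write
 * went through, 0 if it was blocked. */
int guest_write(uint64_t gpa, uint8_t value)
{
    if (gpa >= GUEST_SIZE)
        return 0;
    int p = (int)(gpa >> PAGE_SHIFT);
    if (!(hv_page_flags[p] & HV_WRITABLE)) {
        hv_violations++;
        fprintf(stderr, "hv: blocked write of 0x%02x to gpa 0x%llx (page %d)\n",
                value, (unsigned long long)gpa, p);
        return 0;
    }
    return 1;                              /* a real hypervisor lets it through */
}

unsigned long hv_violation_count(void) { return hv_violations; }

int main(void)
{
    hv_reset();
    hv_lock_readonly(4 * PAGE_SIZE, 4 * PAGE_SIZE);        /* kernel text: pages 4..7 */
    guest_write(5 * PAGE_SIZE + 0x10, 0x41);               /* blocked, logged */
    printf("unlock granted? %d\n", hv_unlock_request(5 * PAGE_SIZE, PAGE_SIZE) == 0);
    guest_write(9 * PAGE_SIZE, 0x01);                      /* ordinary data page: ok */
    printf("violations: %lu\n", hv_violation_count());
    hv_reset();                                            /* reboot: locks gone */
    printf("after reset, write ok? %d\n", guest_write(5 * PAGE_SIZE, 0x00));
    return 0;
}
```

The model deliberately has no "unlock" path other than a reset: that is the property that distinguishes hypervisor enforcement from the kernel's own read-only mappings, which anything running at the guest's highest privilege level could in principle edit. In a real implementation the lock and write bits would live in the second-level page tables and the violation would surface as a VM exit, which is the natural point to raise a detection event.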
