RE: Introduction + new project: "rootkit detection using virtualization".

Hi Matthew,
We have been working on a Kernel Hardening project. Please find slides at http://events.linuxfoundation.org/sites/events/files/slides/Kernel%20Protection-Nakajima.pdf. We presented this idea at KVM Forum 2016. The idea is to protect CPU/platform resources and kernel-managed resources (IDT, kernel page tables, etc.) during execution of a VM. This approach is extended to the bare-metal/host OS by switching the execution of the host OS into guest mode and monitoring the host OS with a very thin hypervisor, probably a kvm module extension. Currently we have a PoC, contained in the kvm module, for switching the host OS into guest mode. We are open to collaboration and feedback.

Thanks
-Sainath
> -----Original Message-----
> From: kvm-owner@xxxxxxxxxxxxxxx [mailto:kvm-owner@xxxxxxxxxxxxxxx] On
> Behalf Of Matthew Giassa
> Sent: Tuesday, February 14, 2017 7:32 PM
> To: Steve Rutherford <srutherford@xxxxxxxxxx>
> Cc: Jidong Xiao <jidong.xiao@xxxxxxxxx>; kernel-
> hardening@xxxxxxxxxxxxxxxxxx; KVM <kvm@xxxxxxxxxxxxxxx>; Rik van Riel
> <riel@xxxxxxxxxx>
> Subject: Re: Introduction + new project: "rootkit detection using
> virtualization".
> 
> On 2017-02-14 01:25 PM, Steve Rutherford wrote:
> > On Tue, Feb 14, 2017 at 10:06 AM, Matthew Giassa <matthew@xxxxxxxxxx> wrote:
> >> Hi Jidong,
> >>
> >> You are correct on all the points noted above: My goal is to develop a
> >> production-ready, non-academic implementation of such a tool. I'm in
> >> it for the long haul.
> > Is your goal for this to work on all architectures, or are you
> > planning to focus on Intel-x86 (or AMD-x86, or ARM, or...)?
> >>
> >> On Fri, Feb 10, 2017 at 7:43 PM, Jidong Xiao <jidong.xiao@xxxxxxxxx> wrote:
> >>> Thanks Matthew. So if I understand correctly, even though many
> >>> people have proposed similar solutions, none of them have actually
> >>> contributed their code (of their solution) into Qemu/KVM. To make it
> >>> "real" (i.e., as a part of Qemu/KVM code) is your goal, right? That sounds
> >>> interesting!
> >>>
> >>> -Jidong
> >>>
> >>> On Fri, Feb 10, 2017 at 8:21 PM, Matthew Giassa <matthew@xxxxxxxxxx> wrote:
> >>>>
> >>>> On 2017-02-10 03:18 PM, Jidong Xiao wrote:
> >>>>>
> >>>>> Sorry, I have to resend this again, as the original two emails
> >>>>> were blocked because of the url.
> >>>>>
> >>>>> "Rootkit detection using virtualization" has been widely studied
> >>>>> for a decade. Is the approach you are going to use different from
> >>>>> all of these existing ones:
> >>>>>
> >>>>> "Survey: Virtual Machine Introspection Based System Monitoring and
> >>>>> Malware Detection Techniques" - by Haofu Liao at University of
> >>>>> Rochester.
> >>>>>
> >>>>> -Jidong
> >>>>
> >>>>
> >>>> On 2017-02-10 05:37 PM, Rik van Riel wrote:
> >>>>>
> >>>>> One of the things that Matthew can do is build on the read-only
> >>>>> memory protections in the kernel, and have the hypervisor enforce
> >>>>> that the memory the kernel marks as read-only is never written
> >>>>> from inside the virtual machine, until the next reboot.
> >>>>>
> >>>>> That seems like it might be a useful place to start, since it
> >>>>> would immediately make the other read-only protections that people
> >>>>> are working on much harder to get around, at least inside virtual
> >>>>> machines.
> >>>>>
> >>>>
> >>>>
> >>>> My initial plan was to start with what Rik proposed, and focus on
> >>>> additional memory protections. With respect to long-term plans, a
> >>>> lot of my work/research so far has been focused on implementing a
> >>>> system similar to that presented by Payne et al. (i.e., Lares).
> >>>>
> >>>> -Matthew Giassa
> >>>
> >>>
> >>
> >>
> >>
> >> --
> >>
> >> ============================================================
> >> Matthew Giassa, MASc, BASc, EIT
> >> Principal Developer; Security and Embedded Systems Specialist
> >> linkedin: https://ca.linkedin.com/in/giassa
> >> e-mail:   matthew@xxxxxxxxxx
> >> website:  www.giassa.net
> 
> My initial aim is x86/x64 targets, unless there are additional resources I can
> tap into for expanding to ARM. If I can get a working prototype up and running
> and into "staging", then expanding to ARM architecture would be viable.
> 
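To make concrete what Rik's proposal above (and the "kernel page tables" item in Sainath's list) buys over in-guest protection alone, here is a small added C model that is not code from this thread, from KVM, or from either project. It simulates two translation levels: a guest page table that a kernel-privileged rootkit can rewrite, and a hypervisor-owned second-level (EPT/NPT-style) permission set that the guest cannot reach. Once the guest kernel asks the hypervisor to seal a page, the second-level write bit is only ever restored by a reboot, so flipping the guest PTE back to writable no longer helps, and every blocked write is counted as a detection signal. The page size, page count, hypercall name and result codes are all constructed for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NPAGES   8
#define PAGE_SZ  16   /* toy page size; constructed for this example */

/* Guest-controlled page-table entry. A rootkit running with guest kernel
 * privilege can rewrite these bits; that is the bypass this model closes. */
struct guest_pte {
    bool present;
    bool writable;
};

/* Hypervisor-controlled second-level entry (EPT/NPT style). The guest has
 * no mapping to this structure, so it cannot restore the write bit. */
struct ept_entry {
    bool writable;
};

struct vm {
    struct guest_pte gpt[NPAGES];
    struct ept_entry ept[NPAGES];
    uint8_t          mem[NPAGES][PAGE_SZ];
    unsigned         ept_violations;   /* blocked writes: the detection signal */
};

enum write_result {
    WRITE_OK            =  0,
    WRITE_GUEST_FAULT   = -1,  /* guest PT says read-only: an ordinary #PF */
    WRITE_EPT_VIOLATION = -2   /* hypervisor refused: guest PT was bypassed */
};

/* Reboot (or first boot): every page is writable at both levels. */
void vm_reset(struct vm *vm)
{
    memset(vm, 0, sizeof *vm);
    for (unsigned p = 0; p < NPAGES; p++) {
        vm->gpt[p].present  = true;
        vm->gpt[p].writable = true;
        vm->ept[p].writable = true;
    }
}

/* Hypothetical hypercall: the guest kernel has finished marking a page
 * read-only (think mark_rodata_ro()) and asks the hypervisor to enforce it.
 * The EPT write bit is cleared here and set again only by vm_reset(), so
 * the protection is monotonic until the next reboot. */
void vm_seal_readonly(struct vm *vm, unsigned page)
{
    if (page >= NPAGES)
        return;
    vm->gpt[page].writable = false;
    vm->ept[page].writable = false;
}

/* What kernel-privileged code inside the guest can always do: edit its own PTE. */
void guest_set_pte_writable(struct vm *vm, unsigned page, bool w)
{
    if (page < NPAGES)
        vm->gpt[page].writable = w;
}

/* A store from inside the guest is checked at both translation levels. */
enum write_result guest_write(struct vm *vm, unsigned page, size_t off, uint8_t val)
{
    if (page >= NPAGES || off >= PAGE_SZ || !vm->gpt[page].present)
        return WRITE_GUEST_FAULT;
    if (!vm->gpt[page].writable)
        return WRITE_GUEST_FAULT;        /* first line of defence: guest PT */
    if (!vm->ept[page].writable) {
        vm->ept_violations++;            /* second line: the hypervisor wins */
        return WRITE_EPT_VIOLATION;
    }
    vm->mem[page][off] = val;
    return WRITE_OK;
}

uint8_t guest_read(const struct vm *vm, unsigned page, size_t off)
{
    return (page < NPAGES && off < PAGE_SZ) ? vm->mem[page][off] : 0;
}

int main(void)
{
    struct vm vm;
    vm_reset(&vm);
    guest_write(&vm, 2, 0, 0x90);              /* kernel text written once at boot */
    vm_seal_readonly(&vm, 2);

    enum write_result r1 = guest_write(&vm, 2, 0, 0xCC);   /* ordinary #PF */
    guest_set_pte_writable(&vm, 2, true);                  /* rootkit flips the PTE */
    enum write_result r2 = guest_write(&vm, 2, 0, 0xCC);   /* still blocked by EPT */

    printf("sealed write: %d, after PTE tamper: %d, byte: 0x%02x, violations: %u\n",
           r1, r2, guest_read(&vm, 2, 0), vm.ept_violations);
    return 0;
}
```

The design point is the asymmetry: the guest PTE and the second-level entry are both cleared at seal time, but only the second-level entry is out of the guest's reach, and only a reset restores it. In a real KVM implementation the second-level check is done by the hardware EPT/NPT walker and surfaces as an EPT-violation exit, which the hypervisor can log or act on rather than silently drop.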