Thank you for this, Sainath. Is this module of yours already in mainline KVM, or elsewhere in a separate repo? Cheers! On Wed, Feb 15, 2017 at 10:31 PM, Grandhi, Sainath <sainath.grandhi@xxxxxxxxx> wrote: > Hi Matthew, > We have been working on a Kernel Hardening project. Please find slides at http://events.linuxfoundation.org/sites/events/files/slides/Kernel%20Protection-Nakajima.pdf . We presented this idea in KVM Forum 2016. The idea is to protect CPU/platform resources and kernel managed resources (IDT, kernel page tables etc.) during execution of a VM. This approach is extended to baremetal/host OS by switching the execution of host OS into guest mode and monitoring the host OS with a very thin hypervisor, probably kvm module extension. Currently we have a PoC, contained in kvm module, for switching the host OS into guest mode. We are open for collaboration and feedback. > > Thanks > -Sainath >> -----Original Message----- >> From: kvm-owner@xxxxxxxxxxxxxxx [mailto:kvm-owner@xxxxxxxxxxxxxxx] On >> Behalf Of Matthew Giassa >> Sent: Tuesday, February 14, 2017 7:32 PM >> To: Steve Rutherford <srutherford@xxxxxxxxxx> >> Cc: Jidong Xiao <jidong.xiao@xxxxxxxxx>; kernel- >> hardening@xxxxxxxxxxxxxxxxxx; KVM <kvm@xxxxxxxxxxxxxxx>; Rik van Riel >> <riel@xxxxxxxxxx> >> Subject: Re: Introduction + new project: "rootkit detection using >> virtualization". >> >> On 2017-02-14 01:25 PM, Steve Rutherford wrote: >> > On Tue, Feb 14, 2017 at 10:06 AM, Matthew Giassa <matthew@xxxxxxxxxx> >> wrote: >> >> Hi Jidong, >> >> >> >> You are correct on all the points noted above:My goal is to develop a >> >> production-ready, non-academic implementation of such a tool. I'm in >> >> it for the long haul. >> > Is your goal for this to work on all architectures, or are you >> > planning to focus on Intel-x86 (or AMD-x86, or ARM, or...)? >> >> >> >> On Fri, Feb 10, 2017 at 7:43 PM, Jidong Xiao <jidong.xiao@xxxxxxxxx> >> wrote: >> >>> Thanks Matthew. So if I understand correctly, even though many >> >>> people have proposed similar solutions, none of them have actually >> >>> contributed their code (of their solution) into Qemu/KVM. To make it >> >>> "real" (i.e., as a part of Qemu/KVM code) is your goal, right? That sounds >> interesting! >> >>> >> >>> -Jidong >> >>> >> >>> On Fri, Feb 10, 2017 at 8:21 PM, Matthew Giassa <matthew@xxxxxxxxxx> >> wrote: >> >>>> >> >>>> On 2017-02-10 03:18 PM, Jidong Xiao wrote: >> >>>>> >> >>>>> Sorry, I have to resend this again, as the original two emails >> >>>>> were blocked because of the url. >> >>>>> >> >>>>> "Rootkit detection using virtualization" has been widely studied >> >>>>> for a decade. Is the approach you are going to use different from >> >>>>> all of these existing ones: >> >>>>> >> >>>>> "Survey: Virtual Machine Introspection Based System Monitoring and >> >>>>> Malware Detection Techniques" - by Haofu Liao at University of >> Rochester. >> >>>>> >> >>>>> -Jidong >> >>>> >> >>>> >> >>>> On 2017-02-10 05:37 PM, Rik van Riel wrote: >> >>>>> >> >>>>> One of the things that Matthew can do is build on the read-only >> >>>>> memory protections in the kernel, and have the hypervisor enforce >> >>>>> that the memory the kernel marks as read-only is never written >> >>>>> from inside the virtual machine, until the next reboot. >> >>>>> >> >>>>> That seems like it might be a useful place to start, since it >> >>>>> would immediately make the other read-only protections that people >> >>>>> are working on much harder to get around, at least inside virtual >> >>>>> machines. >> >>>>> >> >>>> >> >>>> >> >>>> My initial plan was to start with what Rik proposed, and focus on >> >>>> additional memory protections. With respect to long-term plans, a >> >>>> lot of my work/research so far has been focused on implementing a >> >>>> system similar to that presented by Payne et al (ie: Lares). >> >>>> >> >>>> -Matthew Giassa >> >>> >> >>> >> >> >> >> >> >> >> >> -- >> >> >> ============================================================ >> >> Matthew Giassa, MASc, BASc, EIT >> >> Principal Developer; Security and Embedded Systems Specialist >> >> linkedin: https://ca.linkedin.com/in/giassa >> >> e-mail: matthew@xxxxxxxxxx >> >> website: www.giassa.net >> >> My initial aim is x86/x64 targets, unless there are additional resources I can >> tap into for expanding to ARM. If I can get a working prototype up and running >> and into "staging", then expanding to ARM architecture would be viable. >> > -- ============================================================ Matthew Giassa, MASc, BASc, EIT Principal Developer; Security and Embedded Systems Specialist linkedin: https://ca.linkedin.com/in/giassa e-mail: matthew@xxxxxxxxxx website: www.giassa.net