--Is the method of making kernel read only to block rootkits used in linux kernel mainline?
I suspect not. How are you going to distinguish between a "legitimate program" and a "rootkit" program? Program includes both userland programs and kernel modules. This distinction is needed, because legitimate kernel modules can call "kmalloc" and that is read/writeable kernel memory. Suppose there is a vulnerability in the kernel modules (and thus a userspace program can escalate privilege and execute into it); then the "kmalloc" is executed on behalf of the malware, but outwardly it looks as if the kernel module is making a memory allocation. Unless you record all the potential legitimate kernel execution paths (sequences of EIP addresses) and compare them dynamically with the redirected path (as triggered by the malware), it seems impossible to distinguish. And the database of paths is also going to be very huge.
For KVM:
http://www.linux-kvm.org/wiki/images/3/33/KvmForum2008$kdf2008_15.pdf
http://wiki.xen.org/wiki/X86_Paravirtualised_Memory_Management
http://lists.xen.org/archives/html/xen-devel/2009-10/msg01201.html
Hello guys,
I was going through kernelnewbies.org and came across a project "Block Rootkits using Virtualization" by riel.
Basically we have to make the kernel read-only after the boot process completes so rootkits get blocked.
I have a few doubts...
--Is the method of making kernel read only to block rootkits used in linux kernel mainline?
--has anybody implemented this project already?
--what is the good way to start with the above project?
--any guidelines to implement the above project??
--can I get any mentor??
--any material related to the above project??
(note: I have requested to join the mailing list but have not been approved yet. So please reply to me personally.)
_______________________________________________
Kernel-mentors mailing list
Kernel-mentors@xxxxxxxxxxx
http://selenic.com/mailman/listinfo/kernel-mentors
--
Regards,
Peter Teoh
_______________________________________________
Kernelnewbies mailing list
Kernelnewbies@xxxxxxxxxxxxxxxxx
http://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies