On Fri, 06 Jul 2018 21:29:40 +0200, you said:
> Implementing some kernel protection against subset of rootkits that
> manipulates kernel static data (memory pages as well as their
> mappings) by having them enforced by hypervisor which is KVM in our
Can you give an actual example of a case where *all* of the following are true?
1) It's a page that's safe to make R/O out from under the code that uses that page.
2) It's a kernel static data that's R/W (Hint: stuff known to be R/O is already set to R/O
at boot or module load time, so if it's R/W it probably *needs* to be that...)
3) the rootkit *is* able to screw with kernel pages, but somehow *is not* able to
disable your protection (remember, all it takes is one NOP or BRANCH opcode in
the right place).
Attachment:
pgp1xQFJX9DmC.pgp
Description: PGP signature
_______________________________________________ Kernelnewbies mailing list Kernelnewbies@xxxxxxxxxxxxxxxxx https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
