Re: [PATCH V5 0/5] KVM: X86: Introducing ROE Protection Kernel Hardening

From: Igor Stoppa
Date: Mon Oct 29 2018 - 14:01:49 EST

Next message: Trond Myklebust: "Re: [PATCH] SUNRPC: Fix iter_iov_*vec warnings"
Previous message: Prakhya, Sai Praneeth: "RE: [PATCH V2 1/2] x86/efi: Unmap EFI boot services code/data regions from efi_pgd"
In reply to: Ahmed Soliman: "Re: [PATCH V5 0/5] KVM: X86: Introducing ROE Protection Kernel Hardening"
Next in thread: Ahmed Soliman: "Re: [PATCH V5 0/5] KVM: X86: Introducing ROE Protection Kernel Hardening"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,

On 26/10/2018 16:12, Ahmed Abd El Mawgood wrote:

This is the 5th version which is 4th version with minor fixes. ROE is a
hypercall that enables host operating system to restrict guest's access to its
own memory. This will provide a hardening mechanism that can be used to stop
rootkits from manipulating kernel static data structures and code. Once a memory
region is protected the guest kernel can't even request undoing the protection.

This is very interesting, because it seems a very good match to the work I'm doing, for supporting the creation of more targets for protection:

https://www.openwall.com/lists/kernel-hardening/2018/10/23/3

In my case the protection would extend also to write-rate type of data.
There is an open problem of identifying legitimate write-rare operations, however it should be possible to provide at least a certain degree of confidence.

--

igor

Next message: Trond Myklebust: "Re: [PATCH] SUNRPC: Fix iter_iov_*vec warnings"
Previous message: Prakhya, Sai Praneeth: "RE: [PATCH V2 1/2] x86/efi: Unmap EFI boot services code/data regions from efi_pgd"
In reply to: Ahmed Soliman: "Re: [PATCH V5 0/5] KVM: X86: Introducing ROE Protection Kernel Hardening"
Next in thread: Ahmed Soliman: "Re: [PATCH V5 0/5] KVM: X86: Introducing ROE Protection Kernel Hardening"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]