From: ahmedsoliman0x666@gmail.com (Ahmed Soliman)
To: kernelnewbies@lists.kernelnewbies.org
Subject: How to change page permission from inside the kernel?
Date: Fri, 6 Jul 2018 21:29:40 +0200
Message-ID: <CAAGnT3YTAfNr5mkVPR1OPHot+ByGy12njihtC6Tco7ee6AUh0Q@mail.gmail.com>
In-Reply-To: <107393.1530902545@turing-police.cc.vt.edu>

> So there's two questions here:
>
from inside KVM lkm (/virt/kvm and arch/x86/kvm )
> 1) Why does the page's protection need to be changed?

Implementing some kernel protection against a subset of rootkits that
manipulate kernel static data (memory pages as well as their
mappings) by having them enforced by the hypervisor, which is KVM in our
case (it is one-way enforcement, only reset by reboot).  For the sake
of the question, what is going on here is guest virtual address -> guest
frame number -> host virtual address and then something that behaves
like mprotect but inside a loadable kernel module; the protection
request is done via hypercall, so KVM should handle that internally.
The point is all memory used by KVM for virtualization is mmapped in
userspace and then passed to KVM using an IOCTL, and KVM is assumed to be
free to do whatever it wants with that memory area.

> 2) And why from inside the kernel?
Because this needs to be done from inside KVM.

Note: I am aware that this won't be effective against rootkits that
live in userspace, rootkits that target kernel dynamic data, files on
disk, as well as VMM escapes, but I believe if the attack surface is
reduced by just a little bit, it is not that bad, so please let's not
discuss that :P.

Thanks.
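
The scheme described in the message above, as an added user-space model that is not part of the original e-mail and is not KVM code: a memory slot maps guest frame numbers onto the userspace mapping registered with KVM, and a hypercall sets a sticky read-only bit that only a reset clears. All names (`struct memslot`, `hc_protect_gfn`, `guest_write_allowed`, `vm_reset`) and the 64-page slot are hypothetical, and the guest virtual to guest physical walk is left out.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#define PAGE_SHIFT 12
#define SLOT_PAGES 64            /* constructed slot capacity for this model */

/* Model of a memory slot: guest frames backed by a userspace mapping. */
struct memslot {
    uint64_t base_gfn;           /* first guest frame number in the slot */
    uint64_t npages;             /* pages in the slot, at most SLOT_PAGES */
    uint64_t userspace_addr;     /* host virtual address of the mapping (non-zero) */
    uint8_t  ro[SLOT_PAGES / 8]; /* sticky read-only bitmap, one bit per page */
};

/* gfn -> hva; returns 0 when the frame lies outside the slot. */
uint64_t slot_gfn_to_hva(const struct memslot *s, uint64_t gfn)
{
    uint64_t off = gfn - s->base_gfn;   /* wraps to a huge value if gfn < base */
    if (gfn < s->base_gfn || off >= s->npages || off >= SLOT_PAGES)
        return 0;
    return s->userspace_addr + (off << PAGE_SHIFT);
}

/* Hypothetical hypercall handler: mark one guest frame read-only.
 * One-way by construction: no function in this model clears a single bit. */
int hc_protect_gfn(struct memslot *s, uint64_t gfn)
{
    if (!slot_gfn_to_hva(s, gfn))
        return -1;                      /* reject frames the slot does not back */
    uint64_t i = gfn - s->base_gfn;
    s->ro[i / 8] |= (uint8_t)(1u << (i % 8));
    return 0;
}

/* Write-fault path: may the guest write to this guest physical address? */
bool guest_write_allowed(const struct memslot *s, uint64_t gpa)
{
    uint64_t gfn = gpa >> PAGE_SHIFT;
    if (!slot_gfn_to_hva(s, gfn))
        return false;                   /* unbacked address: deny */
    uint64_t i = gfn - s->base_gfn;
    return !(s->ro[i / 8] & (1u << (i % 8)));
}

/* Models a reboot, the only event that drops the protections. */
void vm_reset(struct memslot *s)
{
    memset(s->ro, 0, sizeof(s->ro));
}
```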
