
[Xen-devel] DomU rootkit detection in Dom0


  • To: <xen-devel@xxxxxxxxxxxxxxxxxxx>
  • From: "James Harper" <james.harper@xxxxxxxxxxxxxxxx>
  • Date: Sat, 9 Oct 2010 18:55:02 +1100
  • Delivery-date: Sat, 09 Oct 2010 00:56:11 -0700
  • List-id: Xen developer discussion <xen-devel.lists.xensource.com>
  • Thread-index: Actnh0dt98No7ae4S2G4Err5RBJnhw==
  • Thread-topic: DomU rootkit detection in Dom0

Has any work been done on rootkit/kernel patching detection under Xen?
E.g. Dom0 periodically scans mapped kernel space in DomU to see if
anything has been tinkered with. Ideally this would need to operate
entirely outside of DomU (for obvious reasons), but having a driver in
DomU initially grant the kernel pages to Dom0 might be required.

64-bit versions of Windows have PatchGuard(?) that prevents any
modification to the kernel
(http://www.microsoft.com/whdc/driver/kernel/64bitPatching.mspx), but
because that exists 'in the box' it can never be foolproof.

More importantly, and perhaps OT, would this offer any reasonable
increase in protection or is it just a short term gain?

James

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
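The periodic scan sketched in the question, as an added illustration that is not code from this thread or from Xen: Dom0 records a baseline hash of each guest kernel text page it has been granted and later rescans them, reporting which pages no longer match. The page buffer, page count and the FNV-1a hash are constructed stand-ins; real code would hash the actual mapped grant pages, and a baseline taken before the guest finishes applying its own boot-time patches would produce false positives.

```c
#include <stdint.h>
#include <stddef.h>

#define PAGE_SIZE 4096
#define NPAGES 4   /* constructed: number of granted kernel text pages */

/* 64-bit FNV-1a over one page. Each step is a bijection on the state,
 * so any single-byte change in the page is guaranteed to alter the hash. */
static uint64_t page_hash(const uint8_t *page)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < PAGE_SIZE; i++) {
        h ^= page[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Record the baseline hash of every granted page (taken once, after boot). */
static void take_baseline(const uint8_t *text, uint64_t *baseline, size_t npages)
{
    for (size_t p = 0; p < npages; p++)
        baseline[p] = page_hash(text + p * PAGE_SIZE);
}

/* Periodic rescan: returns a bitmask with bit p set for every page whose
 * current hash differs from the baseline (0 means nothing changed). */
static uint64_t scan_kernel_text(const uint8_t *text, const uint64_t *baseline,
                                 size_t npages)
{
    uint64_t changed = 0;
    for (size_t p = 0; p < npages; p++)
        if (page_hash(text + p * PAGE_SIZE) != baseline[p])
            changed |= (uint64_t)1 << p;
    return changed;
}

/* Constructed stand-in for the DomU kernel text mapped into Dom0. */
static uint8_t guest_text[NPAGES * PAGE_SIZE];
static uint64_t baseline[NPAGES];

/* Baseline the fake text, optionally flip one byte in page 2 (a constructed
 * in-guest patch), then rescan and return the changed-page mask. */
static uint64_t demo(int tamper)
{
    for (size_t i = 0; i < sizeof guest_text; i++)
        guest_text[i] = (uint8_t)(i * 31 + 7);   /* constructed contents */
    take_baseline(guest_text, baseline, NPAGES);
    if (tamper)
        guest_text[2 * PAGE_SIZE + 100] ^= 0x01;
    return scan_kernel_text(guest_text, baseline, NPAGES);
}
```

A hash mismatch only says a page changed, not why: legitimate self-patching in the guest looks identical to a rootkit hook, and a guest that is already compromised can grant Dom0 clean copies instead of the pages it actually executes, which is the weakness of relying on an in-guest driver for the grants.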
