WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 		  
Home Products Support Community News
 
   
 

xen-devel

[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Xen-devel] DomU rootkit detection in Dom0

from [James Harper] [Permanent Link][Original]
To: <xen-devel@xxxxxxxxxxxxxxxxxxx>
Subject: [Xen-devel] DomU rootkit detection in Dom0
From: "James Harper" <james.harper@xxxxxxxxxxxxxxxx>
Date: Sat, 9 Oct 2010 18:55:02 +1100
Delivery-date: Sat, 09 Oct 2010 00:56:11 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
Thread-index: Actnh0dt98No7ae4S2G4Err5RBJnhw==
Thread-topic: DomU rootkit detection in Dom0 
Has any work been done on rootkit/kernel patching detection under Xen?
Eg Dom0 periodically scans mapped kernel space in DomU to see if
anything has been tinkered with. Ideally this would need to operate
entirely outside of DomU (for obvious reasons), but having a driver in
DomU initially grant the kernel pages to Dom0 might be required.

64 bit versions of Windows have PatchGuard(?) that prevent any
modification to the kernel
(http://www.microsoft.com/whdc/driver/kernel/64bitPatching.mspx), but
because that exists 'in the box' it can never been foolproof.

More importantly, and perhaps OT, would this offer any reasonable
increase in protection or is it just a short term gain?

James

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
  • [Xen-devel] DomU rootkit detection in Dom0, James Harper <=
Previous by Date:  [Xen-devel] python 2.4 and the xl, Jiang, Yunhong
Next by Date:  [Xen-devel] [xen-4.0-testing test] 2346: regressions - FAIL, xen . org
Previous by Thread:  [Xen-devel] python 2.4 and the xl, Jiang, Yunhong
Next by Thread:  [Xen-devel] [xen-4.0-testing test] 2346: regressions - FAIL, xen . org
Indexes:  [Date] [Thread] [Top] [All Lists]
 
   

Copyright , Citrix Systems Inc. All rights reserved. Legal and Privacy