This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


[Xen-devel] DomU rootkit detection in Dom0

To: <xen-devel@xxxxxxxxxxxxxxxxxxx>
Subject: [Xen-devel] DomU rootkit detection in Dom0
From: "James Harper" <james.harper@xxxxxxxxxxxxxxxx>
Date: Sat, 9 Oct 2010 18:55:02 +1100
Delivery-date: Sat, 09 Oct 2010 00:56:11 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
Thread-index: Actnh0dt98No7ae4S2G4Err5RBJnhw==
Thread-topic: DomU rootkit detection in Dom0
Has any work been done on rootkit/kernel patching detection under Xen?
E.g. Dom0 periodically scans mapped kernel space in DomU to see if
anything has been tinkered with. Ideally this would need to operate
entirely outside of DomU (for obvious reasons), but having a driver in
DomU initially grant the kernel pages to Dom0 might be required.

64-bit versions of Windows have PatchGuard(?) that prevents any
modification to the kernel
(http://www.microsoft.com/whdc/driver/kernel/64bitPatching.mspx), but
because that exists 'in the box' it can never be foolproof.

More importantly, and perhaps OT, would this offer any reasonable
increase in protection or is it just a short term gain?
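The scan described in the message, as an added illustration that is not part of the original post or of Xen: Dom0 records a per-page digest of the guest's kernel text while the guest is trusted, then re-hashes the same pages later and reports any that changed. The guest memory read is replaced here by a constructed byte buffer; a real monitor would map the DomU pages from Dom0 and would also have to account for legitimate in-place changes such as boot-time relocations.

```python
import hashlib

PAGE_SIZE = 4096  # x86 page granularity shared by Xen and the guest kernel


def page_digests(image: bytes, page_size: int = PAGE_SIZE) -> list[str]:
    """One SHA-256 digest per page of a kernel text region that should be read-only."""
    return [hashlib.sha256(image[off:off + page_size]).hexdigest()
            for off in range(0, len(image), page_size)]


def scan(baseline: list[str], image: bytes, page_size: int = PAGE_SIZE) -> list[int]:
    """Return indices of pages whose contents no longer match the baseline.

    If the region grew or shrank, every page index beyond the shorter side
    is reported as well, so a silently resized mapping is not missed.
    """
    current = page_digests(image, page_size)
    changed = [i for i, (old, new) in enumerate(zip(baseline, current)) if old != new]
    lo, hi = sorted((len(baseline), len(current)))
    return changed + list(range(lo, hi))


def constructed_kernel_text(pages: int = 4) -> bytes:
    """Constructed stand-in for the guest's mapped kernel text (not a real kernel image)."""
    return bytes((i * 7 + 13) & 0xFF for i in range(pages * PAGE_SIZE))


def patch_page(image: bytes, page: int, offset: int, patch: bytes) -> bytes:
    """Constructed in-place modification of a few bytes inside one page."""
    pos = page * PAGE_SIZE + offset
    return image[:pos] + patch + image[pos + len(patch):]


if __name__ == "__main__":
    clean = constructed_kernel_text()
    baseline = page_digests(clean)  # taken once, while the guest is trusted
    print("clean scan:", scan(baseline, clean))  # []
    tampered = patch_page(clean, 2, 0x120, b"\x00" * 8)
    print("tampered scan:", scan(baseline, tampered))  # [2]
```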


Xen-devel mailing list
