|lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC
Open Source and information security mailing list archives
Date: Tue, 02 Jan 2007 16:10:31 -0500 From: Rik van Riel <riel@...riel.com> To: Matthieu Suiche <msuiche@...il.com> Cc: bugtraq@...urityfocus.com Subject: Re: Windows Vista 64bits and unexported kernel symbols Matthieu Suiche wrote: > Hello, > > This article is talking about Windows Vista 64bits and its system > structures > which are proteged against rootkit. I also explain how these structures can > be authentified without Pathguard. > > http://www.msuiche.net/papers/Windows_Vista_64bits_and_unexported_kernel_symbols.pdf If you really wanted to protect a kernel from root kits, you could use virtualization for that. Simply mark part of the guest memory as read only, and only allow the guest to map that memory read-only. Conversely, the guest needs to only be allowed to map that memory (and no other memory) at the addresses that memory is supposed to be mapped, so it cannot eg. create duplicate syscall table, modify that and map it where the original used to be mapped in virtual memory. This kind of scheme can work because an exploit would not have the permission to modify the memory in question, and the hypervisor itself does not run any of the applications that could exploit it. Of course, with such a scheme the anti-virus vendors would be totally locked out. -- Politics is the struggle between those who want to make their country the best in the world, and those who believe it already is. Each group calls the other unpatriotic.
Powered by blists - more mailing lists