lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 02 Jan 2007 16:10:31 -0500
From: Rik van Riel <riel@...riel.com>
To: Matthieu Suiche <msuiche@...il.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: Windows Vista 64bits and unexported kernel symbols

Matthieu Suiche wrote:
> Hello,
> 
> This article is talking about Windows Vista 64bits and its system 
> structures
> which are proteged against rootkit. I also explain how these structures can
> be authentified without Pathguard.
> 
> http://www.msuiche.net/papers/Windows_Vista_64bits_and_unexported_kernel_symbols.pdf 

If you really wanted to protect a kernel from root kits, you could
use virtualization for that.  Simply mark part of the guest memory
as read only, and only allow the guest to map that memory read-only.

Conversely, the guest needs to only be allowed to map that memory
(and no other memory) at the addresses that memory is supposed to
be mapped, so it cannot eg. create duplicate syscall table, modify
that and map it where the original used to be mapped in virtual
memory.

This kind of scheme can work because an exploit would not have the
permission to modify the memory in question, and the hypervisor itself
does not run any of the applications that could exploit it.

Of course, with such a scheme the anti-virus vendors would be totally
locked out.

-- 
Politics is the struggle between those who want to make their country
the best in the world, and those who believe it already is.  Each group
calls the other unpatriotic.

Powered by blists - more mailing lists