Dailydave mailing list archives

Re: VPC

From: "Andrew R. Reiter" <arr () watson org>
Date: Sat, 1 Mar 2008 14:59:18 -0500 (EST)

hey,

On Thu, 28 Feb 2008, Matt Richard wrote:

[snip]


I have only seen defensive implementations such as the work of
Garfinkel and Rosenblum at Stanford.  Their use case is a modified
hypervisor that can monitor critical OS data structures.  One of their
implementations watches the Linux system call table and can prevent
modification to thwart rootkits.

http://www.cs.fit.edu/%7Epkc/id/related/garfinkel03ndssVM.pdf


Admittedly I just browsed this paper (so please forgive any poor 
assumptions I make), but it seems their sys call protection scheme just 
monitors the syscall table structure and not the actual syscall code.  My 
point being -- for a long time people have just done jmp overwrites at the 
beginning (or other known to be "ok" location) of the system call they are 
hooking so that they don't have to touch the values in the syscall table. 
Am I wrong about what they protect?  If so, my fault!! :D

Cheers,
Andrew
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave

Current thread:

Re: VPC, (continued)
- - - Re: VPC John H. Sawyer (Feb 23)
- Re: VPC Thorsten Holz (Feb 21)
  - Re: VPC Jared DeMott (Feb 22)
    - Re: VPC John H. Sawyer (Feb 23)
  - Re: VPC Halvar Flake (Feb 27)
- Re: VPC Thierry Zoller (Feb 22)
- Re: VPC Alexander Sotirov (Feb 24)
- Re: VPC Anthony Lineberry (Feb 28)
  - Re: VPC Matt Richard (Feb 29)
    - Re: VPC Jon Oberheide (Feb 29)
    - Re: VPC Andrew R. Reiter (Mar 03)
- Re: VPC Thierry Zoller (Feb 23)
  - Re: VPC Tyler (Feb 23)
    - Re: VPC J.M. Seitz (Feb 24)
    - Re: VPC Jared DeMott (Feb 25)
- Re: VPC Rodrigo Rubira Branco (BSDaemon) (Feb 29)
  - Re: VPC Joanna Rutkowska (Feb 29)
    - Re: VPC Joanna Rutkowska (Feb 29)
- Re: VPC Rodrigo Rubira Branco (BSDaemon) (Mar 03)
  - Re: VPC don bailey (Mar 03)