Dailydave mailing list archives
Re: VPC
From: "Andrew R. Reiter" <arr () watson org>
Date: Sat, 1 Mar 2008 14:59:18 -0500 (EST)
hey,

On Thu, 28 Feb 2008, Matt Richard wrote:

[snip]

> I have only seen defensive implementations such as the work of Garfinkel and Rosenblum at Stanford. Their use case is a modified hypervisor that can monitor critical OS data structures. One of their implementations watches the Linux system call table and can prevent modification to thwart rootkits.
> http://www.cs.fit.edu/%7Epkc/id/related/garfinkel03ndssVM.pdf

Admittedly I just browsed this paper (so please forgive any poor assumptions I make), but it seems their syscall protection scheme just monitors the syscall table structure and not the actual syscall code.

My point being -- for a long time people have just done jmp overwrites at the beginning (or other known-to-be-"ok" location) of the system call they are hooking so that they don't have to touch the values in the syscall table.

Am I wrong about what they protect? If so, my fault!! :D

Cheers,
Andrew
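The gap Andrew raises is easy to make concrete: a monitor that snapshots only the syscall table sees an entry being repointed, but it does not see a handler whose first bytes were overwritten while the table entry stays valid. The following is an added illustration, not code from the thread or from the Garfinkel/Rosenblum paper, and it runs against a constructed stand-in for a kernel image (a name-to-offset syscall table plus a flat byte buffer standing in for the text segment; `PROLOGUE_LEN` and the offsets are assumed values). It keeps two independent baselines and shows which tampering mode each one catches.

```python
import hashlib

# Number of leading handler bytes to checksum (assumed value, not from the thread).
PROLOGUE_LEN = 16


def build_sample_kernel():
    """Constructed stand-in for a kernel image: a syscall table mapping
    name -> handler offset, and a flat text segment holding handler code."""
    text = bytearray(b"\x90" * 256)  # constructed text segment, NOP filled
    table = {"read": 0x00, "write": 0x40, "open": 0x80}
    for addr in table.values():
        # constructed placeholder prologue so each handler has distinct, non-NOP bytes
        text[addr:addr + PROLOGUE_LEN] = bytes((addr + i) & 0xFF for i in range(PROLOGUE_LEN))
    return table, text


def _prologue_hash(text, addr):
    return hashlib.sha256(bytes(text[addr:addr + PROLOGUE_LEN])).hexdigest()


def table_baseline(table):
    """Snapshot of the table entries: all a table-only monitor remembers."""
    return dict(table)


def code_baseline(table, text):
    """Snapshot of (handler address, hash of its first PROLOGUE_LEN bytes)."""
    return {name: (addr, _prologue_hash(text, addr)) for name, addr in table.items()}


def check_table(table, baseline):
    """Names whose table entry no longer matches the baseline."""
    return sorted(name for name, addr in baseline.items() if table.get(name) != addr)


def check_code(text, baseline):
    """Names whose handler prologue (at the baseline address) has changed.
    The baseline address is used on purpose so this check does not depend on
    the table being intact."""
    return sorted(name for name, (addr, digest) in baseline.items()
                  if _prologue_hash(text, addr) != digest)


def simulate_table_hook(table, name, new_addr):
    """Tampering mode 1: repoint a table entry (what table monitoring catches)."""
    table[name] = new_addr


def simulate_inline_hook(text, addr):
    """Tampering mode 2: overwrite the handler's first bytes and leave the
    table untouched. The bytes are a constructed stand-in for a 5-byte
    relative jmp; a table-only monitor never sees this."""
    text[addr:addr + 5] = b"\xE9\x00\x00\x00\x00"


def demo():
    """Apply one hook of each kind and report what each monitor flags."""
    table, text = build_sample_kernel()
    tb, cb = table_baseline(table), code_baseline(table, text)
    simulate_inline_hook(text, table["open"])
    simulate_table_hook(table, "write", 0xC0)
    return {"table_only": check_table(table, tb), "code": check_code(text, cb)}


if __name__ == "__main__":
    print(demo())  # {'table_only': ['write'], 'code': ['open']}
```

Two caveats a real deployment has to deal with. First, hashing only the prologue covers the classic first-bytes overwrite; a patch placed further into the handler (the "other known-to-be-ok location" Andrew mentions) requires checksumming the whole function body, or the whole kernel text, against a known-good image. Second, kernels legitimately rewrite their own text at runtime, so a naive whole-text hash produces false positives unless those sanctioned patch sites are accounted for; and the check only means something when the memory is read from outside the guest, which is the reason the cited work puts the monitor in the hypervisor rather than in the monitored OS.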