15

Let's say I have a linux guest running in xen and I want xen to check the integrity of the guest kernel so that I know there aren't any rootkits, or similar, active.

Is there a way to accomplish this in with xen or other hypervisors?

Scott Pack
baj
    I don't have a proper answer for this, but She Who Is The Expert on this (Joanna Rutkowska) can be found at http://theinvisiblethings.blogspot.com/. She was the original author of the Blue Pill exploit, and numerous other attacks on virtualization. – AviD Mar 30 '11 at 13:53
  • Do you want merely some file-level integrity checking, or do you want to go deeper? – Marcin Apr 01 '11 at 00:45
  • No. File integrity can be checked: mount, compare hashes, maybe search for files with foremost. I found that http://www.segmentationfault.fr/projets/volatilitux-physical-memory-analysis-linux-systems/ could do the job. I asked the author and he said it should work with Xen memory dumps. A list of network connections is still a missing feature, but the project is young. Probably he will implement it some day. – baj Apr 02 '11 at 22:44
  • Look at some of Samsung Knox's stuff, e.g. RKP. – forest Dec 18 '18 at 03:07

5 Answers

6

That exists handily? I'm not aware. However, within the memory space that the VM allocates, the kernel is in a predictable location. One could write code which reads the memory and compares the structure to what is expected.

If I were implementing such a creature, I'd focus on following the system APIs and ensuring that they are appropriate. One likely challenge is that different kernel versions will have changes in different areas. You may have to do mapping on a kernel-by-kernel basis.

You may be able to run chkrootkit externally to the VM by exporting your filesystems. I've never tried such a thing, but I bet it would make an excellent research project.

EDIT: or read your disk images directly, live, and use known-good hash comparisons from outside the VM. Then your VM continues running, but you have the benefit of the "LiveCD" confidence. There, now I have answers ordered from most esoteric to readily available.

Jeff Ferland
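A minimal version of the structure check this answer describes, written here as an added example (it is not code from the answer, from Xen, or from any existing tool). It takes a raw memory dump of the guest, reads the system call table at a physical offset you already know for that exact kernel build, and flags entries that either point outside the kernel's text segment or differ from a trusted copy of the table. The dump, the offsets, the text range and the addresses below are all constructed for illustration; on a real guest they would come from the System.map / vmlinux of that kernel version, which is the kernel-by-kernel mapping the answer warns about.

```python
"""
Syscall-table hook check over a raw guest memory dump.

Added example, not the answer's own code. Assumptions:
  * the dump is a flat physical-memory image (if your dump format carries
    headers, e.g. an ELF core, seek past them first);
  * TABLE_OFF is the physical offset of sys_call_table in the dump and
    KTEXT_START..KTEXT_END is the kernel .text range, both taken from the
    System.map / vmlinux of this exact kernel build (hypothetical values here);
  * the guest is x86-64, so each table entry is a little-endian 64-bit pointer.
"""
import struct

PTR_SIZE = 8                 # x86-64 guest
NR_SYSCALLS = 8              # trimmed table size for the constructed dump

# Hypothetical layout of the constructed dump.
KTEXT_START = 0xffffffff81000000
KTEXT_END = 0xffffffff81a00000
TABLE_OFF = 0x1000

# "Known good" table: every entry points into kernel .text.  On a real system
# this comes from a trusted dump of the same kernel or from its vmlinux.
KNOWN_GOOD = [KTEXT_START + 0x1000 * (i + 1) for i in range(NR_SYSCALLS)]


def read_syscall_table(dump: bytes, table_off: int, nr: int) -> list:
    """Parse `nr` little-endian 64-bit entries starting at table_off."""
    end = table_off + nr * PTR_SIZE
    if end > len(dump):
        raise ValueError("syscall table extends past end of dump")
    return list(struct.unpack_from(f"<{nr}Q", dump, table_off))


def find_hooks(table, text_start, text_end):
    """Entries not inside kernel .text: [(syscall_nr, target)].

    A hooked entry typically points into a loaded module or other
    non-text memory, so the range check catches table-swapping rootkits
    even without a trusted copy of the table.
    """
    return [(i, t) for i, t in enumerate(table) if not (text_start <= t < text_end)]


def diff_against_known_good(table, known_good):
    """Stricter check: [(syscall_nr, seen, expected)] for every changed entry."""
    return [(i, t, g) for i, (t, g) in enumerate(zip(table, known_good)) if t != g]


def build_dump(table) -> bytes:
    """Construct a small flat 'memory image' containing only the table."""
    buf = bytearray(0x2000)
    struct.pack_into(f"<{len(table)}Q", buf, TABLE_OFF, *table)
    return bytes(buf)


CLEAN_DUMP = build_dump(KNOWN_GOOD)

# Constructed infected dump: entry 2 redirected to an address outside .text,
# as a hook living in a loaded module would be.
HOOKED_TARGET = 0xffffffffc0123000
_hooked = list(KNOWN_GOOD)
_hooked[2] = HOOKED_TARGET
HOOKED_DUMP = build_dump(_hooked)


def scan(dump: bytes):
    """Return (range_violations, diffs_vs_known_good) for a dump."""
    table = read_syscall_table(dump, TABLE_OFF, NR_SYSCALLS)
    return (find_hooks(table, KTEXT_START, KTEXT_END),
            diff_against_known_good(table, KNOWN_GOOD))


if __name__ == "__main__":
    for name, d in (("clean", CLEAN_DUMP), ("hooked", HOOKED_DUMP)):
        hooks, diffs = scan(d)
        print(f"{name}: out-of-text entries={hooks} changed entries={diffs}")
```

Two caveats a practitioner would add: the range check only catches entries that point outside .text, so a rootkit that patches the first bytes of a genuine handler in place (inline hooking) passes it, and you need the known-good comparison plus a hash of the .text region itself to catch that; and every offset here is specific to one kernel build, so the checker has to be re-derived whenever the guest kernel is updated.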
1

xm dump-core --> Xen memory dump

http://www.segmentationfault.fr/projets/volatilitux-physical-memory-analysis-linux-systems/ --> searching for active processes and open files.

foremost --> searching for files

baj
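The file-level side of this answer and of the "known good hash comparisons from outside the VM" idea above, as an added example (not the answer's code and not any existing tool). It assumes the guest's disk image has been attached read-only on the host and mounted at some directory, and that a manifest of SHA-256 hashes was taken from the same image before the guest ever ran. The sample tree, the file names and the "rootkit" changes are constructed in a temporary directory so the script runs without a real guest image.

```python
"""
Known-good hash manifest check of a guest filesystem from the host.

Added example, not the answer's own code.  Assumptions: the guest image is
mounted read-only at `root` on the host, and `known_good` was built from a
trusted copy of the same filesystem.  The demo below constructs a fake tree.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file (path relative to root, POSIX style) to its hash."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            # Skip symlinks: following them would hash targets outside the
            # tree or double-count files an attacker points them at.
            if p.is_symlink():
                continue
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def verify(root: Path, known_good: dict) -> dict:
    """Report modified, missing and unexpected files relative to the manifest.

    'unexpected' matters as much as 'modified': a dropped kernel module or
    replacement binary shows up there even though no manifest entry changed.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in known_good if k in current and current[k] != known_good[k]),
        "missing": sorted(k for k in known_good if k not in current),
        "unexpected": sorted(k for k in current if k not in known_good),
    }


def demo():
    """Build a constructed guest tree, take a manifest, then 'infect' it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "boot").mkdir()
        (root / "bin").mkdir()
        (root / "lib" / "modules").mkdir(parents=True)
        (root / "boot" / "vmlinuz").write_bytes(b"kernel image (constructed)")
        (root / "bin" / "ps").write_bytes(b"procps (constructed)")
        (root / "lib" / "modules" / "e1000.ko").write_bytes(b"nic driver (constructed)")

        manifest = build_manifest(root)        # taken while the image is trusted
        clean = verify(root, manifest)

        # Constructed rootkit activity: trojaned ps, new kernel module,
        # a legitimate module removed.
        (root / "bin" / "ps").write_bytes(b"ps that hides certain pids (constructed)")
        (root / "lib" / "modules" / "rk.ko").write_bytes(b"rootkit module (constructed)")
        (root / "lib" / "modules" / "e1000.ko").unlink()

        return clean, verify(root, manifest)


if __name__ == "__main__":
    before, after = demo()
    print("clean image:", before)
    print("infected image:", after)
```

Mount the image read-only (and noexec) on the host so the check itself cannot alter or run anything from the guest, and keep the manifest off the guest. This only sees what touches the disk: a rootkit that lives purely in kernel memory will not appear here, which is why it pairs with the memory-dump approach rather than replacing it.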
1

Hypervisor introspection allows the host to access the memory of its guests.

Here are 2 aging examples:

1) XenAccess
2) Ukwazi-Xen

atdre
0

In the time since this question was asked, a few have been released. Of those, only one is in common use, which is RKP from Samsung Knox. It is a hypervisor-based solution that verifies the integrity of the running kernel. It operates by detecting modification to kernel structures and monitoring credentials.

There are also some experimental designs, such as SecVisor and Capsule.


The Linux kernel is in the process of implementing ROE for KVM on x86 systems:

ROE is a hypercall that enables host operating system to restrict guest's access to its own memory. This will provide a hardening mechanism that can be used to stop rootkits from manipulating kernel static data structures and code. Once a memory region is protected the guest kernel can't even request undoing the protection.

forest
0

BlockWatch monitors guest OSes by inspecting memory snapshots.

It uses snapshots because they can typically be converted into a common format (MINIDUMP); this is the case for Hyper-V and VMware.

BlockWatch also has Python scripting to automate snapshot/export/memory-scanning/cleanup. The memory validation is done with a cryptographically secure hash (Tiger192). Currently it validates 32- and 64-bit Windows OSes.