LVBS and Advanced Kernel Integrity – Thara Gopinath, Microsoft
Linux Virtualization based Security (LVBS) is a security feature that can a) harden the kernel and b) ensure that critical kernel resources remain untampered, even if the kernel gets compromised. VBS uses hardware virtualization and the hypervisor (Hyper-V) to create an isolated virtual environment that runs as a higher trust level, called Virtual Trust Level 1 (VTL1). In earlier talks on LVBS we explored the fundamentals of having a secure kernel running in VTL1 and how we support basic kernel integrity through LVBS. In this talk we explore how LVBS can be extended to offer advanced kernel integrity features. We examine the status quo in Linux kernel today and the various kernel features that manipulate page tables to inject/modify kernel code. We then discuss how these features can be hardened via LVBS to ensure that authenticity and integrity of the modified/loaded code can be ensured, even if the kernel is compromised. We will also present the status of our work in hardening some of these features. Finally, as future work we also explore hardening of key kernel data structures that are target to attack and present our goals in guarding them against unauthorized modification.
