Virtualization Based Hardening (VBH) - Intel / Bitdefender

I’ve found another interesting kernel self-protection module (like LKRG) using virtualization to protect the kernel.

Using this would of course be nested virtualization but in the video, they say it works fine in KVM.

I haven’t yet tested this though and it seems quite complex.

1 Like

Interesting however it is Intel only and the juicy features are unpublished:

  • Help prevent privilege escalation attacks against the Linux kernel. (source code not published)
  • Help protect the Linux kernel's code against tampering. (source code not published)
1 Like

Acknowledged.

This however would be OK in theory if we used bitdefender/vbh_sample since that is fully Open Source?

If you’re wondering why I was packaging LKRG and not yet VBH:

  • Time is one reason.
  • Another is that LKRG is supported by Adam and Solar. Both are very responsive on the mailing list for years, very reasonable and easy to talk to. I haven’t seen much from VBH yet but also didn’t search.

If someone wants to move this forward, I suggest:

  • discuss VBH on LKRG mailing list
  • try VBH in Debian, Kicksecure, and Whonix, contact upstream when applicable.

Packaging VBH might be similarly doable for me if it’s a “pure” kernel module since I already packaged LKRG. Useful? Dunno, I don’t know if VBH does things that LKRG doesn’t. Please contact both upstreams to talk about this.

Related: Linux Kernel Runtime Guard (LKRG) - Linux Kernel Runtime Integrity Checking and Exploit Detection

2 Likes

This presentation from the KVM Forum conference mentions Intel/Bitdefender as the first commercial-grade and open-source tool of its kind:

Also interesting stuff about the advantages of VMI.

2 Likes