Hello, welcome to the Thursday, December 21st, 2017 edition of the Sansonet Storm Center's

Stormcast. My name is Johannes Ulrich and I'm recording from Jacksonville, Florida.

One of the most basic and foundational parts of any operating systems, be it Windows or Unix, is the kernel.

Now, a matter of course tries to modify and hide itself from the kernel because if it can

accomplish that, it makes it a lot more difficult to detect and remove.

And if you are interested in how this all works, how attackers get access to the kernel,

how you may be able to detect it, we do have a great guest diary today by Itaigneur.

Pretty long read compared to some of our other diaries, but certainly worthwhile for you to go over it. Maybe, just maybe,

it's a little bit slower at work today, so that may be ideal to take a step at learning

something like how kernel hooking works. And one of the up-and-coming security technologies is memory encryption.

Now, we long have had full disk encryption.

Memory encryption has been tricky for a number of reasons.

First of all, performance, of course, could suffer, which is particular critical for memory.

And then also, how do you store keys

and how meaningful is it to actually encrypt memory? Well, Intel now published their take on the

problem with a new specification for total memory encryption. One interesting feature here is that the memory can actually be

segmented into different encrypted parts. This is of course particularly interesting for

virtualization where you can add an additional barrier here between memory used by

different virtual machines by encrypting it using different keys.

AMV is also working on a similar technology that has already been deployed in some of its

processors and Linux actually just started supporting this technology on a virtual machine level.

So with this you can encrypt memory for each virtual machine individually, which actually not only

...