[cap-talk] Virtual Machine Based Rootkits

Jed at Webstart donnelley1 at webstart.com
Wed Aug 2 22:53:18 EDT 2006


cap-talk,

I realize this topic is a bit off our capability focus.  I hope somebody
will point me to a more focused list if they know of one.  Given the sorts
of topics we discuss on this list, this one seems generally relevant to me.

I found this paper:

http://www.eecs.umich.edu/~pmchen/papers/king06.pdf

quite interesting reading.  It contains a description of some work done
on Virtual Machine Based Rootkits (VMBRs).

Some have taken this work to suggest that the work that has recently
gone into processor design to make virtual machine support transparent
may backfire in some way to make rootkits like the above more difficult
to detect and therefore more prevalent.

I don't agree with this position.  I would like to get a full discussion
happening lest such an understanding (if indeed it is incorrect) gain
wide acceptance and another generation of virtual machine support
goes down the tubes.

Here are some comments I had on the paper:

It appears that all the work (the test systems with VMWare and VirtualPC)
was done on machines without the new generation of virtual machine
support processors:

"We expect future enhancements to the x86 platform
to reduce these perturbations. Upcoming virtualization
support from Intel [45] and AMD [7] will enable
more efficient virtualization."

so it's clear that one doesn't need such virtualization features to implement
such Virtual Machine Based Rootkits.  Still, one could argue that such features
make their life easier.  I don't believe the authors were suggesting that,
though some have suggested that in email.  I believe the authors appropriately
placed the issue in the context of an escalating battle.  They pointed out
some ways in which virtualizability can enhance protection (e.g. run a secure
VMM on the base system and detect rootkits in VMs).

I believe such virtualization support makes it considerably easier to protect
against rootkits.  I do think running relatively vulnerable systems (e.g.
systems where you run commercial or downloaded software, systems
that are network facing, etc.) under a VM makes protection easier.  I'd
very much like to get a network monitor for my VMM.  I know that in some
sense it's safer to monitor the network externally.  Still, doing so is less
convenient.  I think such monitoring from a base VMM could be quite
helpful.

I think there are a couple of points in the paper where the authors
got a bit enamored with their technology and seemed to suggest that it
could do things that I believe are difficult to impossible.  For example,
when they were referring to efforts to detect a VMBR they said:

"...even if the target system did see something amiss, the VMBR could
tamper with the execution of the detector and force it to report incorrect
results."

While I agree this is theoretically possible, I think in practice
it's very unlikely to ever be achieved.

From what I've read so far it seems that having better support for
virtual machine monitors supports efforts at protection and
detection more than it supports attacks.  I will personally feel
more comfortable if I'm able to run my network facing Windows
system under a virtual machine monitor.  E.g. one that can look
for boot record changes, can monitor network traffic, etc.  One
where I can take the system easily back to an initial state
(e.g. base build, base software installed) and easily add my
relevant files and some few new applications.

--Jed http://www.webstart.com/jed/
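The boot-record check Jed wishes for above, as an added example that is not part of this post or of the paper: a base VMM reads the guest's first disk sector and compares its boot code and partition table against a baseline taken from the trusted base build, so a legitimate partition change is reported separately from altered boot code. The MBR layout is the standard 446/64/2-byte one; the sample sector and the function names are constructed for this example.

```python
import hashlib
import struct

BOOT_CODE_LEN = 446      # x86 boot code occupies bytes 0..445; partition table follows
SIGNATURE = b"\x55\xaa"  # boot signature at bytes 510..511

def parse_mbr(sector: bytes) -> dict:
    """Split a classic 512-byte MBR into boot code, partition entries and signature."""
    if len(sector) != 512:
        raise ValueError("an MBR is exactly 512 bytes")
    entries = []
    for i in range(4):  # four 16-byte partition entries at bytes 446..509
        e = sector[BOOT_CODE_LEN + 16 * i:BOOT_CODE_LEN + 16 * (i + 1)]
        lba_start, num_sectors = struct.unpack_from("<II", e, 8)
        entries.append({"bootable": e[0] == 0x80, "type": e[4],
                        "lba_start": lba_start, "sectors": num_sectors})
    return {"boot_code": sector[:BOOT_CODE_LEN], "entries": entries,
            "signature_ok": sector[510:512] == SIGNATURE}

def baseline(sector: bytes) -> dict:
    """Record what the trusted base build's boot record looked like."""
    mbr = parse_mbr(sector)
    return {"boot_code_sha256": hashlib.sha256(mbr["boot_code"]).hexdigest(),
            "entries": mbr["entries"]}

def check_mbr(sector: bytes, base: dict) -> list:
    """Compare the guest's current boot record with the baseline; return findings."""
    mbr = parse_mbr(sector)
    findings = []
    if not mbr["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if hashlib.sha256(mbr["boot_code"]).hexdigest() != base["boot_code_sha256"]:
        findings.append("boot code changed")  # the region a boot-time loader would alter
    for i, (cur, old) in enumerate(zip(mbr["entries"], base["entries"])):
        if cur != old:  # partition resized/moved/retyped; reported apart from code changes
            findings.append(f"partition entry {i} changed: {old} -> {cur}")
    return findings

def make_sample_mbr(boot_code: bytes, entries: list) -> bytes:
    """Build a constructed sample MBR for testing (not captured from any real disk)."""
    table = b"".join(struct.pack("<B3sB3sII", 0x80 if boot else 0, b"\0\0\0", ptype,
                                 b"\0\0\0", start, n) for boot, ptype, start, n in entries)
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + table + SIGNATURE

# Constructed baseline: one bootable type-0x07 partition plus three empty slots.
CLEAN_MBR = make_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c",
                            [(True, 0x07, 2048, 1_000_000)] + [(False, 0, 0, 0)] * 3)
BASE = baseline(CLEAN_MBR)
```

In practice the baseline would be stored outside the guest (with the VMM), since anything kept on the guest's own disk could be rewritten along with the boot record.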
