[cap-talk] Virtual Machine Based Rootkits

Norman Hardy norm at cap-lore.com
Thu Aug 3 23:01:23 EDT 2006


On Aug 2, 2006, at 7:53 PM, Jed at Webstart wrote:

> cap-talk,
>
> I realize this topic is a bit off our capability focus.  I hope
> somebody will point me
> to a more focused list if they know of one.  Given the sorts of
> topics we discuss on
> this list, this one seems generally relevant to me.
>
> I found this paper:
>
> http://www.eecs.umich.edu/~pmchen/papers/king06.pdf
>
> quite interesting reading.  It contains a description of some work
> done on Virtual Machine Based Rootkits (VMBRs).
>
> Some have taken this work to suggest that the work that has recently
> gone into processor design to make virtual machine support transparent
> may backfire in some way to make rootkits like the above more
> difficult to detect and therefore more prevalent.
>
> I don't agree with this position.  I would like to get a full
> discussion happening lest such an understanding (if indeed it is
> incorrect) gain wide acceptance and another generation of virtual
> machine support goes down the tubes.

I agree with you Jed. It is a matter of degree.
I enjoyed the paper but was annoyed that they didn't spend even a
sentence acknowledging that this problem was once solved by operating
systems that did not run unknown code in privileged mode.
I think there were actually such OSes at one time.
I understand the box that MS is in and how they got there.
They need a broader perspective than Windows.
What sort of security is it that depends on discovering privileged
malware already in place and then tries to ‘recover’?
Certainly not the sort we propose on this mail list.
See more comments on paper and a brief rant at
<http://cap-lore.com/CapTheory/SubVirt.html>.

> Here are some comments I had on the paper:
>
> It appears that all the work (the test systems with VMWare and
> VirtualPC) were done on machines without the new generation of
> virtual machine support processors:
>
> "We expect future enhancements to the x86 platform
> to reduce these perturbations. Upcoming virtualization
> support from Intel [45] and AMD [7] will enable
> more efficient virtualization."
>
> so it's clear that one doesn't need such virtualization features to
> implement such Virtual Machine Based Rootkits.  Still, one could
> argue that such features make their life easier.  I don't believe
> the authors were suggesting that, though some have suggested that
> in email.  I believe the authors appropriately placed the issue in
> the context of an escalating battle.  They pointed out some ways in
> which virtualizability can enhance protection (e.g. run a secure
> VMM on the base system and detect rootkits in VMs).
>
> I believe such virtualization support makes it considerably easier
> to protect against rootkits.  I do think running relatively
> vulnerable systems (e.g. systems where you run commercial or
> downloaded software, systems that are network facing, etc.) under a
> VM makes protection easier.  I'd very much like to get a network
> monitor for my VMM.  I know that in some sense it's safer to monitor
> the network externally.  Still doing so is less convenient.  I think
> such monitoring from a base VMM could be quite helpful.
>
> I think there are a couple of points in the paper where the authors
> got a bit enamored with their technology and seemed to suggest that it
> could do things that I believe are difficult to impossible.  For
> example, when they were referring to efforts to detect a VMBR they
> said:
>
> "...even if the target system did see something amiss, the VMBR could
> tamper with the execution of the detector and force it to report
> incorrect results."
>
> While I agree this is theoretically possible, I think in practice
> it's very unlikely to ever be achieved.

It is not so hard if the attacker has seen the code that he is trying
to subvert.
It is nearly impossible otherwise.
This is why it is a never-ending sequence of blow and counter-blow in
which the defender has no advantage.

> From what I've read so far it seems that having better support for
> virtual machine monitors supports efforts at protection and
> detection more than it supports attacks.  I will personally feel
> more comfortable if I'm able to run my network facing Windows
> system under a virtual machine monitor.  E.g. one that can look
> for boot record changes, can monitor network traffic, etc.  One
> where I can take the system easily back to an initial state
> (e.g. base build, base software installed) and easily add my
> relevant files and some few new applications.
>
> --Jed http://www.webstart.com/jed/
>
>
> _______________________________________________
> cap-talk mailing list
> cap-talk at mail.eros-os.org
> http://www.eros-os.org/mailman/listinfo/cap-talk
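As an added illustration (not code from the paper or from anyone in this thread), here is the kind of out-of-guest boot record check Jed asks his VMM for: the host reads the first 512 bytes of the guest's disk image and compares the boot code hash and partition table against a baseline taken from the known-good build. The two MBRs below are constructed in the code; on a real system the bytes would be read from the guest image file.

```python
import hashlib
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 446          # 4 x 16-byte partition entries follow the boot code
BOOT_SIGNATURE = b"\x55\xaa"     # last two bytes of a valid MBR


def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte master boot record into the pieces worth baselining."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        entry = mbr[PART_TABLE_OFFSET + 16 * i: PART_TABLE_OFFSET + 16 * (i + 1)]
        # status(1) CHS-start(3, skipped) type(1) CHS-end(3, skipped) LBA-start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        parts.append({"status": status, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return {
        "code_sha256": hashlib.sha256(mbr[:PART_TABLE_OFFSET]).hexdigest(),
        "partitions": parts,
        "signature_ok": mbr[510:512] == BOOT_SIGNATURE,
    }


def compare_mbr(baseline: bytes, current: bytes) -> list:
    """Return human-readable findings; an empty list means no change was detected."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not c["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if b["code_sha256"] != c["code_sha256"]:
        findings.append("boot code changed")
    for i, (bp, cp) in enumerate(zip(b["partitions"], c["partitions"])):
        if bp != cp:
            findings.append(f"partition entry {i} changed: {bp} -> {cp}")
    return findings


def _make_mbr(code: bytes, parts) -> bytes:
    """Build a constructed sample MBR: boot code, four partition entries, signature."""
    table = b"".join(struct.pack("<B3xB3xII", s, t, l, n) for s, t, l, n in parts)
    return code.ljust(PART_TABLE_OFFSET, b"\x00") + table + BOOT_SIGNATURE


EMPTY = (0, 0, 0, 0)
# Constructed sample data: the baseline from the base build, and a later snapshot
# whose boot code and first partition entry differ.
BASELINE_MBR = _make_mbr(b"\xeb\x3c\x90KNOWN-GOOD-BOOTCODE", [(0x80, 0x83, 2048, 409600), EMPTY, EMPTY, EMPTY])
TAMPERED_MBR = _make_mbr(b"\xeb\x3c\x90LOADER-REPLACED", [(0x80, 0x83, 4096, 407552), EMPTY, EMPTY, EMPTY])

if __name__ == "__main__":
    for finding in compare_mbr(BASELINE_MBR, TAMPERED_MBR):
        print(finding)
```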
