[cap-talk] Virtual Machine Based Rootkits
jed at nersc.gov
Thu Aug 3 23:36:28 EDT 2006
At 08:01 PM 8/3/2006, Norman Hardy wrote:
>On Aug 2, 2006, at 7:53 PM, Jed at Webstart wrote:
> > when they were referring to efforts to detect a VMBR they said:
> > "...even if the target system did see something amiss, the VMBR could
> > tamper with the execution of the detector and force it to report
> > incorrect results."
> > While I agree this is theoretically possible, I think in practice
> > it's very unlikely to ever be achieved.
>It is not so hard if the attacker has seen the code that he is trying
>It is nearly impossible otherwise.
>This is why it is a never-ending sequence of blow and counter-blow in
>which the defender has no advantage.
I believe that the defender has some significant advantages:
1. The ability to take the high ground with a reset to
clean media (issues with BIOS infection, etc. discussed
2. Cooperation of the user of the system - even while running
the detection software (as I mentioned in my other message), and
3. Hiding while consuming resources is not technically easy,
while noticing consumed resources (e.g. my bare metal discussion)
is fairly straightforward, and
4. The attacker must constantly respond to asynchronous updates
in the detection software, while the detector need only detect the
attacker once (until the next independent infection).
I think in many ways detecting a VMBR is easier than detecting
an ordinary rootkit. I wouldn't be surprised to see the "VMBR"
approach devolve to a situation where something more or less
like an ordinary rootkit is run in the guest OS to make detection
less likely for the VMBR. It seems to me that techniques that
have been used for ordinary rootkits have some advantages over
the VMBR approach. Both have the "high ground" (unless a security
VMM is running above the attacking VMBR), but in the ordinary
rootkit situation the control can be embedded deeper into the
OS, libraries, applications, etc. The pure VMBR needs to be very
careful to avoid any machine detectable use of shared resources -
which defeats some of the purpose. With an ordinary rootkit it seems
to me there is less concern with shared resources as detection
applications have to assume such sharing in general. The main
concern with shared resources with ordinary rootkits is avoiding
detection by a human user - who is generally less sensitive and
more willing to gloss over apparent degradation in performance.
I believe there's a bit of sensationalism and hacker bravado in the
current VMBR discussions that won't stand the test of time.
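Point 3 above, that a VMBR cannot hide the cycles it consumes, can be made concrete with a timing probe. What follows is an added illustration, not code from the post or from the SubVirt work it discusses: on x86 it times CPUID, an instruction a VT-x/AMD-V hypervisor must intercept and emulate, against a cheap untrapped baseline, and compares the median costs. Names such as `median_ticks`, `trap_ratio` and `looks_trapped`, the round counts, and the threshold of 20 are all assumptions of this example; the threshold in particular has to be calibrated on a machine known to be bare metal before the verdict means anything. The non-x86 branch only lets the file build elsewhere and measures a syscall, which says nothing about a hypervisor.

```c
/* Added example (not from the cap-talk post): measure the cost of an
   instruction that a hypervisor must intercept, relative to an untrapped
   baseline, and flag an unexpectedly large ratio. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
static uint64_t read_ticks(void) {
    _mm_lfence();                 /* keep earlier work from drifting past the read */
    uint64_t t = __rdtsc();
    _mm_lfence();
    return t;
}
/* CPUID causes an unconditional VM exit under VT-x/AMD-V, so a hypervisor
   has to emulate it; that costs far more cycles than the native instruction. */
static void trapping_probe(void) {
    unsigned a = 0, b, c = 0, d;
    __asm__ volatile("cpuid" : "+a"(a), "=b"(b), "+c"(c), "=d"(d));
    (void)b; (void)d;
}
#else
#include <unistd.h>
#include <sys/syscall.h>
static uint64_t read_ticks(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
}
/* Fallback so the file builds on other architectures: a raw syscall is a
   kernel round trip, not a hypervisor exit, so its ratio is not a VMBR signal. */
static void trapping_probe(void) { syscall(SYS_getpid); }
#endif

/* Baseline that never exits to a hypervisor: an empty compiler barrier, so
   the measurement is dominated by the timer read itself. */
static void baseline_probe(void) { __asm__ volatile("" ::: "memory"); }

static int cmp_u64(const void *x, const void *y) {
    uint64_t a = *(const uint64_t *)x, b = *(const uint64_t *)y;
    return (a > b) - (a < b);
}

/* Time `probe` `rounds` times and return the median; the median resists the
   interrupt and scheduling noise that would skew a mean. Returns 0 on bad input. */
uint64_t median_ticks(void (*probe)(void), int rounds) {
    if (rounds <= 0) return 0;
    uint64_t *samples = malloc(sizeof *samples * (size_t)rounds);
    if (!samples) return 0;
    for (int i = 0; i < rounds; i++) {
        uint64_t t0 = read_ticks();
        probe();
        samples[i] = read_ticks() - t0;
    }
    qsort(samples, (size_t)rounds, sizeof *samples, cmp_u64);
    uint64_t med = samples[rounds / 2];
    free(samples);
    return med;
}

/* Cost of the intercepted instruction relative to the untrapped baseline. */
double trap_ratio(int rounds) {
    uint64_t base = median_ticks(baseline_probe, rounds);
    uint64_t trap = median_ticks(trapping_probe, rounds);
    if (base == 0) base = 1;      /* coarse clocks can report a zero baseline */
    return (double)trap / (double)base;
}

/* Verdict against a threshold that is an assumption of this example; it must
   be calibrated on hardware known to be bare metal before being trusted. */
int looks_trapped(double ratio, double threshold) { return ratio > threshold; }

int main(void) {
    const int rounds = 4096;
    const double threshold = 20.0;   /* assumed; calibrate per machine */
    uint64_t base = median_ticks(baseline_probe, rounds);
    uint64_t trap = median_ticks(trapping_probe, rounds);
    double ratio = trap_ratio(rounds);
    printf("baseline median: %llu ticks\n", (unsigned long long)base);
    printf("trapping median: %llu ticks\n", (unsigned long long)trap);
    printf("ratio: %.1f -> %s\n", ratio,
           looks_trapped(ratio, threshold) ? "instruction appears to be intercepted"
                                           : "no sign of interception");
    return 0;
}
```

The probe is exactly the kind of detector the quoted paper says a VMBR could tamper with: a hypervisor that traps or offsets RDTSC can flatten the ratio, which is why a serious check also compares the elapsed CPU tick count against an external reference such as a network time source or a second machine, where the attacker has no foothold. Running from clean media, as point 1 suggests, is what makes the calibration value trustworthy in the first place.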