[cap-talk] Virtual Machine Based Rootkits
norm at cap-lore.com
Thu Aug 3 23:45:19 EDT 2006
On Aug 3, 2006, at 10:11 AM, David Hopwood wrote:
> Karp, Alan H wrote:
>> Joanna Rutkowska is the name I've seen associated with this attack,
>> which is frequently called Blue Pill, from the Matrix. She has
>> demonstrated a running version on Vista x64 and is presenting at
>> Hat today. According to reports, she was able to install the
>> rootkit on
>> a running system, no reboot required.
>> http://www.eweek.com/article2/0,1895,1983037,00.asp is a news
>> article on
>> the subject.
>> The key point is that you're both right. You are safer if you use a
>> virtual machine to run Windows. However, if your base system gets
>> infected, virtualizability assures that there is no mechanism by
>> the OS can detect the attack.
> That's not quite accurate; most VMMs are detectable, and AFAIK all
> that run on x86 hardware (VT, Pacifica or otherwise) are detectable.
> It is true to say that a guest OS cannot reliably detect a VMM in a
> way that is useful to prevent this kind of rootkit attack, in general.
> After all, we don't want guest OSes to refuse to run under any VMM;
> that would be more counterproductive than helpful. Also, such a
> detection mechanism could be circumvented, if the attacker writes
> his/her code after the defender (and I believe this to be more
> than Jed does).
It may be that
for every attack there is a defense workaround and
for every defense there is an attack workaround.
This is in contrast to the situation where you can debug a fixed set
of privileged code.
(the design has got to be right too.)
> David Hopwood <david.nospam.hopwood at blueyonder.co.uk>
> cap-talk mailing list
> cap-talk at mail.eros-os.org
More information about the cap-talk