[cap-talk] Virtual Machine Based Rootkits
David Hopwood
david.nospam.hopwood at blueyonder.co.uk
Mon Aug 7 08:25:36 EDT 2006

Karp, Alan H wrote:
> David Hopwood wrote:
>
>>> My understanding is that all it
>>>takes to be "fully virtualizable" is to have all privileged
>>>operations trap in "user" mode.
>>
>>That is the definition of "fully virtualizable", yes.
>
> My understanding is that these systems don't trap the privileged
> instructions in user mode. Instead they run the OS in Ring 1 and the
> rootkit in Ring 1.

In architectures with multiple privilege rings, the definition above should
be interpreted as "there exists a privilege ring in which all privileged
operations trap". Which specific ring is used in any case may differ between
VMMs.
--
David Hopwood <david.nospam.hopwood at blueyonder.co.uk>