[cap-talk] Virtual Machine Based Rootkits
Bill Frantz
frantz at pwpconsult.com
Thu Sep 14 00:48:01 CDT 2006
donnelley1 at webstart.com (Jed at Webstart) on Thursday, August 3, 2006 wrote:
>My understanding is that all it
>takes to be "fully virtualizable" is to have all privileged operations
>trap in "user" mode.
[Sorry to be so late replying. I've been traveling.]
Having all privileged operations trap in "user" mode is necessary but
not sufficient. On some Intel architectures, there were instructions
that executed differently in privileged mode and in user mode. If I
remember correctly, some extra information was returned in privileged
mode. To be fully virtualizable, these instructions would also have to
trap. I would say an additional criteria is, "All user mode
instructions must have the same specification in both privileged and
user mode."
Cheers - Bill
-------------------------------------------------------------------------
Bill Frantz | The first thing you need when | Periwinkle
(408)356-8506 | using a perimeter defense is a | 16345 Englewood Ave
www.pwpconsult.com | perimeter. | Los Gatos, CA 95032
More information about the cap-talk
mailing list