Slashdot Mirror
Microsoft Research Warn About VM-Based Rootkits
Tenacious Hack writes "According to a story on eWeek, lab rats at Microsoft Research and the University of Michigan have teamed up to create prototypes for virtual machine-based rootkits that significantly push the envelope for hiding malware and maintaining control of a target OS. The proof-of-concept rootkit, called SubVirt, exploits known security flaws and drops a VMM (virtual machine monitor) underneath a Windows or Linux installation. Once the target operating system is hoisted into a virtual machine, the rootkit becomes impossible to detect because its state cannot be accessed by security software running in the target system."
...and nuke the entire site from orbit.
It's the only way to be sure.
Everything I know about rootkits tells me that you cannot detect one from within the running system, you have to be objective (I consider the current fingerprint detection to be working because of bugs in the rootkit implimentation, these will be "fixed" over time).
Keep a known secure boot CD.
Drain the battery and reset the bios then boot from that cd.
If theres anything sophisticated enough to bypass this level of paranoia then it can damn well have my credit card number and I'll gladly send spam for them.
liqbase
Why is microsoft researching this kind of thing? And with Linux too? It makes me wonder if the next time you go to install Windows on a partition somewhere with the same machine as you also dual boot into Linux whether your linux boot will not then be "taken over" by Windows, and MS can insert any little hooks, DRM, inspection code or other things running underneath the linux system you have.
Then they can force linux to perform worse than Windows and nobody will be none the wiser.
Except when you boot into linux and then you get a blue screen it will give it away lol.
You never sure if this is a feature or a bug. Either way, they will probably charge a subbscription fee to get the feature or get rid of the bug.
Original Paper
Abstract
Attackers and defenders of computer systems both strive to gain complete control over the system. To maximize their control, both attackers and defenders have migrated to low-level, operating system code. In this paper, we assume the perspective of the attacker, who is trying to run malicious software and avoid detection. By assuming this perspective, we hope to help defenders understand and defend against the threat posed by a new class of rootkits.
We evaluate a new type of malicious software that gains qualitatively more control over a system. This new type of malware, which we call a virtual-machine based rootkit (VMBR), installs a virtual-machine monitor underneath an existing operating system and hoists the original operating system into a virtual machine. Virtual-machine based rootkits are hard to detect and remove because their state cannot be accessed by software running in the target system. Further, VMBRs support general-purpose malicious services by allowing such services to run in a separate operating system that is protected from the target system. We evaluate this new threat by implementing two proof-of-concept VMBRs. We use our proof-of-concept VMBRs to subvert Windows XP and Linux target systems, and we implement four example malicious services using the VMBR platform. Last, we use what we learn from our proof-of-concept VMBRs to explore ways to defend against this new threat. We discuss possible ways to detect and prevent VMBRs, and we implement a defense strategy suitable for protecting systems against this threat.
Gan Family Homepage
Can anyone say dual boot?
And another question: I can understand the risk that this may pose for enterprise servers (Virtual Server systems, just to name one), but does this hold any implications for client VMs?
Viable Slashdot alternatives: https://pipedot.org/ and http://soylentnews.org/
while I can appreciate the logic of the research, I imagine this only gives creedance to the theories that companies deliberately design viruses so that they can sell more of their latest security product. or system/OS upgrade
"It is a greater offense to steal men's labor, than their clothes"
that virtualising i386 was hard and carried quite some overhead.
i'd imagine the vm would have quite different performance patterns for some operations than the real machine. it would also pretty much by definition have to have slightly less ram.
note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
It may not be feasible for home environments, but for workplaces. What about booting off either dedicated ROM boot keys, or USB memory keys with a some sort of physical read only/read&write switch. Put the key into your machine to boot (for bonus points, the key tells the machine who you are and begins to load your roaming profile), when it comes time for a new image the IT guys either give you a brand new ROM key, or update your USB key by toggling the switch.
My worry with keeping things inside the machine (the article indicates that AMD and Intel have ideas) is that it's just going to be a perpetual arms race. Since we can't rely on the user to know when it is and is not apropriate to allow your OS to modify your boot sector, evenually virus/malware authors will just trick people into accepting the updates.
paul reinheimer
Traditional malicious software is limited because it has no clear advantage over intrusion detection systems running within a target system's OS. In this paper, we demonstrated how attackers can gain a clear advantage over intrusion detection systems running in a target OS. We explored the design and implementation of VMBRs, which use VMMs to provide attackers with qualitatively more control over compromised systems. We showed how attackers can leverage this advantage to implement malicious services that are completely hidden from the target system and to enable easy development of general-purpose malicious services. We evaluated this new malware threat by implementing two proof-of-concept VMBRs. We used our proof-ofconcept VMBRs to subvert Windows XP and Linux target systems and implemented four example malicious services.
In addition to evaluating the VMBR threat, we also explored techniques for detecting a VMBR. The best way to detect a VMBR is to control a layer beneath the VMBR, such as through bootable CD-ROMs, secure VMMs, or secure hardware. It might also be possible to detect a VMBR from software running above the VMM, but the high level of control VMBRs have over software running above turns this style of detection into an arms race where the VMBR has the fundamental advantage.
However, VMBRs have a number of disadvantages compared to traditional forms of malware. When compared to traditional forms of malware, VMBRs tend to have more state, be more difficult to install, require a reboot before they can run, and have more of an impact on the overall system. Although VMBRs do offer greater control over the compromised system, the cost of this higher level of control may not be justified for all malicious applications.
Despite these shortcomings, we believe that VMBRs are a viable and likely threat. Virtual-machine monitors are available from both the open-source community and commercial vendors. We built VMBRs based on two available virtual-machine monitors, including one for which source code was unavailable. On today's x86 systems, VMBRs are capable of running a target OS with few visual differences or performance effects that would alert the user to the presence of a VMBR. In fact, one of the authors accidentally used a machine which had been infected by our proof-ofconcept VMBR without realizing that he was using a compromised system!
Gan Family Homepage
You can only be secure if your run hardware with treacherous computing modules installed on the motherboard and in the "approved" CPUs and BIOS chips, and that only works with treacherous computing software, sort of expensive hand in designer glove..
Kind of a sneaky advertisement, isn't it? Instill terror to sell vendor lockin hardware and operating systems. Maybe even get a law or three passed. They sort of gloss over the "get the rootkit there in the first place" part, don't they?
Here is a link to the actual paper the article references:d f
http://www.eecs.umich.edu/virtual/papers/king06.p
The authors make an interesting point -- users and rootkits are about control. Whichever one controls the outer layer wins. If the user is in a protected environment, a rootkit running as root can win. If the user is root, then the rootkit must be a kernel-level root-kit and run in the kernel. If the user can control the kernel, the rootkit must control the machine, in this case, put the user kernel in a VM.
My take is: in this game of cat and mouse, you'll stop only at the hardware -- it is hard for a rootkit to control the hardware short of the rootkit script kidde being able to get physical control. So yes, the user can win this game, if he controls the hardware that controls the software. How does the hardware control software? You guessed it: trusted computing ala TCPA ala Palladium etc etc.
Can you think of a way to win against rootkits without TCPA?
On a normal machine, if you try to virtualize it you would notice right away that something was wrong as it would slow quite a bit.
There might also be driver issues that could tip you off something isnt right. May not know what, but it should be apparent something is amis. It would have to emuate all the hardware that you had installed at the time of infection, unlike something like VMWare which presents a 'standard' ( but different ) set of hardware devices. Thats a prety tall order to pull off.
---- Booth was a patriot ----
i've been working on a compromised system to poke for holes in the concept and i hit upon a novel idea. in fact, it's really simple
all you have to do is-END CARRIER-
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
What would prevent another virtual machine virus from going underneath the first one? The sandwiched in virtual machines would be even more undetectible. The only solution I can think of: replace the physical CPU with a harware CPU emulator, and run anti-virus software on the real CPU. This shouldn't effect performance, and would be undectible to any layer of the virtual machine fuck-fest.
My experience with Windows and VM scenarios is that it runs better in VM then in real life; mom and pop might not notice this but I should hope those that are savvy enough to understand what Microsoft is proposing as a 'threat' would also be savvy enough to notice the little things that make VM still a pain.
examples:
I bought 4 GB of ram and a 400 GB drive, now I have 1 GB and 150 GB drive (with 250 GB overhead for mail and porn).
My Ultra-Monkey quad SLI Nvidia 9999 video card with 1 GB of ram now shows up as a 16 MB S3 Virge card, WTF?
My Comcastic experience is now more like my old netcom dial up account but the cable modems lights are busy.
Its really good to see Microsoft concerned about security, but I hope they will stop looking at how elaborate the hacks could be and focus more on why this crap
can be done in the first place.....
Unix, an obscure operating system developed by bored researchers in an attempt to get a better game playing experience.
For someone like me, who games on his PC a lot as well as working, it would be immediately obvious that there is something wrong.
Gaming performance would take a serious hit, as would anything that would normally require privileged hardware access.
No virtual machine can work as fast as the host system or with as much RAM.
LL
Yes, just like all the other subscription fees they're charging at the moment...
It's official. Most of you are morons.
an image of an idiot user taking their computer to a repair shop and the repair person uncovering 500 instances of VMWare running with 1 instance of spyware in each one?
A few days ago, I saw VB6 jump instructions being sent to the wrong destinations, both in runtime and IDE. The malkit survived an XXClone backup so it was hiding in a file. I now have it isolated awaiting the gendarmes.
Why on earth is someone writing this software for the purposes of malware - why aren't they gainfully employed earning decent money.
Seriously, whipping up your own VM that will run $HOST_OS is nowhere near in the same league as, say, hacking together a VBS macro in MS Word or similar...
Specialist Mac support for creative pros, Melbourne
Within five years we'll have a college graduate who worked on this project but in the end barely passed. Not being able to find a decent job they'll resort to plying their knowledge in the neitherworld. I'm stickin' with Atari.
is to run under a virtualization manager from the beginning. Than, there will be no way for these VM-based rootkits to actually run on the real haardware. They'll think they are doing so, but the outermost vm will be able to detect them easily.
Here is the summary reduction: humans are crafty and creative.
You mean like those trying to sell TPM / Trusted Computing?
Seems like a solution (TPM/TC) in search of a problem consumers/end-users can identify with ("VIRUSES VIRUSES VIRUSES!"), because "protecting our intellectual property" wasn't really ringing with end-users.
It's still an interesting idea, and good to start thinking about how to defeat it...but I suspect this is a back-handed way of selling TPM crap.
Please help metamoderate.
TFA seems to propose a model where the host OS is running a Root kit that runs a VM that runs a copy of the host OS that the user works within, which hides the root kit.
But in that model, the host OS is still running.
It mighr be possible to detect a rootkit by putting a honeypot of some sort in the true kernel. The when the root kit tried to do something, like say change the firewall, the true kernel could detect that and quarentine itself.
Of course a root kit running with ring-zero permissions would try to lobotomize that code, so the honeypot itself can't be too easy to find and alter. You'd probably need other kernel level tripwire type code to look for lobotomization.
Maybe a card with boot time code that the OS could call to verify itself. Not pure trusted computing as any user could add such a card (assuming a free slot)
-- 3 events that reshaped the world in the 20th century: WW1, WW2, and WWW
They even have a public research website
This issue is a bit more complicated than you think.
Microsoft Techie #1: How are we going to get this to work?? Hmm, maybe we can stick this virtual machine monitor here, and then we can trick the highly technical, security-conscious guys who would use the system into giving us root access so we could put it before kernel secure mode is initiated?
Microsoft Techie #2: Nah, too complicated. Let's just wait until the next default security hole...
Creative misinterpretation is your friend.
How do you install the rootkit? Yes, you guessed it, through an insecure operating system. This article is imho just another promotion FUD campaign for TCPA.
If your current operating system and security measures are good enough, such rootkits-with-virtual-machines are not even going to be able to be installed, heck as long as you don't have to login as administrator to print out a document or surf the web, you're pretty safe.
And as soon as you notice your box could be r00t3d, you take it out anyway and don't trust it. And if you don't notice one of your boxes is generating extra traffic or doing things it shouldn't, you shouldn't have to have admin privileges anyway.
Custom electronics and digital signage for your business: www.evcircuits.com
I definitely agree that security minded individuals should find ways of attacking systems in order to find defences against them. Nearly all software holes are found this way, and are patched within weeks of discovery.
But this seems excessive. We're just starting to hear about real Windows based rootkits in the wild, and a front page Slashdot article gives everyone and their mother an exploit route that is both nasty, nearly impossible to protect against, and hasn't been seen in the wild.
Please Stop. Find a good, solid fix... or find code in the wild, then post about it.
--This post intentionally left inflamatory. Please let me know where I'm wrong.
The ______ Agenda
So if I write a program that keeps any other program from writing to
the boot sector without confirmation, does this keep this in check?
I'm starting to wonder if I am better off just writing a general immune
system for my computer. The _effects_ of spyware, viruses, worms, rootkits
(or rather rootkit installers), etc are
the issue. Does it really make sense to keep fighting against them specifically?
Microsoft start to SUPPORT linux? And start off with a rootkit prototype?
Man, that is how a friend should be.
This may very well astonish you, but such sophisticated infection mechanisms already exist and have already been demonstrated. See this rootkit concept overwriting your BIOS to create a permanent backdoor.
Note: removing the CMOS battery will not destroy this rootkit because the CMOS battery erases the NVRAM, not the BIOS flash chip. The only known way to recover from a BIOS rootkit is to reflash your BIOS... but what if the rootkit is intelligent and tries to re-corrupt the new image being flashed ? This is a possibility. In this case your only option is to physically change the flash chip with a known good one. And don't forget that a modern computer has a lot of flash chips that can theoretically be infected: hard disk firmware, video card BIOS, DVD drive firmware, etc.
The advent of these low level root kits could bring Norton (Symantec) new business..but it will not effect Linux developers in the least. The article did not state that root kits of this nature will compromise linux in anyway. Compromising an ad hoc system like VM ware running Windows on linux is a bonus, not a problem.
Just like the *AA are saying that we must have tighter and tighter Digital Restrictions Management, enforce the DMCA ever more stringently, and chase down those pirates, now Microsoft is jumping on the bandwagon. "Our systems will never be secure enough until we have full TPM hardware support. This will be released as part of Windows Vista SP2 in our effort to improve security." Yep, we've found a killer way to make an awesome virus. Is the cure worse than the disease?
So... FIX THEM ... morons...
So basically what it is, is a rootkit designed to run in a virtual machine (like VMWare, VirtualPC, Bochs, QEMU, etc) that takes root control of the virtual machine, but the host OS is unable to detect the malware because it runs under a virtual machine and not on the host OS itself.
Microsoft had tested code under VMWARE for Linux, and VirtualPC for Windows that allowed them to gain root access to the host OS from the virtual machine, and run the rootkit malware under the virtual machine.
Yet what they are not telling you, is that the virtual machine has to run on the host OS, and that can be detected, even if the malware cannot. If you are really paranoid, just don't run a VMWARE or Virtual PC virtual machine or any other virtual machine, and if you find one on your OS, remove it. The problem with that is that malware scanners will be looking for virtual machine files and suspect them of being malware and warn the user. Besides any virtual machine has to be installed on Linux with root access anyway, and VMWARE Server apparently when I installed it on my Linux box had to compile a part of itself to match my kernel, and asked me to download a few libraries before it would continue. I doubt someone can use VMWARE to install as a regular user on Linux without someone with root access allowing it. Still, Xen is a virtual machine and is becoming popular with Linux, I wonder if it is vulnerable as well?
The whole VM rootkit fails, unless the malware author finds a way to install a VM on a host OS without being detected, and without Root or Administrator access. The only way I can see that happening on Linux and Unix systems is if they use a trojan horse method of making it part of a program the user or administrator wants to install and they use root or administrator access to install it. On Windows it would just use an exploit to get Administrator access.
Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
I've done it with linux, I suppose it's possible to achieve with windows : have a two disk install, and make sure that there is a read only strap on one. Just put whatever binaries you have (/boot, /, /usr...) on that disk, then move the strap to ro ; on the other disk, put /var and /home. If you're paranoid about it, have syslogd hard print everything on an old line printer. Done. It doesn't prevent a break-in, but the attacker is stuck an can't damage the files, so when you reboot (because you notice the security log printing strange things) the evidences are easy to find.
My roommate runs a PC repair biz. I've noticed those dual-BIOS mobos. Always felt weird to me. If they want to make sure you have a good BIOS at all times, isn't it cheaper to install ONE bios socket, and send you two chips? Then you'll only swap if you really need to. And the "clean" chip is guaranteed clean because it can't be tampered with when it's not in the computer.
In any event, programs being able to flash your BIOS without telling you about it is A Very Bad Thing(TM). Disabling BIOS writes except when booted from a floppy would be a start. But at a very bare *minimum*, when the BIOS is modified by anyone or anything, the next time you boot the machine, the BIOS boot routine should throw a warning up on the screen:
"Your BIOS has been modified since last reboot. If you have not intentionally changed your BIOS, or added new hardware, you should discard these changes. Discard changes? (Y/n)"
And the code that performs this check, and throws up the error message, should be in a ROM or OTP chip where software can't tamper with it.
Here is how you detect any VMM on linux or Windows,no such thing as undetectable if you know how to find it. http://www.trapkit.de/research/vmm/scoopydoo/scoop y_doo.htm
That's actually interesting.
One would think you could detect the change in system hardware in some way.. it's unlikely that the VMM implementation is 100% identlcal when compared to the pre-VMM rootkit system. Something has to be differnet, somewhere.
First one to publish a detector for this gets good press.
I've tended to find that one of the big annoyances with virtual environments is that between them and the master, communication with various hardware tends to suffer. Mind you, I haven't worked with the big boys, but will the VM environment still happily let my burners, USB device, etc work normally... or would I start to notice some rather odd and revealing behavior?
The obvious solution is... Windows VISTA!
Heck the OS is so large any VMBR trying to "hoist" it is going to probably:
A.) Run out of space (memory or HDD).
B.) Take so long to hoist the OS, the user will probably reboot thinking their machine's locked up again.
C.) Cause CowboyNeal to acquire a hernia.
They (MS) are probably just looking for more selling points for their new BIG baby.
But then again, maybe not. I'll play my own "devil's advocate" for a bit here to contradict my previous comments. A full blown VM, probably detectable. But what about something like a changeroot (essentially, for non-'nix users, a subdirectory which for all intents and purposes appears as the drive root).
We have boxes at work which run chrooted... and the SSH server also runs in the changeroot. When you SSH in, you can't tell whether or not you're in the chroot except that we tend to have it labelled. If you were to apply the same trick to the console, but have the overlying layer outside of the changeroot, and some masks to hide various processes, how would you know if you're "in the box" or outside of it?
.. or Palladium or Trusted Secure Computing Platform or whatever it is called this day.
The only way to defeat an advanced rootkit today is to require strong crypto all the way down in the hardware. This means pratically everything down to the BIOS should be signed. There should be a chain of trust, and untrusted software should not be able to do permanent damage. The updates to the permanent storage should also be signed.
The technology is here. And it would be relatively easy to at least secure the root of your system (BIOS and OS kernel) from rootkits.
it's amazing how any piece of news that involves MS quickly turns into a conspiracy theory about the evil MS taking over your computer, the worst part is 90% of the people who read this site will believe it.
was just a VM rootkit for human brains, no?
The big impact might be on software distribution methods that rely on a virtual machine, in other words, every software distribution method known to man at this point. It pushes the security model toward one of distributed applications, such as those created through AJAX or XUL. In the future, people won't trust the installation process from independent developers enough (or MS won't let the users trust the install process), thereby limiting the future to remote applications accessible through web browsers or the next incarnation thereof.
The Death Penalty: Killing people to show others that killing people is wrong.
I've actually used this in a fictional story. The main character detects the root-kit by buying an identical machine, and then timing system calls. Certan emulated rootkits have different timing signatures, and she's able to figure out which one is running based on that, and then exploit holes in the virtual machine itself to disable it.
autopr0n is like, down and stuff.
The First Operating System booted must issue an instruction to the processor to create one of these "VM"'s. All you do is control this instruction.
There are many things in life we CAN do but dont. Like contractors stealing client trade secrets (some do). So heres to those morons who do 'proof of concept' nonsense like rootkits/ trojans/ spam ...
1. They are most likely uncircumcised.
2. They are most likely fatherless (fathers are role models -- u can hit wife but dont)
3. They live in the Balkans (or similar environment/basement)
4. Are bewitched
Now, mod me up if you rman!1
Stephen R. Donaldson wrote the "Gap Series". At one part of the story, the "Data First" of a pirate vessel put a virus in the firmware of one of the pieces of hardware controlling the ship. Even if the ship's computer was reloaded from known good stores, the virus would re-infect the computer. The virus was rigged to totally wipe the ship's computers if a password wasn't entered at specified intervals. Since you couldn't navigate or operate equipment without the computers, this was effective extortion. Billions of miles from home, there was simply no getting back without functional computers.
The cure was to install known good hardware (itself tricky considering the circumstances) and to reload the ship's computer. The story also featured a kind of WORM device called a "datacore" that every ship had to carry by law. It was a combination flight-recorder and criminal evidence accumulator. Come to think of it, many IT issues were dealt with pretty well in this series. It's worth checking out. The IT issues are essential in certain parts of the story but they aren't the main point.
If I had mod points....
we'll finally get an easy to install vmware?
..don't panic
Linux installs.
Running with Linux for over 20 years!
Come on lets be real here. The only reason Microsoft is paying its developers to write VM-based rootkits is because they intent to deploy these exploits against their competition, foes, etc. I think its a load of bullshit that this is done as "proof-of-concept".
Someone will just root your external integrity checker eventually anyway.
the iSeries (aka AS/400) OS runs on top of a layer of microcode in which security functions are implemented, so they are immune from this type of malware
Everyday I read something new that further justifies me switching to Linux. I haven't made the switch yet and it almost scares me to think I haven't after reading things like this. Anyone know where to find some good resources for making a first time switch? Perhaps some better reading will push me over the edge and there's no better place to ask that Slashdot.
I will forever be a student.
So let me get this straight. MS is damned if they investigate leading edge security, and damned if they don't. Did I miss something?
I recall there was a proof of concept modification of GCC that would add itself to any GCC complied with it, a Compiler Virus...
How about a program that specifically attacks chip design software, and adds malware to any chips that are layed out for production. With the millions of transistors on a modern chip, who would notice a few more? and who would know that multiplying 563473563 by 756481984 turns off all memory access interupts, allowing the following instructions to read/write anything they want?
I for one welcome our new VMWARE overlords
Eventually Microsoft will sell a license chip that plugs right into the motherboard, and Windows 20xx won't boot without it.
...To install a VMBR on a computer, an attacker must first gain access to the system with sufficient privileges to modify the system boot sequence.
...When targeting Linux systems, we modify the boot sequence using user-mode code. We modify the shutdown scripts so that our installation code runs after all processes have been killed but before the system shuts down. We overwrite the disk master boot record using the Linux hard-drive block-device so that our VMBR loads at system boot instead of the target OS.
...Our VMware-based VMBR image is 95 MB compressed and occupies 228 MB of disk space uncompressed.
...The VMware-based VMBR takes 52 seconds to boot the host OS and load the VMM and another 93 seconds to boot the target Linux OS.
...This research was supported in part by National Science Foundation grants CCR-0098229 and CCR-0219085, by ARDA grant NBCHC030104, by Intel Corporation, and by Microsoft.
d f
http://www.eecs.umich.edu/virtual/papers/king06.p
I read the original article. It's interesting but not earth shattering. Essentially; your system is only as secure as the base it's built on. Operating systems with mandatory access controls (MAC) and well designed hardware would mitigate this kind of shenanigan. A larger concern is whether can you trust your OS provider not to build in this kind of back door into their product.
This is predated by Ken Thompson's paper [Turing award lecture, Reflections on Trusting Trust, CACM 27, 8, August 1984] wherein the concept of an invisible virus was proposed -- the actual virus was (to be) buried in the object code of the C compiler for Unix; its object was that IF it were compiling the source code of the login module it would insert a little piece of code that allowed it's creator always to log on (the War Games "backdoor"); IF it were compiling the source code of the C compiler itself it would merely copy itself at the appropriate place. In both cases there was no sign of the virus in the source code nor presumably in the listing generated by the compiler;...
http://catless.ncl.ac.uk/Risks/6.3.html
Sounds like something in the family of TCPA to me..
One of the design flaws of the I386 was that it was not possible to fully virtualize. Has this been fixed in recent processors? Otherwise it must be possible for an OS to detect wether or not it's running inside a VM or not....
There are some real problems in implementation. Many parts in the hardware layer are flashable and in effect infectable with the latest and greatest $Malware. Not only does the BIOS have to be covered but also everything from Hard Drive controllers to the flashable ROM on graphics cards and even your CD-Drive.
Imagine a rootkit that writes to flashable area of your USB controller or your bootable CD Drive.
Well, since we're skipping over the "get the rootkit there in the first place" part, wouldn't TC make a VM-based rootkit easier to produce?
Trusted Computing isn't about someone else rooting your machine without your consent. If you are going to be running software from $VENDOR, it makes little difference for your credit card numbers if your computer also "trusts' $VENDOR.
/boot will allow you to rootkit them, and at least capture the password used to encrypt the disk the next time a legitimate user attempts to login. In this setup, touch one bit of /boot without signing it (presumably the private key isn't kept on the laptop anywhere), and the hardware will simply refuse to boot, or allow you to boot but deny you access to /. Or, in other words, have fun with your ramdisk/Knoppix, you still aren't getting the data.
The difference it makes is that a "Trusted Computer" now trusts $VENDOR, but no longer trusts you. You no longer really have root.
Trusted computing works, then, when $VENDOR == you. That's where it has legitimate uses. For instance, a large company which runs some form of Linux and actually audits all of its source, before signing their own custom distro (kernel and all). The private key is jealously guarded, the public key is in the hardware of all of their laptops.
If I remember right, the majority of the disk was encrypted, and you only get the decryption key (well, actually, the right to ask the hardware to decrypt for you) if you're a trusted kernel, thus implying that all the software is trusted. Thus implying that said software will require a valid user to authenticate, probably two-factor (password and thumbprint), before giving any access to the decrypted contents of the disk.
You could try to mess with the disk itself. In other, similar setups, a little messing with
And if that data includes ssh keys, you get to authenticate yourself as "trusted" merely by having any access at all to the ssh keys.
Trusted Computing, the way Hollywood wants it, is essentially the same technology as what I described above. You have some encrypted stuff, like, say, a movie. You have a "trusted" OS (presumably Vista), where every bit of software from the kernel to the media player must be authenticated, or it gets no access to the media player, the decrypted movie data, the key, or the image that's output. And, if they can control that image all the way to the monitor, what they've effectively done is ensured that you get to watch that movie, on a specific version of Windows media player, on Windows, on a certified monitor, as many times as they decide to let you. God help you if you even try to skin WMP -- no mods at all.
This does very little to help security, however. Unlike the insanely secure laptop, your desktop will be running tons of software that isn't "trusted". So, there will be malware. Maybe it won't be able to do anything to your "trusted" files, but does that matter to the user? Every time something falls into the domain of "trusted" -- be it your movies, your documents, your photos, anything -- you lose the right to use any software that isn't "trusted" to manipulate it in any way. So, if you want your Word docs to be safe from malware, you have to use an officially signed Word, and God help you if you want something like OpenOffice.
And, even if they did allow OpenOffice, it would be a specific version. Say goodbye to "scratching the itch", or contracting someone to add a feature or fix a bug in open source software.
And if that wasn't enough, it still does absolutely nothing about the malware we care about -- the spyware that constantly opens popups, creates botnets, and eats bandwidth, CPU, and RAM. It hardly matters if it's not "privelaged" or "trusted".
And if there's a security hole in the "trusted" software, none of the "trust" matters anyway, as far as your security. And yet, exploiting that hole will probably still be a royal pain for anyone trying to legitimately use files that they believe they own in a way that wasn't "trusted" by the content providers.
So, while I basical
Don't thank God, thank a doctor!
A rootkit would be aware that it was not installing on a pre-existing VMM?
Aside from your point, I thought the Gap series was amazing for how little it focused on the tech side of the story.
The stories are built almost entirely around human interactions. It's just people in rooms, but it is fascinating. Someone here said "perverted", yes, very.
It's been a while since I read them, but I think the entire series takes place in a really short period of time, like a day or so.
i think you should know md5 is broken
welcome to last year
my password really is 'stinkypants'
They obviously must be talking about new Vanderpool/Pacifica virtualisation features. I seem to think that MS is paying much attention only because such rootkits might be a route around Palladium or HD-DVD/Blu-Ray content protection.
In slides from WinHEC they present whole protected video path route. Even bus transfers are encrypted to prevent that type of attack. Kernel, signed and verified by TCPA chip, loads only signed video card drivers (which also take care that decrypted video content isn's ripped from VRAM. Kernel also takes care that nothing can "debug" processes which handle unencrypted data (although it is possible that GPU itself does that). In case of DVI output, device must support HDCP (which in fact is the weakest link in chain). I can imagine how with VMM program one could tinkering with running kernel and, for example, get unsigned (hacked) video drivers to load.
I wonder if starforce folks are going to try to get in control of VMM on new CPUs if everything else fails against Daemon Tools 4.
Close, The story hinges on the use of a "zone implant", a mind control device. I'm sure the perversions (sex and torture) are a reasonable facsimile of how people would behave given absolute control over someone else, and no peers to intervene. It is not over a day or so, though, more like years.
But does this hold any implications for client VMs?
The point is, if I surmise correctly, is to virtualize a user's computer whether it is server or a desktop. Henceforth, he can install all the detection and removal tools he want on his (unbeknownst to him) virtual computer, it won't help him. The tools will be running on the virtual computer, and the mal-ware isn't on that computer, it's on the real computer underneath.
It's as if somebody put a wiretap on your hard disk controller. You're OS would never know.
It occurs to me the thing to do would be for the user to engage in preemptive virtualization. He should only use virtual machines, only using the real machine directly to check the state of his virtual machines or install tools from trusted sources.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
Think about this...
If a piece of malware could actually succeed in placing af fully transparent layer of virtualization beneath the running OS, then wouldn't it in theory mean that the same thing could happen again after the OS is booted on top of the VMBR?
To stop this from happening every time the user triggers the infecting malware, it would have to have a way of detecting that it is already running in an OS on top of the VMBR. The point of being fully transparent seems to be a problem in itself.
Also I wonder:
If such an infection check is not performed, will re-infection then place the new layer
1) underneath the first VMBR
or
2) between the VMBR and the OS?
If 1) then we can use the same technique to detect and remove the VMBR.
If 2) then we could already be running the OS on top of a change-detecting VM thus preventing infection.
Just my $.02
If the VM the rootkit installs does decent hardware emulation and has good drivers, your Windows system may be more stable than if you let Windows talk directly to the hardware. :-(
I don't think you can move a running OS into a VM so there would have to be a reboot, at which point Tripwire would start screaming at you. Unless they find a way around the key based access that Tripwires dbase uses.
Tripwire is included in FC4s Extras repository BTW.
MS Research has nothing to do with MS product cycle.
The Bootable ROM checks the new BIOS image for a digital signature. To avoid "Trusted Computing" the Bootable ROM allows you to choose if you want to install only a properly signed BIOS image, or a custom one (although that option risks rootkits).
(1.21 gigawatts) / (88 miles per hour) = 30 757 874 newtons
"Seems like a solution (TPM/TC) in search of a problem consumers/end-users can identify with ("VIRUSES VIRUSES VIRUSES!"), because "protecting our intellectual property" wasn't really ringing with end-users."
/. mistake) wouldn't work when dealing with the virus/rootkit problem?
Do you have any proof that TPM/TC (not to be confused with DRM a common
Speak for yourself, mate! I don't think I would ever torture or rape people!
Female Prison Rape in NY
To control someone, all you needed was, IIRC, a combination of making them submissive and pleasure, and just the tiniest bit of pain, and they'd follow you around like a puppy, hoping for another burst of pleasure.
Donaldson really thought out all the tech aspects of those books.
If corporations are people, aren't stockholders guilty of slavery?
The article states is "it is to get the VM-based malware on a target system." Maybe, but on any given day, my systems may be vulnerable to than can load hostile software, or they may not.
It is helpful to reduce the vulnerability of systems to code execution flaws, and this can be done by running code in an already-restricted execution environment.
Matt
The one time Microsoft ports some of their software to Linux, and it's a rootkit. ;)
--
Given enough personal experience, all stereotypes are shallow.
Because it might porentially subvert their DRMs in Vista. They don't want any competing rootkits on machines out there.
http://lkml.org/lkml/2005/8/20/95
Get a copy of Suse. Either OpenSuse http://en.opensuse.org/Released_Version#HTTP_or_FT P
currently v10.0, v10.1 due end of April, 10.2 due end of year. Or buy Novell Suse professional with a support contract (s/b under $100 for the box, not sure of the support pricing). The purchased version has additional non-GPL content, like java, integrated. See http://www.thejemreport.com/mambo/content/view/178 /42/ for how to add the missing bits.
The install will recognise your existing Windoze partitions and will walk you through upgrading to a dual boot and the linux side has read-only access to the your NTFS partitions. Very Oeei-GUI interface, very little command line savvy needed. There is a LiveCD you can just boot to check it out. The "eval" DVD is the actual install.
On top of that VMware will be releasing a free VMserver so you can run your legacy Windoze inside the linux. Alternatively, if you are impatient or want a linux other than suse, you can download one of the free VMware appliances http://www.vmware.com/vmtn/appliances/ and run it in your Windoze environment
HTH
There is no right to feel safe thru security vaudeville at the expense of everyone's freedom, privacy and tax money.
Problem: BIOS untrustworthy after reboot due to surreptitious flashing. All devices in a particular computer that have a flashable BIOS have this identical risk independently. Reflashing with a double BIOS chip is a solution, but requires significant development to make a single utility that can flash each device after the bios.
Easy Rock-Solid Solution: Replace all the flashable write-many BIOS chips with write-once chips that you burn yourself. This can be done for minimal cost for all the various devices in a system that need it, and guarantees physical version control. If this became a desired solution, vendors would start to provide (once again) pre-burned write-once chips at a minimal cost, with eventual convenient subscription services. Then, you wouldn't even need to buy a burner or blank chips, eliminating any up-front costs altogether.
Yeah, it is one more subscription to pay for, but this GUARANTEES security. Unless, of course, someone hacks the vendors servers and changes the BIOS that was supposed to be burned. Hopefully, they would be using this technique on their own computers, in which case they would have guaranteed intra-corporate security, which by extension gives all the customers perfect security.
Note: When I say security here, in every instance I am implying perfect forward security.
I remember Angus having cigarettes stubbed out on his tounge, and then eating the stub. It caused him a great deal of discomfort, but he was unable to stop. I think there was a bit more to it than just emotional control.
I've found some insight about this research: http://www.securityzero.com/2006/03/rootkits-power ed-by-virtualization.html
Doing this kinda rootkit is much more difficult than what MS says...
The way to prevent this is for the hardware to perform a signature check on the bios before booting. Only authorized vendors could sign bios code. It would lock-out everyone from hacking the bios and, frankly, that is probably a pretty good idea.
It is your personal duty to fight for what is right on a daily basis. Ignoring injustice is identical to approving
He did have something like a zone implant in his head, but it had been custom-tailored for his mind, to the point of more traditional mind-control.
If corporations are people, aren't stockholders guilty of slavery?
As always, all IMO. Insert "I think" everywhere grammatically possible.
So it is indeed more than just emotional control.
A brief scan of the last book reveals this:-
So even though Angus was a cyborg, he was controlled by zone implants.
And the book can call whatever is Angus 'zone implants' all they want. The point is he had a computer inside him. Not just a zone implant. This computer knew what he was doing, and could cause him, via his zone implants, to stop, and could even turn on 'complusion' mode and give him an order and he'd basically have to do it.
Normal zone implants installations don't have anything like that. They are merely small devices inserted in the head. Agnus was taken apart and put back together.
If corporations are people, aren't stockholders guilty of slavery?
Good God, where to start...
I included the whole quote as this is Stephen Donaldson telling us the capabilities of the zone implant through Angus's dealings with Morn. I highlighted the part that was in contention, the rest of the quote wasn't in contention so it didn't need highlighting. The point of including the quote was to show that he had a choice. Look at it again, he would control her actions perhaps by taking control of her body or perhaps by exerting neural pressure. The zone implant was capable of both.
This is not the case, either. One of the overriding themes in the books is the anger and frustration felt carrying out instructions against ones will, but being unable to resist.
A few more quotes on this theme:-
The point of Angus's internal computer was to control the zone implant. He was being sent away from the people controlling him. The computer was able to control the implant according to a program designed by the people controlling him. It was replacing a person.
You do know this is not a news report? If the book says it's a zone implant thats what it is. It is whatever the author wants it to be. If you disagree take it up with him.
I suggest you re-read the books as your recollection of them doesn't appear to be as good as you think it is. And that will have the added benefit of allowing you to quote a passage to back up your stance.