Slashdot Mirror
Blue Pill Myth Debunked
njyoder writes "As previously posted about, Joanna Rutkowska claimed to have discovered an allegedly undetectable vulnerability in Vista that takes advantage of AMD cpu's virtualization capabilities. a virtualization professional (Anthony Liguori of the Xen project) has now voiced his opinion to state this is bunkum.
There are two parts two this — the ability to take over the machine and seamlessly drop the OS into a VM (which is very difficult, but possible) and the ability to have windows run in the VM undetectably (which is impossible). In fact, Rutkowska's prototype is VERY detectable.
This is unfortunate mistake that people make when they jump to conclusions based on what is unfounded speculation and that includes the assumption that this would somehow be Vista specific, if it worked (noting that Vista doesn't run with administrator privileges by default)."
Thought there was something more exciting than I thought happening with Vista!
the red pill but I still wake up in hell each morning ... Vista will be shipping.
I think the problem is not whether or not it can be detected by a professional, or a malware detection program, but whether or not it can be detected by the user of the computer. If you can run the entire OS in a VM, without the user knowing, then there's a lot of stuff you can do that would probably be a lot harder to do if you were just running regular malware. Although it's reassuring that this wasn't as bad as we expected, I still expect to see a few exploits that use this method to install malware, and spy on what the user is doing.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
Read: Anthony Liguori: I've been working on the Xen project for approximately 2 years. Like most Xen hackers, I have no job security. I'm am taking of any project but this article hopefully secures my job.
Silly editors, this irony.
I would probably take heart to this if a hardware (or firmware) engineer spoke up and noted that this is a possibity. Are processors now offering virtualizaton in-chip?
Oh well, at least the summary was a good deal more interesting than the norm.
"I think the problem is not whether or not it can be detected by a professional, or a malware detection program, but whether or not it can be detected by the user of the computer."
And people are going to detect it how? That's right. Using a program. Just like we detect all the other stuff.
It won't help you find a good one.
haha, but you *thought* it was a woman. :)
Comment removed based on user account deletion
I dont agree with that statement.
While i agree it would really really damned hard to do it, you could create a VM that the host os wont reconize as being a VM. Sure, it would have to accomodate for each new PC out there as hardware changes, and that it would be a massively complex beast that more then likely could never be turned into a worm/virus/trojan that you wouldnt see coming a mile away, but it could be done.
Never say impossible when logic says it could be done. Just say impractical..
---- Booth was a patriot ----
I'm not so sure Anthony Liguori is right.
t ml more detail at http://static.ephemeralsecurity.com/mosvm/Mosref%2 0Howto.html and the continual move toward VM
Most people in the security community are well aware of http://www.ephemeralsecurity.com/mosref demo at http://static.ephemeralsecurity.com/mosvm/demo1.h
If mosquito and similar tools are not moving towards VMMs, I'd be very suprised. After all, it is a logical step (From VM as a payload, to a VMM as a payload).
Which is why malware's going to do this on Windows XP, then lie dormant until it detects Vista installed.
This really has nothing to do with Vista. The premise of the "exploit" is that some piece of malware obtains enough access to the machine to effectively install it's own OS shim which acts as a virtual machine host, or VMM, or hypervisor, which then launches the original natively-executing OS as a guest OS. The shim would be able to perform nefarious acts with full access to the memory and execution of the guest OS while being effectively undetected by the guest OS, since it's not technically running in the memory of the guest OS.
Effectively this vulnerability is a hardware one and would effect any OS which is compatible for the platform. However, as the article states, it would be a Helluva engineering feat to accomplish loading the virtual machine host and then piggybacking the native OS, and even then due to the fact that the virtual machine host has to catch and emulate certain instructions it will always be detectable if just through performance characteristics of those instructions.
At least with Beta 2 Vista did run with admin privledges, just as all previous versions of Windows. But you have that box that pops up when ever you use those privledges. MS has done a good PR campaign to make people think it doesn't, but install beta 2 for yourself, the user created in setup is an admin just like in XP. I sincerely hope that this is changed with RC1.
-- "Freedom is the right of all sentient beings" -Optimus Prime
"seriously though, it does sound like they've done quite a bit of work on security, so here's hoping it's still not swiss cheese security."
Yes, and trusted computing will help in regards to these "shims".
The exploit is the first of its kind for Vista. Give this a few years and add the high motivation of criminals who make millions by exploiting PCs and you can be sure we'll eventually see some quite nasty stuff.
- grammar is pretty bad on /., eh?
FWIW, Keith Adams of VMware posted a recent blog entry "Blue Pill" is quasi-illiterate gibberish and there have been a number of other folks that have come to the same conclusion.
You're supposed to by a Intel Core Duo CPU...
"Free software" is a matter of liberty, not price.
I'm thinking any subversive VM thing would be like an uber-rootkit. When infected, the user's ntldr or winload.exe (for Vista) would be overwritten to load our new OS instead of Windows. On the next boot (which could come early by the delivery system resetting the computer), the new OS would load which would be little more than a very thin VM wrapper around windows. It would immediately boot up windows, and the user would be none the wiser. Basic things it would do (that would classify it as a rootkit) would be to modify the raw hard drive data running between Windows and the BIOS to hide it's own files as well as hide the ntldr and winload.exe tampering (it would make backups of them before modification and would hide the backups, but would show them in place of its hacked versions).
Theoretically this would be undetectable unless you boot from a CD... even this could potentially be compromised if the BIOS can be "upgraded"... of course there would be no way to protect from moving the HD into another computer and immediately booting from a CD to look at the contents.
Though there is a littlee war the authors neglect to mention. If I am writing a blue pill virus vm, and I KNOW there is software out there that is trying to detect me, it's completely worthless. Since I own the machine at that point, I can modify the programs running, with impunity. That's like all the viruses that are out there right now that are more or less immune to Norton... they know what the "threat" is, and they plan accordingly, they know its weaknesses and simply sidestep right around it.
A vm that sees you load BluePillDetect.exe just goes in and twiddles a few bits here and there in the app before it actually puts it in the execute queue, or subtly mucks with its registers while it's executing. Now the program blissfully reports just what the VM wants it to report... "no VM detected.".
Now how are you going to get around THAT? If you are running on a totally owned system, you cannot tell me there is anything you can do that is guaranteed to work, especiially if you are using a commonly available tool that the vm author had access to..
You simply cannot win at their game if they are the ones writing the rules. You can claim victory for a day or two, until the VM authors get their hands on your tool and make the necessary modifications to their VM to cripple your tool, and then you are back to the drawing board.
I work for the Department of Redundancy Department.
With Open source there's no problem. I can hear about a thing, test it, look at code, and decide whether it's an issue to me. Or if it's outside of my abilities, That wonderful peer review process can do the job for me. People who are being paid to say good things soon fall silent or get drowned out in the face of proof to the contrary from many sources who are not being paid, but do it out of interest.
With closed source code of any type I have no such option. Instead all I get is 'experts' to tell me. But these guys have to eat, so they get paid by someone, and have a vested interest in being paid tomorrow. Therefore there can be no impartial advice.
Heck, if the cheif engineer on the shuttle program can be convinced to retract his refusal to sign off the shuttle because of O-ring problems, what hope is there for trustworthy answer from anyone regarding closed source software?
Ok, possibly I'm being too extreme with my example, but seriously I worry about the *true* safety of using an operating system which has not, in fact, been designed with consumers in mind. It is, by microsofts own cheerful admission, purposely built to help 'rights holders' of stuff you use keep you from deviating from their precious business plan.
Perhaps this is fair enough, but there should be a trade off. I see no evidence that the rights of the OS purchaser are being properly considered. Even XP assumes you are a pirate unless proven otherwise. That reveals a lot about their views of the lowly home consumer.
Now how are you going to get around THAT?
Periodic live-CD system file scanning?
Information wants to be free.
Entertainment wants to be paid.
You just want to be cheap.
You could get around that by detecting this code at the driver level -- as it's being read or written from disk or received on the network -- but that's still possible to work around: Download it in an encrypted archive (with a key that's different for each download) into an encrypted partition, dearchive and run it there and the disk drivers will never see the byte pattern matching BluePillDetect.exe.
All that said -- I can see how one could twiddle the bits (modifying BPD's code, not the system characteristics) within the VMM to make the system itself undetectable to BluePillDetect on a standalone machine (one would need to look for BluePillDetect only if a pattern appropriate to it is seen -- say, a specific trapped instruction being called very frequently -- though if BPD could be written to need only a small number of common trapped instruction calls, and it's passed through the disk and network drivers only in encrypted form, it's hard to see how its activity could be easily detected from a VMM without serious overhead), but not how to stay undetectable with another networked machine assisting. If BluePillDetect provides a challenge which a system running under a VMM can perform quickly and a system not running under a VMM can't and another system on the network is involved in the test (validating the answers and the times at which they were received), the system under the VMM is sunk -- at least if the challenge is dynamically modifiable enough that it can't patch BluePillDetect with code to provide the remote machine with a precanned answer. Sure, the local system may still not know it's been hacked -- but the remote system will, and that's enough.
To the extent that Blue Pill was claimed to be 100% undetectable, I do believe it's debunked. Might the war continue? Sure -- but it's the same war it's always been.
I'm still just amazed that people don't do this anyway. My understanding is that today's approach to AV is that people run AV applications on possibly infected systems, while infected, to try to diagnose and remove malware. The blue pill claims to invalidate this approach, but that approach was already invalid. You can't trust an infected system, period. If this is how you approach malware, you are doomed, and whether the blue pill is all it's cracked up to be or not, is irrelevant. They will get you someday, if you trust your system to look at itself. This is absolutely inevitable.
What's so disappointing, is that this is a very, very basic and fundamental principle. You don't have to be a virtualization expert to know this. Indeed, there was a time when everyone knew it. It's so sad that the AV companies have dumbed down the public.
BTW, the interviewee goes on to claim that using an external time source (presumably that is totally un-virtualizable) is a foolproof way to detect when you're running under virtualization. Keep in mind that all you might learn from such a test, is whether or not you're virtualized. This will still not give a user any way to detect whether you're running running malware or not. I think a time is coming when virtualization becomes mainstream, simply for security and compartmentalization reasons. When that happens, users will expect the "am I virtualized?" test to return True, so this test will not necessarily lead anyone to suspect their system is compromised.
So give up on this approach. I promise you: you're absolutely doomed if you rely on AV tools running while possibly compromised. You must boot a known-clean system before you scan.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
This is unfortunate mistake
Yes, it is.
With a name like "blue pill" you know it has to be fake. What is it? Blue pill, developed by h4XX, Inc.?
Can someone tell me what the hell this sentence means?
"This is unfortunate mistake that people make when they jump to conclusions based on what is unfounded speculation and that includes the assumption that this would somehow be Vista specific, if it worked"
It seems to be saying that there is a proper way of jumping to conclusions based on unfounded speculation, but that sometimes people make a mistake in doing so and that one of those mistakes is assuming that the "blue pill" thing is Windows Vista specific. I can't even begin to figure out how "if it worked" is supposed to fit in with the rest of that sentence. Have our writing classes become that bad, or is the author a homeschooler?
Booting from read-only media and cleaning a compromised machine works well for *nix systems, but there isn't a usable live CD malware removal tool for Windows. Unmodified Windows won't run from read-only media, the lack of a complete, free, legal NTFS driver and automated tools for removing Windows-specific malware makes Linux live DC distros impractical, and the pain of dealing with BartPE makes that a non-starter for all but the most technically adept admins. Until you can pop a disc in the drive, reboot, and click a big red "Kill Malware" button, people are going to keep using AV applications from within compromised Windows environments.
0 1 - just my two bits
Am I the only person that thought this posting was going to be about Viagra? Must just be the email I've been getting lately.
Most people can't even detect spyware running until there are like tons of them running!
Anyway, the blue pill stuff is overrated.
AFAIK the new x86 hardware VM features are supposed to allow you to run VMs in VMs and other stuff.
So, just make sure you boot Vista or whatever O/S of you choice in a hardware VM right from the very beginning. Call that sort of thing a "white pill" if you want.
Then the white pill can just scan for or intercept blue pill stuff. The white pill can use whatever tricks the blue pill can, and since it got there first, there's very little the blue pill can do about it.
Yawn...
A vm that sees you load BluePillDetect.exe just goes in and twiddles a few bits here and there in the app
There exists an infinite number of bit patterns performing the task of BluePillDetect.exe. 99.99999% of them will be unrecognized by the malware. If the user can install one of them, or even type one in, then the malware is not "100% undetectable." So the claim has been debunked.You forget, my BluePill detect program uses DMA requests to the video card to scan main memory for the presence of any hypervisor.
Dearchiving [1] can be done without using the disk drivers?
[1] -- in other words, reading the encrypted version, expanding it, and writing out the expanded version.
Or perhaps you meant "unencrypt into memory and run it from there", which might do what you want.
That they're finally debunked that blue pill nonsense. I'm tired of getting spam for that stuff.
.. paranoid crackpot leftover from the days of Amiga.
Unless I'm hearing her wrong, Rutkowska is only claiming that to the extent the underlying virtualiztion is complete, the existence of the hypervisor is undetectable, in principle, to code running under it. Only if you break out of that closed system, maybe by way of Chaumian double-blinding to an external third-party or agent by some other means opaque to the hypervisor (an issue I'm looking into right now) or, as has been mentioned, external (to restate myself) timing references, which are suspect under a complete virtualization *unless* there is some opacity wrt the hypervisor's view, can you (meaining in this context, the virtualized code. Again this has been pointed out explicitly by Rutkowska.) guarantee that you aren't being diddled.
In practice, there are always implementation isssues, and Liquroi is not to be faulted for pointing them out, but I don't see that he has sucessfully countered her main thesis.
I should hasten to add that the issue Rutkowska raises should not be considered any kind of argument against virtualization. Virtualization implementors may want to consider security cutouts at some point, though. In the end, astute users are going to be the court of last resort. Scary thought, that. (I fix PeeCees to put bread on the table right now, and the tales I could tell about lusers...well, I'm sure I'm not alone there.)
Assertation is an unfamiliar concept I have to look into. Sounds just a little bit implausible to me, but then so does Kant.
Ok, so many "Blue Pill" fanboys (wtf?), have completely missed this. I was sceptical so I hauled out the AMD Architechture Programmer's Manual, and it clearly states on Page 440 that VMRUN may only be executed in CPL-0. Hence the only way "Blue Pill" can be loaded is if the kernel is compromised, in which case you're hosed anyway.
Now assuming Blue Pill can load itself from CPL-3, it indicates that the current AMD64 proccessor's incorrectly implement SVM, in which case this will not work on later processor's. This has happened before, for example the Pentium Crashnow instruction which caused an instant reboot regardless of CPL.
What could be better than a jet powered motorcycle? http://www.youtube.com/watch?v=u8l6GTHLSWE
...these guys wouldn't be rushing to defend any of this.
And as you knee-jerk reactionary PC-types mod me down as a 'troll', or for 'flamebaiting', be aware that we all know that you know I'm completely correct.
The truth hurts, doesn't it?
Are all the subscribers to this hype braindead? The blue pill and all the related issues are only relevant if there is no existing hypervisors running on machines that have VT/SVM hardware features enabled (some BIOSs disable these extensions by default). What makes you think neither Microsoft nor security vendors themselves would create lightweight hypervisors for the purpose of locking out blue pill and it's misinformed fanboys out? Windows Longhorn Server plans to support server virtualization out of the box and therefore, is very likely to have a hypervisor running by default.
There was a instruction to reboot the Pentium regardless of CPL? The only instruction I'd remember like that is "lock cmpxchg8b eax" (or any other normal register). That instruction caused the CPU to lock up due to an incorrect implementation of the "invalid opcode" exception. This was called the "f00f bug" because its bytes were F0 0F C7 C8.
Melissa
"Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
I can't believe no one has commented on the fact that she's female yet.
I'd hit it, assuming she's as cute as she looks in that picture.
+++ATH0
That's not a strong discriminator.
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
If you're expanding out of an encrypted archive into an encrypted partition (think TrueCrypt or Norton's equivalent tools), no, it's never going to touch disk in raw form. Decrypting from memory makes more sense, though, in terms of not requiring an additional 3rd-party tool to be involved.
May be he should attend the presentation before making such bold statements as well. I attended her presentation in person, amd she addressed all the issues he claims are able to detect the virtualization.