Slashdot Mirror


Blue Pill Myth Debunked

njyoder writes "As previously posted about, Joanna Rutkowska claimed to have discovered an allegedly undetectable vulnerability in Vista that takes advantage of AMD CPUs' virtualization capabilities. A virtualization professional (Anthony Liguori of the Xen project) has now voiced his opinion to state this is bunkum. There are two parts to this — the ability to take over the machine and seamlessly drop the OS into a VM (which is very difficult, but possible) and the ability to have Windows run in the VM undetectably (which is impossible). In fact, Rutkowska's prototype is VERY detectable. This is an unfortunate mistake that people make when they jump to conclusions based on what is unfounded speculation, and that includes the assumption that this would somehow be Vista specific, if it worked (noting that Vista doesn't run with administrator privileges by default)."

10 of 128 comments

  1. Re:When the heart rules the mind.... by MindStalker · Score: 2, Informative

    Yes. http://www.intel.com/technology/computing/vptech/

    Of course this is intended for high-end systems. Like all other technology, expect to see it in regular systems in no time.

  2. Re:That's great! by Anonymous Coward · Score: 1, Informative

    This really has nothing to do with Vista. The premise of the "exploit" is that some piece of malware obtains enough access to the machine to effectively install its own OS shim which acts as a virtual machine host, or VMM, or hypervisor, which then launches the original natively-executing OS as a guest OS. The shim would be able to perform nefarious acts with full access to the memory and execution of the guest OS while being effectively undetected by the guest OS, since it's not technically running in the memory of the guest OS.

    Effectively this vulnerability is a hardware one and would affect any OS which is compatible with the platform. However, as the article states, it would be a Helluva engineering feat to accomplish loading the virtual machine host and then piggybacking the native OS, and even then, due to the fact that the virtual machine host has to catch and emulate certain instructions, it will always be detectable, if just through performance characteristics of those instructions.

  3. Re:vista running with admin privileges? by Timesprout · Score: 2, Informative

    ffs, it's a beta; they have said all along the final RC will not run under admin

    --
    Do not try to read the dupe, that's impossible. Instead, only try to realize the truth
    What truth?
    There is no dupe

  4. Re:my take by Anthony Liguori · Score: 4, Informative

    If mosquito and similar tools are not moving towards VMMs, I'd be very surprised. After all, it is a logical step (from VM as a payload to a VMM as a payload).

    Of course, VMMs can be used to do all sorts of nasty things. A VMM-level virus could certainly be nasty. And an important point to note is that it may be entirely possible for a virus to be hidden in a VMM and for a virtual machine not to be able to detect that virus. Will VMMs need anti-virus software? I hope they don't suck that much.

    What "blue pill" is though is something much different. It's claim is that you can take a native Operating System and turn it into a virtual machine without the OS knowing about it.

  5. Not the only one to come to this conclusion... by Anthony Liguori · Score: 2, Informative

    FWIW, Keith Adams of VMware posted a recent blog entry saying "Blue Pill" is quasi-illiterate gibberish, and there have been a number of other folks that have come to the same conclusion.

  6. Re:Detection by gclef · Score: 4, Informative

    This is hardware virtualization we're talking about, not software. The processor manufacturers have built virtualization calls into their chipsets. The side-effect of this is that the hypervisor can simply tell the BIOS "I'm the hypervisor...but, only call me when these specific requests are made." So, the hypervisor could simply choose to ignore the sound and video hardware, leaving those as fast as they were before.

    The only way to tell the hypervisor is there is to find a CPU call that the hypervisor *does* care about, and compare how long it takes to run that command before & after the rootkit pushes the OS to a guest OS. That's what the Xen guy is talking about.

    (I was at Rutkowska's talk...I'm not sure I buy the Xen guy's response.)

  7. Re:Detection-My buddy, the program. by Sancho · Score: 4, Informative

    When people talk about Blue Pill as being "undetectable" they mean "through the use of a program."

    And that's Joanna's point. Properly constructed, Blue Pill 2 (the successor with full emulation support coded in--she herself admitted that her prototype is imperfect) would be undetectable by software running inside the VM. She discusses the possibility of a timing attack using an external clock, but also notes that this is infeasible in a large deployment. Certainly it would be infeasible for your average person running a computer (evidenced by the fact that some of them don't even run antivirus/antimalware programs at all and get horribly infected!)

    I was at Joanna's Black Hat briefing. Not once did she imply that this was Vista specific--in fact, she mentioned another briefing with the same sort of rootkit--only running on a MacBook. Her briefing was entitled "Subverting the Vista Kernel for Fun and Profit" because the first half of her talk was about elevating privileges in Vista, which would allow a rootkit such as Blue Pill to run.

    I think that the danger here lies somewhere between "The end is very fucking nigh" and "This is absolutely nothing to worry about." Yes, it's extremely hard to implement. But that shouldn't mean we don't worry about it, because one implementation and it will be much easier to reverse engineer/modify to do other nasty things. Also, the eventual inability to detect in software means that if such an attack ever comes to pass, it will be extremely difficult to clean en masse (virtually requiring a reinstall or a livecd).

  8. Re:Detection by Sancho · Score: 2, Informative

    It was quite an amazing talk, wasn't it?

    She admitted that timing attacks were her weakness, as did the other guy who talked about virtualization-based rootkits. The problem is that you have to have a benchmark to compare it to, and you have to assume that the hypervisor doesn't modify the time whenever it is called. If the time does get modified, then the only way we know of to detect the rootkit is to measure clock skew on the infected PC using a real time source. This, of course, assumes that there isn't any real clock skew, or you get a bunch of false positives.

    All of this requires a full implementation of Blue Pill, though, including the ability to virtualize "within" the virtualized OS. That is something that will be a while coming--then again, mass adoption of CPUs which can handle virtualization will be a while coming, too.
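The instruction-timing check that gclef (comment 6) and Sancho (comment 8) describe, written out as an added example that is not from the thread or from anyone quoted in it: it times CPUID, which causes an unconditional VM exit on Intel VT-x and is intercepted by practically every VMM on AMD-V, and compares the median cost against a baseline recorded on known-clean hardware. RDTSC, CPUID and the GCC/clang `cpuid.h`/`x86intrin.h` headers are real; the 10x threshold, the 1000-sample count and the 200-cycle baseline are assumptions, and the non-x86 fallback exists only so the file compiles elsewhere.

```c
/* Added example: local timing detection of a hypervisor, as discussed in comments 6 and 8.
 * Baseline must come from the same machine while known clean; threshold and sample
 * count below are assumed values, not measurements from the thread. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#include <x86intrin.h>
/* Cycle cost of one CPUID bracketed by RDTSC; unserialised and noisy, which the median absorbs. */
static uint64_t time_cpuid_once(void) {
    unsigned a, b, c, d;
    uint64_t t0 = __rdtsc();
    __cpuid(0, a, b, c, d);           /* leaf 0 (vendor string): trapped by the VMM */
    (void)a; (void)b; (void)c; (void)d; return __rdtsc() - t0;
}
#else
static uint64_t time_cpuid_once(void) { return 0; } /* no CPUID to trap on this arch */
#endif

static int cmp_u64(const void *x, const void *y) {
    uint64_t a = *(const uint64_t *)x, b = *(const uint64_t *)y;
    return (a > b) - (a < b);
}
/* Median, not mean: interrupts and scheduling add a long tail that would inflate a clean baseline. */
uint64_t median_cycles(uint64_t *samples, size_t n) {
    if (n == 0) return 0;
    qsort(samples, n, sizeof *samples, cmp_u64);
    return n % 2 ? samples[n / 2] : (samples[n / 2 - 1] + samples[n / 2]) / 2;
}
uint64_t measure_cpuid_median(size_t n) {
    uint64_t *s = calloc(n, sizeof *s); if (!s) return 0;
    for (size_t i = 0; i < n; i++) s[i] = time_cpuid_once();
    uint64_t m = median_cycles(s, n);
    free(s);
    return m;
}
/* Comment 8's caveat: a VMM that rewinds the TSC on every exit defeats this local comparison,
 * which is why an external clock is the fallback; 10x (assumed) leaves room for clock scaling. */
int vmm_suspected(uint64_t baseline_median, uint64_t observed_median) {
    return baseline_median > 0 && observed_median >= 10 * baseline_median;
}

int main(void) {
    uint64_t clean = 200; /* constructed stand-in for a baseline recorded on a clean machine */
    uint64_t now = measure_cpuid_median(1000);
    printf("median CPUID: %llu cycles -> %s\n", (unsigned long long)now,
           vmm_suspected(clean, now) ? "VMM suspected" : "consistent with baseline");
    return 0;
}
```

Run once on hardware you trust to obtain the real baseline for that machine, since CPU model and frequency make a fixed constant meaningless.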

  9. Re:Detection-My buddy, the program. by Sancho · Score: 2, Informative

    Right. As has been said, "undetectable" means "from within the VM itself". You're also talking about prevention, which is equally important. TPM could also prevent virtualization-based exploits, already exists in a fairly convenient form, is more robust (doesn't require an external server which could be down or bogged down), and fits in fairly well with corporate culture.

  10. Re:Detection-My buddy, the program. by Sancho · Score: 4, Informative

    The paper was presented at Black Hat. She explained what is required in order to fully "emulate" the instructions required to make it undetectable. Essentially, Blue Pill would need a shim that passes virtualization instructions back up the chain until they could be executed for real, then return everything back down. It's not as huge as everyone thinks, but it's not trivial, either. But yes, she's outlined what has to be done.

    I bet you can find a PDF of her slides somewhere online, if you're interested.