Slashdot Mirror


Blue Pill Myth Debunked

njyoder writes "As previously posted about, Joanna Rutkowska claimed to have discovered an allegedly undetectable vulnerability in Vista that takes advantage of AMD CPUs' virtualization capabilities. A virtualization professional (Anthony Liguori of the Xen project) has now voiced his opinion to state this is bunkum. There are two parts to this: the ability to take over the machine and seamlessly drop the OS into a VM (which is very difficult, but possible) and the ability to have Windows run in the VM undetectably (which is impossible). In fact, Rutkowska's prototype is VERY detectable. This is an unfortunate mistake that people make when they jump to conclusions based on what is unfounded speculation, and that includes the assumption that this would somehow be Vista specific, if it worked (noting that Vista doesn't run with administrator privileges by default)."

9 of 128 comments

  1. Detection by CastrTroy · · Score: 5, Insightful

    I think the problem is not whether or not it can be detected by a professional, or a malware detection program, but whether or not it can be detected by the user of the computer. If you can run the entire OS in a VM, without the user knowing, then there's a lot of stuff you can do that would probably be a lot harder to do if you were just running regular malware. Although it's reassuring that this wasn't as bad as we expected, I still expect to see a few exploits that use this method to install malware, and spy on what the user is doing.

    --

    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    1. Re:Detection by vertinox · · Score: 2, Insightful

      If you can run the entire OS in a VM, without the user knowing,

      So would the best solution be to try to run 3D FPS games to see if they work?

      As far as I know, one of the problems with VMs is that 3D acceleration may not work as expected, but most VM companies are trying to get around this with much success.

      --
      "I am the king of the Romans, and am superior to rules of grammar!"
      -Sigismund, Holy Roman Emperor (1368-1437)
    2. Re:Detection by cnettel · · Score: 2, Insightful

      Well, that's mostly not because of virtualization, but because of coexistence with the host OS. In this case, there is no host, just a hypervisor hacking specific calls. Any call to the graphics hardware could be let through, if desired. The performance hit would be acceptable for the non-inquisitive user.

  2. Detection-My buddy, the program. by Anonymous Coward · · Score: 1, Insightful

    "I think the problem is not whether or not it can be detected by a professional, or a malware detection program, but whether or not it can be detected by the user of the computer."

    And people are going to detect it how? That's right. Using a program. Just like we detect all the other stuff.

    1. Re:Detection-My buddy, the program. by Anthony+Liguori · · Score: 2, Insightful

      When people talk about Blue Pill as being "undetectable" they mean "through the use of a program."

      And that's Joanna's point. Properly constructed, Blue Pill 2 (the successor with full emulation support coded in--she herself admitted that her prototype is imperfect) would be undetectable by software running inside the VM.


      This is the fundamental problem I have. So she has a crappy prototype but claims that the next version will be undetectable? Where's the paper? What is she exploiting to make this actually work?

      She's got a theoretically "undetectable" exploit for which there is a theoretical way to detect it. Doesn't that seem a little odd? How big do you think Blue Pill 2 would have to be? Just to make the VMM itself would require something akin to Xen or VMware. We're talking hundreds of thousands of lines of code. Is that really a practical exploit in large enterprises?

      Even with a full emulator, you cannot keep the VM from consulting external time sources in general. Just fixing up the TSC is not enough.
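The two detection angles raised in the reply above (the cycle cost of an instruction that must exit to the hypervisor, and cross-checking the TSC against another clock) as an added, runnable example. This is illustrative code written for this page, not Blue Pill, Xen or any shipped detector. Under VT-x and AMD-V the CPUID instruction always causes a VM exit, so timing it with RDTSC exposes a thin hypervisor; a VMM that hides that by backdating the guest TSC then has to keep the TSC consistent with every other clock the guest can reach. Assumptions: the 500-cycle threshold is an illustrative value, and CLOCK_MONOTONIC stands in for the external time source (in practice NTP) that the reply says a VMM cannot fully control; the function names are this example's own.

```c
/*
 * Added example: two timing checks a guest OS can run to notice a thin
 * hardware-assisted VMM. Not Blue Pill, Xen or any real detector's code.
 *
 *  1. CPUID unconditionally exits to the hypervisor under VT-x/AMD-V, so its
 *     RDTSC-measured cost is much higher under a VMM than on bare metal.
 *  2. A VMM that hides (1) by backdating the TSC after each exit lowers the
 *     TSC-per-reference-nanosecond rate in a CPUID-heavy window relative to
 *     an idle window. CLOCK_MONOTONIC is the stand-in reference clock here
 *     (assumption); a real check would use an external source such as NTP.
 *
 * The 500-cycle threshold in main() is an assumed, illustrative value.
 */
#define _POSIX_C_SOURCE 199309L
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

static uint64_t monotonic_ns(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
}

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
static uint64_t read_tsc(void)
{
    uint32_t lo, hi;
    __asm__ __volatile__("rdtsc" : "=a"(lo), "=d"(hi));
    return ((uint64_t)hi << 32) | lo;
}
/* CPUID leaf 0 (vendor string): cheap natively, always an exit under a VMM. */
static void trapping_instruction(void)
{
    unsigned int a, b, c, d;
    __get_cpuid(0, &a, &b, &c, &d);
}
#else
/* Non-x86 fallback so the file still builds: no TSC, no trapping instruction. */
static uint64_t read_tsc(void) { return monotonic_ns(); }
static void trapping_instruction(void) { }
#endif

static int cmp_u64(const void *x, const void *y)
{
    uint64_t a = *(const uint64_t *)x, b = *(const uint64_t *)y;
    return (a > b) - (a < b);
}

/* Check 1: median TSC cost of one CPUID over `samples` trials (max 4096). */
uint64_t cpuid_cycles_median(int samples)
{
    static uint64_t cost[4096];
    if (samples < 1 || samples > 4096) samples = 256;
    for (int i = 0; i < samples; i++) {
        uint64_t t0 = read_tsc();
        trapping_instruction();
        cost[i] = read_tsc() - t0;
    }
    qsort(cost, (size_t)samples, sizeof cost[0], cmp_u64);
    return cost[samples / 2];
}

/* Bare metal typically measures well under the threshold; a VM exit costs more. */
int looks_virtualized(uint64_t median_cycles, uint64_t threshold_cycles)
{
    return median_cycles > threshold_cycles;
}

/* Check 2: (TSC ticks per reference ns in a CPUID-heavy window) divided by
 * the same rate in an idle window of equal length. Honest clocks give ~1.0;
 * a VMM that backdates the TSC to hide exits pushes the ratio below 1.0. */
double tsc_rate_skew(int iterations)
{
    uint64_t r0 = monotonic_ns(), t0 = read_tsc();
    for (int i = 0; i < iterations; i++) trapping_instruction();
    uint64_t t1 = read_tsc(), r1 = monotonic_ns();
    uint64_t busy_ns = r1 - r0;
    if (busy_ns == 0 || t1 == t0) return 1.0;   /* nothing measurable (fallback build) */

    uint64_t r2 = monotonic_ns(), t2 = read_tsc();
    while (monotonic_ns() - r2 < busy_ns) { /* idle spin, no exits */ }
    uint64_t t3 = read_tsc(), r3 = monotonic_ns();
    if (r3 == r2 || t3 == t2) return 1.0;

    double busy_rate = (double)(t1 - t0) / (double)busy_ns;
    double idle_rate = (double)(t3 - t2) / (double)(r3 - r2);
    return busy_rate / idle_rate;
}

int main(void)
{
    uint64_t med = cpuid_cycles_median(256);
    double skew = tsc_rate_skew(20000);
    printf("median CPUID cost: %llu cycles -> %s\n", (unsigned long long)med,
           looks_virtualized(med, 500) ? "VM exit likely" : "looks native");
    printf("busy/idle TSC rate ratio: %.3f\n", skew);
    return 0;
}
```

Run it natively and inside a VM to see the first number jump by an order of magnitude; the second check only matters once a VMM starts fudging the TSC to defeat the first, which is exactly the point that rewriting one counter is not enough when other clocks remain reachable.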

    2. Re:Detection-My buddy, the program. by Sancho · · Score: 2, Insightful

      The problem is that you're thinking of software virtualization rather than hardware virtualization (as in the Core Duo chips and AMD's newer chips). Both of your cases outlined above are dealt with using the instruction sets in these chips.

      1) The hardware is the same unless the hypervisor changes what the software sees. All the hardware in the device manager will look just like it did pre-virtualization. This was demonstrated at Black Hat.

      2) This is simply not true with hardware virtualization. It may be difficult to do, but Blue Pill was demonstrated through a video file as not requiring a reboot to initialize the VM with the running OS's settings. Furthermore, a live demonstration (first attempt crashed, though the second attempt was successful) on a Macbook showed that this was possible without a reboot.

      What you have to realize is that this is all very new stuff on bleeding edge processors. It will be years before the majority of CPUs in homes will have this capability. For most users, what you say above is true--but not with these new chips.

  3. Impossible to not be detected? by nurb432 · · Score: 2, Insightful

    I don't agree with that statement.

    While I agree it would be really, really damned hard to do, you could create a VM that the host OS won't recognize as being a VM. Sure, it would have to accommodate each new PC out there as hardware changes, and it would be a massively complex beast that more than likely could never be turned into a worm/virus/trojan that you wouldn't see coming a mile away, but it could be done.

    Never say impossible when logic says it could be done. Just say impractical.

    --
    ---- Booth was a patriot ----
    1. Re:Impossible to not be detected? by Anthony+Liguori · · Score: 4, Insightful

      Never say impossible when logic says it could be done. Just say impractical.

      There are actually things in computer science that are impossible. Usually, they are problems of the form "figure out whether another program has property X". The classic example is the halting problem.

      Recall, I'm disputing the claim of "100% undetectable". You could make something that's really, really, really hard to detect.

  4. It's a prototype by Bartmoss · · Score: 2, Insightful

    The exploit is the first of its kind for Vista. Give this a few years and add the high motivation of criminals who make millions by exploiting PCs and you can be sure we'll eventually see some quite nasty stuff.