Slashdot Mirror


Blue Pill Myth Debunked

njyoder writes "As previously posted about, Joanna Rutkowska claimed to have discovered an allegedly undetectable vulnerability in Vista that takes advantage of AMD CPUs' virtualization capabilities. A virtualization professional (Anthony Liguori of the Xen project) has now voiced his opinion to state this is bunkum. There are two parts to this — the ability to take over the machine and seamlessly drop the OS into a VM (which is very difficult, but possible) and the ability to have Windows run in the VM undetectably (which is impossible). In fact, Rutkowska's prototype is VERY detectable. This is an unfortunate mistake that people make when they jump to conclusions based on what is unfounded speculation, and that includes the assumption that this would somehow be Vista specific, if it worked (noting that Vista doesn't run with administrator privileges by default)."

29 of 128 comments

  1. I always take by Anonymous Coward · · Score: 2, Funny

    the red pill but I still wake up in hell each morning ... Vista will be shipping.

  2. Detection by CastrTroy · · Score: 5, Insightful

    I think the problem is not whether or not it can be detected by a professional, or a malware detection program, but whether or not it can be detected by the user of the computer. If you can run the entire OS in a VM, without the user knowing, then there's a lot of stuff you can do that would probably be a lot harder to do if you were just running regular malware. Although it's reassuring that this wasn't as bad as we expected, I still expect to see a few exploits that use this method to install malware, and spy on what the user is doing.

    --

    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    1. Re:Detection by vertinox · · Score: 2, Insightful

      If you can run the entire OS in a VM, without the user knowing,

      So would the best solution be to try to run 3D FPS games to see if they work?

      As far as I know one of the problems with VMs is that 3D acceleration may not work as expected, but most VM companies are trying to get around this with much success.

      --
      "I am the king of the Romans, and am superior to rules of grammar!"
      -Sigismund, Holy Roman Emperor (1368-1437)
    2. Re:Detection by cnettel · · Score: 2, Insightful

      Well, that's mostly not because of virtualization, but because of coexistence with the host OS. In this case, there is no host, just a hypervisor hacking specific calls. Any call to the graphics hardware could be let through, if desired. The performance hit would be acceptable for the non-inquisitive user.

    3. Re:Detection by gclef · · Score: 4, Informative

      This is hardware virtualization we're talking about, not software. The processor manufacturers have built virtualization calls into their chipsets. The side-effect of this is that the hypervisor can simply tell the BIOS "I'm the hypervisor...but, only call me when these specific requests are made." So, the hypervisor could simply choose to ignore the sound and video hardware, leaving those as fast as they were before.

      The only way to tell the hypervisor is there is to find a CPU call that the hypervisor *does* care about, and compare how long it takes to run that command before & after the rootkit pushes the OS to a guest OS. That's what the Xen guy is talking about.

      (I was at Rutkowska's talk...I'm not sure I buy the Xen guy's response.)

    4. Re:Detection by Sancho · · Score: 2, Informative

      It was quite an amazing talk, wasn't it?

      She admitted that timing attacks were her weakness, as did the other guy who talked about virtualization-based rootkits. The problem is that you have to have a benchmark to compare it to, and you have to assume that the hypervisor doesn't modify the time whenever it is called. If the time does get modified, then the only way we know of to detect the rootkit is to measure clock skew on the infected PC using a real time source. This, of course, assumes that there isn't any real clock skew, or you get a bunch of false positives.

      All of this requires a full implementation of Blue Pill, though, including the ability to virtualize "within" the virtualized OS. That is something that will be a while coming--then again, mass adoption of CPUs which can handle virtualization will be a while coming, too.

    5. Re:Detection by Anthony+Liguori · · Score: 4, Interesting

      This is hardware virtualization we're talking about, not software. The processor manufacturers have built virtualization calls into their chipsets.

      They've added extensions to facilitate trap-and-emulate virtualization.

      The side-effect of this is that the hypervisor can simply tell the BIOS "I'm the hypervisor...but, only call me when these specific requests are made."

      VT/SVM have absolutely nothing to do with the BIOS. Instead, they both introduce a new processor mode that can be entered at any point that allows certain operations to be trapped. These operations are more or less the set of classic x86-sensitive instructions.

      So, the hypervisor could simply choose to ignore the sound and video hardware, leaving those as fast as they were before.

      Yup. But we're not talking about hardware here. Keep in mind, that if you do allow direct access to hardware, one now has a channel to access all of memory which could be used to detect a virus in RAM. Let's ignore that for now though :-)

      The only way to tell the hypervisor is there is to find a CPU call that the hypervisor *does* care about, and compare how long it takes to run that command before & after the rootkit pushes the OS to a guest OS.

      Yup, and as I pointed out to Joanna, there are a number of CPU operations that one would *have* to trap. Things like %cr3 moves, msr reads/writes, etc. Otherwise, one can just search memory for a signature. BTW, how does she hide the memory of the VMM from the guest? I didn't address this because there are some potential solutions (like memory hotplug) but this, in practice, would be a very hard problem to solve. You can just take away memory from an Operating System and expect things to function normally.

      Why do you think she addressed this in her talk? I brought it up to her before she presented...

      Anyway, you have to take a trap at some point. There are only a small number of possible instructions that trap. A very thorough "detector" could simply check the timing of every trappable instruction.

      If she's not trapping any instructions, then the monitor is never getting run so is it really a monitor anymore?

      BTW, on VT at least, the VMM doesn't get a choice for certain instructions. They always trap no matter what.

  3. When the heart rules the mind.... by SubliminalVortex · · Score: 2, Interesting

    Most operating systems don't take advantage of the facilities the 'processor' provides for them. This has been true for quite some generations of operating systems.

    I would probably take heart to this if a hardware (or firmware) engineer spoke up and noted that this is a possibility. Are processors now offering virtualization in-chip?

    1. Re:When the heart rules the mind.... by MindStalker · · Score: 2, Informative

      Yes. http://www.intel.com/technology/computing/vptech/

      Of course this is intended for high-end systems. Like all other technology, expect to see it in regular systems in no time.

  4. Re:Detection-My buddy, the program. by Fordiman · · Score: 2

    Actually, I think most people would be able to detect it when it fails utterly to work, and instead performs a quick BSD.

    --
    110100 1101000 1101000 1100110 0 1101111 1101000 1100011 1
  5. Impossible to not be detected? by nurb432 · · Score: 2, Insightful

    I don't agree with that statement.

    While I agree it would be really, really damned hard to do it, you could create a VM that the host OS won't recognize as being a VM. Sure, it would have to accommodate each new PC out there as hardware changes, and it would be a massively complex beast that more than likely could never be turned into a worm/virus/trojan that you wouldn't see coming a mile away, but it could be done.

    Never say impossible when logic says it could be done. Just say impractical.

    --
    ---- Booth was a patriot ----
    1. Re:Impossible to not be detected? by Anthony+Liguori · · Score: 4, Insightful

      Never say impossible when logic says it could be done. Just say impractical.

      There are actually things in computer science that are impossible. Usually, they are problems in the form "figure out whether another program has property X". A classic example is the halting problem.

      Recall, I'm disputing the claim of "100% undetectable". You could make something that's really, really, really hard to detect.

  6. my take by brennz · · Score: 4, Interesting

    I'm not so sure Anthony Liguori is right.

    Most people in the security community are well aware of the http://www.ephemeralsecurity.com/mosref demo at http://static.ephemeralsecurity.com/mosvm/demo1.html (more detail at http://static.ephemeralsecurity.com/mosvm/Mosref%20Howto.html) and the continual move toward VMs.

    If mosquito and similar tools are not moving towards VMMs, I'd be very surprised. After all, it is a logical step (from VM as a payload, to a VMM as a payload).

    1. Re:my take by Anthony+Liguori · · Score: 4, Informative

      If mosquito and similar tools are not moving towards VMMs, I'd be very surprised. After all, it is a logical step (from VM as a payload, to a VMM as a payload).

      Of course, VMMs can be used to do all sorts of nasty things. A VMM-level virus could certainly be nasty. And, an important point to note, is that it may be entirely possible for a virus to be hidden in a VMM and for a virtual machine not to be able to detect that virus. Will VMMs need anti-virus software? I hope they don't suck that much.

      What "blue pill" is though is something much different. Its claim is that you can take a native Operating System and turn it into a virtual machine without the OS knowing about it.

  7. Of course it's difficult to do in Vista by Ant+P. · · Score: 4, Interesting

    Which is why malware's going to do this on Windows XP, then lie dormant until it detects Vista installed.

  8. Re:Detection-My buddy, the program. by ElleyKitten · · Score: 4, Funny

    Actually, I think most people would be able to detect it when it fails utterly to work, and instead performs a quick BSD.

    BSOD. Unless Vista has a special feature where it will randomly install BSD over itself. That would be the best Windows ever!

    --
    "What is Internet Explorer 7? Are you saying we can't access the normal internet?" - I love tech support. Really.
  9. Vista running with admin privileges? by jtdennis · · Score: 2, Interesting

    At least with Beta 2, Vista did run with admin privileges, just as all previous versions of Windows. But you have that box that pops up whenever you use those privileges. MS has done a good PR campaign to make people think it doesn't, but install Beta 2 for yourself: the user created in setup is an admin just like in XP. I sincerely hope that this is changed with RC1.

    --
    -- "Freedom is the right of all sentient beings" -Optimus Prime
    1. Re:Vista running with admin privileges? by Timesprout · · Score: 2, Informative

      ffs it's a beta; they have said all along the final RC will not run under admin

      --
      Do not try to read the dupe, that's impossible. Instead, only try to realize the truth
      What truth?
      There is no dupe
  10. It's a prototype by Bartmoss · · Score: 2, Insightful

    The exploit is the first of its kind for Vista. Give this a few years and add the high motivation of criminals who make millions by exploiting PCs and you can be sure we'll eventually see some quite nasty stuff.

  11. Not the only one to come to this conclusion... by Anthony+Liguori · · Score: 2, Informative

    FWIW, Keith Adams of VMware posted a recent blog entry: "Blue Pill" is quasi-illiterate gibberish. There have been a number of other folks that have come to the same conclusion.

  12. debunked? I don't think so... by v1 · · Score: 4, Interesting

    Though there is a little war the authors neglect to mention. If I am writing a blue pill virus VM, and I KNOW there is software out there that is trying to detect me, it's completely worthless. Since I own the machine at that point, I can modify the programs running, with impunity. That's like all the viruses that are out there right now that are more or less immune to Norton... they know what the "threat" is, and they plan accordingly; they know its weaknesses and simply sidestep right around it.

    A VM that sees you load BluePillDetect.exe just goes in and twiddles a few bits here and there in the app before it actually puts it in the execute queue, or subtly mucks with its registers while it's executing. Now the program blissfully reports just what the VM wants it to report... "no VM detected."

    Now how are you going to get around THAT? If you are running on a totally owned system, you cannot tell me there is anything you can do that is guaranteed to work, especially if you are using a commonly available tool that the VM author had access to.

    You simply cannot win at their game if they are the ones writing the rules. You can claim victory for a day or two, until the VM authors get their hands on your tool and make the necessary modifications to their VM to cripple your tool, and then you are back to the drawing board.

    --
    I work for the Department of Redundancy Department.
  13. this stuff is what bothers me by rucs_hack · · Score: 2, Interesting

    With open source there's no problem. I can hear about a thing, test it, look at code, and decide whether it's an issue to me. Or if it's outside of my abilities, that wonderful peer review process can do the job for me. People who are being paid to say good things soon fall silent or get drowned out in the face of proof to the contrary from many sources who are not being paid, but do it out of interest.

    With closed source code of any type I have no such option. Instead all I get is 'experts' to tell me. But these guys have to eat, so they get paid by someone, and have a vested interest in being paid tomorrow. Therefore there can be no impartial advice.

    Heck, if the chief engineer on the shuttle program can be convinced to retract his refusal to sign off the shuttle because of O-ring problems, what hope is there for a trustworthy answer from anyone regarding closed source software?

    Ok, possibly I'm being too extreme with my example, but seriously I worry about the *true* safety of using an operating system which has not, in fact, been designed with consumers in mind. It is, by Microsoft's own cheerful admission, purposely built to help 'rights holders' of stuff you use keep you from deviating from their precious business plan.

    Perhaps this is fair enough, but there should be a trade off. I see no evidence that the rights of the OS purchaser are being properly considered. Even XP assumes you are a pirate unless proven otherwise. That reveals a lot about their views of the lowly home consumer.

  14. Re:Detection-My buddy, the program. by Sancho · · Score: 4, Informative

    When people talk about Blue Pill as being "undetectable" they mean "through the use of a program."

    And that's Joanna's point. Properly constructed, Blue Pill 2 (the successor with full emulation support coded in--she herself admitted that her prototype is imperfect) would be undetectable by software running inside the VM. She discusses the possibility of a timing attack using an external clock, but also notes that this is infeasible in a large deployment. Certainly it would be infeasible for your average person running a computer (evidenced by the fact that some of them don't even run antivirus/antimalware programs at all and get horribly infected!).

    I was at Joanna's Black Hat briefing. Not once did she imply that this was Vista specific--in fact, she mentioned another briefing with the same sort of rootkit--only running on a MacBook. Her briefing was entitled "Subverting the Vista Kernel for Fun and Profit" because the first half of her talk was about elevating privileges in Vista, which would allow a rootkit such as Blue Pill to run.

    I think that the danger here lies somewhere between "The end is very fucking nigh" and "This is absolutely nothing to worry about." Yes, it's extremely hard to implement. But that shouldn't mean we don't worry about it, because one implementation and it will be much easier to reverse engineer/modify to do other nasty things. Also, the eventual inability to detect in software means that if such an attack ever comes to pass, it will be extremely difficult to clean en masse (virtually requiring a reinstall or a livecd).

  15. Re:Detection-My buddy, the program. by Anthony+Liguori · · Score: 2, Insightful

    When people talk about Blue Pill as being "undetectable" they mean "through the use of a program."

    And that's Joanna's point. Properly constructed, Blue Pill 2 (the successor with full emulation support coded in--she herself admitted that her prototype is imperfect) would be undetectable by software running inside the VM.

    This is the fundamental problem I have. So she has a crappy prototype but claims that the next version will be undetectable? Where's the paper? What is she exploiting to make this actually work?

    She's got a theoretically "undetectable" exploit for which there is a theoretical way to detect it. Doesn't that seem a little odd? How big do you think Blue Pill 2 would have to be? Just to make the VMM itself would require something akin to Xen or VMware. We're talking hundreds of thousands of lines of code. Is that really a practical exploit in large enterprises?

    Even with a full emulator, you cannot keep the VM from consulting external time sources in general. Just fixing up the TSC is not enough.
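    The two detection ideas that run through this thread, timing a trappable instruction (gclef's and Anthony Liguori's posts in the Detection subthread) and cross-checking the TSC against a clock the hypervisor does not control (Sancho's clock-skew remark and the post above), as one added example. This is not code from the thread or from any poster or project; it is written for gcc/clang on x86, uses CPUID (which always causes a VM exit under VT) as the trapping instruction, and assumes two things the thread does not give: a constructed cycle threshold of 500, and CLOCK_MONOTONIC as a stand-in for the external time source, which a real deployment would take from NTP or a second machine.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#include <x86intrin.h>
#define HAVE_X86 1
#else
#define HAVE_X86 0
#endif

/* Constructed heuristic (assumption, not a figure from the thread): a native CPUID
 * costs on the order of a hundred cycles, a VM exit plus re-entry well over a thousand. */
#define VMEXIT_CYCLE_THRESHOLD 500ull

static int cmp_u64(const void *a, const void *b)
{
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

/* Median of n samples (sorts v in place); 0 for an empty array. The median keeps a
 * single interrupted run from deciding the verdict. */
uint64_t median_u64(uint64_t *v, size_t n)
{
    if (n == 0) return 0;
    qsort(v, n, sizeof *v, cmp_u64);
    return n % 2 ? v[n / 2] : (v[n / 2 - 1] + v[n / 2]) / 2;
}

/* 1 if the per-instruction cost looks like a trap-and-emulate round trip. */
int looks_trapped(uint64_t cycles_per_op, uint64_t threshold)
{
    return cycles_per_op >= threshold;
}

/* TSC cycles per reference nanosecond for the trapping loop, divided by the same
 * figure for a loop that never traps. A hypervisor that rewinds the TSC on each exit
 * to hide its cost pushes this well below 1, because it cannot rewind a clock it does
 * not control. Returns 0 on invalid input. */
double tsc_skew_ratio(uint64_t trap_cycles, uint64_t trap_ns,
                      uint64_t base_cycles, uint64_t base_ns)
{
    if (trap_ns == 0 || base_ns == 0 || base_cycles == 0) return 0.0;
    return ((double)trap_cycles / (double)trap_ns) /
           ((double)base_cycles / (double)base_ns);
}

static uint64_t ns_between(const struct timespec *t0, const struct timespec *t1)
{
    int64_t d = (int64_t)(t1->tv_sec - t0->tv_sec) * 1000000000LL
              + (int64_t)(t1->tv_nsec - t0->tv_nsec);
    return d > 0 ? (uint64_t)d : 0;
}

/* Time `iters` executions of CPUID (do_trap != 0) or of an arithmetic loop that never
 * exits (do_trap == 0). Returns TSC cycles per iteration and, via ref_ns, the elapsed
 * time on the reference clock. Returns 0 when not built for x86. */
uint64_t time_loop(unsigned iters, int do_trap, uint64_t *ref_ns)
{
#if HAVE_X86
    unsigned a = 0, b = 0, c = 0, d = 0;
    volatile unsigned sink = 0;
    struct timespec t0, t1;
    if (iters == 0) return 0;
    clock_gettime(CLOCK_MONOTONIC, &t0);
    uint64_t start = __rdtsc();
    for (unsigned i = 0; i < iters; i++) {
        if (do_trap) __cpuid(0, a, b, c, d);
        else sink += i;
    }
    uint64_t end = __rdtsc();
    clock_gettime(CLOCK_MONOTONIC, &t1);
    if (ref_ns) *ref_ns = ns_between(&t0, &t1);
    (void)a; (void)b; (void)c; (void)d; (void)sink;
    return (end - start) / iters;
#else
    (void)iters; (void)do_trap;
    if (ref_ns) *ref_ns = 0;
    return 0;
#endif
}

int main(void)
{
    enum { RUNS = 9, ITERS = 4000 };
    uint64_t trap[RUNS], base[RUNS], trap_ns = 0, base_ns = 0;
    for (int i = 0; i < RUNS; i++) {
        trap[i] = time_loop(ITERS, 1, &trap_ns);
        base[i] = time_loop(ITERS, 0, &base_ns);
    }
    /* Skew ratio uses the last run so cycles and nanoseconds come from the same loop. */
    double skew = tsc_skew_ratio(trap[RUNS - 1] * ITERS, trap_ns, base[RUNS - 1] * ITERS, base_ns);
    uint64_t per_op = median_u64(trap, RUNS);
    if (per_op == 0) { puts("not an x86 build; nothing measured"); return 0; }
    printf("median TSC cycles per CPUID: %llu (%s)\n", (unsigned long long)per_op,
           looks_trapped(per_op, VMEXIT_CYCLE_THRESHOLD) ? "trap-like" : "native-like");
    printf("TSC/reference-clock skew ratio: %.2f (well below 1 suggests TSC fix-up)\n", skew);
    return 0;
}
```

    Run on bare metal both figures should read native-like and close to 1; under a trap-and-emulate hypervisor the cycle count jumps, and only a hypervisor that rewrites the TSC on every exit brings the cycle count back down, which is exactly when the skew ratio drops. A kernel clock that is itself TSC-derived weakens the second check, which is why the thread insists on a genuinely external source.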

  16. Re:Detection-My buddy, the program. by Sancho · · Score: 2, Informative

    Right. As has been said, "undetectable" means "from within the VM itself". You're also talking about prevention, which is equally important. TPM could also prevent virtualization-based exploits, already exists in a fairly convenient form, is more robust (doesn't require an external server which could be down or bogged down), and fits in fairly well with corporate culture.

  17. Re:Detection-My buddy, the program. by Sancho · · Score: 4, Informative

    The paper was presented at Black Hat. She explained what is required in order to fully "emulate" the instructions required to make it undetectable. Essentially, Blue Pill would need a shim that passes virtualization instructions back up the chain until they could be executed for real, then return everything back down. It's not as huge as everyone thinks, but it's not trivial, either. But yes, she's outlined what has to be done.

    I bet you can find a PDF of her slides somewhere online, if you're interested.

  18. Am I the only one... by bquickfoo · · Score: 2, Funny

    Am I the only person that thought this posting was going to be about Viagra? Must just be the email I've been getting lately.

  19. Re:Detection-My buddy, the program. by Sancho · · Score: 2, Insightful

    The problem is that you're thinking of software virtualization rather than hardware virtualization (as in the Core Duo chips and AMD's newer chips). Both of your cases outlined above are dealt with using the instruction sets in these chips.

    1) The hardware is the same unless the hypervisor changes what the software sees. All the hardware in the device manager will look just like it did pre-virtualization. This was demonstrated at Black Hat.

    2) This is simply not true with hardware virtualization. It may be difficult to do, but Blue Pill was demonstrated through a video file as not requiring a reboot to initialize the VM with the running OS's settings. Furthermore, a live demonstration (first attempt crashed, though the second attempt was successful) on a Macbook showed that this was possible without a reboot.

    What you have to realize is that this is all very new stuff on bleeding edge processors. It will be years before the majority of CPUs in homes will have this capability. For most users, what you say above is true--but not with these new chips.

  20. Re:Detection-My buddy, the program. by rdoger6424 · · Score: 2, Funny

    So Vista will install BSD while it's dying?

    --
    "Hello 911? I just tried to toast some bread, and the toaster grew an arm and stabbed me in the face!"