Slashdot Mirror

← Back to Stories (view on slashdot.org)

Blue Pill Myth Debunked

Posted by ryuzaki0 on from the setting-the-record-straight dept.

njyoder writes "As previously posted about, Joanna Rutkowska claimed to have discovered an allegedly undetectable vulnerability in Vista that takes advantage of AMD cpu's virtualization capabilities. a virtualization professional (Anthony Liguori of the Xen project) has now voiced his opinion to state this is bunkum. There are two parts two this — the ability to take over the machine and seamlessly drop the OS into a VM (which is very difficult, but possible) and the ability to have windows run in the VM undetectably (which is impossible). In fact, Rutkowska's prototype is VERY detectable. This is unfortunate mistake that people make when they jump to conclusions based on what is unfounded speculation and that includes the assumption that this would somehow be Vista specific, if it worked (noting that Vista doesn't run with administrator privileges by default)."

11 of 128 comments (clear)

  1. Detection by CastrTroy · · Score: 5, Insightful

    I think the problem is not whether or not it can be detected by a professional, or a malware detection program, but whether or not it can be detected by the user of the computer. If you can run the entire OS in a VM, without the user knowing, then there's a lot of stuff you can do that would probably be a lot harder to do if you were just running regular malware. Although it's reassuring that this wasn't as bad as we expected, I still expect to see a few exploits that use this method to install malware, and spy on what the user is doing.

    --

    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    1. Re:Detection by gclef · · Score: 4, Informative

      This is hardware virtualization we're talking about, not software. The processor manufacturers have built virtualization calls into their chipsets. The side-effect of this is that the hypervisor can simply tell the bios "I'm the hypervisor...but, only call me when these specific requests are made." So, the hypervisor could simply choose to ignore the sound and video hardware, leaving those as fast as they were before.

      The only way to tell the hypervisor is there is to find a CPU call that the hypervisor *does* care about, and compare how long it takes to run that command before & after the rootkit pushes the OS to a guest OS. That's what the Xen guy is talking about.

      (I was at Rutkowska's talk...I'm not sure I buy the Xen guy's response.)

    2. Re:Detection by Anthony+Liguori · · Score: 4, Interesting

      This is hardware virtualization we're talking about, not software. The processor manufacturers have built virtualization calls into their chipsets.

      They've added extensions to facilitate trap-and-emulate virtualization.

      The side-effect of this is that the hypervisor can simply tell the bios "I'm the hypervisor...but, only call me when these specific requests are made."

      VT/SVM have absolutely nothing to do with the BIOS. Instead, they both introduce a new processor mode that can be entered at any point that allow certain operations to be trapped. These operations are more or less the set of classic x86-sensitive instructions.

      So, the hypervisor could simply choose to ignore the sound and video hardware, leaving those as fast as they were before.

      Yup. But we're not talking about hardware here. Keep in mind, that if you do allow direct access to hardware, one now has a channel to access all of memory which could be used to detect a virus in RAM. Let's ignore that for now though :-)

      The only way to tell the hypervisor is there is to find a CPU call that the hypervisor *does* care about, and compare how long it takes to run that command before & after the rootkit pushes the OS to a guest OS.

      Yup, and as I pointed out to Joanna, there are a number of CPU operations that one would *have* to trap. Things like %cr3 moves, msr reads/writes, etc. Otherwise, one can just search memory for a signature. BTW, how does she hide the memory of the VMM from the guest? I didn't address this because there are some potential solutions (like memory hotplug) but this, in practice, would be a very hard problem to solve. You can just take away memory from an Operating System and expect things to function normally.

      Why do you think she addressed this in her talk? I brought it up to her before she presented...

      Anyway, you have to take a trap at some point. There are only a small number of possible instructions that trap. A very thorough "detector" could simply check the timing of every trapable instruction.

      If she's not trapping any instructions, then the monitor is never getting run so is it really a monitor anymore?

      BTW, on VT at least, the VMM doesn't get a choice for certain instructions. They always trap no matter what.

  2. my take by brennz · · Score: 4, Interesting

    I'm not so sure Anthony Liguori is right.

    Most people in the security community are well aware of http://www.ephemeralsecurity.com/mosref demo at http://static.ephemeralsecurity.com/mosvm/demo1.ht ml more detail at http://static.ephemeralsecurity.com/mosvm/Mosref%2 0Howto.html and the continual move toward VM

    If mosquito and similar tools are not moving towards VMMs, I'd be very suprised. After all, it is a logical step (From VM as a payload, to a VMM as a payload).

    1. Re:my take by Anthony+Liguori · · Score: 4, Informative

      If mosquito and similar tools are not moving towards VMMs, I'd be very suprised. After all, it is a logical step (From VM as a payload, to a VMM as a payload).

      Of course, VMM's can be used to do all sorts of nasty things. VMM-level virus could certainly be nasty. And, an important point to note, is that it may be entirely possible for a virus to be hidden in a VMM and for a virtual machine not to be able to detect that virus. Will VMM's need anti-virus software? I hope they don't suck that much.

      What "blue pill" is though is something much different. It's claim is that you can take a native Operating System and turn it into a virtual machine without the OS knowing about it.

  3. Of course it's difficult to do in Vista by Ant+P. · · Score: 4, Interesting

    Which is why malware's going to do this on Windows XP, then lie dormant until it detects Vista installed.

  4. Re:Detection-My buddy, the program. by ElleyKitten · · Score: 4, Funny
    Actually, I think most people would be able to detect it when it fails utterly to work, and instead performs a quick BSD.
    BSOD. Unless Vista has a special feature where it will randomly install BSD over itself. That would be the best Windows ever!
    --
    "What is Internet Explorer 7? Are you saying we can't access the normal internet?" - I love tech support. Really.
  5. Re:Impossible to not be detected? by Anthony+Liguori · · Score: 4, Insightful

    Never say impossible when logic says it could be done. Just say impractical..

    There are actually things in computer science that are impossible. Usually, they are problems in the form "figure out whether another program has propery X". Classic examples are the halting problem.

    Recall, I'm disputing the claim of "100% undetectable". You could make something that's really, really, really hard to detect.

  6. debunked? I don't think so... by v1 · · Score: 4, Interesting

    Though there is a littlee war the authors neglect to mention. If I am writing a blue pill virus vm, and I KNOW there is software out there that is trying to detect me, it's completely worthless. Since I own the machine at that point, I can modify the programs running, with impunity. That's like all the viruses that are out there right now that are more or less immune to Norton... they know what the "threat" is, and they plan accordingly, they know its weaknesses and simply sidestep right around it.

    A vm that sees you load BluePillDetect.exe just goes in and twiddles a few bits here and there in the app before it actually puts it in the execute queue, or subtly mucks with its registers while it's executing. Now the program blissfully reports just what the VM wants it to report... "no VM detected.".

    Now how are you going to get around THAT? If you are running on a totally owned system, you cannot tell me there is anything you can do that is guaranteed to work, especiially if you are using a commonly available tool that the vm author had access to..

    You simply cannot win at their game if they are the ones writing the rules. You can claim victory for a day or two, until the VM authors get their hands on your tool and make the necessary modifications to their VM to cripple your tool, and then you are back to the drawing board.

    --
    I work for the Department of Redundancy Department.
  7. Re:Detection-My buddy, the program. by Sancho · · Score: 4, Informative

    When people talk about Blue Pill as being "undetectable" they mean "through the use of a program."

    And that's Joanna's point. Properly constructed, Blue Pill 2 (the successor with full emulation support coded in--she herself admitted that her prototype is imperfect) would be undetectable by software running inside the VM. She discusses the possibility of a timing attack using an external clock, but also notes that this is infeasible in a large deployment. Certainly it would be infeasible for your average person running a computer (evidence by the fact that some of them don't even run antivirus/antimalware programs at all and get horribly infected!)

    I was at Joanna's Black Hat briefing. Not once did she imply that this was Vista specific--in fact, she mentioned another briefing with the same sort of rootkit--only running on a MacBook. Her briefing was entitled "Subverting the Vista Kernel for Fun and Profit" because the first half of her talk was about elevating privileges in Vista, which would allow a rootkit such as Blue Pill to run.

    I think that the danger here lies somewhere between "The end is very fucking nigh" and "This is absolutely nothing to worry about." Yes, it's extremely hard to implement. But that shouldn't mean we don't worry about it, because one implementation and it will be much easier to reverse engineer/modify to do other nasty things. Also, the eventual inability to detect in software means that if such an attack ever comes to pass, it will be extremely difficult to clean en masse (virtually requiring a reinstall or a livecd).

  8. Re:Detection-My buddy, the program. by Sancho · · Score: 4, Informative

    The paper was presented at Black Hat. She explained what is required in order to fully "emulate" the instructions required to make it undetectable. Essentially, Blue Pill would need a shim that passes virtualization instructions back up the chain until they could be executed for real, then return everything back down. It's not as huge as everyone thinks, but it's not trivial, either. But yes, she's outlined what has to be done.

    I bet you can find a PDF of her slides somewhere online, if you're interested.