Slashdot Mirror


Joanna Rutkowska Discusses VM Rootkits

Unwanted Software writes "There's an interesting interview on eWeek with Joanna Rutkowska, the stealth malware researcher who created 'Blue Pill' VM rootkit and planted an unsigned driver on Windows Vista, bypassing the new device driver signing policy. She roundly dismisses the quality of existing anti-virus/anti-rootkit products and makes the argument that the world is not ready for VM technology. From the article: 'Hardware virtualization, as recently introduced by Intel and AMD, is very powerful technology. It's my personal opinion that this technology has been introduced a little bit too early, before the major operating system vendors were able to redesign their systems so that they could make a conscious use of this technology, hopefully preventing its abuse.'"

18 of 105 comments

  1. Yes, but how do you get mature technology. by mmell · · Score: 4, Insightful
    It starts as immature technology. Sure, you work with it in a lab for as long as you're able, but at some point you have to expose your work for all to see (and hammer away at).

    In software, we used to have a saying, "No program is ever complete, but it has to go to market sooner or later."

  2. Re:In a business environment by shawnce · · Score: 3, Informative
    I would say that few, very few are actually using the hardware virtualization.
    That is not her point. It doesn't matter if software does or does not exist that uses the capabilities of the hardware; the issue is that operating systems are running on hardware that has virtualization capabilities built in, but the operating systems aren't really tooled to properly secure this capability to prevent it being used to subvert the operating system.
  3. Re:been around forever by AKAImBatman · · Score: 3, Insightful
    I guess this 'expert' doesn't realize that virtualization in hardware has been with us since the 80386 first came around.

    Virtual 8088 mode was not comparable. The 8088 virtual machine was entirely controlled by the 80386 software, and was not able to affect the 80386 in any dangerous fashion. The best one could have done was build an 80386 program to "rootkit" an 8088 Operating System. Considering that the OSes of the day (e.g. DOS) didn't have security to begin with, I'm not sure what you would have gained.

    Modern virtualization allows for a machine on top of a machine. So I could, in theory, place a controlling bit of kit above your Operating System where it can't see it, can't modify it, and can't realize that it's being toyed with by a rootkit overlord.

    Of course, the Blue Pill may work a bit different. I haven't studied it. But there is at least a potential for abuse here.
  4. Virtualization has been around much longer by njdj · · Score: 3, Informative

    Hardware virtualization, as recently introduced by Intel and AMD, is very powerful technology. It's my personal opinion that this technology has been introduced a little bit too early

    Virtualization was used in commercial machines as long ago as the early 1970s - IBM's VM/370 product was announced in 1972. The amount of hardware assistance for the virtualization depended on the 370 model. But this was the same kind of virtualization as recently introduced by Intel. You could run multiple different IBM operating systems under VM/370, and you could even run VM/370 under VM/370.

  5. I'd hit it like the fist from an angry god! by adolfojp · · Score: 4, Insightful

    You are missing the point guys! I don't know who she is or what she is selling but if she is a geek and looks like this
    http://common.ziffdavisinternet.com/util_get_image/13/0,1425,sz=1&i=135407,00.jpg
    http://static.flickr.com/66/206241643_d48861f49c.jpg
    I am subscribing to her newsletter. ;-)

    1. Re:I'd hit it like the fist from an angry god! by Anonymous Coward · · Score: 4, Funny

      Yeah, I'd root her box, all right. Penetrate her firewall. Invade her deep logic. Assert administrative privileges and disable all virus protection. Reconfigure her RAID array with a dedicated controller. Put new batteries in her UPS. ... Wait, what were we talking about?

    2. Re:I'd hit it like the fist from an angry god! by fbjon · · Score: 2, Funny
      Assert administrative privileges and disable all virus protection.
      Now that is just vile.


      I almost feel like posting a lengthy rant on the immaturity of the average slashdotter, and the repellent factor it has towards women in the industry, like has been discussed before here. This post would be the poster child. But...


      .. I laughed too. Damn you, hypocrisy!

      --
      True confidence comes not from realising you are as good as your peers, but that your peers are as bad as you are.
    3. Re:I'd hit it like the fist from an angry god! by bigberk · · Score: 2, Insightful

      I'm sure what she dislikes is rude, immature male attention. And she probably dislikes people ignoring her or not taking her seriously because she's a woman (a well known phenomenon of gender prejudice in academia) ... but I'm sure she has no problem with compliments that point out, not only is she an intelligent and skilled researcher but she is also quite attractive. A fantastic combination IMHO

  6. Potential Uses Not Good For PC Manufacturers? by no_pets · · Score: 2, Interesting

    I must admit that my only experience in hardware virtualization comes from IBM AS/400 and RS/6000 environments. But, if hardware virtualization is (mostly) ready on the PC and PC OSes could make use of it, it could hurt PC manufacturers such as Dell.

    What I'm getting at is many families are getting multiple PCs in the house now. One (or more) for the kids and one (or more) for the parents. Most of these people are just browsing the web, checking email, low CPU usage things. What if, like on these enterprise class platforms, you could order one PC with a dual core (or more) CPU, two (or more) keyboards, monitors, mice, then slice up the processing power in two, then run two OSes and basically have 2 virtual PCs out of the same hardware?

    It may not save money just running 2 virtual PCs but if it could run 3 or 4 it should save money once they get into mass production.
    Okay, this is slightly OT but someone mentioned that there isn't much use for this technology at the consumer level but I disagree. Of course a rootkit running on top of it all wouldn't be good.

    --
    "A government is a body of people, usually notably ungoverned." - Shepard Book Quoting Malcolm Reynolds
  7. Where I work, it's common by spun · · Score: 2, Interesting

    We use VMware on IBM Blades. Very many other businesses are doing the same. All the CIO management rags are all abuzz over VM. Your workplace is indeed a little behind the times.

    You do know that it doesn't matter if people are using hardware virtualization, right? All new Intel and AMD chips have it, whether you use it or not, it's there for a rootkit to exploit.

    There are several other VM packages that also use the hardware VM. Xen is one, and it's open source. And in any case, it's not about how VMWare or Xen deal with the new hardware, it's how Windows and Linux deal with it. If mainstream OSs don't take steps to lock down the VM hardware, undetectable rootkits will be the result.

    As someone who has worked quite a bit with VMware, let me say that I am more concerned with its freakish inability to keep accurate time. I've got a cronjob running every five minutes to reset the time via ntpdate. Running ntp on the server won't help, the offset is too random and too large to compensate for. In five minutes between running ntpdate, I've seen clocks be off by a minute.

    --
    - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
    1. Re:Where I work, it's common by Foolhardy · · Score: 2, Informative

      Have you seen Clock in a Linux Guest Runs More Slowly or Quickly Than Real Time? It can happen when the 2.6 kernel requests more interrupts for the purposes of clock updates than the host can provide, especially if the host is Windows. The kernel will try to compensate for lost ticks, but this doesn't always work correctly. The main solution is to set the clock interrupt rate back to 100Hz like it was in the 2.4 series (requiring a kernel recompile).

  8. Blue Pill by Jim+Buzbee · · Score: 2, Interesting

    There's an interesting feasibility discussion of Blue Pill here

  9. Backstreet Ruby by foobsr · · Score: 2, Informative

    You could have it for quite a time, just an example.

    But do you honestly think that anyone would market that? Instead, overtime to buy multiple whatevers is proposed to be the best.

    CC.

    --
    TaijiQuan (Huang, 5 loosenings)
  10. Re:So far, so good. by Sancho · · Score: 2, Informative

    It's not really that easy.

    The way the rootkit works (and this particular MMU in general) is by allowing direct hardware access to the virtualized host. That is, under the rootkit scenario, if Windows makes a call to the video card to do anything (from getting EDID info to rendering 3d), the MMU passes the request directly to the graphics hardware. Windows still needs to know how to talk to the hardware--because Windows uses a driver to make the call.

    Only a few instructions must (by design) be trapped and handled by the MMU. This is why, in theory, you can get better performance out of this than traditional emulation, and it's also why doing it this way is easier than full emulation or instruction translation. Because the "guests" can talk directly to the hardware, all of your devices are theoretically supported, as long as your client OS supports them.

    Putting the device driver in the MMU would be interesting, but you really want the MMU to be as lean as possible to maintain performance. If the MMU is intercepting calls to the video card, sound card, network devices, etc, and presenting a generic interface to its clients, you'll lose quite a bit of performance.

  11. Kernel holes, not virtualization, are the problem. by Animats · · Score: 4, Interesting

    Before an attack can install something like "Blue Pill", it has to be running in kernel mode. At that point, it already has full control of the machine. The only question is what to do with that control. Installing a hypervisor underneath the OS is kind of neat, but there are lots of other things to do.

    What this does demonstrate is that after-the-fact malware detectors are a dead end.

    There's a great comment in the article:

    The solution (includes) checking all the possible "dynamic hooking places" in kernel data sections.

    (This) is actually impossible to achieve 100 percent as nobody knows all those dynamic hooking places, but we could at least start building a list of them. I believe the number of the hooking places is a finite number for every given operating system.

    In other words, there is only a finite number of "ways" to write Type II malware of any specific kind (e.g. a keystroke logger).

    Now that's a big part of the problem - Microsoft's use of "dynamic hooking", or places where user code can insert callbacks which privileged code might access, is so messed up that security researchers can't even find all the places where it is allowed. "Dynamic hooking" is really a lame method of interprocess communication left over from the DOS version of Windows. It should never have made it into NT/W2000/XP/etc.

    There's less of a temptation to do this in open source operating systems, since, if you really need to legitimately add a feature, you can put it in the source, rather than tapping into some binary. The Linux netfilter/ipchains mechanism offers a "dynamic hooking" attack vector into the kernel, though, so Linux isn't immune to attacks of this type.
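The "enumerate the hooking places and check them" approach quoted in this comment, as an added user-space illustration that is not code from the thread or from any real kernel: a dispatch table of function pointers stands in for a kernel data section, a baseline digest is taken at a trusted moment, and a later check names the slot whose pointer changed. Table contents, the `evil_read` stand-in and the FNV-1a digest are all constructed for the demo.

```c
/* Added example: model of integrity-checking a known "hooking place".
 * Not from the article or the thread; all names here are constructed. */
#include <stdint.h>
#include <stddef.h>

#define TABLE_SIZE 4
typedef int (*handler_fn)(int);

static int h_open(int x)  { return x + 1; }
static int h_read(int x)  { return x * 2; }
static int h_write(int x) { return x - 1; }
static int h_close(int x) { return 0 * x; }

/* The hooking place: a table privileged code calls through. */
handler_fn dispatch[TABLE_SIZE] = { h_open, h_read, h_write, h_close };

/* FNV-1a over the raw pointer values: the baseline record of the table. */
uint64_t table_digest(const handler_fn *t, size_t n) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) {
        uintptr_t p = (uintptr_t)t[i];
        for (size_t b = 0; b < sizeof p; b++) {
            h ^= (p >> (8 * b)) & 0xff;
            h *= 1099511628211ULL;
        }
    }
    return h;
}

/* Returns -1 if every slot matches the trusted copy, else the first
 * index whose pointer differs. Keeping a copy (not just a digest)
 * lets the checker report which slot was hooked. */
int find_hooked_slot(const handler_fn *live, const handler_fn *trusted, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (live[i] != trusted[i]) return (int)i;
    return -1;
}

/* Constructed stand-in for an injected hook that forwards to the original. */
static int evil_read(int x) { return h_read(x); }

/* Demo: snapshot the table, simulate a hook on slot 1, run the check.
 * Returns the slot the check reports (1), then restores the table. */
int demo_detect_hook(void) {
    handler_fn trusted[TABLE_SIZE];
    for (size_t i = 0; i < TABLE_SIZE; i++) trusted[i] = dispatch[i];
    uint64_t baseline = table_digest(dispatch, TABLE_SIZE);
    dispatch[1] = evil_read;                 /* the simulated hook */
    int slot = -1;
    if (table_digest(dispatch, TABLE_SIZE) != baseline)
        slot = find_hooked_slot(dispatch, trusted, TABLE_SIZE);
    dispatch[1] = h_read;                    /* restore for repeat runs */
    return slot;
}
```

The cheap digest is what a periodic checker would compare; the full copy is only consulted once the digest differs, which keeps the common path small, the same lean-checker concern raised in the comment above about performance.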

  12. Re:I speak for hundreds of geeks... by Jugalator · · Score: 2, Funny

    Here she's sitting between two other geeks that look to be slightly confused by the situation:
    http://www.prabu.us/wp-content/Fabio_Joanna_prabu_Small.jpg

    Please don't confuse the leftmost man named Fabio there with the model of the same name.

    --
    Beware: In C++, your friends can see your privates!
  13. Not ready? by Schraegstrichpunkt · · Score: 2, Insightful

    Major operating systems aren't ready for virtualization? We could have used virtualization five years ago.

    The only OS that has any sort of problem with virtualization is Windows, and there is no reason to believe that Microsoft would have suddenly fixed things if hardware virtualization had been put off for another 5-10 years.

  14. "Blue Pill" is quasi-illiterate gibberish. by Anonymous Coward · · Score: 2, Informative

    Blue Pill is bullshit. Don't believe me, believe the experts:

    o Keith Adams, of VMware fame (binary translation and Intel VT work): http://x86vmm.blogspot.com/2006/08/blue-pill-is-quasi-illiterate.html
    o Anthony Liguori, of Xen fame (paravirtualization work): http://www.virtualization.info/2006/08/debunking-blue-pill-myth.html