Hacker Defeats Hardware-based Rootkit Detection
Manequintet writes "Joanna Rutkowska's latest bit of rootkit-related research shatters the myth that hardware-based (PCI cards or FireWire bus) RAM acquisition is the most reliable and secure way to do forensics. At this year's Black Hat Federal conference, she demonstrated three different attacks against AMD64 based systems, showing how the image of volatile memory (RAM) can be made different from the real contents of the physical memory as seen by the CPU. The overall problem, Rutkowska explained, is the design of the system that makes it impossible to reliably read memory from computers. "Maybe we should rethink the design of our computer systems so they are somehow verifiable," she said."
I was under the impression that the only way to reliably detect a root-kit is to examine the system from another clean system?
i.e. remove the drive/devices and check them all.
If Sony could rootkit your computer and your hardware couldn't tell, would they?
"Maybe we should rethink the design of our computer systems so they are somehow verifiable," she said."
Yay, DRM in every piece of hardware to the rescue!
It's true that there are more males than females in CompSci, but the ones who are there are no more and no less attractive than the average girl in any other line of work. Same goes for the males.
What the people in CompSci do share is an above-average passion for computing, abstract thinking and maths (or if they don't, they don't belong in CompSci regardless of sex), but neither of these things has any influence on looks.
And now a year later, she claims we need specialized hardware interfaces to scan memory for rootkits, even though this problem is laughably easy in the world of virtual machines.
And on to the actual work ... the research basically observes that MTRR registers (some of the MSRs in the CPU) can cause memory mappings to look different between the CPU and the northbridge, and then comes up with a pretty easy way to cause the northbridge to either lock up or read data that is different (really easy once you see the specs for the appropriate registers). And she totally ignores the possibility of a system defending itself against this attack by verifying the registers she's modifying. Lousy research, girl.
Oddly enough, this "hack" is ALREADY IN USE ON YOUR SYSTEM and is actually necessary. See, when the processor is running in SMM (System Management Mode), it switches to exactly this configuration: the PCI bus sees VGA hardware mapped at the well-known address, but the processor maps the RAM at that address, which gives SMM mode a few kilobytes of memory that the normal system can't touch. SMM mode is used for things like "legacy USB devices" (e.g. having your USB keyboard act like PS/2 so DOS can use it) and other implement-in-software hacks that your OS doesn't know about, but your BIOS vendor gives you as "value-added features".
A witty [sig] proves nothing. --Voltaire
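The two comments above argue that the registers controlling the CPU's view of memory should be verified rather than trusted. As an added illustration (not code from the original thread or from Rutkowska's research), the following script compares a known-good baseline of a Linux machine's `/proc/mtrr` listing against a later snapshot and reports any MTRR that was added, removed or retyped. The file format is the real `/proc/mtrr` layout; both snapshots embedded below are constructed sample data, and the "added uncachable range" they show is a hypothetical finding, not a signature of any real rootkit.

```python
# Added example: baseline comparison of MTRR (memory type range register)
# settings as exposed by Linux in /proc/mtrr. The snapshots below are
# constructed sample data, not output captured from a real machine.
import re

# One /proc/mtrr line looks like:
# reg00: base=0x000000000 (    0MB), size= 2048MB, count=1: write-back
MTRR_LINE = re.compile(
    r"reg(?P<reg>\d+): base=0x(?P<base>[0-9a-f]+) \([^)]*\), "
    r"size=\s*(?P<size>\d+)(?P<unit>[KM]B), count=\d+: (?P<type>[\w-]+)"
)

def parse_mtrr(text):
    """Return {reg_index: (base_addr, size_in_bytes, cache_type)}."""
    entries = {}
    for line in text.splitlines():
        m = MTRR_LINE.match(line.strip())
        if not m:
            continue  # blank or unrecognised line; ignore it
        size = int(m["size"]) * (1024 if m["unit"] == "KB" else 1024 * 1024)
        entries[int(m["reg"])] = (int(m["base"], 16), size, m["type"])
    return entries

def diff_mtrr(baseline, current):
    """List every register whose (base, size, type) differs from the baseline."""
    findings = []
    for reg in sorted(set(baseline) | set(current)):
        old, new = baseline.get(reg), current.get(reg)
        if old == new:
            continue
        if old is None:
            findings.append(f"reg{reg:02d} added: {new}")
        elif new is None:
            findings.append(f"reg{reg:02d} removed: {old}")
        else:
            findings.append(f"reg{reg:02d} changed: {old} -> {new}")
    return findings

# Constructed snapshots: the second one carves a 4 MB uncachable hole
# out of ordinary RAM, which a baseline check would flag for review.
BASELINE = """\
reg00: base=0x000000000 (    0MB), size= 2048MB, count=1: write-back
reg01: base=0x0e0000000 ( 3584MB), size=  512MB, count=1: uncachable
"""
CURRENT = BASELINE + "reg02: base=0x010000000 (  256MB), size=    4MB, count=1: uncachable\n"

if __name__ == "__main__":
    for finding in diff_mtrr(parse_mtrr(BASELINE), parse_mtrr(CURRENT)):
        print(finding)
```

On a live system the baseline would be recorded at a known-clean time (for example with `cat /proc/mtrr`) and the comparison rerun during an investigation; a match does not prove the memory map is honest, it only rules out this one class of tampering.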
The MPAA/RIAA would just *love* it if there was a port on your motherboard you could just plug something into and get direct access to the contents of RAM, bypassing the OS completely.
We don't need DRM, we need truly "trusted computers". But not computers that some content industries trust, computers that we can trust. Computers where we can actually tap the wires and "listen" to what's going on inside.
DRM is exactly the opposite. Locking away your computer's inner workings from you, taking away your chance to see what's going on inside.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
The difference is that with HD-DVD / Blu-Ray players you *know* there is a key in there, so you will try different (unreliable) methods until you find it. For a rootkit, you're not sure if there is one to start with, so you'll never be sure when to stop searching if you're not finding any.