Slashdot Mirror
VM-Based Rootkits Proved Easily Detectable
paleshadows writes "A year and a half has passed since SubVirt, the first VMM (virtual machine monitor) based rootkit, was introduced (PDF), covered in the tech press, and discussed here. Later Joanna Rutkowska made news by claiming she had a VMM-based attack on Vista that was undetectable — a claim that was roundly challenged. Now in this year's HotOS workshop, researchers from Stanford, CMU, VMware, and XenSource have published a paper titled Compatibility Is Not Transparency: VMM Detection Myths and Realities (PDF) showing that VMM-based rootkits are actually easily detectable."
I may be mistaken, but I thought blue pill was similar to a VM, but was actually a hypervisor exploit. It sounds to me like having dedicated root kit support built into the chip via the hypervisor would be different than running an OS image inside a software based virtual machine.
Until there is openness from the processor, bios, user software, and everything else through and through, who knows.
I'm still convinced that it's possible to make a VM that appaears to software running within as real hardware.
The paper, however, takes a practical approach, examining how some industry standard VM-s operate, such as VMWare and Virtual PC.
Those VM-s take plenty of shortcuts to improve performance, and don't virtualize some instructions, rather remap them, or "shift rings" of execution etc. as much as possible so to take advantage of the hardware while remaining sandboxed. They don't virtualize the clock as well, so you could time the performance.
A rootkit isn't competing with other rootkits based on performance, it does so based on how undetectable it is. It's arguably a different problem. I think we're yet to witness what a full blown VM made to be a rootkit will act like, and whether it'll be detectable.
Unfortunately, this paper completely misses the point. This paper is not so much about detecting a VM based rootkit so much as it is about detecting VMs in general. The authors argue is that if you detect a VM when you aren't expecting to, you've found a rootkit. Joanna's argument is that in a few years, everything is going to be using VM technology and you won't be able to tell a "good" VM from a "bad" one.
See virtualization-detection-vs-blue-pill and her presentation on the subject here. No one ever said that detecting a virtual machine is impossible. They are saying discriminating between malicious and non-malicious VMs is impossible.
This is undetectable*!
That is undetectable*!
* Undetectability based on current technology and the fact that nothing about a given vector of attack has been defined or studied in depth yet. Claim subject to change once the phenomenon has been studied, quantified, and dissected in a rational, forensic manner.
Translation: You can't detect it because you aren't looking for it (yet).
Translation 2: This new attack can't be defeated because nobody's tried yet!
That's what so many of these "security researchers" and pretty much ALL of the tech-press forgets.
Like any other system security compromise, the amount of time these things remain "compromising" depends largely on how long it takes to define it.
Chas - The one, the only.
THANK GOD!!!
Easily detectable by whom? The average grandma will _not_ be able to detect it. At what market in Vista aimed, anyway?
It is dangerous to be right when the government is wrong.
I mean, if even on our simpler computer systems, we are unable to simulate a computer well enough to hide the existence of the external simulator from the internal computer system, then it makes it a little difficult to believe that we could hide the fact that all of reality was being simulated, as in the case of the Matrix...
Or, maybe this work isn't really applicable philosophically.. Maybe they aren't describing a fundamental limit of the idea, but simply some problems with current implementations.
Detecting the simulator requires knowledge about the simulator and the outside world. If you've always been on the inside, you wouldn't know where to look. The majority of software is not designed to know if it's living in a simulated machine (in fact, that's one of the principles of computer architecture), and maybe it's similarly true of humans.
There are clues; Quantum randomness is caused by rounding errors.
Itanium runs x86 instructions through pure software emulation
Transmeta transcodes source instructions into its native code
New versions of Intel and AMD processors and motherboards most probably will not have the same instruction timings or emulate undocumented aspects of current hardware and software
New hardware-based virtualization techniques may not change CPU performance much and can allow guest OS direct access to selected hardware
The bottom line is that VM detectors can only reliably fingerprint hardware configurations known to the developer. CPUs released a year later or ones released by smaller players like VIA will trigger false alarms and expose users to the VM/virtualization viruses since there is no way to tell the difference between trojaned and non-trojaned systems
Damnit, that even makes sense.... Couldn't they use BigDecimals, no? ;-)
Amazing how much money your department of civilian oppression can waste on unrelated research. Yes that is right, if you RTFA, the last paragraph discloses their funding from DHS. Their subject is a noble course, but what does it have to do with the terrorists DHS were supposed to find? Or did they broaden their scope to include romanian hackers looking to make a buck?
Another concern is that this study is presented by those companies that have a stake in spreading positive news about it. And tadaa: the news is positive, VMBR's are nothing to worry about... The angle they missed is differentiating between a good and a bad VM. Strange, since they predicted that most desiable targets would be running inside VM's anyway.
This space is intentionally staring blankly at you
Every now and then I like to fire up a computer game. Sometimes it is one that uses three-dimensional graphics.
Correct me if I am wrong, but is it correct that at the present, any one of a number of highly paid and professional VM teams are completely unable to make a virtual machine within which I could play a three-dimensional-graphics-using-game?
So the best way of 'detecting a virtual machine' would within current technology simply be that a lot of things don't work? And the existence of a virtual machine rootkit that grandmas might be exposed to would instantly get attention because there would always be a large number of other users who would detect it straight away?
Which was kind of where I was going. Quantum weirdness and the speed limit on the transmission of information both make me think of the way cellular automata function.
I was listining to a podcast the other day (Escape Pod - scifi stories), and the story was about a guy that learns that his world is in a simulator, but there are bugs, especially found in an on-line game. You can make objects leave the game and appear in the "real world".
Which brings me back to the question. We live in a "real world" which exhibits at least some of the aspects that we would expect of a simulated world, and I keep wondering what sort of programming artifacts (bugs) could exist, how could we find them, and how could we exploit them...
Anyway, I don't intend to spend my life researching answers to those questions, but they seem to me to be every bit as valid for scientific research as , for example, SETI.
And what's Tommy the Tank Engine security?
:)
"I think it's safe! I think it's safe! I think it's safe!"
Look. Virtualization is not a security technology. I've gotten a VMWare engineer to admit this publicly, on stage, with only mild needling. Virtualization reduces hardware to a protocol that must be parsed, or (as is increasingly common) it allows direct passthrough to devices on buses that have no conception of host vs. guest (see: USB).
There was actually some really cool work recently done by Jeff Forristal, who pointed out that since all VM's are on the same LAN, all the old LAN-based attacks work really well cross-VM. Oops.
Now, regarding Joanna's attack, she's completely right that everyone's going to virtualization -- it's just so much more manageable. The consumer market will eventually embrace this.
But why is this article tagged Sony? The Sony rootkit was done by a content division of the company like, what, two years ago? And it wasn't even a VM rootkit.
Or are the sheeple waving their "Never forget" banners loudly?
FanFictionRecs.net
I keep wondering what sort of programming artifacts (bugs) could exist, how could we find them, and how could we exploit them...
I think that many of the bugs have been patched. For example many cultures remember a time when magic worked, enough people thinking of something with enough concentration could make it real. Some tweaks to the optimisation between the objective reality and our subjective selves sorted that out. There may be some bugs though, how often are inventions discovered by the same people at the same time, or you think of an old film to find that the guys at the TV company have thought of scheduling it!
This will begin with a a 6 page treatise on reversing into solid objects
The current commercial vm's don't try to be undetectable. But if a vm was created with the purpose of being undetectable might be a different matter.
It might be possible to create a vm that only visualizes a specific part of a pc. Only hide some memory and disc space, and passing all other parts through to actual hardware. I don't know if it is feasible.
Unlike conventional host operating systems (or several guest OSs running at the same time), the root kit would have no need to access the graphics card by itself, therefore I don't see any reason why it shouldn't just allow the guest OS to directly access the graphics card.
PS:
"Slashdot requires you to wait between each successful posting of a comment to allow everyone a fair chance at posting a comment."
There are lies, damn lies, and Slashdot.
"It's been 17 minutes since you last successfully posted a comment"
Unless the typical slashdot user is a snail, that's far more than enough time to give a fair chance at posting a comment.
This comment deserves a sole +5 insightful. Seriously. Demote other comments in this story if you have to.
VMWare is virtualization software, not emulation software. It runs pretty close to native speed, depending on what you run on it. Comparing it to bochs is just stupid, that's a full blown emulator. A VM still uses your processor natively to decode the majority of instructions, it just catches the privileged ones, that otherwise would make your OS go boom. (Simply put)
I think the fact that a detection mechanism can be found for each vm rootkit is very plausible. However, won't rootkits always find a way to circomvent the detection mechanisms? In that case, we'll probably end up in a new hacker - security war with hackers tweaking vm's to bypass detection and security folks who keep finding new detection mechanisms. While the article clearly indicates that finding detection mechanisms is much easier than finding ways to bypass or fool the detection mechanism, it doesn't really give a sound prouf why vm rootkits won't pose a threat. The complexity of vm rootkits are indeed a drawback, but that will greatly depend on which detection mechanisms are available and how well they are implemented.
- Never underestimate the power of human stupidity.
A properly-created virtual machine ought to be absolutely undetectable from withinside. The simple fact is that all commercial offerings to date haven't tried to be undetectable.
..... but on the inside, you don't know it's slow, precisely because you've been fed misinformation about the time things are taking. And processors are getting faster. They used to think that chop-and-swap analogue TV encryption would never be trivially crackable in practice .....
If you lock a person in a windowless room where the only "access to the outside world" is a TV set where you control all the programmes, you essentially control everything they know about the outside world; and you then can make that person believe anything you want them to believe. You could even cause them to think night was day, if their only reference was the continuity announcer's time checks (and/or you could give them a special watch which displayed your manipulated version of the time). But if you accidentally or deliberately let, say, BBC1 get through unaltered, you aren't controlling everything they see; and by comparing the news on the real BBC1 with your altered news on the other stations, they could ascertain that something was amiss.
If your virtualised environment behaves absolutely "correctly" with respect to undocumented instructions and the like (i.e. they aren't trapped and made to do something specific to your virtualisation application), and all I/O channels are properly manipulated (to the point where even the scan line count on the graphics card is adjusted to account for the slowdown in the virtual environment), then it's undetectable from withinside. If, however, even one undocumented instruction does not behave exactly as the real processor, or even one I/O channel is left unmunged, then there is a potential way the virtual environment could be detected.
Of course, all that manipulation of stuff is bound to impose some kind of overhead, so a truly undetectable VM might end up being slow as hell
Je fume. Tu fumes. Nous fûmes!
VMWare runs significantly faster than 10% native. So your basic premise falls apart.
And the attack is completely plausible. The fact that I can't write a VM Machine in no way invalidates that premise. It just means that I can't write a VM.
Depending what you run on it? Let's say "anything that makes the load go above 1 on *N*X".
Let's say "OpenOffice". It takes a year and more to load, so running it on any kind of VM will make that two years and more... (replace "years" by something less exaggerating)
"Even granpa" will notice. Yes. Even Granpa notices when the computer becomes really, really unusable. A VM to run a bot-infested machine? BWAHAHA. Welcome back, 8086 @ 4,77MHz.
Making laws based on opinions that stem up from false informations leads to witch hunts.
You clearly didn't read the paper, because it doesn't simply describe how "industry standard VMs operate". Garfinkel and Ferrie are talking about fundamental X86 architectural issues that make intercepting hardware accesses and emulating them in software perceptable to code running on the same machine. The Blue Pill VMM rootkit doesn't leave important instructions "unvirtualized", but it has to operate within the X86 memory hierarchy, and so remains detectable.
For example, the fact that a transition in and out of the hypervisor flushes TLB entries is not a "shortcut" taken by VMware; it's a design parameter of Intel's VT-x and AMD's SVM extensions. The fact that you can't reliably offset the TSC in AMD's SVM is also not a shortcut. And the fact that you can run a counter loop to detect VM exits regardless of the underlying hardware is not a shortcut.
How, exactly, do you propose that rootkit authors evade these problems?
Folks, this is the Halting Problem. If you have a foolproof method of detecting that you’re running in a VM, you can build a special-purpose VM that watches for that method specifically to defeat it.
Similarly, you can’t ever rule out the possibility that you yourself are living in a Matrix-style (etc.) simulated world. You might be able to detect that you are under certain circumstances, but any sufficiently advanced simulation is indistinguishable from reality. No, really!
Oh — and all this applies equally to any supposedly “omnipotent” deities you might care to propose. After all, if “God” could trap “The Devil” (to pick the current favorite pair of arch-rival gods) in a simulated world such that The Devil thought that he (The Devil) was the all-powerful creator of life, the universe, and everything ... then God has no way of knowing that The Devil hasn’t done the same to him. And if God doesn’t have any foolproof way of knowing whether or not The Devil has him trapped, and if he himself has no foolproof way of trapping The Devil, it hardly makes any kind of sense to describe God as “all-powerful,” now, does it?
Cheers,
b&
All but God can prove this sentence true.
OMG! Yesterday I was flipping through the radio stations in my car, and I found the same song playing on 2 different stations! AT THE SAME TIME!!!!
kinda sounds like rainman. VMs...definately faster than 10%. definitely.
I don't know man, I've been playing with VMware server running on a really modest 2.4Ghz P4 with 2GB of ram and I've been pretty impressed with it's speed. I'm sure there are some tasks will make the machine take a real beating making the lag more pronounced but I typically have 3-4(lately CentOS, WinXP and a pair of Win2003) guests with the XP host subtituting as my Windows desktop using a really basic Ubuntu install as the host. It actually reboots VMs faster than physical hardware(Win2003 comes up in about 10 seconds after clicking the start vm button) and a start to finish Windows install took about 10-15 minutes from initial boot to a functioning login prompt. Maybe it might be noticable but I'm at least open to many scenarios where it could be pretty convincingly hidden from the layman. I can't imagine how it would run if it had something more recent like a AMD X2 or Core 2 based machine at it's disposal. My hardware is 3+ years old.
jerky
--
What is pirate software? Software for inventory of stolen treasure?
As you say, a real VM does execute instructions directly and either traps memory calls in hardware or traps all the system calls or both, it's not emulation. Stacking one virtual machine inside another one is quite thinkable since even two steps down the machine is still executing native instructions not emulating them so the speed loss is not multaplicative
For that reason I fully expect in the not too distant future that we will have virtual machines running inside virtual machines. That is there will be a move towards more compartmentalization. OS's will spawn virtual machines for any untrusted process, maybe all of them. And then pass messages between them. It's reasonable to assume the OS may in turn sit on top of some lightweight virtual machine. Perhaps embedded systems will use some stripped down real-time OS on the bottom for guaranteed execution perfromance and then also host virtual machines to allow richer application contexts for more sophisticated apps than the real-time OS will support.
Indeed anyone who has ran a virtual machine after getting hit with the Sony root kit was in fact already running a virtual machine within a virtual machine. People who timeshare on racked servers may well already be renting a virtual machine and they in turn maybe instantiating virtual machines.
At this point all the detection modalities in the paper go out the window. The only part of the system that can actually have a shot at detecting it is not retro-VMed by a virus is the bottom one and that may not be one even the machine owner is allowed to touch. For example, perhaps some form of trusted computing will emerge where the primary OS that is simply a virtual bios that hosts the OS will be be burned into the hardware itself.
Some drink at the fountain of knowledge. Others just gargle.
validation because too much hardware has changed since the system was installed.
but what if you already run your system in a VM? What if a rootkit injects itself as another virtualization layer (at either side of your good VM)? How do you detect this sort of thing?
or not.
Are You Living In a Computer Simulation? http://www.simulation-argument.com/
All ideas^H^H^H^H^Hprocesses in this post are Patent Pending. (as well as the process of patenting all postings)
Johanna did not argue that VMM are undetectable. She argued that the presence of a malicious VMM would be undetectable on a system that is running another virtual machine. The idea is that all machines will be running virtual machines in the near future, so detecting virtual machines per se will be useless.
On a native machine, we achieved about 55-70 transactions per second, after that, the CPU of the machine was maxed out. This was a quad Xeon with about 16 gigs of ram. The same exact machine, running ESX host, and one single VM, one, our Windows 2003 server, was able to achieve about 2-5 transactions per second before the host throwing in the towel. Now I am sure ESX 3 will be faster. This wasn't ESX 3, was 2.something.
What I noticed was that:
- VMWare has a lot of trouble with applications who do a lot of context switches. Basically, object pools with significant usage. If the CPU has to swap from thread to thread, it kills VMWare.
- We did a few network tests with bizarre results like VM network latency being 50% more. This is a killer with any system remotely trying to get a decent transactions per secon. We had to de-virtualize our SQL server and SNA gateway, it wasn't able to hold the load.
- For some odd reasons MOM, anti-viruses and SMS can choke a host without any problems. My hypothesis is that missed file cache is brutal for VMWare, especially if other VMs are doing some I/O intensive stuff.
I wouldn't recommend anyone putting a server with moderate to high load as a VM. However, VMWare is awesome for very low load server, we can pack 6-10 of these servers easily on the same dual dual core Xeon. And could probably more.
Are we able to detect it?
It looks like they're just talking about detecting if you're virtualized or not. So perhaps some of these techniques could be used by user-hostile software publishers (i.e. you're not allowed to run our server in a VM without getting a special (i.e. more expensive) license, or you're not allowed to run our media player unless we know it is directly accessing the display hardare) but I don't see how this gives any rootkit-detection advantages.
And don't ever forget: from a security standpoint, detecting malware after it's already running, is vastly distant 9th-priority tool in your arsenal, compared to more practical and obvious policies, such as not executing malware in the first place(!!!). That's what makes ideas like "blue pill" virtually (heh) insignificant when you're thinking about malware. By the time the user has already chosen to install a malware VM and then started running it, their sensitive data has already been sent to an enemy, their disk wiped, spam sent, their keystrokes logged, or whatever. Who cares about closing barn doors after the horse is out?!? Detection techniques are nearly (ok, not quite, but almost) worthless.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
I really wish Slashdot editors would place the (PDF) warning before the link.
Wanna fight ? Bend over, stick your head up your ass, and fight for air.
"That's undetectable!"
You keep using that word... I do not think it means what you think it means.
Girls are so cute when they talk like they know about computers.
There's rate limiting for AC. I generally write up my trolls, do something else for awhile, then click submit.
You have a point, but don't forget that I may choose to be running Red Pill (TM). Red Pill is MY virtualization software, run for MY reasons. As part of its startup, Red Pill does an extensive set of "metal checks" to make sure it's running on real metal, not on some Blue Pill. Lest some Blue Pill do "clock leveling" and make machine performance consistent, but at a lower level, Red Pill has had me input hardware configuration data, so it knows what the clock (and other aspects of the system) really ought to be, not just that it acts consistently.
Red Pill's code for making sure that something evil isn't running on the GPU is a little sketchier, since the necessarygut-level details aren't as readily available, but it will use whatever hardware data you can give it.
Of course Red Pill (TM) is purely hypothetical, and since none of my hardware has hardware virtualization support, and software-only virtualization won't cut the undetectable aspects, I'm not running it. But I'm also certain that if Blue Pill shows up in the wild, Red Pill will not be far behind. Another arms race.
The living have better things to do than to continue hating the dead.
Lastly, you failed to answer the GP's question - "if all you do with your computer is read e-mail, browse the web and run MS Word, why would you want a VM?" We all know why WE (==/.ers) are going to virtualise things, what's your answer for why Grandma Sixpack would want to? Ennui?
Why has everyone started hating on kdawson? Is it the 'in' thing?