Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security Threats 3 Levels Beyond Kernel Rootkits

Posted by kdawson on from the close-to-the-machine dept.

GhostX9 writes "Tom's Hardware has a long interview with security expert Joanna Rutkowska (which is unfortunately split over 9 pages). Many think that kernel rootkits are the most dangerous attacks, but Joanna and her team have been studying exploits beyond Ring 0 for some years. Joanna is most well known for the BluePill virtualization attack (Ring -1) and in this interview she chats a little bit about Ring -2 and Ring -3 attacks that go beyond kernel rootkits. What's surprising is how robust the classic BluePill proof-of-concept is: 'Many people tried to prove that BluePill is "detectable" by writing various virtualization detectors (but not BluePill detectors). They simply assumed that if we detect a virtualization being used, this means that we are "under" BluePill. This assumption was made because there were no products using hardware virtualization a few years ago. Needless to say, if we followed this way of reasoning, we might similarly say that if an executable makes network connections, then it must surely be a botnet.'" Rutkowska says that for her own security, "I don't use any A/V product on any of my machines (including all the virtual machines). I don't see how an A/V program could offer any increased security over the quite-reasonable-setup I already deployed with the help of virtualization." She runs three separate virtual machines, designated Red, Yellow, and Green, each running a separate browser and used for increasingly sensitive tasks.

11 of 264 comments (clear)

  1. Re:o.k. by NotBornYesterday · · Score: 4, Informative

    Come back later when you're coherent.

    When 4 cores and several gigs of ram are available in inexpensive off-the-shelf systems, and VM software is freely available and easier to deploy, paranoid levels of security become more and more practical.

    --
    I prefer rogues to imbeciles because they sometimes take a rest.
  2. Re:Well... by Deanalator · · Score: 2, Informative

    That's what the noscript is for. It does more than just blocking javascript these days.

  3. Re:huh? by JustOK · · Score: 2, Informative

    And the building itself.

    --
    rewriting history since 2109
  4. Re:I have to agree it is idiotic by Sycraft-fu · · Score: 3, Informative

    If your AV software screws over your system, then get a better one. NOD32 is exceedingly fast and thus low impact on system resources. Also, with any good one, like NOD, you can configure what it scans so you don't have to scan everything if you don't want to.

  5. Re:Well... by lagfest · · Score: 4, Informative

    Already exists for windows: http://www.microsoft.com/windows/products/winfamily/sharedaccess/default.mspx

    And it's free.

  6. Re:I would love to fcuk Joanna Rutkowska by Anonymous Coward · · Score: 2, Informative

    She's also a man, baby!

    http://www.rutkowska.yoyo.pl/

  7. Re:I would love to fcuk Joanna Rutkowska by mikechant · · Score: 2, Informative

    Very strange... why would someone become transgendered and then turn lesbian?

    You don't 'become' trans-gendered. Current medical opinion is that it's a brain structure thing you're born with.
    And you wouldn't 'turn' lesbian either, typically you would be born with the tendency to be oriented towards men/women/both.
    Gender identity (whether you 'feel' that you are male or female) and sexual orientation (whether you are attracted to men or women or both) are separate issues. It's not a question of 'what is easier', it's a fundamental identity issue.

  8. DEP is overrated by Anonymous Coward · · Score: 1, Informative

    While DEP is nice, it cannot prevent all exploits from buffer overflows. Google for return-to-libc, it's even in the wikipedia article you linked. Thus, if DEP was enabled by default exploit authors would switch to return-to-libc against Win7 instead of using "classical" exploits. Same as AV: It keeps the stupid attackers out, but the good ones will circumvent it.

  9. Re:o.k. by vivaelamor · · Score: 2, Informative

    Virtualbox doesn't run on "*nix", so the simplicity of your example is misleading. Windows, Linux, Macintosh and OpenSolaris are the only supported operating systems. The guest OS support is similarly limited.

    Hang on, suddenly MacOSX, linux and OpenSolaris are not *nix?

    MacOSX is registered Unix 03, OpenSolaris is based on System V Unix and Linux is a non registered Unix clone. Which of those don't you consider *nix? The ones without nix on the end (which leaves Linux) or the ones that aren't Unix (which at least leaves MacOSX)?

    You could also throw FreeBSD into the mix which is similar to Linux in that it conforms to many of the same standards without being registered as Unix, there is an experimental version of VirtualBox available for FreeBSD.

  10. Re:Why does DEP come disabled in Win 7? by Anonymous Coward · · Score: 2, Informative

    It's only disabled for 32-bit software. 64-bit software always runs with full DEP.

    The reason is that there's still TONS of poorly written 32-bit software out there that rely on DEP being off.

    That said, I agree that they should still turn it on by default and let the informative error message sort out the mess.

  11. Re:I have to agree it is idiotic by drinkypoo · · Score: 2, Informative

    It wasn't the oldest or the newest cracks. The cracks I'm using right now (almost literally; I quit Simcity 4 less than two minutes ago) certainly weren't identified.

    My understanding of the false positives in no-CD checks is that they are UPX false positives. Avira defaults to not go off on every packed executable. It found actual viruses in the no-CD check patches it removed. One of them was one I downloaded which was a current version, and one wasn't. The perils of removing protection...

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"