Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security Threats 3 Levels Beyond Kernel Rootkits

Posted by kdawson on from the close-to-the-machine dept.

GhostX9 writes "Tom's Hardware has a long interview with security expert Joanna Rutkowska (which is unfortunately split over 9 pages). Many think that kernel rootkits are the most dangerous attacks, but Joanna and her team have been studying exploits beyond Ring 0 for some years. Joanna is most well known for the BluePill virtualization attack (Ring -1) and in this interview she chats a little bit about Ring -2 and Ring -3 attacks that go beyond kernel rootkits. What's surprising is how robust the classic BluePill proof-of-concept is: 'Many people tried to prove that BluePill is "detectable" by writing various virtualization detectors (but not BluePill detectors). They simply assumed that if we detect a virtualization being used, this means that we are "under" BluePill. This assumption was made because there were no products using hardware virtualization a few years ago. Needless to say, if we followed this way of reasoning, we might similarly say that if an executable makes network connections, then it must surely be a botnet.'" Rutkowska says that for her own security, "I don't use any A/V product on any of my machines (including all the virtual machines). I don't see how an A/V program could offer any increased security over the quite-reasonable-setup I already deployed with the help of virtualization." She runs three separate virtual machines, designated Red, Yellow, and Green, each running a separate browser and used for increasingly sensitive tasks.

3 of 264 comments (clear)

  1. Re:o.k. by NotBornYesterday · · Score: 4, Informative

    Come back later when you're coherent.

    When 4 cores and several gigs of ram are available in inexpensive off-the-shelf systems, and VM software is freely available and easier to deploy, paranoid levels of security become more and more practical.

    --
    I prefer rogues to imbeciles because they sometimes take a rest.
  2. Re:I have to agree it is idiotic by Sycraft-fu · · Score: 3, Informative

    If your AV software screws over your system, then get a better one. NOD32 is exceedingly fast and thus low impact on system resources. Also, with any good one, like NOD, you can configure what it scans so you don't have to scan everything if you don't want to.

  3. Re:Well... by lagfest · · Score: 4, Informative

    Already exists for windows: http://www.microsoft.com/windows/products/winfamily/sharedaccess/default.mspx

    And it's free.