Slashdot Mirror


Security Threats 3 Levels Beyond Kernel Rootkits

GhostX9 writes "Tom's Hardware has a long interview with security expert Joanna Rutkowska (which is unfortunately split over 9 pages). Many think that kernel rootkits are the most dangerous attacks, but Joanna and her team have been studying exploits beyond Ring 0 for some years. Joanna is most well known for the BluePill virtualization attack (Ring -1) and in this interview she chats a little bit about Ring -2 and Ring -3 attacks that go beyond kernel rootkits. What's surprising is how robust the classic BluePill proof-of-concept is: 'Many people tried to prove that BluePill is "detectable" by writing various virtualization detectors (but not BluePill detectors). They simply assumed that if we detect a virtualization being used, this means that we are "under" BluePill. This assumption was made because there were no products using hardware virtualization a few years ago. Needless to say, if we followed this way of reasoning, we might similarly say that if an executable makes network connections, then it must surely be a botnet.'" Rutkowska says that for her own security, "I don't use any A/V product on any of my machines (including all the virtual machines). I don't see how an A/V program could offer any increased security over the quite-reasonable-setup I already deployed with the help of virtualization." She runs three separate virtual machines, designated Red, Yellow, and Green, each running a separate browser and used for increasingly sensitive tasks.
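Rutkowska's complaint above is that "virtualization detectors" answer a different question than "is BluePill here?". The following added example (written for this page, not code from the interview or from Rutkowska's BluePill work) is the kind of CPUID-based detector she means: it reads leaf 1 ECX bit 31, the "hypervisor present" bit that bare-metal CPUs leave clear and mainstream hypervisors set, plus the leaf 0x40000000 vendor signature that KVM, VMware, Hyper-V and Xen advertise by convention. A positive result therefore says "some hypervisor is advertising itself" (a false positive for a normal VM under KVM or VMware), while a thin hypervisor that simply passes CPUID through unmodified returns a clean answer. The `classify` return codes and the struct names are this example's own choices, not anything from the interview.

```c
/* Added example: a CPUID "virtualization detector" of the kind the
 * interview criticises. It detects an advertised hypervisor, not BluePill:
 * a hypervisor that forwards CPUID unmodified leaves bit 31 clear, while
 * every mainstream VM product sets it. Not from the interview. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct cpuid_regs { uint32_t eax, ebx, ecx, edx; };

/* CPUID.1:ECX[31] is reserved for hypervisors to set; bare metal reads 0. */
int hypervisor_bit_set(uint32_t leaf1_ecx) {
    return (leaf1_ecx >> 31) & 1u;
}

/* Leaf 0x40000000: EBX, ECX, EDX hold a 12-byte vendor signature by
 * convention ("KVMKVMKVM", "VMwareVMware", "Microsoft Hv", ...), stored
 * little-endian, one register after another. */
void hv_vendor_string(const struct cpuid_regs *r, char out[13]) {
    uint32_t words[3] = { r->ebx, r->ecx, r->edx };
    for (int i = 0; i < 3; i++)
        for (int b = 0; b < 4; b++)
            out[i * 4 + b] = (char)((words[i] >> (8 * b)) & 0xffu);
    out[12] = '\0';
}

/* What the two leaves tell us (return codes are this example's own):
 *   0 = no hypervisor advertised (bare metal, or one hiding itself)
 *   1 = hypervisor bit set and a vendor signature present
 *   2 = hypervisor bit set but no vendor signature */
int classify(const struct cpuid_regs *leaf1, const struct cpuid_regs *leaf40) {
    if (!hypervisor_bit_set(leaf1->ecx))
        return 0;
    char vendor[13];
    hv_vendor_string(leaf40, vendor);
    return vendor[0] != '\0' ? 1 : 2;
}

/* Read the real leaves on x86; on other architectures the structs stay
 * zeroed, which classifies as "no hypervisor advertised". */
#if defined(__x86_64__) || defined(__i386__)
static void cpuid(uint32_t leaf, struct cpuid_regs *r) {
    __asm__ volatile("cpuid"
                     : "=a"(r->eax), "=b"(r->ebx), "=c"(r->ecx), "=d"(r->edx)
                     : "a"(leaf), "c"(0));
}
#endif

int main(void) {
    struct cpuid_regs leaf1 = {0, 0, 0, 0}, leaf40 = {0, 0, 0, 0};
#if defined(__x86_64__) || defined(__i386__)
    cpuid(1, &leaf1);
    cpuid(0x40000000u, &leaf40);
#endif
    char vendor[13];
    hv_vendor_string(&leaf40, vendor);
    switch (classify(&leaf1, &leaf40)) {
    case 1:  printf("hypervisor advertised: %s\n", vendor); break;
    case 2:  printf("hypervisor bit set, no vendor signature\n"); break;
    default: printf("no hypervisor advertised (does not rule one out)\n");
    }
    return 0;
}
```

Run it inside an ordinary KVM or VMware guest and it reports a hypervisor, which is exactly the false positive the interview describes; a hypervisor that chooses not to set the bit produces the same output as bare metal, so the check has no power against the thing it is supposed to find.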

3 of 264 comments

  1. You don't use A/V? Are you insane? by Anonymous Coward · Score: -1, Troll

    If you run a recent, patched version of Linux or OS X, fine. But if you run a win32 or win64 variant, you shouldn't make the choice to place all of us at risk by running around without antivirus. It's irresponsible, and selfish.

  2. My partner, by Anonymous Coward · Score: -1, Troll

    My partner, who is a totally non-tech person, also uses a similar setup on her Mac, and she finds it usable. So, I guess it's not as geeky as it might sound.

  3. Re:Well... by tepples · Score: 0, Troll

    I've spent approximately 300 seconds to date fiddling with NoScript. [...] As is, I use Linux, and feel extraordinarily thankful to have that option.

    How many seconds did you spend fiddling with Linux to get your hardware to work?