Tuesday, August 7, 2007

Slides From VT-x Rootkit Detection Talk

There will be more to come, but for those of you who are interested, or who missed the talk, here are our slides from the rootkit talk, showing how we can detect unexpected virtualization to ferret out all known virtualized rootkits on any mainstream operating system.


Reader Comments (20)

Hello,

I'm discovering security and I read both your slides and bluepill ones and I still have one question:

I understand that detecting that you are in a VM is feasible, BUT a question is whether it is possible to tell the difference between running under an unknown version of a VMM (because maybe everybody will run VMs in the near future) and a known VMM malware?

Is it possible for a process inside a VM (your rootkit detector) to analyze memory outside its boundaries? (BluePill doesn't affect any memory inside the VM.)

Thanks

August 7, 2007 | Unregistered Commenter Jean Berniolles

Certainly a lot of good work in there. However, I do have to admit that Joanna has a point when she says that detecting rootkits merely by inferring that there is virtualization is going to be less and less useful as time goes on. I run pretty much all of my personal (server) things on VMs, and we use VMs to a great extent at work as well.

At the risk of sounding like a VMware sales droid, VMs really are making a lot of headway in the server space. 3 out of 3 of the last server hardware class systems I've invested in personally (outside of work) have all ended up running VMs, and I know we're giving consideration to deploying production services on VMs here at work.

Now, obviously, there are a lot of scenarios that will probably never (or at least for a very long time) see meaningful virtualization - end user client systems being a big one, especially home users (at least not while things like virtualized video cards still give poor performance and functionality compared to the real deal). But at least as far as dedicated/noninteractive servers go, I think that the window in which it is going to be feasible to say "I'm running in a VM [unexpectedly], therefore I am rootkit'd" is going to be fast disappearing.

August 7, 2007 | Unregistered Commenter Skywing

Very good point, Skywing, and I have thought of these situations before also. Looking over the Black Hat slides such as

http://www.blackhat.com/html/bh-usa-07/bh-usa-07-speakers.html#Baker

is giving more proof to your point that "'I'm running in a VM [unexpectedly], therefore I am rootkit'd' is going to be fast disappearing."

One interesting thought is how people will be able to detect if they are running in a wanted or unwanted VM. When Windows moves their servers to full virtualization, and even more the desktop, how will users be able to tell whether just the Windows hypervisor is under them, or whether there is some malware running parallel to the hypervisor or even under it?

I also am interested in when people will start using the instructions from an offensive stance (maybe that is too boring for some).

August 7, 2007 | Unregistered Commenter Bee Binger

The "TLB checking with colored memory" technique has a pretty short expiration date as more systems become virtualized, but the timer-based approach actually seems to have merit, provided that the timers are profiled pre-emptively and often. Timers really can't tell you which virtualization layer you have, but they can tell you if you have one you didn't expect to have.

August 7, 2007 | Unregistered Commenter emf
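As an added illustration of the timer-based approach discussed in the comment above (example code written for this page, not from the talk or its slides): a baseline of CPUID timings is profiled early and stored, and later re-checks are compared against it, flagging only when the cost has jumped far beyond normal jitter. The x86 sampler, the `MIN_MARGIN` constant, the robust-statistics choice and the sample values are all assumptions of this example.

```c
/* Added example, not from the talk: timer-based check for an unexpected
 * virtualization layer, i.e. "profile early and often, then compare". */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
#include <cpuid.h>
/* Cycle cost of one CPUID; a VMM has to intercept it, so the cost jumps. */
uint64_t sample_cpuid_cycles(void) {
    unsigned a, b, c, d;
    uint64_t t0 = __rdtsc();
    __cpuid(0, a, b, c, d);
    return __rdtsc() - t0;
}
#endif

#define MIN_MARGIN 100.0 /* cycles; absorbs clock/turbo jitter between profiles (assumed) */
typedef struct { double median; double mad; } profile_t;

static int cmp_u64(const void *x, const void *y) {
    uint64_t a = *(const uint64_t *)x, b = *(const uint64_t *)y;
    return (a > b) - (a < b);
}

/* Robust profile (median, median absolute deviation) so one preempted
 * sample cannot poison the baseline; works on a private copy of the samples. */
profile_t profile_samples(const uint64_t *s, size_t n) {
    uint64_t *buf = malloc(2 * n * sizeof *buf);
    memcpy(buf, s, n * sizeof *buf);
    qsort(buf, n, sizeof *buf, cmp_u64);
    uint64_t med = buf[n / 2];
    for (size_t i = 0; i < n; i++)
        buf[n + i] = buf[i] > med ? buf[i] - med : med - buf[i];
    qsort(buf + n, n, sizeof *buf, cmp_u64);
    profile_t p = { (double)med, (double)buf[n + n / 2] };
    free(buf);
    return p;
}

/* 1 if a fresh sample set sits well above the stored baseline: something now
 * intercepts CPUID that was not there when the baseline was profiled. */
int unexpected_layer(profile_t base, const uint64_t *s, size_t n, double k) {
    double margin = k * base.mad > MIN_MARGIN ? k * base.mad : MIN_MARGIN;
    return profile_samples(s, n).median > base.median + margin;
}

/* Constructed sample sets (not measured): a baseline with one preempted
 * outlier, a clean re-check, and a re-check under a CPUID-trapping layer. */
const uint64_t demo_baseline[9] = { 98, 101, 99, 100, 102, 97, 100, 150, 99 };
const uint64_t demo_bare[9]     = { 100, 103, 99, 101, 98, 100, 102, 100, 99 };
const uint64_t demo_trapped[9]  = { 1410, 1385, 1402, 1396, 1420, 1390, 1405, 1399, 1412 };
```

On a real system the baseline should be re-profiled periodically and the comparison repeated, since a one-time check says nothing about a layer that arrives later.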

Cool stuff. Wish I'd been at the talk! Any chance you'll write it up like you did with your last Black Hat talk?

Also, why "Samsara"? I have a passing familiarity with the word (took a Buddhist Philosophy class in college), but I'm not seeing the connection to rootkit detection...

August 7, 2007 | Unregistered Commenter Matt

Matt - I believe it refers to the cat and mouse game mentioned in the presentation.

sam·sa·ra n. Hinduism & Buddhism
The eternal cycle of birth, suffering, death, and rebirth.

August 8, 2007 | Unregistered Commenter Scott

Detection of a VMM is merely the first step. Then comes recognition (it's BluePill or it's not) and identification (which version of BluePill it is).

Having never seen BluePill before the presentation, we had no way to know how to recognise it, let alone identify it. However, we did not present our work as a "BluePill detection" (because it's not) - we presented it as a VMM detection (which it is). That it finds BluePill is a corollary.

Now, given the BluePill code, we can find anomalous behaviours - e.g. VPC 2007 can't coexist yet, so if the cause is isolated then a heartbeat app can be created in its place. If the heartbeat stops, then we've recognised BluePill, and even identified it as v0.11. Of course, that will be fixed in v0.xx, but we'll just find something else (there are other things, but this comment is already too long). The cat and mouse game is being played.

Yes, the future is virtualisation in the OS (and eventually in the firmware), but then the BluePill problem goes away.

August 8, 2007 | Unregistered Commenter Peter Ferrie

Great slide deck! Congrats on the great work Tom, Nate and Peter.

August 12, 2007 | Unregistered Commenter newsham

The question isn't "is it possible for a Windows application to detect that it is running under a virtualized rootkit?" If you want to trick Windows applications, you can do that reliably without virtualizing the whole system.

The question is, "can the system detect malicious virtualization?" All benign virtual machines --- indeed, all benign components of the system --- can be made to cooperate with that effort. Malware cannot. It is distinguished by that fact. Once the highest-privileged component in the system (usually, the "root" hypervisor) is enlisted, malicious virtualization is detected simply by looking for unexpected virtualization.

The balance of Joanna's argument is that VMWare and Microsoft are never going to sully their hypervisors with "hacks" to detect Blue Pill, and I agree; malicious virtualization is unlikely to be important enough to merit that effort. But if virtualized malware ever becomes that big a problem, know that Microsoft and VMWare have a response.

August 15, 2007 | Unregistered Commenter Thomas Ptacek

[...] Tereshkin's "New Blue Pill" vs. Peter Ferrie, Nate Lawson, and Tom Ptacek's VT-x Rootkit Detection techniques. This included some follow-up material on the Matasano blog including Side-Channel [...]

your blog is really great! 770

February 11, 2009 | Unregistered Commenter Jose C Davda

Very interesting points

March 3, 2009 | Unregistered Commenter Background Check

Yes, virtualized malware is a minor issue, but computer security is not minor.

March 4, 2009 | Unregistered Commenter Rakeback

Thanks for the link to the rootkit talk; I had missed it and it was nice to keep up with it.
Thanks again.

March 18, 2009 | Unregistered Commenter Memory Foam Mattress

Hello Thomas. Thanks for sharing this info. It was really great to see the tech stuff in your slides. Keep posting such good ones :)

May 12, 2009 | Unregistered Commenter finance

Thanks. I use this post in my work. I hope it is OK.

March 10, 2010 | Unregistered Commenter asigurari auto
