flat assembler
Message board for the users of flat assembler.

Index > Heap > Interesting use of Pacifica (rootkit)

Goto page Previous  1, 2, 3  Next
LocoDelAssembly
Has anyone here attended Joanna's conference?
Post 11 Aug 2006, 19:24
0x4e71
Some facts about this BS claim:

Debunking the Blue Pill Myth
http://www.virtualization.info/2006/08/debunking-blue-pill-myth.html
Post 12 Aug 2006, 12:01
bogdanontanu
That is a stupid debunking...
That guy has no idea what he is talking about...

Like somebody is going to sit with a stopwatch next to a computer and benchmark it by hand... that is purely stupid...

The reality is that everybody is astonished by Joanna revealing this... and they need some smoke and lies to cover it up until they find a cure... if you buy that... ok

But honestly, with the concepts of virtualization and what they imply: there will never be a cure... we are just going down deeper and deeper :D

Sweet dreams :P
Post 12 Aug 2006, 15:51
0x4e71
Not half as stupid as the Blue Pill!! ;)
Post 12 Aug 2006, 15:56
bogdanontanu
Yeah, the name given to the technique is specific to the dramatism of the human race...

However, the technique described is 99% accurate, while the arguments against it are 0.1% accurate and very much laughable.

I consider Joanna was being kind of ironic with the suggestion of an external stopwatch, and they desperately took the "byte" :D


Last edited by bogdanontanu on 12 Aug 2006, 16:20; edited 1 time in total
Post 12 Aug 2006, 16:12
LocoDelAssembly
Has anyone found the slides of the conference? She said the slides would be available after the conference, but the conference was a couple of weeks ago...
Post 12 Aug 2006, 16:16
0x4e71
Yeah, I mean, not that it is stupid in itself, but after The Matrix this name REALLY got abused. :O
Post 12 Aug 2006, 16:16
f0dder
Just setting up a hypervisor and running the OS inside it is not going to be enough to avoid detection - you do need to (at least) mask out memory and whatnot. Not exactly an easy task.

I haven't read up enough on the VMX instructions, but can a VM running inside VMX set up a hypervisor itself? If not, that'd be a detection vector.

Of course timing with a stopwatch is silly, you wouldn't be able to measure anything that way. Even computer-based timing will be difficult with proper MSR.TSC adjustments.
Post 12 Aug 2006, 20:20
Tomasz Grysztar
f0dder wrote:
I haven't read up enough on the VMX instructions, but can a VM running inside VMX set up a hypervisor itself? If not, that'd be a detection vector.

You can catch the attempts of a program running inside the VM to use the VMX instructions, but then you probably have to emulate the VMX for it yourself.
Post 12 Aug 2006, 20:46
vid
Could anyone link some (non-theoretical) info about that VMX thingy? I have only seen what it is for, nothing specific.
Post 12 Aug 2006, 20:48
Tomasz Grysztar
Here's what I got for the Intel one (AMD's Pacifica instruction set for virtualization is almost exactly equivalent in functionality but is incompatible at the binary level).

Attachment: Intel® Virtualization Technology Specification (197666_197666.pdf, 960.66 KB)
Post 13 Aug 2006, 00:16
HyperVista
I can tell you Microsoft and IBM view malicious hypervisors as a very real and significant threat. I met with Microsoft's Peter Biddle several months ago (google him to learn about his position in Microsoft). Biddle told me Microsoft is extremely concerned about malicious hypervisors not only because of the potential damage they can do, but also because, if they are constructed properly and installed before they get there, they are undetectable. Microsoft teamed recently with the University of Michigan to create a prototype malicious hypervisor (see the attached document).

I met last week with Charles Palmer, PhD (head of IBM Security and Privacy Research - google him too to see his credentials). Palmer confirmed for me that IBM is taking the malicious hypervisor threat very seriously.

Here's an interesting recent article on malicious hypervisors: http://www.eweek.com/article2/0,1895,1936666,00.asp

I'm currently building a hypervisor product that contains security utilities such as intrusion detection, firewalls, virus scanning and systems monitoring services. I've decided to make it hypervisor based because hackers will have an extremely difficult time detecting the protections, let alone disabling them, because they are contained deep, deep, deep in the hypervisor. Oh, and a hypervisor is an excellent technique for providing fault tolerance.

Attachment: subvirt.pdf (204.53 KB)
Post 13 Aug 2006, 03:48
MazeGen
Thanks for sharing all this information about VMs, HyperVista :)
Post 13 Aug 2006, 07:59
f0dder
By the way, I suppose a hypervisor could easily mask out the CPU features to the VMs, so the VMs won't see that the CPU has VMX capabilities... This ought to give good protection against malicious use of VMX.

On the other hand, a malicious hypervisor doing the same would be easily detectable - through user knowledge of "my CPU supports VMX, but this app says it doesn't".

Tomasz Grysztar wrote:
f0dder wrote:
I haven't read up enough on the VMX instructions, but can a VM running inside VMX set up a hypervisor itself? If not, that'd be a detection vector.

You can catch the tries of program running inside VM to use the VMX instructions, but then you probably have to emulate the VMX for it yourself.

Sounds like a MASSIVE undertaking :)
Post 13 Aug 2006, 12:26
HyperVista
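The two checks f0dder sketches in his posts above (CPUID timing, and the inconsistency between what the owner knows about the CPU and what CPUID reports) are easy to write down. The following is an added example for readers of this thread, not code from any poster or from the Blue Pill or SubVirt projects. It is written from the point of view of an administrator checking a machine for an unexpected hypervisor. The 2000-cycle threshold is an assumption and must be calibrated on known-clean hardware of the same model; the VMX/SVM bit positions are the documented ones (CPUID.1:ECX bit 5 for Intel VT-x, CPUID.80000001h:ECX bit 2 for AMD SVM/Pacifica). As f0dder notes, a hypervisor can offset the TSC, so the timing result is a heuristic rather than proof:

```c
// Added example: two hypervisor-presence heuristics discussed in the thread.
//  1. Feature-bit consistency: if the owner knows the CPU has VT-x or SVM
//     but CPUID reports the bit clear, something is masking features.
//  2. CPUID timing: CPUID unconditionally exits to a hypervisor, so its
//     TSC cost jumps from ~10^2 cycles to ~10^3-10^4. We use the median of
//     many samples so interrupts and scheduling do not dominate.
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>              /* GCC/Clang: __cpuid, __get_cpuid_max */
#define HAVE_X86_CPUID 1
#else
#define HAVE_X86_CPUID 0        /* decoding helpers still usable */
#endif

/* Decoders take raw register values so the logic is testable offline. */
int cpuid_reports_vmx(uint32_t leaf1_ecx)        { return (leaf1_ecx >> 5) & 1u; }
int cpuid_reports_svm(uint32_t leaf80000001_ecx) { return (leaf80000001_ecx >> 2) & 1u; }

/* 1 if the owner expects a virtualization extension that CPUID denies
   ("my CPU supports VMX, but this app says it doesn't"). */
int feature_masking_suspected(int expected_vmx, int expected_svm,
                              uint32_t leaf1_ecx, uint32_t leaf80000001_ecx)
{
    return (expected_vmx && !cpuid_reports_vmx(leaf1_ecx)) ||
           (expected_svm && !cpuid_reports_svm(leaf80000001_ecx));
}

static int cmp_u64(const void *a, const void *b)
{
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

/* Median of per-CPUID cycle counts; sorts the array in place. */
uint64_t median_cycles(uint64_t *samples, size_t n)
{
    qsort(samples, n, sizeof samples[0], cmp_u64);
    return (n % 2) ? samples[n / 2]
                   : (samples[n / 2 - 1] + samples[n / 2]) / 2;
}

/* threshold_cycles is an assumed, model-specific calibration value. */
int timing_suspicious(uint64_t median, uint64_t threshold_cycles)
{
    return median > threshold_cycles;
}

#if HAVE_X86_CPUID
/* TSC delta around a single CPUID instruction. */
static uint64_t time_one_cpuid(void)
{
    unsigned a, b, c, d;
    uint64_t t0 = __builtin_ia32_rdtsc();
    __cpuid(0, a, b, c, d);
    uint64_t t1 = __builtin_ia32_rdtsc();
    (void)a; (void)b; (void)c; (void)d;
    return t1 - t0;
}
#endif

int main(void)
{
#if HAVE_X86_CPUID
    enum { N = 1000 };
    uint64_t samples[N];
    unsigned a, b, c = 0, d, c_ext = 0;

    for (int i = 0; i < N; i++)
        samples[i] = time_one_cpuid();
    uint64_t med = median_cycles(samples, N);

    __cpuid(1, a, b, c, d);                         /* leaf 1: VMX bit   */
    if (__get_cpuid_max(0x80000000u, NULL) >= 0x80000001u)
        __cpuid(0x80000001u, a, b, c_ext, d);       /* AMD leaf: SVM bit */

    printf("CPUID median cost: %llu cycles (%s)\n", (unsigned long long)med,
           timing_suspicious(med, 2000) ? "suspicious" : "plausible native");
    printf("CPUID reports VMX=%d SVM=%d\n",
           cpuid_reports_vmx(c), cpuid_reports_svm(c_ext));
#else
    puts("not an x86 build; only the decoding helpers are available");
#endif
    return 0;
}
```

Run it on the machine in question and compare the two printed lines with what you know about the hardware; a clear VMX/SVM bit on a CPU that is documented to have it, or a median CPUID cost far above the calibrated native figure, is a reason to investigate further, not a verdict on its own.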
LocoDelAssembly - I have Joanna's slides, but it's too big to upload here (reached my upload quota :( ). If you provide me a private e-mail account, I'll forward it to you. FYI, part one of her slide deck deals with inserting a nasty driver into Windows Vista. Part two is her Blue Pill (malicious hypervisor) talk.
Post 21 Aug 2006, 11:56
LocoDelAssembly
Is it really, really big? You can use www.rapidshare.de to upload it if the slides are less than 300 MB, and this way all of us can get the slides :D

I'll PM my email now, but it's a Google account which has a maximum of 10 MB per mail (you should keep in mind that Base64 makes attachments bigger).

Thanks!!
Post 21 Aug 2006, 14:28
HyperVista
No, it's not that big (6 MB). Not sure why I couldn't upload it here, but I tried twice with the same result ("file too big")... ??

file is located here: http://rapidshare.de/files/30222113/070_Rutkowska.pdf
Post 21 Aug 2006, 14:38
HyperVista
Here's another, more interesting, briefing on hypervisor-based rootkits. This one was given by Dino A. Dai Zovi at Black Hat 2006 in Las Vegas the other week. I think this briefing is more interesting than Joanna's simply because it goes into more detail.

http://rapidshare.de/files/30225160/036_Zovi.pdf.html
Post 21 Aug 2006, 15:07
LocoDelAssembly
Both very interesting. The swapfile trick is very nice too, really good idea :D

Thanks for sharing the slides

Regards
Post 21 Aug 2006, 15:45
UCM
What about memory? The hypervisor would have to take up *some* memory, so an "intelligent" OS could find out, and if it paged it out to disk, well (you see the problem).
Post 21 Aug 2006, 18:25
Copyright © 1999-2020, Tomasz Grysztar.