Blue Pill Myth Debunked 128
njyoder writes "As previously posted about, Joanna Rutkowska claimed to have discovered an allegedly undetectable vulnerability in Vista that takes advantage of AMD cpu's virtualization capabilities. a virtualization professional (Anthony Liguori of the Xen project) has now voiced his opinion to state this is bunkum.
There are two parts two this — the ability to take over the machine and seamlessly drop the OS into a VM (which is very difficult, but possible) and the ability to have windows run in the VM undetectably (which is impossible). In fact, Rutkowska's prototype is VERY detectable.
This is unfortunate mistake that people make when they jump to conclusions based on what is unfounded speculation and that includes the assumption that this would somehow be Vista specific, if it worked (noting that Vista doesn't run with administrator privileges by default)."
Oh, *that* blue pill. (Score:1)
Is this really Slashdot? (Score:2)
I'd hit it [invisiblethings.org], assuming she's as cute as she looks in that picture.
"I'd hit it" (Score:2)
Re:"I'd hit it" (Score:2)
I always take (Score:2, Funny)
Detection (Score:5, Insightful)
Detection-My buddy, the program. (Score:1, Insightful)
And people are going to detect it how? That's right. Using a program. Just like we detect all the other stuff.
Re:Detection-My buddy, the program. (Score:3)
Re:Detection-My buddy, the program. (Score:5, Funny)
Re:Detection-My buddy, the program. (Score:2)
Re:Detection-My buddy, the program. (Score:2, Funny)
Re:Detection-My buddy, the program. (Score:2)
Re:Detection-My buddy, the program. (Score:5, Informative)
And that's Joanna's point. Properly constructed, Blue Pill 2 (the successor with full emulation support coded in--she herself admitted that her prototype is imperfect) would be undetectable by software running inside the VM. She discusses the possibility of a timing attack using an external clock, but also notes that this is infeasible in a large deployment. Certainly it would be infeasible for your average person running a computer (evidence by the fact that some of them don't even run antivirus/antimalware programs at all and get horribly infected!)
I was at Joanna's Black Hat briefing. Not once did she imply that this was Vista specific--in fact, she mentioned another briefing with the same sort of rootkit--only running on a MacBook. Her briefing was entitled "Subverting the Vista Kernel for Fun and Profit" because the first half of her talk was about elevating privileges in Vista, which would allow a rootkit such as Blue Pill to run.
I think that the danger here lies somewhere between "The end is very fucking nigh" and "This is absolutely nothing to worry about." Yes, it's extremely hard to implement. But that shouldn't mean we don't worry about it, because one implementation and it will be much easier to reverse engineer/modify to do other nasty things. Also, the eventual inability to detect in software means that if such an attack ever comes to pass, it will be extremely difficult to clean en masse (virtually requiring a reinstall or a livecd).
Re:Detection-My buddy, the program. (Score:2)
Re:Detection-My buddy, the program. (Score:3, Informative)
Re:Detection-My buddy, the program. (Score:3, Insightful)
And that's Joanna's point. Properly constructed, Blue Pill 2 (the successor with full emulation support coded in--she herself admitted that her prototype is imperfect) would be undetectable by software running inside the VM.
This is the fundamental problem I have. So she has a crappy prototype but claims that the next version will be undetectable? Where's the paper? What is she exploiting to make this actuall
Re:Detection-My buddy, the program. (Score:5, Informative)
I bet you can find a PDF of her slides somewhere online, if you're interested.
Re:Detection-My buddy, the program. (Score:2)
1) A Virtual Machine will not defend us from viruses, because the virus can detect when it is running under the VM.
2) Blue Pill or its successor can execute Windows inside an undetectable VM.
Thanks.
Re:Detection-My buddy, the program. (Score:2)
You're talking about two different types of VMs. #1 applies to software VM (like VMWare) and #2 applies to hardware virtualization.
That said, I don't recall making claim #1 at all, so I don't know what you're talking about or why you bring it up. Even if a virus could detect that it was running in a VM, unless it could escape the VM, it still would be contained.
Re:Detection-My buddy, the program. (Score:1)
I am a VMware consultant and work with virtualization every day. There are two reasons why I don't believe that this is much of a threat.
Virtualization presents static virtual hardware - whatever virtualization method that they utilize would present the same hardware to every vrtual machine (unless they coded it with a huge library of different virtual devices, which involves recoding the drivers for each device). From the device manager, you could check to see if the hardware in your system matches the
Re:Detection-My buddy, the program. (Score:3, Insightful)
1) The hardware is the same unless the hypervisor changes what the software sees. All the hardware in the device manager will look just like it did pre-virtualization. This was demonstrated at Black Hat.
2) This is simply not true with hardware virtualization. It may b
Re:Detection-My buddy, the program. (Score:2)
Yes, I believe that Blue Pill is perfectly possible. (The fact that a functioning prototype exists aside.) The suggested objections are trivial. However, they have nothing to do with hardware virtualization vs software virtualization. Hardware virtualization makes the process much easier, but it doesn't enable it.
The difference is in function of the package. A virtualization product like VMWare presents a virtual machine to the user. As that is what the GP is used to, I can unders
Re:Detection-My buddy, the program. (Score:2)
Is it possible (in software) to replace the OS with a virtualized one, passing all but privileged instructions to the hardware, and trap certain key instructions to be handled by your virtualizer, all while the
Re:Detection-My buddy, the program. (Score:2)
The only gotcha is that the computer has constrai
Re:Detection-My buddy, the program. (Score:2)
It's also possible to detect by careful
observation of subtle behavioural changes.
Re:Detection (Score:3, Insightful)
So would the best solution is to try to run 3d FPS games to see if they work?
As far as I know one of the problems with VM is that 3d acceleration may not work as expected, but most VM companies are trying to get around this with much success.
Re:Detection (Score:2)
Well, this is Vista. In theory, most PCs should be able to run some of the 3D effects (maybe not all of them). So you should notice a lack of the 3D effects all of a sudden, and a huge slowdown as Windows is no longer relying on the video card for desktop drawing.
Re:Detection (Score:3, Insightful)
Re:Detection (Score:5, Informative)
The only way to tell the hypervisor is there is to find a CPU call that the hypervisor *does* care about, and compare how long it takes to run that command before & after the rootkit pushes the OS to a guest OS. That's what the Xen guy is talking about.
(I was at Rutkowska's talk...I'm not sure I buy the Xen guy's response.)
Re:Detection (Score:3, Informative)
She admitted that timing attacks were her weakness, as did the other guy who talked about virtualization-based rootkits. The problem is that you have to have a benchmark to compare it to, and you have to assume that the hypervisor doesn't modify the time whenever it is called. If the time does get modified, then the only way we know of to detect the rootkit is to measure clock skew on the infected PC using a real time source. This, of course, assumes that there isn
Re:Detection (Score:2)
The difference is order of magnitudes. Hypervisor exits incur penalties on the order of thousands of cycles. If you don't know the specifics of the system you're on, you can always compare the cost relative to a similiar instruction.
Re:Detection (Score:2)
Or do I misunderstand?
Re:Detection (Score:2)
We're talking about anti-virus software here--not the average end-user. Anti-virus software just has to use NTP (or invent it's own time-keeping protocol) to check external time. There is of course a skew when checking time over the internet so you just make
Re:Detection (Score:2)
This is a whole new battlefield, and while (as I've said before) I don't think this is the doomsday exploit that some people are claiming it is, I think it's something to be taken seriously if you're concerned a
Re:Detection (Score:1)
Re:Detection (Score:2)
Maybe. But then, you use some other sort of protocol. It's just like the arms race between today's virii and anti-virus software. It's pretty much exactly what we've been dealing with for years.
Re:Detection (Score:1)
I agree that comparing the run times of instructions that will be trapped to those that won't is the way to go. I also agree that using an external time source would work well. I work with phototiming for a living, and have an external device with a 1PPM (part per million) clock in it. I can ask for the time over the network on any port using any arbitrary format that Blue Pill could not possibly know about. In that situation I know that the time I'm getting is reliable. (
Re:Detection (Score:2)
Re:Detection (Score:2)
Now obviously you can glance at your watch at see if some operation takes longer...
Re:Detection (Score:5, Interesting)
They've added extensions to facilitate trap-and-emulate virtualization.
The side-effect of this is that the hypervisor can simply tell the bios "I'm the hypervisor...but, only call me when these specific requests are made."
VT/SVM have absolutely nothing to do with the BIOS. Instead, they both introduce a new processor mode that can be entered at any point that allow certain operations to be trapped. These operations are more or less the set of classic x86-sensitive instructions.
So, the hypervisor could simply choose to ignore the sound and video hardware, leaving those as fast as they were before.
Yup. But we're not talking about hardware here. Keep in mind, that if you do allow direct access to hardware, one now has a channel to access all of memory which could be used to detect a virus in RAM. Let's ignore that for now though
The only way to tell the hypervisor is there is to find a CPU call that the hypervisor *does* care about, and compare how long it takes to run that command before & after the rootkit pushes the OS to a guest OS.
Yup, and as I pointed out to Joanna, there are a number of CPU operations that one would *have* to trap. Things like %cr3 moves, msr reads/writes, etc. Otherwise, one can just search memory for a signature. BTW, how does she hide the memory of the VMM from the guest? I didn't address this because there are some potential solutions (like memory hotplug) but this, in practice, would be a very hard problem to solve. You can just take away memory from an Operating System and expect things to function normally.
Why do you think she addressed this in her talk? I brought it up to her before she presented...
Anyway, you have to take a trap at some point. There are only a small number of possible instructions that trap. A very thorough "detector" could simply check the timing of every trapable instruction.
If she's not trapping any instructions, then the monitor is never getting run so is it really a monitor anymore?
BTW, on VT at least, the VMM doesn't get a choice for certain instructions. They always trap no matter what.
Re:Detection (Score:2)
Feel free to correct me if I've mis-understood, but your position seems to be that while it may be prohibitively hard to detect the a trojan hypervisor, it's still technically possible. Joanna presented as if BluePill were undetectable, you're contesting that it's detectable, just hard.
From a practical point of view, there's little difference between those two positions. In fact, if it's so hard that no one will do it, there's operationally zero differ
Re:Detection (Score:2)
The blue pill can continue running vista within itself, but it's not going to be able to put the first hypervisor in it
Go figure.
Any time you suspect something fishy is going on, you could pause the entire thing using the "top most" hypervisor and scan.
IMO it's high level malware that will be harder.
Example: whether the following actually executes malicious code or not is dependent on what the se
Re:Detection (Score:2)
Re:Detection (Score:1)
Re:Detection (Score:2)
It can think it got out, it can relaunch Vista in it's own "blue pill" Matrix, but it is not out.
You may also wish to see:
http://en.wikipedia.org/wiki/X86_virtualization
(we are talking about the new x86 stuff after all).
Re:Detection (Score:2)
No, not really. I'm saying that in all circumstances, it's detectable. I'm claiming that even with all the engineers in the world working on this thing, it's still detectable (although it may be hard).
Practically speaking,
Re:Detection (Score:2)
Re:Detection (Score:2)
Re:Detection (Score:2)
debunked? I don't think so... (Score:5, Interesting)
A vm that sees you load BluePillDetect.exe just goes in and twiddles a few bits here and there in the app before it actually puts it in the execute queue, or subtly mucks with its registers while it's executing. Now the program blissfully reports just what the VM wants it to report... "no VM detected.".
Now how are you going to get around THAT? If you are running on a totally owned system, you cannot tell me there is anything you can do that is guaranteed to work, especiially if you are using a commonly available tool that the vm author had access to..
You simply cannot win at their game if they are the ones writing the rules. You can claim victory for a day or two, until the VM authors get their hands on your tool and make the necessary modifications to their VM to cripple your tool, and then you are back to the drawing board.
Re:debunked? I don't think so... (Score:2)
Periodic live-CD system file scanning?
Re:debunked? I don't think so... (Score:2)
Yes, but writing code from the VM to reach inside OS-specific structures (or even read their contents) is difficult and fragile -- you need to find structures with known memory locations and find a way to fol
Re:debunked? I don't think so... (Score:2)
Re:debunked? I don't think so... (Score:2)
Re:debunked? I don't think so... (Score:2)
A vm that sees you load BluePillDetect.exe just goes in and twiddles a few bits here and there in the app
There exists an infinite number of bit patterns performing the task of BluePillDetect.exe. 99.99999% of them will be unrecognized by the malware. If the user can install one of them, or even type one in, then the malware is not "100% undetectable." So the claim has been debunked.that's funny. (Score:2)
Anyway, the blue pill stuff is overrated.
AFAIK the new x86 hardware VM features are supposed to allow you to run VMs in VMs and other stuff.
So, just make sure you boot Vista or whatever O/S of you choice in a hardware VM right from the very beginning. Call that sort of thing a "white pill" if you want.
Then the white pill can just scan for or intercept blue pill stuff. The white pill can use whatever tricks the blue pill
When the heart rules the mind.... (Score:2, Interesting)
I would probably take heart to this if a hardware (or firmware) engineer spoke up and noted that this is a possibity. Are processors now offering virtualizaton in-chip?
Re:When the heart rules the mind.... (Score:3, Informative)
Of course this is intended for highend systems. Like all other technology expect to see it in regular systems in no time.
Re:When the heart rules the mind.... (Score:1)
Re:When the heart rules the mind.... (Score:2)
Which, by the way, brings up a THIRD faulty assumption from the demo: this tactic is absolutely NOT AMD-specific. Intel's "Vanderpool" offers a slightly different ISA but ends up at an equivalent Ring -1, with the same theoretical risks and rewards.
Re: (Score:1, Flamebait)
Re:That's great! (Score:1, Informative)
Impossible to not be detected? (Score:3, Insightful)
While i agree it would really really damned hard to do it, you could create a VM that the host os wont reconize as being a VM. Sure, it would have to accomodate for each new PC out there as hardware changes, and that it would be a massively complex beast that more then likely could never be turned into a worm/virus/trojan that you wouldnt see coming a mile away, but it could be done.
Never say impossible when logic says it could be done. Just say impractical..
Re:Impossible to not be detected? (Score:5, Insightful)
There are actually things in computer science that are impossible. Usually, they are problems in the form "figure out whether another program has propery X". Classic examples are the halting problem.
Recall, I'm disputing the claim of "100% undetectable". You could make something that's really, really, really hard to detect.
Re:Impossible to not be detected? (Score:2)
my take (Score:5, Interesting)
Most people in the security community are well aware of http://www.ephemeralsecurity.com/mosref [ephemeralsecurity.com] demo at http://static.ephemeralsecurity.com/mosvm/demo1.h
If mosquito and similar tools are not moving towards VMMs, I'd be very suprised. After all, it is a logical step (From VM as a payload, to a VMM as a payload).
Re:my take (Score:5, Informative)
Of course, VMM's can be used to do all sorts of nasty things. VMM-level virus could certainly be nasty. And, an important point to note, is that it may be entirely possible for a virus to be hidden in a VMM and for a virtual machine not to be able to detect that virus. Will VMM's need anti-virus software? I hope they don't suck that much.
What "blue pill" is though is something much different. It's claim is that you can take a native Operating System and turn it into a virtual machine without the OS knowing about it.
Of course it's difficult to do in Vista (Score:5, Interesting)
Re:Of course it's difficult to do in Vista (Score:2)
Re:Of course it's difficult to do in Vista (Score:2)
vista running with admin privledges? (Score:2, Interesting)
Re:vista running with admin privledges? (Score:2, Informative)
Re:vista running with admin privledges? (Score:2)
An admin account does need to be set up after all so you should expect that to continue. OS X does it too.
Re:vista running with admin privledges? (Score:2)
Re:vista running with admin privledges? (Score:2)
It's a prototype (Score:3, Insightful)
'two' does not equal 'too' (Score:1, Funny)
Re:'two' does not equal 'too' (Score:2)
Re:'two' does not equal 'too' (Score:1)
Re:'two' does not equal 'too' (Score:2)
Re:'two' does not equal 'too' (Score:1)
Not the only one to come to this conclusion... (Score:3, Informative)
Re:Not the only one to come to this conclusion... (Score:2)
1) Won't work on some systems, by design (like mine)
2) Has a high risk of damaging your data, due to the complete lack of multi-thread race considerations.
This is why... (Score:1)
Why undetectable? (Score:2)
I'm thinking any subversive VM thing would be like an uber-rootkit. When infected, the user's ntldr or winload.exe (for Vista) would be overwritten to load our new OS instead of Windows. On the next boot (which could come early by the delivery system resetting the computer), the new OS would load which would be little more than a very thin VM wrapper around windows. It would immediately boot up windows, and the user would be none the wiser. Basic things it would do (that would classify it as a rootkit)
this stuff is what bothers me (Score:3, Interesting)
With closed source code of any type I have no such option. Instead all I get is 'experts' to tell me. But these guys have to eat, so they get paid by someone, and have a vested interest in being paid tomorrow. Therefore there can be no impartial advice.
Heck, if the cheif engineer on the shuttle program can be convinced to retract his refusal to sign off the shuttle because of O-ring problems, what hope is there for trustworthy answer from anyone regarding closed source software?
Ok, possibly I'm being too extreme with my example, but seriously I worry about the *true* safety of using an operating system which has not, in fact, been designed with consumers in mind. It is, by microsofts own cheerful admission, purposely built to help 'rights holders' of stuff you use keep you from deviating from their precious business plan.
Perhaps this is fair enough, but there should be a trade off. I see no evidence that the rights of the OS purchaser are being properly considered. Even XP assumes you are a pirate unless proven otherwise. That reveals a lot about their views of the lowly home consumer.
Re:this stuff is what bothers me (Score:2)
Re:this stuff is what bothers me (Score:2)
His complaint is not about a technical matter. Openness may have a very limited (or no) effect on whether or not a compromise is possible. But it does have an effect on whether or not the threat is analysed and whether or not you can trust that analysis.
It's really a question of integrity and loyalty. It may be strange to talk about an inanimate object (software) having "loyalty" but it's the best analogy I can come up with. Free software gives its ultimate loyalty and allegiance to the user. You can
Re:this stuff is what bothers me (Score:2)
Re:this stuff is what bothers me (Score:2)
(I never believed that story, and my opinion is that Ken was pulling peoples' legs. But it's nevertheless a valid point about a theoretical weakness in toolchains, so..) That is a potential weakness that would be equally likely in both free and proprietary software. Free software is still much more open to unbiased analysis.
I'm still amazed by today's AV methods (Score:2)
I'm still just amazed that people don't do this anyway. My understanding is that today's approach to AV is that people run AV applications on possibly infected systems,
In theory, the theoretical is practical (Score:1)
Re:In theory, the theoretical is practical (Score:2)
The lack of proper AV tools doesn't make the users any less doomed. Malware isn't interested in excuses.
If Windows installations cannot be properly diagnosed and repaired, then it either needs to be made bulletproof so that compromises are impossible, or else it just isn't ready for use on The Internet.
I predict this "Internet" fad is going to take off, and by 1994 we're going to see more Internet users than ever before. Microsoft better start thinking about addressing this, or else MacOS 7.5, OS/2 War
Hmm... (Score:1)
Yes, it is.
Stupid name (Score:2)
Am I the only one... (Score:2, Funny)
Re:Am I the only one... (Score:2)
Going offtopic, the spam I've been getting recently has taken the curious (and some might say disturbing) turn of offering not Viagra-like products, but things that can reputedly increase, er, raw throughput. Quite why anyone would want to make any more mess than necessary is beyond me (unless they're trying to appeal to the subconscious male intent to sire as many offspring as possi
Well, I am glad (Score:2)
May be he should attend the presentation (Score:2)
Crashnow instruction? (Score:2)
Melissa