Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?

Joanna Rutkowska Discusses VM Rootkits 105

Unwanted Software writes "There's an interesting interview on eWeek with Joanna Rutkowska, the stealth malware researcher who created 'Blue Pill' VM rootkit and planted an unsigned driver on Windows Vista, bypassing the new device driver signing policy. She roundly dismisses the quality of existing anti-virus/anti-rootkit products and makes the argument that the world is not ready for VM technology. From the article: 'Hardware virtualization, as recently introduced by Intel and AMD, is very powerful technology. It's my personal opinion that this technology has been introduced a little bit too early, before the major operating system vendors were able to redesign their systems so that they could make a conscious use of this technology, hopefully preventing its abuse.'"
This discussion has been archived. No new comments can be posted.

Joanna Rutkowska Discusses VM Rootkits

Comments Filter:
  • by shawnce ( 146129 ) on Friday October 27, 2006 @04:38PM (#16614986) Homepage
    I would say that few, very few are actually using the hardware virtualization.
    That is not her point. It doesn't matter if software does or not exist exists that uses the capabilities of the hardware.. the issues is that operating systems are running on hardware that has virtualization capabilities built-in but the operating system aren't really tooled to properly secure this capability to prevent it being used to subvert the operating system.
  • by njdj ( 458173 ) on Friday October 27, 2006 @04:42PM (#16615048)

    Hardware virtualization, as recently introduced by Intel and AMD, is very powerful technology. It's my personal opinion that this technology has been introduced a little bit too early

    Virtualization was used in commercial machines as long ago as the early 1970s - IBM's VM/370 product was announced in 1972. The amount of hardware assistance for the virtualization depended on the 370 model. But this was the same kind of virtualization as recently introduced by Intel. You could run multiple different IBM operating systems under VM/370, and you could even run VM/370 under VM/370.

  • by Foolhardy ( 664051 ) <csmith32@@@gmail...com> on Friday October 27, 2006 @05:21PM (#16615660)
    Have you seen Clock in a Linux Guest Runs More Slowly or Quickly Than Real Time [vmware.com]? It can happen when the 2.6 kernel requests more interrupts for the purposes of clock updates than the host can provide, especially if the host is Windows. The kernel will try to compensate for lost ticks, but this doesn't always work correctly. The main solution is to set the clock interrupt rate back to 100Hz like it was in the 2.4 series (requiring a kernel recompile).
  • Backstreet Ruby (Score:2, Informative)

    by foobsr ( 693224 ) on Friday October 27, 2006 @05:44PM (#16615994) Homepage Journal
    You could have it for quite a time, just an example [demon.co.uk].

    But dou you honestly think that anyone would market that? Instead, overtime to buy multiple whatevers is proposed to be the best.

  • Re:So far, so good. (Score:3, Informative)

    by Sancho ( 17056 ) on Friday October 27, 2006 @06:19PM (#16616396) Homepage
    It's not really that easy.

    The way the rootkit works (and this particular MMU in general) is by allowing direct hardware access to the virtualized host. That is, under the rootkit scenario, if Windows makes a call to the video card to do anything (from getting EDIC info to rendering 3d), the MMU passes the request directly to the graphics hardware. Windows still needs to know how to talk to the hardware--because Windows uses a driver to make the call.

    Only a few instructions must (by design) be trapped and handled by the MMU. This is why, in theory, you can get better performance out of this than traditional emulation, and it's also why doing it this way is easier than full emulation or instruction translation. Because the "guests" can talk directly to the hardware, all of your devices are theoretically supported, as long as your client OS supports them.

    Putting the device driver in the MMU would be interesting, but you really want the MMU to be as lean as possible to maintain performance. If the MMU is intercepting calls to the video card, sound card, network devices, etc, and presenting a generic interface to its clients, you'll lose quite a bit of performance.
  • by Anonymous Coward on Friday October 27, 2006 @11:53PM (#16619308)
    Blue Pill is bullshit. Don't believe me, believe the experts:

    o Keith Adams, of VMware fame (binary translation and Intel VT work): http://x86vmm.blogspot.com/2006/08/blue-pill-is-qu asi-illiterate.html [blogspot.com]
    o Anthony Liguori, of Xen fame (paravirtualization work): http://www.virtualization.info/2006/08/debunking-b lue-pill-myth.html [virtualization.info]

With all the fancy scientists in the world, why can't they just once build a nuclear balm?