Joanna Rutkowska Discusses VM Rootkits
Unwanted Software writes "There's an interesting interview on eWeek with Joanna Rutkowska, the stealth malware researcher who created the 'Blue Pill' VM rootkit and planted an unsigned driver on Windows Vista, bypassing the new device driver signing policy. She roundly dismisses the quality of existing anti-virus/anti-rootkit products and makes the argument that the world is not ready for VM technology. From the article: 'Hardware virtualization, as recently introduced by Intel and AMD, is very powerful technology. It's my personal opinion that this technology has been introduced a little bit too early, before the major operating system vendors were able to redesign their systems so that they could make a conscious use of this technology, hopefully preventing its abuse.'"
Re:In a business environment (Score:4, Informative)
Virtualization has been around much longer (Score:4, Informative)
Hardware virtualization, as recently introduced by Intel and AMD, is very powerful technology. It's my personal opinion that this technology has been introduced a little bit too early
Virtualization was used in commercial machines as long ago as the early 1970s - IBM's VM/370 product was announced in 1972. The amount of hardware assistance for the virtualization depended on the 370 model. But this was the same kind of virtualization as recently introduced by Intel. You could run multiple different IBM operating systems under VM/370, and you could even run VM/370 under VM/370.
Re:Where I work, it's common (Score:3, Informative)
Backstreet Ruby (Score:2, Informative)
But do you honestly think that anyone would market that? Instead, overtime to buy multiple whatevers is proposed to be the best.
CC.
Re:So far, so good. (Score:3, Informative)
The way the rootkit works (and this particular MMU in general) is by allowing direct hardware access to the virtualized host. That is, under the rootkit scenario, if Windows makes a call to the video card to do anything (from getting EDID info to rendering 3d), the MMU passes the request directly to the graphics hardware. Windows still needs to know how to talk to the hardware--because Windows uses a driver to make the call.
Only a few instructions must (by design) be trapped and handled by the MMU. This is why, in theory, you can get better performance out of this than traditional emulation, and it's also why doing it this way is easier than full emulation or instruction translation. Because the "guests" can talk directly to the hardware, all of your devices are theoretically supported, as long as your client OS supports them.
Putting the device driver in the MMU would be interesting, but you really want the MMU to be as lean as possible to maintain performance. If the MMU is intercepting calls to the video card, sound card, network devices, etc, and presenting a generic interface to its clients, you'll lose quite a bit of performance.
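Two defender-side checks that follow from the comment above, given as an added example that is not part of this thread or of Rutkowska's own work: one reads the CPUID "hypervisor present" bit, the other times CPUID (an instruction a hardware VMM must trap) against an untrapped baseline. The function names, the 20x threshold and the sample count are my assumptions.

```c
/* Added example (not code from the thread): two defender-side checks that follow
 * from the point above that a hardware VMM traps only a few instructions. CPUID
 * leaf 1 ECX bit 31 is set only by cooperative hypervisors, so a clear bit proves
 * nothing. CPUID always causes a VM exit under VT-x/AMD-V, so its cycle cost jumps
 * under a VMM; the 20x threshold is an assumption, RDTSC can itself be intercepted,
 * and noisy timings make this a hint for investigation, not proof either way. */
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
static inline uint64_t rdtsc_now(void) {
    unsigned int lo, hi;
    __asm__ volatile("rdtsc" : "=a"(lo), "=d"(hi));
    return ((uint64_t)hi << 32) | lo;
}
static inline unsigned int cpuid_ecx(unsigned int leaf) { /* runs CPUID, returns ECX */
    unsigned int a = leaf, b, c = 0, d;
    __asm__ volatile("cpuid" : "+a"(a), "=b"(b), "+c"(c), "=d"(d));
    return c;
}
#else /* not x86: the checks do not apply; stubs keep the file portable */
static inline uint64_t rdtsc_now(void) { return 0; }
static inline unsigned int cpuid_ecx(unsigned int leaf) { (void)leaf; return 0; }
#endif

/* 1 if the CPUID "hypervisor present" bit is set, else 0 (always 0 off x86). */
int cpuid_hypervisor_bit(void) { return (cpuid_ecx(1) >> 31) & 1u; }

/* Decision rule on measured minimum costs (assumed threshold: 20x baseline). */
int looks_trapped(uint64_t cpuid_cycles, uint64_t base_cycles) {
    return base_cycles != 0 && cpuid_cycles >= 20 * base_cycles;
}

/* Minimum cycle cost over 512 samples of CPUID and of an empty baseline;
 * stores both and returns cpuid/baseline (0.0 when no measurement is possible). */
double measure_cpuid_ratio(uint64_t *cpuid_cycles, uint64_t *base_cycles) {
    uint64_t best_c = UINT64_MAX, best_b = UINT64_MAX;
    for (int i = 0; i < 512; i++) {
        uint64_t t0 = rdtsc_now(); (void)cpuid_ecx(0); uint64_t t1 = rdtsc_now();
        uint64_t t2 = rdtsc_now(); __asm__ volatile("" ::: "memory"); uint64_t t3 = rdtsc_now();
        if (t1 - t0 < best_c) best_c = t1 - t0;
        if (t3 - t2 < best_b) best_b = t3 - t2;
    }
    *cpuid_cycles = best_c; *base_cycles = best_b;
    return best_b ? (double)best_c / (double)best_b : 0.0;
}

int main(void) {
    uint64_t c, b; double r = measure_cpuid_ratio(&c, &b);
    printf("hv bit=%d cpuid=%llu base=%llu ratio=%.1f -> %s\n", cpuid_hypervisor_bit(),
           (unsigned long long)c, (unsigned long long)b, r,
           looks_trapped(c, b) ? "CPUID looks trapped (VMM likely)" : "no timing anomaly");
}
```

Run it pinned to one core and compare against a known bare-metal baseline for the same CPU model; a single absolute number means little on its own.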
"Blue Pill" is quasi-illiterate gibberish. (Score:2, Informative)
o Keith Adams, of VMware fame (binary translation and Intel VT work): http://x86vmm.blogspot.com/2006/08/blue-pill-is-q
o Anthony Liguori, of Xen fame (paravirtualization work): http://www.virtualization.info/2006/08/debunking-