
Joanna Rutkowska Discusses VM Rootkits

Zonk posted more than 7 years ago | from the not-ready-for-it-cap'n dept.

Unwanted Software writes "There's an interesting interview on eWeek with Joanna Rutkowska, the stealth malware researcher who created the 'Blue Pill' VM rootkit and planted an unsigned driver on Windows Vista, bypassing the new device driver signing policy. She roundly dismisses the quality of existing anti-virus/anti-rootkit products and makes the argument that the world is not ready for VM technology. From the article: 'Hardware virtualization, as recently introduced by Intel and AMD, is very powerful technology. It's my personal opinion that this technology has been introduced a little bit too early, before the major operating system vendors were able to redesign their systems so that they could make a conscious use of this technology, hopefully preventing its abuse.'"

105 comments

been around forever (1)

grozzie2 (698656) | more than 7 years ago | (#16614844)

Hmm, I guess this 'expert' doesn't realize that virtualization in hardware has been with us since the 80386 first came around. It handled a virtual 8088 quite nicely....

Re:been around forever (0)

Anonymous Coward | more than 7 years ago | (#16614932)

How about before that even?

Try this for instance: CP-67 [wikipedia.org]

Re:been around forever (3, Insightful)

AKAImBatman (238306) | more than 7 years ago | (#16615010)

I guess this 'expert' doesn't realize that virtualization in hardware has been with us since the 80386 first came around.

Virtual 8088 mode was not comparable. The 8088 virtual machine was entirely controlled by the 80386 software, and was not able to affect the 80386 in any dangerous fashion. The best one could have done was build an 80386 program to "rootkit" an 8088 Operating System. Considering that the OSes of the day (e.g. DOS) didn't have security to begin with, I'm not sure what you would have gained.

Modern virtualization allows for a machine on top of a machine. So I could, in theory, place a controlling bit of kit above your Operating System where it can't see it, can't modify it, and can't realize that it's being toyed with by a rootkit overlord.

Of course, the Blue Pill may work a bit different. I haven't studied it. But there is at least a potential for abuse here.

Re:been around forever (1)

Amazing Quantum Man (458715) | more than 7 years ago | (#16615326)

In the Intel world, maybe. But the 68020 was self-virtualizing, though it required an external 68851. The 68030 was fully self-virtualizable without an external MMU.

Wouldn't that be "beneath" it? (1)

khasim (1285) | more than 7 years ago | (#16615438)

Modern virtualization allows for a machine on top of a machine. So I could, in theory, place a controlling bit of kit above your Operating System where it can't see it, can't modify it, and can't realize that it's being toyed with by a rootkit overlord.

I don't see how that is possible. If something is running on top of the OS, it should be subject to the OS.

Something running beneath the OS would be able to control the OS.

The "Blue Pill" stuff she's talking about starts above the OS, but then it (supposedly) moves the OS to a virtual machine while "Blue Pill" takes over the physical hardware.

I do not understand how that is possible. Nor have I seen it demonstrated anywhere else. So far it is just her statement that she has done this.

Re:Wouldn't that be "beneath" it? (1)

AKAImBatman (238306) | more than 7 years ago | (#16615508)

Wouldn't that be "beneath" it?

Beneath it, above it, outside of it, however you want to describe it. Yes, the malicious rootkit would be the host, and the regular OS would be the client. :)

So far, so good. (1)

khasim (1285) | more than 7 years ago | (#16615676)

Yep, the rootkit is the host OS and it runs the original OS as a guest OS, on a virtual machine.

I just don't see how she can accomplish that. And accomplish it in an undetectable fashion. Particularly given the state of hypervisors today. If it's difficult to do in a controlled environment today (run Win2003 with SQL 2005 in a hypervisor on Linux and see what hoops you have to jump through and what your performance is) I don't see it being a threat in the wild.

Seriously. If she can do this, then she's just solved EVERY LINUX DRIVER ISSUE.

Instead of worrying that your wireless card is not supported, run her "rootkit" and use the virtualized cards. The same with audio. The same with video. The same with EVERYTHING.

If she can do this, today, every OS vendor should be chasing her down to get the rights to that technology. Their OS's would reference known stable drivers and their functionality would improve.

Re:So far, so good. (2, Informative)

Sancho (17056) | more than 7 years ago | (#16616396)

It's not really that easy.

The way the rootkit works (and this particular MMU in general) is by allowing direct hardware access to the virtualized host. That is, under the rootkit scenario, if Windows makes a call to the video card to do anything (from getting EDID info to rendering 3D), the MMU passes the request directly to the graphics hardware. Windows still needs to know how to talk to the hardware--because Windows uses a driver to make the call.

Only a few instructions must (by design) be trapped and handled by the MMU. This is why, in theory, you can get better performance out of this than traditional emulation, and it's also why doing it this way is easier than full emulation or instruction translation. Because the "guests" can talk directly to the hardware, all of your devices are theoretically supported, as long as your client OS supports them.

Putting the device driver in the MMU would be interesting, but you really want the MMU to be as lean as possible to maintain performance. If the MMU is intercepting calls to the video card, sound card, network devices, etc, and presenting a generic interface to its clients, you'll lose quite a bit of performance.

That's my point. (1)

khasim (1285) | more than 7 years ago | (#16616682)

It's not really that easy.

That's my point. She seems to be saying that this is easy. And that it is undetectable.

Yet when I start pointing out the obvious benefits of her system, suddenly it isn't as "easy" or "undetectable" as it was before.

Because the "guests" can talk directly to the hardware, all of your devices are theoretically supported, as long as your client OS supports them.

No. When the guest OS's have direct access to the hardware such as the video card or network card, the "threat" breaks down.

If my "cracked" OS has direct access to the NIC, then I can monitor what is sent over it. I can tell if the "Blue Pill" has cracked my box and is calling home.

If I do not have direct access to the hardware so that I cannot monitor it, then she has solved the Linux driver issue.

Yes, I know. Next will be the "you only have some kinds of direct access to the hardware". No. In order to limit that, her crack needs to know how to talk to that hardware so it can intercept the calls the "cracked" OS is making. Any control of the hardware by her "Blue Pill" means that she has solved the Linux driver issue for that hardware.

That is why the OS's need "drivers" to talk to the hardware peripherals.

Re:That's my point. (1)

Sancho (17056) | more than 7 years ago | (#16617452)

It still depends on a lot of things. You say:

If my "cracked" OS has direct access to the NIC, then I can monitor what is sent over it. I can tell if the "Blue Pill" has cracked my box and is calling home.

Maybe, depending on how much and /what/ the MMU is hiding. For example, current rootkits may hide their processes, may patch netstat to hide sockets, and probably do this through hiding syscalls. A rootkitted MMU could use the system's drivers and syscalls to do the dirty work, just like a standard rootkit, but could hide attempts to detect the kit by virtue of the fact that it can intercept memory calls. We're talking pretty sophisticated rootkits here, but ultimately, they're going to want to run on the most hardware. It makes more sense to use the OS (which already has the facilities to do anything the rootkit could want) and to hide with the MMU.

How to instrument a network driver. (1)

Ayanami Rei (621112) | more than 7 years ago | (#16618846)

How the malware instruments the system is to place traps in code paths of the guest system. So the hypervisor could temporarily take control during a TCP/IP queuing operation and copy buffers into its own personal private area... and it could leak that information out later (replacing "leaky" outbound packets, say DNS or ARP, with this key information before they get checksummed).

You could detect this using timing tests, but it's not reliable. You need a good "before" profile which may be impossible to obtain if you don't know when you got hacked.

Of course, one thing she doesn't mention is that none of this matters if the hacked system is already a guest. I wouldn't deploy anything on a Pacifica or Vanderpool-enabled platform without making sure some hypervisor is in place before my "primary" OS install.
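The "timing test" the post mentions, as an added example (my code, not the poster's and not part of Blue Pill): CPUID always causes a VM exit under VT-x/SVM, so its round-trip latency is the usual probe; the block takes the median over many samples and compares it with a clean "before" profile, and reports that it can say nothing when no such baseline exists. The sample arrays and the `BASELINE_TICKS` placeholder are constructed for illustration, and the live measurement only compiles on x86.

```c
/* Added example, not from the thread: a CPUID-latency probe for a hypervisor
 * plus the baseline comparison such a timing test depends on. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
#include <cpuid.h>
/* One CPUID round trip in TSC ticks: rdtsc; cpuid; rdtsc.  A hypervisor that
 * traps CPUID adds its exit/entry cost to this number. */
static uint64_t time_cpuid_once(void)
{
    unsigned a, b, c, d;
    uint64_t t0 = __rdtsc();
    __cpuid(0, a, b, c, d);
    uint64_t t1 = __rdtsc();
    (void)a; (void)b; (void)c; (void)d;
    return t1 - t0;
}
#else
/* No TSC/CPUID on this architecture: the live probe cannot run here. */
static uint64_t time_cpuid_once(void) { return 0; }
#endif

/* Collect n raw samples; the caller reduces them with median_ticks(). */
void collect_cpuid_samples(uint64_t *out, size_t n)
{
    for (size_t i = 0; i < n; i++)
        out[i] = time_cpuid_once();
}

static int cmp_u64(const void *x, const void *y)
{
    uint64_t a = *(const uint64_t *)x, b = *(const uint64_t *)y;
    return (a > b) - (a < b);
}

/* Median of a sample set.  The median, not the mean, is used because
 * interrupts and cache misses produce large outliers.  Returns 0 for an
 * empty set; the caller's array is left untouched. */
uint64_t median_ticks(const uint64_t *samples, size_t n)
{
    if (n == 0) return 0;
    uint64_t *tmp = malloc(n * sizeof *tmp);
    if (!tmp) return 0;
    memcpy(tmp, samples, n * sizeof *tmp);
    qsort(tmp, n, sizeof *tmp, cmp_u64);
    uint64_t m = tmp[n / 2];
    free(tmp);
    return m;
}

/* Verdict against a known-clean "before" profile of the same machine:
 *   1  current median is at least `factor` times the baseline (suspicious)
 *   0  within expectations
 *  -1  no usable baseline, so the test cannot say anything either way,
 *      which is exactly the weakness the post points out. */
int compare_to_baseline(uint64_t current_median, uint64_t baseline_median,
                        unsigned factor)
{
    if (baseline_median == 0 || factor == 0) return -1;
    return current_median >= baseline_median * (uint64_t)factor ? 1 : 0;
}

/* Constructed sample data (not measured): a clean run around 100 ticks with
 * one interrupt outlier, and a trapped run around 1500 ticks. */
const uint64_t CLEAN_SAMPLES[] = {102, 98, 101, 100, 99, 103, 100, 250, 97, 101, 100};
const size_t CLEAN_COUNT = sizeof CLEAN_SAMPLES / sizeof CLEAN_SAMPLES[0];
const uint64_t TRAPPED_SAMPLES[] = {1490, 1510, 1502, 3000, 1498, 1505, 1495};
const size_t TRAPPED_COUNT = sizeof TRAPPED_SAMPLES / sizeof TRAPPED_SAMPLES[0];

int main(void)
{
    enum { N = 4096 };
    static uint64_t live[N];
    collect_cpuid_samples(live, N);
    /* BASELINE_TICKS is a placeholder: a real value has to come from a
     * profile of this machine taken before any suspected compromise. */
    const uint64_t BASELINE_TICKS = 0;
    printf("live median CPUID latency: %llu ticks, verdict %d\n",
           (unsigned long long)median_ticks(live, N),
           compare_to_baseline(median_ticks(live, N), BASELINE_TICKS, 4));
    /* Constructed data shows the comparison when a baseline does exist. */
    uint64_t base = median_ticks(CLEAN_SAMPLES, CLEAN_COUNT);
    printf("constructed: clean %llu vs trapped %llu ticks, verdict %d\n",
           (unsigned long long)base,
           (unsigned long long)median_ticks(TRAPPED_SAMPLES, TRAPPED_COUNT),
           compare_to_baseline(median_ticks(TRAPPED_SAMPLES, TRAPPED_COUNT), base, 4));
    return 0;
}
```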

Re:That's my point. (1)

aminorex (141494) | more than 7 years ago | (#16624110)

You seem to be describing systems before the VZ ISA extensions were incorporated into chip designs. I guess "easy" is always going to be subjective and arguable, but "conceptually simple" and "practically feasible" might be taken to add up, when both are applicable, to "easy". Yes it requires a skilled practitioner. No, it does not require anything non-obvious to a skilled practitioner.

Re:So far, so good. (1)

kscguru (551278) | more than 7 years ago | (#16619688)

One possibility is that the rootkit directly passes through all hardware - that's the "native" case (and actually required ... changing out the underlying hardware model while an OS is running is just short of impossible).

Except ... she's wrong. Once you pass through underlying hardware, you regain the ability to detect the rootkit. How?

For each page of memory:
DMA the page into a buffer
Compare that page against what reads of that page see
If you ever find a difference, you're either in a hypervisor, or you're at 0xa000 and playing with the SMM memory under the VGA adapter :-)

This problem is why all the modern virtualization solutions dare not pass through arbitrary hardware. It's a gross security violation because it allows the OS to subvert the hypervisor (just change the DMA read to a write). Want to be smart and virtualize DMA? That means virtualizing DMA on every PCI card (even unknown ones), plus DMA-analogues like the GART. VT-d could do it, but there are no working prototypes of that yet.

In short, a Blue Pill that performs as advertised is impossible.

Re:been around forever (1)

Salsaman (141471) | more than 7 years ago | (#16618536)

Why would I want that ? My systems run just fine without "virtualisation", and often times I need to access the hardware directly.

Re:been around forever (1)

AKAImBatman (238306) | more than 7 years ago | (#16618998)

Why would I want that ?

You wouldn't. The virus/rootkit would. The fact that the features exist is enough for it to exploit. If you were already running virtualization, you'd probably be safer.

Re:been around forever (1)

retro128 (318602) | more than 7 years ago | (#16618604)

Modern virtualization allows for a machine on top of a machine. So I could, in theory, place a controlling bit of kit above your Operating System where it can't see it, can't modify it, and can't realize that it's being toyed with by a rootkit overlord.

There isn't a great deal of information about how it actually works, but from what I've been able to read from the author's blog, apparently when Blue Pill starts up it's able to assert itself as a hypervisor and force the OS into running as a VM - dynamically, without a reboot. In other words, Blue Pill becomes the "host OS" and your OS becomes the "guest" in realtime. The hypervisor then has complete access to all system resources where presumably it can pick passwords out of memory, intercept disk writes, and a host of other nasty things. As you postulated, the OS would be none the wiser. I find it hard to believe since all the VM software I have seen abstracts the hardware, and I would think that Windows would royally freak out if it were forced to run as a VM in realtime - but then again I don't know much about the new hardware-based VM features in CPUs. Apparently it's possible since Blue Pill was demoed at a Black Hat conference...

Re:been around forever (1)

cookd (72933) | more than 7 years ago | (#16619582)

Think about VMWare -- Windows doesn't royally freak out when it is running as a VM under VMWare.

The hardware issue is very different for a rootkit versus VMWare. VMWare has to virtualize the hardware so that it can redirect the guest OS's calls to the host OS and make it play nice. A rootkit doesn't have to do this. It can let the "guest" OS directly access the hardware.

The rootkit doesn't have to help the guest OS share the hardware with another OS. All it has to do is hide itself and watch for interesting tidbits of information.

Re:been around forever (1)

retro128 (318602) | more than 7 years ago | (#16620258)

Think about VMWare -- Windows doesn't royally freak out when it is running as a VM under VMWare.

But it would if you changed it from a host OS to a guest OS without rebooting it. Or even if you did reboot it for that matter. That's what I was wondering about.

Re:been around forever (1)

cookd (72933) | more than 7 years ago | (#16621398)

How is it even going to know? Nothing really changes except that the processor is now in the VM mode. Since Windows doesn't look at the VM mode bit, as far as Windows can tell, nothing has changed.

Not to say that pulling this off is easy... Just that the challenge is not in fooling Windows or preventing it from freaking out.

Re:been around forever (1)

retro128 (318602) | more than 7 years ago | (#16623744)

Well, this is where my ignorance of the inner workings of CPU-based virtualization comes in. I thought that perhaps VM mode on the processors might abstract a common hardware set a la VMWare. ie. Let's say you're running on an Intel 975 chipset and now all of a sudden it switches gears and turns into a BX chipset on the fly. That's what I'm talking about. But the more I read, the more I gather this does not happen, and identical hardware is "emulated" in VM mode on the CPU.

With that said, you'd think there'd be an easy way for the OS to tell it was operating in VM mode. Couldn't one send an instruction to the virtual processor such that it says "yes, you are operating in VM mode". Of course the hypervisor of the system would have to be ignored in case it tried to spoof the answer to such a query, but that would be up to the CPU to stop that from happening....And, again...I know practically zero about how these new virtualization features are supposed to work.

Re:been around forever (1)

karlm (158591) | more than 7 years ago | (#16624072)

If you think you can always recover (or even detect) a compromise once the kernel has been compromised, you're fooling yourself. All of this complaining is just knee-jerk reactions to suddenly discovering that the emperor has never been wearing any clothes.


The correct way to fight blue-pill would be to create a minimal hypervisor that always runs under windows, and only prevents new code from joining it in hypervisor mode.

Adding an instruction to check if you're inside a VM, without having that instruction trapped by the hypervisor, would violate the Popek-Goldberg virtualization requirements.

The whole point is that code can't tell if it's running on top of a hypervisor. It would be really stupid for Windows to be able to freak out and quit running if it noticed that it was sharing a machine with OS X and Linux and OpenBSD and BeOS. You want hardware that conforms to the Popek-Goldberg virtualization requirements. IBM has had such mainframe hardware since 1970. It's a Good Thing (tm).

Once the kernel has been compromised, it's game over, period. There are currently open-source pieces of software able to virtualize the x86 (Qemu running on x86, using the Qemu kernel module, for instance). Slight modifications to this software would allow the guest kernel direct access to the real hardware. Steps could be taken to supervise access to DMA and other routes by which a kernel could tell that it's running in a virtualized environment. A rootkit could page out enough memory to make room for a Linux kernel and some virtualization software, then map all the rest of the memory into the virtualization software's address space, and tell the virtualization software to start running the host kernel where it left off. The hosted kernel wouldn't be able to tell that it had suddenly been moved out of ring 0.

These new features that allow x86 hardware to conform to the Popek-Goldberg virtualization requirements simply make virtualization more efficient and less bug-prone. It would be very difficult to use efficiency to detect a rootkit, as the rootkit could modify the code that checks timings. The emperor has never been wearing clothes. Sorry to freak you out.

Re:been around forever (1)

Cyberax (705495) | more than 7 years ago | (#16621754)

Back in the '90s, resident anti-virus programs were quite common. There WERE ideas to create a virus which would throw everything into a virtual 8086 machine, but it was unfeasible because almost all programs used direct hardware access and it was impossible to virtualise it correctly.

Virtualization has been around much longer (3, Informative)

njdj (458173) | more than 7 years ago | (#16615048)

Hardware virtualization, as recently introduced by Intel and AMD, is very powerful technology. It's my personal opinion that this technology has been introduced a little bit too early

Virtualization was used in commercial machines as long ago as the early 1970s - IBM's VM/370 product was announced in 1972. The amount of hardware assistance for the virtualization depended on the 370 model. But this was the same kind of virtualization as recently introduced by Intel. You could run multiple different IBM operating systems under VM/370, and you could even run VM/370 under VM/370.

Re:Virtualization has been around much longer (1)

timeOday (582209) | more than 7 years ago | (#16615272)

But there is an enormous difference between the computing environment of a mainframe in the 60's and a $250 PC today. I would daresay that not only is the PC much faster, but it lives in a MUCH more hostile environment. And instead of a professional staff to configure and operate it, you get... not much.

That said, I don't understand the new virtualization features anyways. I'm a longtime VMWare Workstation user, and was hoping for a big performance boost due to hardware virtualization support with my new Core Duo laptop. But looking into it, VMWare denies that the new virtualization hardware support is even beneficial, while others claim that Parallels uses it and gets huge improvements. So you can argue whether we're "ready" for it, but the mainstream deployment sure seems immature at the moment.

Re:Virtualization has been around much longer (1)

Sancho (17056) | more than 7 years ago | (#16616194)

My wife just got a new Macbook. I haven't put Windows on it natively, yet, but I did try Parallels. Saying that I felt like I was running native Windows would be an understatement. It was the snappiest "emulation" I've ever seen.

Frankly, I was expecting to be disappointed. Parallels seemed like a lot of hype. Not so! The only drawback is a lack of snapshot support, which I feel is somewhat necessary if you're doing development.

Re:Virtualization has been around much longer (1)

Extide (1002782) | more than 7 years ago | (#16618484)

I use VMWare daily for work, and I can tell ya that v5.5+ is amazingly fast. It sure feels as fast as running native. Previous versions of VMWare (5.0 and below) had some noticeable lag. I do support for LANDesk, so I need to have ~6-8 VM's running on a box at a time, usually 1-2 clients are XP Pro and the rest 2003s running a LANDesk core and MSSQL database. This stuff can really bring a modern day pc to its knees quickly. So far what I have found is that disk I/O FAR outweighs the CPU as a bottleneck in most cases. Multicore machines really shine here, and Hyperthreading is really nice too (not quite as nice as a real dual core but still way better than nothing), but any machine ~p4 3ghz range does nicely. I currently use a p4 3.0, 3gb ram, with a single hd for most of my vm's, I used to have a dual 2.8 xeon's with 2gb of ram but 3x5K scsi drives striped, it was WAY faster heh. I got some of the old intel dev boxes we had laying around (2.4ghz conroes) to play with next. :)

Re:Virtualization has been around much longer (1)

Sancho (17056) | more than 7 years ago | (#16618620)

That's a fair counter. I can't claim that VMWare isn't good--it is. But to really test it, I'd need to use Bootcamp on my wife's Macbook--something I don't think she's particularly interested in!

I use VMWare daily at my job, too (Linux is the host, though). I only have 1gig of RAM, so that's probably my limiting factor. Nevertheless, it feels more sluggish to me than the Macbook does.

Relative specs: P4-3.2GHZ vs CoreDuo 1.87GHZ, 1gig ram in each machine, slightly faster hard drive on the Linux box. I typically assign 512megs to the virtual host, though if I'm going to be running multiple machines, I'll drop that down a bit.

Re:Virtualization has been around much longer (1)

SillyNickName4me (760022) | more than 7 years ago | (#16616424)

And the 370 was the second generation of such machines; the first implementation was on the 360.

Re:been around forever (0)

Anonymous Coward | more than 7 years ago | (#16615252)

Why don't you familiarize yourself with the bluepill concept and then write such uninformed posts?

Re:been around forever (0)

Anonymous Coward | more than 7 years ago | (#16615364)

Woah, is the blue pill the one that make you bigger, or is that the other pill?

And It Spreads (1)

ettlz (639203) | more than 7 years ago | (#16614858)

Nothing for you to see here. Please move along.

Gahh, NO! You can't force-virtualise my mind!

MOD THIS DOWN (0)

Anonymous Coward | more than 7 years ago | (#16618172)

It's lame, predictable, and not even that funny. Please, please, just for once don't reward this shit?

Half Baked (1)

FST (766202) | more than 7 years ago | (#16614876)

One of the questions there is
Why should we be worried about stealth malware? Do you see this as a big trend going forward?

To which we received only a half baked answer. Why didn't she say more about this?

Personally, however, I think it's mostly irrelevant to discuss whether this going to be a big trend or not. It's not about whether 100 companies or 100,000 companies are going to be infected next year using targeted, sophisticated attacks using "Stealth by Design" malware (i.e. one which does not create extra system objects) of Type II or Type III. It's about whether we would be aware of those infections at all. We already know it's possible to create such a malware, so we need to do something about it.

Re:Half Baked (0)

Anonymous Coward | more than 7 years ago | (#16621802)

Yea, and this q/a bothered me too:

On your primary machine, what OS is running? What kinds of security software are you using? On my primary machine, I run Windows XP x64. I don't use any anti-virus products to secure any of my machines. The reason--I just don't like their approach, which is to block only known malware. Needless to say, I also don't believe in all those AI-based Host Intrusion Detection Systems to stop the unknown attack vectors. So, I just try to be careful when surfing, use NoScript, never open suspicious e-mails or PowerPoint/PDF documents...

Now I do respect her opinions on not liking their approach, and to her credit she does mention later on running custom tools to check, but just by nature, a security professional saying she "just tries to be careful" surfing the web on an OS well known for exploits makes me discredit and disregard anything she has to say about any security subject.

What? (1)

drinkypoo (153816) | more than 7 years ago | (#16614902)

It's my personal opinion that this technology has been introduced a little bit too early, before the major operating system vendors were able to redesign their systems so that they could make a conscious use of this technology, hopefully preventing its abuse.

I could give a damn what the major operating system vendors are unable to do. I'm more worried about what the hobbyist operating system authors are able to do.

Re:What? (1)

hurting now (967633) | more than 7 years ago | (#16614968)

Isn't that kinda her point? She is trying to underscore the fact that the major O/S's haven't utilized these features and that someone else might... and it could be for less than noble reasons.

Re:What? (1)

drinkypoo (153816) | more than 7 years ago | (#16617982)

No, what I'm saying is I could give a fuck if every windows and mac system in the world is compromised and rooted. I don't have any data I want to keep private on my work computer, and my home machine runs linux. :P (Also, it doesn't have hardware virtualization features, heh heh. But I'd feel the same way if it did.)

Re:What? (1)

bigberk (547360) | more than 7 years ago | (#16619500)

You're going to care a lot more once all those infected zombies eventually clog and spam the internet to the point where the global hostile environment impedes upon your own use. Does email spam bother you? You are getting that spam because of infected windows hosts. There are no more UNIX open relays. That spam is coming from worldwide windows installations.

No Win Situation (1)

mvea (158406) | more than 7 years ago | (#16615290)

I think that is taking a somewhat simplistic perspective. It doesn't really matter whether the major OS products make use of virtualization. The entire point of a successful rootkitting is leaving no visible trace of your presence. A well crafted rootkit would take hold from the boot process, virtualize the environment and then load the operating system. Thus - who cares if Microsoft, Linux or Apple makes use of virtualization, if the rootkit detects an appropriate target loaded into its context ... BAM, ownership.

The only true way to detect a rootkit is to shut down a system and reboot from a separate, read-only instance of an OS dedicated for rootkit scans. No business, however, wants to hear that answer given to them as a course of action. They'll question their IT staff why they let the system get infected in the first place. They'll ask how such an action will impact on their financials. And if the scan comes up clean - IT looks like paranoid idiots. If it comes up infected - IT looks incompetent.

~ Matthew Vea
Rootkit Theory @ http://www.omninerd.com/2005/11/22/articles/43 [omninerd.com]

In a business environment (1)

hurting now (967633) | more than 7 years ago | (#16614908)

I would say that few, very few are actually using the hardware virtualization. For that matter, VMWare (or other VM products) are still not considered main-stream. This author is accurate on her assertion that this technology may have been released early.... at least in the extent that there is little other technology that makes use of it.
But honestly, isn't that what drives a market? I know that the jury is still out on this specific technology, and it may never see its full potential... this isn't to say it's a bad idea though. Something else may prove to be better.

We are starting to implement VM within our environment, but it is slow going. We do not have anything in live production yet. I know that we are behind when it comes to this, but if we can't put VM into a live enviro, how the heck can we utilize the hardware virtualization properly??? I know I'm not alone in this.

Re:In a business environment (3, Informative)

shawnce (146129) | more than 7 years ago | (#16614986)

I would say that few, very few are actually using the hardware virtualization.
That is not her point. It doesn't matter whether software exists that uses the capabilities of the hardware... the issue is that operating systems are running on hardware that has virtualization capabilities built in, but the operating systems aren't really tooled to properly secure this capability to prevent it being used to subvert the operating system.

Where I work, it's common (2, Interesting)

spun (1352) | more than 7 years ago | (#16615390)

We use VMware on IBM Blades. Very many other businesses are doing the same. All the CIO management rags are all abuzz over VM. Your workplace is indeed a little behind the times.

You do know that it doesn't matter if people are using hardware virtualization, right? All new Intel and AMD chips have it, whether you use it or not, it's there for a rootkit to exploit.

There are several other VM packages that also use the hardware VM. Xen is one, and it's open source. And in any case, it's not about how VMWare or Xen deal with the new hardware, it's how Windows and Linux deal with it. If mainstream OSs don't take steps to lock down the VM hardware, undetectable rootkits will be the result.

As someone who has worked quite a bit with VMware, let me say that I am more concerned with its freakish inability to keep accurate time. I've got a cronjob running every five minutes to reset the time via ntpdate. Running ntp on the server won't help, the offset is too random and too large to compensate for. In five minutes between running ntpdate, I've seen clocks be off by a minute.

Re:Where I work, it's common (2, Informative)

Foolhardy (664051) | more than 7 years ago | (#16615660)

Have you seen Clock in a Linux Guest Runs More Slowly or Quickly Than Real Time [vmware.com] ? It can happen when the 2.6 kernel requests more interrupts for the purposes of clock updates than the host can provide, especially if the host is Windows. The kernel will try to compensate for lost ticks, but this doesn't always work correctly. The main solution is to set the clock interrupt rate back to 100Hz like it was in the 2.4 series (requiring a kernel recompile).

Re:Where I work, it's common (1)

spun (1352) | more than 7 years ago | (#16615760)

Thank you! This is going to really, really help us here. I've tried the other VMware recommended solutions like using the VMware Tools clock sync feature with no luck. I will definitely try this.

Re:Where I work, it's common (1)

NormalVisual (565491) | more than 7 years ago | (#16616490)

Even then, I've experienced problems with it. On the Intel box at home, Workstation runs absolutely perfectly and keeps flawless time. At work on the AMD X2 box, you can feel a vacuum from the temporal displacement going on there - it will gain at least six hours per day, and I've tried everything I could find, including the link you offered. I eventually ended up just working around it by re-syncing anytime I did a build at work, and practically it's more of an annoyance than a real problem.

From what I understand, at least part of the problem is that a lot of the AMD X2 chips don't keep the individual TSCs for each core synced very well which ends up confusing the hell out of VMware. I hear that this is usually not a problem with dual-core Opterons, and I've not run into it on any Intels although I have read that their dual-cores can sometimes be subject to the same problem.

Re:Where I work, it's common (1)

martinm_76 (22905) | more than 7 years ago | (#16621700)

On my Linux machines using 'clock=pit' as a boot option is all it takes (and then letting the vmware tools sync to the host, of course :))

I didn't see this mentioned in the other replies so I thought I'd mention it.

Re:In a business environment (1)

Sancho (17056) | more than 7 years ago | (#16616428)

Every Mac has hardware VM in it. I'm not sure, but I believe it's on by default, too. Just because the OS or user doesn't use it, doesn't mean that rootkits can't.

Re:In a business environment (1)

Firehed (942385) | more than 7 years ago | (#16618488)

Which is why it's a good thing that a whitehat discovered the flaw. My understanding is that she alerted MS and Apple so that they can make appropriate changes to their OS and patch the hole (in effect, basically initialize the VM during boot and keep it reserved until a valid request is made, in effect just beating the rootkit). Steve Gibson and Leo Laporte explain [www.twit.tv] it a bit better than I can.

Re:In a business environment (0)

Anonymous Coward | more than 7 years ago | (#16619446)

> until a valid request is made

Please define "a valid request". If you have a rootkit, then you are root. You can fake any "valid request" the host wants to see.

Repeat after me: "Blue Pill" is quasi-illiterate gibberish. Nothing new. Moving on...

This has nothing to do with typical VMWare. (1)

Ayanami Rei (621112) | more than 7 years ago | (#16618928)

It has more to do with concepts like Xen 3+ or VMWare ESX server, specifically.

On your hardware assisted virtual machines, your guest OSs run "native", in that you can give them access to actual hardware and they directly manipulate page tables. A hypervisor makes it possible for more than one guest (with an associated group of tasks, GDTs and LDTs, etc.) to feel like they have the whole box. You can emulate hardware that you can't or won't dedicate to each guest (say a common network interface, iSCSI volumes that look like IDE drives, etc.)

What Blue Pill does is carry its own tiny hypervisor, and if the guest is running "normally" on the system, it can assert the hypervisor role and do so in such a fashion that the OS still has access to everything, and notices nothing.

Yet the hypervisor could set breakpoints, change memory behind its back, etc. without the host (now guest) knowing any different.

Of course, if you are ALREADY running a proper hypervisor on a hardware-VM capable system, then Blue Pill won't work.

So the answer is: play with Xen more. Learn about other hypervisors. And don't deploy anything critical on a hardware-vm capable box without a simple hypervisor already in place.

Yes, but how do you get mature technology. (4, Insightful)

mmell (832646) | more than 7 years ago | (#16614956)

It starts as immature technology. Sure, you work with it in a lab for as long as you're able, but at some point you have to expose your work for all to see (and hammer away at).

In software, we used to have a saying, "No program is ever complete, but it has to go to market sooner or later."

I'd hit it like the fist from an angry god! (4, Insightful)

adolfojp (730818) | more than 7 years ago | (#16615138)

You are missing the point guys! I don't know who she is or what she is selling but if she is a geek and looks like this
http://common.ziffdavisinternet.com/util_get_image/13/0,1425,sz=1&i=135407,00.jpg [ziffdavisinternet.com]
http://static.flickr.com/66/206241643_d48861f49c.jpg [flickr.com]
I am subscribing to her newsletter. ;-)

Re:I'd hit it like the fist from an angry god! (0)

Anonymous Coward | more than 7 years ago | (#16615474)

Rofl, I love that the first mod on this was "Insightful"

Re:I'd hit it like the fist from an angry god! (4, Funny)

Anonymous Coward | more than 7 years ago | (#16615812)

Yeah, I'd root her box, all right. Penetrate her firewall. Invade her deep logic. Assert administrative privileges and disable all virus protection. Reconfigure her RAID array with a dedicated controller. Put new batteries in her UPS. ... Wait, what were we talking about?

Re:I'd hit it like the fist from an angry god! (1)

glwtta (532858) | more than 7 years ago | (#16616806)

... and disable all virus protection

That one's not a good metaphor.

Re:I'd hit it like the fist from an angry god! (2, Funny)

fbjon (692006) | more than 7 years ago | (#16617242)

Assert administrative privileges and disable all virus protection.

Now that is just vile.

I almost feel like posting a lengthy rant on the immaturity of the average slashdotter, and the repellent factor it has towards women in the industry, like has been discussed before here. This post would be the poster child. But...

.. I laughed too. Damn you, hypocrisy!

Re:I'd hit it like the fist from an angry god! (0)

Anonymous Coward | more than 7 years ago | (#16619784)

I almost feel like posting a lengthy rant on the immaturity of the average slashdotter...

I think a lot of people were missing the fact that my post was a rant on the immaturity of the average Slashdotter. See, I was riffing off the notion of the stereotypical geek who never even gets around to introducing himself to women, much less hitting on them, because he's always getting distracted by some obscure technical issue or the latest trendy system upgrade. (And now I've taken it to the next metalevel by deconstructing my own irony. What were we talking about, anyway?)

Re:I'd hit it like the fist from an angry god! (1)

failure-man (870605) | more than 7 years ago | (#16615928)

Hate to interrupt your private moments, but that appears to be a ring. ;)

Re:I'd hit it like the fist from an angry god! (0)

Anonymous Coward | more than 7 years ago | (#16616298)

That is not a wedding ring. She is Polish and in that part of Europe they wear their wedding rings on the right hand.

Re:I'd hit it like the fist from an angry god! (1)

ameline (771895) | more than 7 years ago | (#16618076)

I'm sure she gets this all the time. And I'm sure it wore somewhat thin very quickly.

I wish I had mod points -- I'd mod you all down.

Respect and admire her for the brilliance of her work -- leave the gender issues out of it.

Oh, and remember -- this is /. -- not fark.

Re:I'd hit it like the fist from an angry god! (1)

blue l0g1c (1007517) | more than 7 years ago | (#16618970)

Lighten up. You'll notice that outside of the crude^H^H^H^H^Hplayful comments, she's being admired primarily because she is intelligent. Being attractive AND intelligent vaults her into a category that is often spoken of, but rarely witnessed. The fabled she-nerd.

And if you think any woman grows weary of admiration, well...that's just plain silly.

Re:I'd hit it like the fist from an angry god! (2, Insightful)

bigberk (547360) | more than 7 years ago | (#16619524)

I'm sure what she dislikes is rude, immature male attention. And she probably dislikes people ignoring her or not taking her seriously because she's a woman (a well known phenomenon of gender prejudice in academia) ... but I'm sure she has no problem with compliments that point out, not only is she an intelligent and skilled researcher but she is also quite attractive. A fantastic combination IMHO

Re:I'd hit it like the fist from an angry god! (0)

Anonymous Coward | more than 7 years ago | (#16618694)

Nothing sadder than a geek who starts humping the leg of anything with breasts and a brain.

Security in the Market and Risk Assessment (1)

99BottlesOfBeerInMyF (813746) | more than 7 years ago | (#16615164)

I think she's mostly right. If you're migrating your OS to a chipset that enables virtualization, you bloody well better make sure code run on top of your OS can't take over and become the hypervising OS. I rather assumed that this was the case, but it seems I was mistaken. Upon reflection, I realize I have no clear idea of how the hypervisor is determined and what it takes to get code running in that mode. My laptop is running OS X with parallels using the VM technology to run Linux and Windows. I assumed that such a new, hack-like implementation would be a security concern, but now I'm thinking there really needs to be OS-level support for VMs.

Part of the issue is, I'm not sure the market will demand this level of security. It is not like users are going to choose the most secure OS, in general, so what would motivate Microsoft to put this in Windows? The other part of the equation is, in order to be wormable, or even useful, the rootkit needs to run on the existing OS. What level of permission does it need? Will running it in an existing hypervised OS stop it, or will it take control anyway? What about running it in a sandbox a la SELinux? OS X 10.5 is supposed to include both mandatory access controls and application signing. The latter should make it harder to insert this, but will the former have any effect at all?

Rootkits (1)

cybrzndane (632057) | more than 7 years ago | (#16615178)

I have had a couple machines infected with non VM based rootkits. Those were bad enough. The only reason I caught them was binaries like netstat were segfaulting. A VM based rootkit would be awful. Servers could run for years with no sign that the host machine is infected.

Re:Rootkits (0)

Anonymous Coward | more than 7 years ago | (#16615366)

Don't worry, this is what the TPM is for.
One rootkit to rule them all! Would you like some ice with your kool-aid sir?

WHAT major operating system vendors? (1)

jimicus (737525) | more than 7 years ago | (#16615246)

Seriously, what major OS vendors?

Most architectures other than x86 in common use today either have supported virtualisation for years or don't at all. In either case, the "problem" as described is unique to the x86-64 architecture.

And there's only one major OS vendor there. Almost everyone else is using a kernel which by its very nature is open to all - so as soon as the issue is addressed, it will be available to all.

You don't need hardware assisted virtualization (1)

Billly Gates (198444) | more than 7 years ago | (#16615306)

Just write a VM for the BIOS and reflash it. Any OS installed will run under it and I will have full control. Kind of scary, because it would be impossible to detect and, if malicious enough, would be impossible to get rid of unless you throw the whole computer away.

Re:You don't need hardware assisted virtualization (0)

Anonymous Coward | more than 7 years ago | (#16615392)

Just write a VM for the BIOS and reflash it. Any OS installed will run under it and I will have full control. Kind of scary, because it would be impossible to detect and, if malicious enough, would be impossible to get rid of unless you throw the whole computer away.

See also: TCPA

VM malware threat is overblown (and isn't new) (1)

Eric Smith (4379) | more than 7 years ago | (#16615332)

From the article: 'Hardware virtualization, as recently introduced by Intel and AMD, is very powerful technology. It's my personal opinion that this technology has been introduced a little bit too early, before the major operating system vendors were able to redesign their systems so that they could make a conscious use of this technology, hopefully preventing its abuse.'
If chips weren't available (publicly, not just a few samples to big OS vendors), the OS vendors wouldn't have bothered to even start thinking about what to do with it.

Anyhow, the scare over hardware-VM-based malware is overblown. It was entirely possible to write VM malware without hardware VM support, just as VMware can provide virtual machines using software only, on systems without hardware VM support.

The only way to avoid such malware is to either not let it get onto your computer in the first place, or make sure it's running in a tight enough security environment that it can't get down to the bare metal. If your system isn't secure enough to prevent software from modifying the MBR or OS files, and prevent it from running at "ring 0", there's not a damn thing you can do.

Naturally, Windows is normally installed so that the main user has administrative access, which means that any software he or she downloads can do exactly those kinds of potentially destructive operations.

By contrast, real operating systems are normally installed such that the user is not privileged by default.

Ultimately, it all comes down to how smart and well-educated the end user is. If the malware can trick the user into providing privileged access, all bets are off.

Potential Uses Not Good For PC Manufacturers? (2, Interesting)

no_pets (881013) | more than 7 years ago | (#16615344)

I must admit that my only experience in hardware virtualization comes from IBM AS/400 and RS/6000 environments. But, if hardware virtualization is (mostly) ready on the PC and PC OSes could make use of it, it could hurt PC manufacturers such as Dell.

What I'm getting at is many families are getting multiple PCs in the house now. One (or more) for the kids and one (or more) for the parents. Most of these people are just browsing the web, checking email, low CPU usage things. What if, like on these enterprise class platforms, you could order one PC with a dual core (or more) CPU, two (or more) keyboards, monitors, mice, then slice up the processing power in two, then run two OSes and basically have 2 virtual PCs out of the same hardware?

It may not save money just running 2 virtual PCs but if it could run 3 or 4 it should save money once they get into mass production.
Okay, this is slightly OT but someone mentioned that there isn't much use for this technology at the consumer level but I disagree. Of course a rootkit running on top of it all wouldn't be good.

Backstreet Ruby (2, Informative)

foobsr (693224) | more than 7 years ago | (#16615994)

You could have it for quite a time, just an example [demon.co.uk] .

But do you honestly think that anyone would market that? Instead, overtime to buy multiple whatevers is proposed to be the best.

CC.

Writing-low-level-assembly female? (1)

radu.stanca (857153) | more than 7 years ago | (#16615376)

Did you hear that? Something like the sound of thousands of geeks rushing to their bathrooms... Sorry guys, but you know it's true :p

Which side does she take??? (1)

pla (258480) | more than 7 years ago | (#16615466)

I don't use any anti-virus products to secure any of my machines. The reason--I just don't like their approach, which is to block only known malware.

Riiiiiight... So, for fear of future threats, we should totally ignore current ones? Why do I not feel inclined to take advice from this person?

Overall, she makes a good point about how vulnerable current systems seem to VM rootkits. I disagree about the recentness of VM tech (we've had it in the x86 line since the 386, and in Big Iron for almost half a century), but yes, we do need some way to protect ourselves from inherently undetectable malware.

Rootkits in WM? (0)

Anonymous Coward | more than 7 years ago | (#16615830)

Does this mean Sony has branched out to include rootkits in VMWare?
*me ducks* ;)

IBM Mainframe VM (1)

Spiked_Three (626260) | more than 7 years ago | (#16615966)

I was a big fan of VM, in particular IBM's version of it back in the 70-80s. It did exactly what we are seeing today - it allowed you to run multiple OS(s) of your choice AND depending on the hardware you had it gave various performance boosts via hardware assists.

BUT, in the long term, I only saw it used as a solution to solving temporary problems. It was used often when customers were migrating from/to other IBM Operating System (DOS to MVS). It was used to temporarily house a new OS build while new hardware was being installed. It was occasionally used as a partitioning tool for application protection. But the simple fact is that the total throughput under VM (or its hardware equivalent LPAR) never matched native performance.

I see over and over again 'new' ideas showing up in PCs that are just a repeat of what the mainframes did 20 years ago. I see no reason to believe the PC outcome will be any different for VM. It will never be mainstream and always just be a solution available and appropriate for a few temporary problems. And yes, the hardware vendors 20 years ago were saying the same things these guys are saying now, about how it WILL be mainstream and will perform etc etc. It never happened.

Sic! (1)

foobsr (693224) | more than 7 years ago | (#16616216)

Quote from "z/OS Workload Manager: How It Works and How to Use It"

The z/OS Workload Manager (WLM) component introduces the capability of dynamically allocating or re-distributing server resources, such as CPU, I/O, and memory across a set of workloads based on user defined goals and their resource demand within a z/OS image. Looking over the fence of the z/OS image the Workload Manager is able to perform this function also across multiple images of z/OS, Linux or VM operating systems sharing the zSeries processor. Another function of the WLM is to assist routing components and products to dynamically direct work requests associated with a multi-system workload to run on a z/OS image within a Parallel Sysplex that has sufficient server resources to meet customer defined goals.

No virtualization here, move along.

CC.

Re:IBM Mainframe VM (1)

Sloppy (14984) | more than 7 years ago | (#16616556)

It will never be mainstream and always just be a solution available and appropriate for a few temporary problems.

I disagree.

The reason the mainframe virtualization of the 1970s didn't become "mainstream" was simply due to the fact that the mainstream can't afford mainframes.

If a major player in the OS (or even server app) market decides to use virtualization as a security/compartmentalization technique, then use of the feature will spread like wildfire. It'll be just another feature like chroot or jails. For example, if the default installation for Apache on Linux were to run in a VM, then that would be that: millions of people using VM.

Can user mode install a hypervisor? (1)

Sloppy (14984) | more than 7 years ago | (#16616404)

The thing I don't get about the "blue pill" threat, is that I ass/u/me that you have to be running in Supervisor mode in order to install a hypervisor. True?

If no, then it sounds like the virtualization "feature" is really a bug -- a way around the supervisor/user distinction. So yeah, I see a threat, but it's such a glaringly huge and obvious one that I can't believe the designers didn't anticipate it. And that's really what it comes down to: I don't believe it. If anyone tells me user mode is able to install a hypervisor that modifies the execution of supervisor code, my bullshit detector is going to go off.

If yes, then I don't see what the big deal is. If you postulate that hostile code will be run in supervisor mode (so that it can install a hypervisor), then you're screwed no matter what. Virtualization doesn't change the situation much. The fact that it's "impossible" to detect such a compromise is irrelevant, because it's already nearly impossible to provably verify the system is uncompromised. Just because the mainstream relies on malware scanners, doesn't mean the technique's invalidation is significant. Anyone who has thought about it, already knows that searching for malware was never serious security technique.

That's exactly what's broken in Vista (1)

Myria (562655) | more than 7 years ago | (#16620526)

Vista 64's driver signing system is touted as preventing rootkits. Security researchers trust Microsoft that driver signing will help with this. However, as the parent poster says, once code is running at supervisor level it's all over. It's absurd to try to make administrators not administrators. Also, why are corporations magically trusted but not the computer's owner?

The whole thing is really about DRM, protecting wmplayer.exe from debuggers' eyes. (Of course, you could just virtualize the whole OS and dump out data from the sound card that way, regardless of any stupid driver signing...)

I am still angry at Joanna. When she presented at Black Hat, she stated that she was in favor of Vista 64's driver signing, and presenting it was a way to get it fixed. I was incensed, because I'd discovered the same hole independently (before her presentation but after she'd found it), and wanted to wait until after Vista's consumer release to do maximum credibility to Microsoft. I didn't even code it - I described the whole thing in 1 sentence, and any competent NT programmer could have implemented it. On the Xbox Linux Team I fought for years against operating systems' use of digital signatures to restrict whose programs you can run; I wasn't about to help Microsoft do that for Vista.

Guess what the result of her presentation is: user-mode programs, even Administrator/LocalSystem, cannot raw write to disks in Vista. This is going to be loads of fun for disk utilities. Suddenly they have to be made by corporations, and the entire utility must be in kernel mode or it will break the driver signing "security".

Microsoft has already stated their intention on MSDN that in the next version of Windows, only corporation-signed programs will be able to run as Administrator regardless of the wishes of the computer's owner. Microsoft wants to make all PCs into Xbox 360s.

I found two more attacks against their digital signature system, and like hell am I going to tell them (or anyone else). Since I now know it's DRM related, it would be a felony for me to disclose it to anyone but Microsoft, and I'm not going to tell them.

Melissa

Re:That's exactly what's broken in Vista (1)

Sloppy (14984) | more than 7 years ago | (#16623066)

I found two more attacks against their digital signature system .. Since I now know it's DRM related, it would be a felony for me to disclose it to anyone but Microsoft

Are you really sure about that?

DMCA violations are felonies, and disclosing details (as opposed to "trafficking in" actual implementations) isn't a violation anyway, and there's also quite a bit of latitude about what the "primary purpose" of an implementation would be, anyway. If there aren't already products on the market that depend on the signature system, it would be damn near impossible for someone to make a coherent argument that your disclosure was intended to bypass the security on their nonexistent product.

Or is your "felony" concern about something other than DMCA? Would you be breaking some NDA that you signed?

Kernel holes, not virtualization, are the problem. (4, Interesting)

Animats (122034) | more than 7 years ago | (#16616636)

Before an attack can install something like "Blue Pill", it has to be running in kernel mode. At that point, it already has full control of the machine. The only question is what to do with that control. Installing a hypervisor underneath the OS is kind of neat, but there are lots of other things to do.

What this does demonstrate is that after-the-fact malware detectors are a dead end.

There's a great comment in the article:

The solution (includes) checking all the possible "dynamic hooking places" in kernel data sections.

(This) is actually impossible to achieve 100 percent as nobody knows all those dynamic hooking places, but we could at least start building a list of them. I believe the number of the hooking places is a finite number for every given operating system.

In other words, there is only a finite number of "ways" to write Type II malware of any specific kind (e.g. a keystroke logger).

Now that's a big part of the problem - Microsoft's use of "dynamic hooking", or places where user code can insert callbacks which privileged code might access, is so messed up that security researchers can't even find all the places where it is allowed. "Dynamic hooking" is really a lame method of interprocess communication left over from the DOS version of Windows. It should never have made it into NT/W2000/XP/etc.

There's less of a temptation to do this in open source operating systems, since, if you really need to legitimately add a feature, you can put it in the source, rather than tapping into some binary. The Linux netfilter/ipchains mechanism offers a "dynamic hooking" attack vector into the kernel, though, so Linux isn't immune to attacks of this type.
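The finite list of "hooking places" the comment argues for lends itself to a baseline comparison: enumerate the places once, then check that each pointer still targets trusted code and still matches a clean snapshot. The following is an added example, not code from this thread or from any product it mentions; the kernel text range, module ranges, hook names and addresses are constructed stand-ins for what a real checker would read from the kernel's symbol table and module list.

```python
"""Added example (not from the thread): baseline check over an enumerated list of
kernel hooking places. Every address below is a constructed sample value."""

from dataclasses import dataclass
from typing import Dict, List, Tuple

Range = Tuple[int, int]

# Constructed layout of a hypothetical kernel image: code lives in [start, end).
KERNEL_TEXT: Range = (0xFFFFFFFF81000000, 0xFFFFFFFF81A00000)

# Text ranges of modules the administrator has approved (constructed sample values).
TRUSTED_MODULE_TEXT: Dict[str, Range] = {
    "nf_conntrack": (0xFFFFFFFFA0010000, 0xFFFFFFFFA0030000),
}


@dataclass(frozen=True)
class Finding:
    place: str      # which hooking place, e.g. "sys_call_table[__NR_read]"
    address: int    # pointer value found in the current snapshot (0 if missing)
    reason: str     # why it was flagged


def in_range(addr: int, rng: Range) -> bool:
    lo, hi = rng
    return lo <= addr < hi


def pointer_is_trusted(addr: int) -> bool:
    """A hook target is trusted only if it lies in kernel text or an approved module."""
    if in_range(addr, KERNEL_TEXT):
        return True
    return any(in_range(addr, rng) for rng in TRUSTED_MODULE_TEXT.values())


def check_hooking_places(baseline: Dict[str, int], current: Dict[str, int]) -> List[Finding]:
    """Compare a snapshot of every known hooking place against a clean baseline.

    Both arguments map place-name -> function pointer. Returns the anomalies found;
    an empty list means every enumerated place is exactly as expected.
    """
    findings: List[Finding] = []
    for place, addr in sorted(current.items()):
        if not pointer_is_trusted(addr):
            # Pointer leads to memory no known code owns: the classic hooked-entry signature.
            findings.append(Finding(place, addr, "outside trusted text"))
        elif place in baseline and baseline[place] != addr:
            # Still trusted code, but a different function than the clean snapshot recorded.
            findings.append(Finding(place, addr, "differs from baseline"))
    for place in baseline:
        if place not in current:
            findings.append(Finding(place, 0, "missing from snapshot"))
    return findings


# Constructed "clean" snapshot of the hooking places this checker knows about.
BASELINE: Dict[str, int] = {
    "sys_call_table[__NR_read]": 0xFFFFFFFF81120000,
    "sys_call_table[__NR_write]": 0xFFFFFFFF81120400,
    "idt[0x80]": 0xFFFFFFFF81001200,
    "nf_hooks[INET][PRE_ROUTING]": 0xFFFFFFFFA0011000,   # legitimate module hook
}

# Constructed "infected" snapshot: read() now points into a region with no known owner,
# and the netfilter hook has been re-pointed at a different (kernel) function.
INFECTED: Dict[str, int] = dict(BASELINE)
INFECTED["sys_call_table[__NR_read]"] = 0xFFFFC90000400000
INFECTED["nf_hooks[INET][PRE_ROUTING]"] = 0xFFFFFFFF81200000

if __name__ == "__main__":
    for f in check_hooking_places(BASELINE, INFECTED):
        print(f"{f.place}: 0x{f.address:x} ({f.reason})")
```

Because the snapshot is read from the very kernel being checked, code already running in kernel mode can feed the checker a clean-looking table; that is the comment's point that after-the-fact detection is a dead end rather than a contradiction of it.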

I speak for hundreds of geeks... (1)

Nicolay77 (258497) | more than 7 years ago | (#16617446)

... when I ask: Is she HOT ?

Re:I speak for hundreds of geeks... (2, Funny)

Jugalator (259273) | more than 7 years ago | (#16617698)

Here she's sitting between two other geeks that look to be slightly confused by the situation:
http://www.prabu.us/wp-content/Fabio_Joanna_prabu_Small.jpg [prabu.us]

Please don't confuse the leftmost man named Fabio there with the model of the same name.

Re:I speak for hundreds of geeks... (0)

Anonymous Coward | more than 7 years ago | (#16621066)

What's somewhat more interesting, but few people outside of Poland realize, is that Ms. Joanna attended BlackHat 2003 as Mr. Jan (http://www.google.com/search?q=%22jan+k.+rutkowski%22 [google.com] ) and spoke on Advanced Rootkit Detection. As such, I'd advise caution ;-)

Please check out the BluePill presentation (0)

Anonymous Coward | more than 7 years ago | (#16617624)

Check out the BluePill presentation here:
http://blackhat.com/presentations/bh-usa-06/BH-US-06-Rutkowska.pdf [blackhat.com]

Basically the whole thing about it being able to subvert the OS is based on an inherent security problem in the way Vista handles direct block access. This is just basic OS architecture. If the OS won't load anything but signed drivers but will still allow anyone to write anything to the swap area, then that's just an insecure OS. Because even if it wasn't some virtualization thing that was getting loaded, then page file modification would be a wonderful attack vector for lots of other stuff.

Unfortunately the media has focused way too much attention on the "virtualization" part of this stunt, but reporters were probably not smart enough to understand that the blue pill thing actually exploits an intrinsic weakness of Vista (and she hasn't really made an effort to dispel that -- on the contrary, she's claimed from day 1 that the exploit isn't based on any OS flaw or weakness, which left me scratching my head until I finally got my hands on her presentation and discovered this part of the claim is bull). Fortunately for MS, though, it seems that they have smart engineers because, as she admits in the article referred to in the Slashdot summary, they've made the page file out of reach. She, though, continues to think that this is somehow the wrong answer (as she hints in her presentation) ... Clearly _real_ OS design and security aren't her specialty.

Her name should be (2, Funny)

woodengod (863603) | more than 7 years ago | (#16617744)

Joanna ROOTkowska

Re:Her name should be (0)

Anonymous Coward | more than 7 years ago | (#16622150)

Actually, in the Polish language her name is Rootkowska: [u] is pronounced like English [oo].

Not ready? (2, Insightful)

Schraegstrichpunkt (931443) | more than 7 years ago | (#16619044)

Major operating systems aren't ready for virtualization? We could have used virtualization five years ago.

The only OS that has any sort of problem with virtualization is Windows, and there is no reason to believe that Microsoft would have suddenly fixed things if hardware virtualization had been put off for another 5-10 years.

"Blue Pill" is quasi-illiterate gibberish. (2, Informative)

Anonymous Coward | more than 7 years ago | (#16619308)

Blue Pill is bullshit. Don't believe me, believe the experts:

o Keith Adams, of VMware fame (binary translation and Intel VT work): http://x86vmm.blogspot.com/2006/08/blue-pill-is-quasi-illiterate.html [blogspot.com]
o Anthony Liguori, of Xen fame (paravirtualization work): http://www.virtualization.info/2006/08/debunking-blue-pill-myth.html [virtualization.info]

quasi-technical personal abuse .. (1)

rs232 (849320) | more than 7 years ago | (#16622010)

"Blue Pill is the prototype resulting from a security study made by Joanna Rutkowska, which took advantage of new virtualization capabilities of AMD processors (known as SVM and previously as Pacifica) to inject a rootkit in a running [virtualization.info] Vista operating system"

When people have to resort to abuse to support their argument it makes me suspect that they are trying to distract from the facts. Adams doesn't actually debunk blue-pill; he calls the research quasi-illiterate gibberish and accuses the researcher of attention-whoring, whatever that is. Nothing in the two cited articles provides any actual technical information as to why the injection technique wouldn't work.

"The non-exploit consists of a boot-loaded VT/SVM hypervisor that "undetectably" (http://x86vmm.blogspot.com/2006/08/blue-pill-is-quasi-illiterate.html) compromises your chain-loaded host. Recall with me the fundamental theorem of VT/SVM: "VT and SVM make nothing possible that was not possible before."

But one of the alleged benefits of VM was total isolation of the client OSs. If a VM machine can't protect a client OS from malicious processes then what is it for? Answer me that one, and name calling doesn't count as a valid response.

key words: attention-whoring, quasi-illiterate gibberish, Re: "Blue Pill" is quasi-illiterate gibberish.