×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

VM-based rootkits proved easily detectable

paleshadows (1127459) writes | more than 6 years ago

Security 0

paleshadows (1127459) writes "A year and a half has passed since SubVirt, the first VMM (virtual machine monitor) based rootkit, was introduced. The idea spawned two lively slashdot discussions: the first, which followed the initial report about SubVirt, and the second, which was conducted after Joanna Rutkowska has recycled the idea (apparently without giving credit to the initial authors). Conversely, in this year's HotOS workshop, researchers from Stanford, CMU, VMware, and XenSource have published a paper titled " Compatibility Is Not Transparency: VMM Detection Myths and Realities" which shows that VMM-based rootkits are actually easily detectable. The introduction of the paper explains that

"While commodity VMMs conform to the PC architecture, virtual implementations of this architecture differ substantially from physical implementations. These differences are not incidental: performance demands and practical engineering limitations necessitate divergences (sometimes radical ones) from native hardware, both in semantics and performance. Consequently, we believe the potential for preventing VMM detection under close scrutiny is illusory — and fundamentally in conflict with the technical limitations of virtualized platforms."

The paper concludes by saying that

"Perhaps the most concise argument against the utility of VMBRs (VM-based rootkits) is: "Why bother?" VMBRs change the malware defender's problem from a very difficult one (discovering whether the trusted computing base of a system has been compromised), to the much easier problem of detecting a VMM.""

Link to Original Source

0 comment

Check for New Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...