Matasano On Ice: Live at Microsoft BlueHat
Dino Dai Zovi | October 16th, 2006 | Filed Under: Gatherings
DaveG and I will be at Microsoft’s BlueHat security conference this week. I’ll be giving an updated presentation on my HVM rootkit, Vitriol:
Hardware-supported CPU virtualization extensions such as Intel’s VT-x allow multiple operating systems to be run at full speed and without modification simultaneously on the same processor. These extensions are already supported in shipping processors such as the Intel® Core Solo and Duo processors found in laptops released in early 2006, with availability in desktop and server processors following later in the year. While these extensions are very useful for multiple-OS computing, they also present useful capabilities to rootkit authors. On VT-capable hardware, an attacker may install a “rootkit hypervisor” that transparently runs the original operating system in a VM. This presentation will describe how VT-x can be used by rootkit authors and demonstrate a rootkit based on these techniques that migrates the running operating system into a hardware virtual machine on the fly and installs itself as a rootkit hypervisor. Hypervisors of this sort can also be used to bypass PatchGuard on 64-bit systems. The presentation will conclude with a demonstration of Vitriol, a VT-x based rootkit.
If you read our blog, we’d like to meet you, so find us and say “hi”.
Update: 10/17/06 6:00pm EST
There has been some confusion around how or whether hypervisors can “bypass” PatchGuard. This is not an attack against, or a weakness in, PatchGuard itself. It is a demonstration that a hypervisor controls the entire universe in which an operating system runs: it can mislead or lie to any operating system running inside it, and so defeat security defenses that run in the guest VM.
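The update above makes the key point for defenders: because the hypervisor sits below the guest, anything the guest reads through the CPU (including CPUID) is whatever the hypervisor chooses to report. The following is an added example, not code from the original post or from Vitriol. It shows the standard, cooperative way a guest can ask whether a hypervisor is present (CPUID leaf 1, ECX bit 31, and the vendor signature at leaf 0x40000000), and it labels the result honestly: a clear bit is not evidence of absence, precisely because a rootkit hypervisor controls the answer. It builds with GCC or Clang on x86; on other architectures the probe reports that it is not applicable.

```c
/* Added example (not from the original post): query the CPUID
 * hypervisor-present bit and vendor signature, and interpret the
 * result from a defender's point of view. */
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* Returns 1 if CPUID leaf 1 reports the hypervisor-present bit
 * (ECX bit 31), 0 if it is clear, and -1 when CPUID is unavailable
 * (non-x86 build). */
int cpuid_hypervisor_bit(void)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return -1;
    return (int)((ecx >> 31) & 1u);
#else
    return -1;
#endif
}

/* Copies the 12-byte vendor signature from leaf 0x40000000 into out
 * (NUL-terminated, so out must hold 13 bytes). Only meaningful when
 * the hypervisor bit is set; returns 0 on success, -1 otherwise. */
int cpuid_hypervisor_vendor(char out[13])
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned int eax, ebx, ecx, edx;
    if (cpuid_hypervisor_bit() != 1)
        return -1;
    /* Leaf 0x40000000 is above the basic range, so __get_cpuid would
     * refuse it; the raw __cpuid macro from <cpuid.h> is used instead. */
    __cpuid(0x40000000, eax, ebx, ecx, edx);
    memcpy(out + 0, &ebx, 4);
    memcpy(out + 4, &ecx, 4);
    memcpy(out + 8, &edx, 4);
    out[12] = '\0';
    return 0;
#else
    (void)out;
    return -1;
#endif
}

/* Turns the probe result into the conclusion a defender may draw.
 * The important case is 0: a clear bit proves nothing, because a
 * hypervisor that wants to stay hidden simply reports it clear. */
const char *interpret_hypervisor_bit(int bit)
{
    switch (bit) {
    case 1:
        return "hypervisor bit set: a cooperative hypervisor is present";
    case 0:
        return "hypervisor bit clear: not conclusive, a stealth hypervisor controls CPUID results";
    default:
        return "CPUID unavailable on this architecture";
    }
}

int main(void)
{
    char vendor[13];
    int bit = cpuid_hypervisor_bit();

    printf("%s\n", interpret_hypervisor_bit(bit));
    if (cpuid_hypervisor_vendor(vendor) == 0)
        printf("vendor signature: %s\n", vendor);
    return 0;
}
```

The vendor string is reported only when the bit is set, since the leaf is undefined otherwise. The lesson the update states applies to every such probe: a guest-side check can confirm a hypervisor that is willing to be seen, but it cannot rule one out, which is why assurance about what runs beneath the OS has to come from outside the guest (boot measurement and attestation) rather than from instructions the hypervisor itself intercepts.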


Jamie Cannon
October 19th, 2006 2:00 pm
Hi Dino - if you’re on campus this week, we would love to chat with you. Can you drop me a line: jcannon at microsoft dot com.
Thanks,
Jamie
Matasano Chargen » Filesystems Fall To Primitive Fuzzing Tools
October 26th, 2006 10:51 pm
[…] because filesystem bugs mean people can turn $10 thumb drives into “install virtualized rootkit” kernel exploit dongles, and […]