Joanna: We Can Detect BluePill. Let Us Prove It!

Nate Lawson, spilling the beans on some of our Black Hat plans:

“The crux of the matter is that a perfect emulator of any sufficiently complex system would have to be a bug-free program, and we don’t know how to write those yet,” he argued. “The important thing to consider when writing a rootkit is what layer to implement it at. Joanna chose “entire x86 PC”, which we argue is too big a cross-section.”

Joanna, we respectfully request terms under which you’d agree to an “undetectable rootkit detection challenge”. We’ll concede almost anything reasonable; we want the same access to the (possibly-)infected machine as any antivirus software would get.

The backstory:

  • Dino Dai Zovi, under Matasano colors, presented a hypervisor rootkit (“Vitriol”) for Intel’s VT-x extensions at Black Hat last year, at the same time as Joanna presented BluePill for AMD’s SVM.

  • We concede: Joanna’s rootkit is cooler than ours. I particularly liked using the debug registers to grab network traffic out of the drivers. We stopped weaponizing Vitriol.

  • Peter Ferrie, the Symantec branch of our Black Hat team, releases a kick-ass paper on hypervisor detection. Peter’s focus is on fingerprinting software hypervisors (like VMware), but he also comes up with a clever way to detect hardware virtualization.

  • Nate Lawson, Dino, and I are, simultaneously, working on hardware rootkit detection techniques.

  • Nate, Peter, Dino, and I join up to defend our thesis at Black Hat: if you surreptitiously “hyperjack” an OS, enabling hardware virtualization (or replacing or infecting an existing hypervisor), you introduce so many subtle changes in system behavior — timing and otherwise — that you’re bound to be detectable.
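A minimal instance of the timing side of that thesis, added here as an illustration and not code from the talk, from Peter’s paper, or from Vitriol: it times an instruction that VT-x and SVM must trap to the hypervisor (CPUID, assumed here as the probe; the post does not name one) against an instruction that never traps, and reports the median ratio. A defender records the ratio on known-clean hardware of the same model and treats a large jump as a hint that something is sitting underneath the OS.

```c
#include <stdint.h>
#include <stdlib.h>
#include <time.h>

#define SAMPLES 2001  /* odd, so the median is a single sample */

/* CPUID always causes a VM exit under VT-x and SVM, so a hyperjacked OS pays
 * for a trap on every execution. Off x86 a clock and a no-op stand in. */
#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
#include <cpuid.h>
static inline uint64_t ticks(void) { return __rdtsc(); }
static inline void trapping_op(void) {
    unsigned a, b, c, d;
    __cpuid(0, a, b, c, d);
    (void)(a + b + c + d);
}
#else
static inline uint64_t ticks(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
}
static inline void trapping_op(void) { __asm__ volatile("" ::: "memory"); }
#endif

/* Baseline: something that never exits to a hypervisor. */
static inline void plain_op(void) { __asm__ volatile("" ::: "memory"); }

static int cmp_u64(const void *x, const void *y) {
    uint64_t a = *(const uint64_t *)x, b = *(const uint64_t *)y;
    return (a > b) - (a < b);
}

/* Median of n tick deltas (sorts v in place); the median shrugs off the
 * occasional interrupt or context switch that would wreck a mean. */
uint64_t median_ticks(uint64_t *v, size_t n) {
    qsort(v, n, sizeof *v, cmp_u64);
    return v[n / 2];
}

/* median(trapping) / median(plain), measured back to back so that clock
 * frequency changes affect both sides alike. */
double trap_ratio(void) {
    static uint64_t trap[SAMPLES], plain[SAMPLES];
    for (int i = 0; i < SAMPLES; i++) {
        uint64_t t0 = ticks(); trapping_op(); trap[i] = ticks() - t0;
        uint64_t t1 = ticks(); plain_op();    plain[i] = ticks() - t1;
    }
    uint64_t p = median_ticks(plain, SAMPLES);
    return (double)median_ticks(trap, SAMPLES) / (double)(p ? p : 1);
}
```

The absolute ratio is meaningless on its own; only the comparison against a baseline taken on the same CPU model without a hypervisor carries information, and a hypervisor that gets to manipulate the time source the probe reads is exactly the kind of behaviour change the talk argues is itself detectable.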

And so the stage is set for our Black Hat talk.

For the record: I’m the least scary member of this particular team, but have likely written the most code (by LOC) behind the talk. Obviously, Dino’s Vitriol work is what made it possible for us to figure this stuff out, and Joanna’s BluePill work — which we haven’t seen — is what makes it interesting.

I’ll have more to say in the coming weeks.

9 Comments so far

  1. Fionnbharr Davies June 28th, 2007 10:26 am

    Looks like Joanna has turned the contest around and given you the short straw, haha. Her blog post pretty much says that it’s not even half finished so of course you’ll be able to detect it with all your fancy timing tricks. Not to mention she’ll get the source code to these tricks after the competition and it’s not like you don’t already have a similar rootkit so you don’t get much out of that transaction.

    This is interesting indeed!

  2. one.miguel June 28th, 2007 2:19 pm

    Yeah, and she wants you to find sponsors to pay her $384,000 so she can play! Six months, two developers @ $200/hr per developer to develop blue pill = lame.

  3. Nate June 28th, 2007 2:59 pm

    I’ve posted my response to Joanna here.

  4. Thomas Ptacek June 28th, 2007 5:08 pm

    I don’t think having our source code is going to help her make Blue Pill less detectable, even in the medium-short term.

    What I do like is, “you can’t peg the CPU for more than a second because it will be a drag for users”. Like the performance cost of having SVM/VTX enabled isn’t?

  5. Technocrat June 28th, 2007 6:10 pm

    Will you agree on an OS to use? XP? Vista?

  6. Thomas Ptacek June 28th, 2007 8:14 pm

    I’m assuming it’s Vista, but don’t have a strong opinion.

  7. Nicholas Weaver July 2nd, 2007 12:35 am

    Does the rootkit have to be persistent? Can the system BIOS be write protected?

    If so, there is always Yi Min Wang’s Ghostbuster trick from Microsoft Research.

    Persistent stealthy rootkits, in the face of a defender who can reboot the system and has a trusted BIOS and trusted media, are always detectable, unless the rootkit author solves the program-intent-detection problem (aka, the AV version of the Halting problem), gives up on stealth (not a rootkit), or gives up on persistence (reboot clears rootkit).

  8. Thomas Ptacek July 2nd, 2007 12:28 pm

    No, Joanna’s rootkit doesn’t persist itself.

  9. Nathan McFeters July 4th, 2007 3:05 pm

    Is anyone else as excited for Black Hat this year as any in recent history? I’m looking forward to this showdown!