Matasano Chargen » Blog Archive » Joanna: We Can Detect BluePill. Let Us Prove It!

Joanna: We Can Detect BluePill. Let Us Prove It!

Thomas Ptacek | June 27th, 2007 | Filed Under: Defenses, New Findings, Uncategorized

Nate Lawson, spilling the beans on our some of our Black Hat plans:

“The crux of the matter is that a perfect emulator of any sufficiently complex system would have to be a bug-free program, and we don’t know how to write those yet,” he argued. “The important thing to consider when writing a rootkit is what layer to implement it at. Joanna chose “entire x86 PC”, which we argue is too big a cross-section.”

Joanna, we respectfully request terms under which you’d agree to an “undetectable rootkit detection challenge”. We’ll concede almost anything reasonable; we want the same access to the (possibly-)infected machine than any antivirus software would get.

The backstory:

Dino Dai Zovi, under Matasano colors, presented a hypervisor rootkit (“Vitriol”) for Intel’s VT-X extensions at Black Hat last year, at the same time as Joanna presented BluePill for AMD’d SVM.
We concede: Joanna’s rootkit is coolor than ours. I particularly liked using the debug registers to grab network traffic out of the drivers. We stopped weaponizing Vitriol.
Peter Ferrie, the Symantec branch of our Black Hat team, releases a kick-ass paper on hypervisor detection. Peter’s focus is on fingerprinting software hypervisors (like VMWare), but he also comes up with a clever way to detect hardware virtualization.
Nate Lawson, Dino, and I are, simultaneously, working on hardware rootkit detection techniques.
Nate, Peter, Dino, and I join up to defend our thesis at Black Hat: if you surreptitiously “hyperjack” an OS, enabling hardware virtualization (or replacing or infecting an existing hypervisor), you introduce so many subtle changes in system behavior —- timing and otherwise —- that you’re bound to be detectable.

And so the stage is set for our Black Hat talk.

For the record: I’m the least scary member of this particular team, but have likely written the most code (by LOC) behind the talk. Obviously, Dino’s Vitriol work is what made it possible for us to figure this stuff out, and Joanna’s BluePill work —- which we haven’t seen —- is what makes it interesting.

I’ll have more to say in the coming weeks.

Viewing 9 Comments

Fionnbharr Davies 2 年 ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

Looks like Joanna has turned the contest around and given you the short straw, haha. Her blog post pretty much says that it's not even half finished so of course you'll be able to detect it with all your fancy timing tricks. Not to mention she'll get the source code to these tricks after the competition and it's not like you don't already have a similar rootkit so you don't get much out of that transaction.

This is interesting indeed!

reply edit reblog flag

http://fshypervisor.wordpress.com

one.miguel 2 年 ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

Yeah, and she wants you to find sponsors to pay her $384,000 so she can play! Six months, two developers @ $200/hr per developer to develop blue pill = lame.

reply edit reblog flag

Nate 2 年 ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

I've posted my response to Joanna here.

reply edit reblog flag

http://www.root.org/

Thomas Ptacek 2 年 ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

I don't think having our source code is going to help her make Blue Pill less detectable, even in the medium-short term.

What I do like is, "you can't peg the CPU for more than a second because it will be a drag for users". Like the performance cost of having SVM/VTX enabled isn't?

reply edit reblog flag

http://www.matasano.com/log

Technocrat 2 年 ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

Will you agree on an OS to use? XP? Vista?

reply edit reblog flag

http://djtechnocrat.blogspot.com/

Thomas Ptacek 2 年 ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

I'm assuming it's Vista, but don't have a strong opinion.

reply edit reblog flag

http://www.matasano.com/log

Nicholas Weaver 2 年 ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

Does the rootkit have to be persistent? Can the system BIOS be write protected?

If so, there is always Yi Min Wang's Ghostbuster trick from Microsoft Research.

Persistent stealthy rootkits, in the face of a defender who can reboot the system and has a trusted BIOS and trusted media, are always detectible, unless the rootkit author solves the program-intent-detection problem (aka, the AV version of the Halting problem), gives up on stealth (not a rootkit), or gives up on persistent (reboot clears rootkit)

reply edit reblog flag

Thomas Ptacek 2 年 ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

No, Joanna's rootkit doesn't persist itself.

reply edit reblog flag

http://www.matasano.com/log

Nathan McFeters 2 年 ago 1 point
Please login to rate.

Do you already have an account? Log in and claim this comment.

Is anyone else as excited for blackhat this year as any in recent history? I'm looking forward to this showdown!

reply edit reblog flag

Joanna: We Can Detect BluePill. Let Us Prove It!

Add New Comment

Viewing 9 Comments

Add New Comment

Trackbacks

People We Read

Things We Write

RSS Feed

Archives