Joanna’s Response To Our Talk

Thomas Ptacek | August 4th, 2007 | Filed Under: Uncategorized

At Black Hat, Joanna Rutkowska and Alex Tereshkin finally released the source code to “New Blue Pill” (NBP), thereby beating our team to the punch by allowing everyone in the field to read and understand their techniques. We congratulate them on that move and on an excellent presentation. Between the two talks, hers and ours, theirs was the more interesting and informative.

With that said: we can trivially detect NBP on any mainstream operating system.

This is not a surprise. Before Black Hat, Joanna conceded that NBP would not be ready for a direct challenge. And during her talk, she conceded that detection researchers wouldn’t have any trouble detecting this version of NBP. So, for the record:

  • NBP doesn’t virtualize the “exotic local counters” (her words, but we’ll adopt them). Detectors can use the LAPIC timer, the HPET, or the ACPI timer to detect whether CPUID (on Intel) or RDMSR (on AMD) triggers a software-facilitated VM Exit as opposed to a hardware response.

  • NBP has no defense against Peter Ferrie’s TLB sizing attack, or even against the published exploit of it that Keith Adams wrote [∗]. Detectors can desynchronize the TLB from the page directory hierarchy, color memory with known values, then watch to see whether an unexpected VM Exit evicts entries from the TLB.

  • Though we didn’t mention it in the talk (we ran out of time just talking about the things we did), the universal consensus is that Edgar Barbosa’s multiprocessor “counter” attack is the most clever strategy for detecting virtualized rootkits. NBP has no defense for this attack either.
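To make the first bullet concrete, here is an added example (not code from our talk or from NBP) of the arithmetic a timer-based detector performs once it has ACPI PM timer readings taken before and after a batch of CPUID instructions. The readings, the batch size and the 300 ns ceiling are constructed for illustration; a real detector reads the timer in-kernel and calibrates the ceiling on known bare-metal hardware.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define PM_TIMER_HZ   3579545ULL  /* ACPI PM timer frequency, fixed by the ACPI spec */
#define PM_TIMER_MASK 0x00FFFFFFu /* 24-bit counter assumed; FADT TMR_VAL_EXT marks 32-bit */
#define ITERS         100000ULL   /* CPUIDs per run (constructed value) */
#define CEILING_NS    300ULL      /* hypothetical bare-metal ceiling, must be calibrated */

/* One run: PM timer value read before and after ITERS back-to-back CPUIDs. */
struct run { uint32_t start, end; };

/* Elapsed ticks, correct across one wrap of the 24-bit counter. */
static uint32_t pm_delta(uint32_t start, uint32_t end)
{
    return (end - start) & PM_TIMER_MASK;
}

/* Average nanoseconds per CPUID within one run. */
static uint64_t ns_per_op(struct run r, uint64_t iters)
{
    return (uint64_t)pm_delta(r.start, r.end) * 1000000000ULL / (PM_TIMER_HZ * iters);
}

/* Smallest per-op time over all runs: interrupts and SMIs only ever add
 * time, so the minimum is the least disturbed sample. */
static uint64_t best_ns_per_op(const struct run *runs, size_t n, uint64_t iters)
{
    uint64_t best = UINT64_MAX;
    for (size_t i = 0; i < n; i++) {
        uint64_t v = ns_per_op(runs[i], iters);
        if (v < best) best = v;
    }
    return best;
}

/* 1 if even the best run is slower than the calibrated ceiling. */
static int cpuid_looks_trapped(const struct run *runs, size_t n, uint64_t iters, uint64_t ceiling_ns)
{
    return n > 0 && best_ns_per_op(runs, n, iters) > ceiling_ns;
}

/* Constructed readings; the second run of each set wraps the counter. */
static const struct run bare_metal[]  = { {1000, 26000}, {0xFFFF00, 0x006000}, {500000, 560000} };
static const struct run intercepted[] = { {1000, 601000}, {0xFF0000, 0x083000}, {200000, 790000} };

int main(void)
{
    printf("bare metal:  trapped=%d\n", cpuid_looks_trapped(bare_metal, 3, ITERS, CEILING_NS));
    printf("intercepted: trapped=%d\n", cpuid_looks_trapped(intercepted, 3, ITERS, CEILING_NS));
    return 0;
}
```

Batching matters because one PM timer tick is roughly 279 ns, far coarser than a single native CPUID.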

Joanna’s response to this situation is that “detecting virtualization is not the same thing as detecting Blue Pill”. This is a good point, one we had obviously thought of as well, and we cautiously agree. However, discussions along these lines quickly devolve into semantic chaos. I’ll briefly wade in:

There is a spectrum of things we can potentially detect:

  1. Virtualization

  2. Hardware virtualization

  3. Unexpected hardware virtualization

  4. Malicious hardware virtualization

  5. One of the three current known HVM rootkits

  6. An HVM rootkit derived from Blue Pill

I suggest that our team would gladly concede that we don’t have a reliable way of detecting all the way up to (6) (Blue Pill itself), if Joanna would concede that we do have a reliable way of detecting at least all the way up through (3) (unexpected virtualization).

Joanna’s argument that “once everything is virtualized, you won’t be able to detect NBP by detecting virtualization” rings false. What she’s really arguing is, “you’d have to be an OS developer to detect NBP”: at some point, your legit hypervisor runs in a context where it expects to be talking directly to the hardware, and at that point, it can verify that it’s not virtualized. But needing to be an OS developer isn’t a hurdle. Our detection code runs in-kernel already.

I think that at some level, Joanna agrees with this. After all, she spent a good portion of her presentation going into extreme detail on how to defeat virtualization probes, for instance by using instruction tracing to detect loops around the TSC (is it 1991 yet?), by guarding accesses to the PTEs (or shadowing the paging hierarchy entirely), and by submarining her rootkit into the kernel when it comes under attack.

Furthermore, knowing the line of attack we’re going to take against Blue Pill, Joanna herself acknowledges that she’d like to spend 6 months hardening her code against it.

Why go through all that effort if detecting virtualization is useless?


[∗] Black Hat presentations and blog posts are the frontier wilderness of academic publishing; neither venue provides the diligent record of citation that peer-reviewed journals do. With that said, we’d be unhappy trying to sap credit from Keith Adams’s blog post, which was the first to actually publish the TLB/PTE desync probe. I’ve been crediting TLB-sizing attacks to Peter Ferrie, our co-presenter, whose paper from earlier this year was the first place I saw the idea published, but it seems fair that some of this credit should be shared.
