Slides From VT-x Rootkit Detection Talk

Thomas Ptacek | August 7th, 2007 | Filed Under: Defenses, Matasano, Uncategorized

There will be more to come, but for those of you who are interested, or who missed the talk, here are our slides from the rootkit talk, showing how we detect unexpected virtualization to ferret out all known virtualized rootkits on any mainstream operating system.

9 Comments

    Hello,

    I'm just discovering security, and I read both your slides and the Blue Pill ones, and I still have one question:

    I understand that detecting that you are in a VM is feasible, BUT is it possible to tell the difference between running under an unknown version of a VMM (because maybe everybody will run VMs in the near future) and known VMM malware?

    Is it possible for a process inside a VM (your rootkit detector) to analyze memory outside its boundaries? (Blue Pill doesn't affect any memory inside the VM.)

    Thanks
---
    Certainly a lot of good work in there. However, I do have to admit that Joanna has a point when she says that detecting rootkits merely by inferring that there is virtualization is going to be less and less useful as time goes on. I run pretty much all of my personal (server) things on VMs, and we use VMs to a great extent at work as well.

    At the risk of sounding like a VMware sales droid, VMs really are making a lot of headway in the server space. 3 out of 3 of the last server hardware class systems I've invested in personally (outside of work) have all ended up running VMs, and I know we're giving consideration to deploying production services on VMs here at work.

    Now, obviously, there are a lot of scenarios that will probably never (or at least not for a very long time) see meaningful virtualization, end user client systems being a big one, especially home users (at least not while things like virtualized video cards still give poor performance and functionality compared to the real deal). But at least as far as dedicated/noninteractive servers go, I think that the window in which it is going to be feasible to say "I'm running in a VM [unexpectedly], therefore I am rootkit'd" is going to be fast disappearing.
---
    Very good point, Skywing, and I have thought of these situations before also. Looking over the Black Hat slides such as

    http://www.blackhat.com/html/bh-usa-07/bh-usa-0...

    gives more proof to your point that "I'm running in a VM [unexpectedly], therefore I am rootkit'd" is going to be fast disappearing.

    One interesting thought is how people will be able to detect whether they are running in a wanted or unwanted VM. When Windows moves its servers to full virtualization, and even more so the desktop, how will users be able to tell whether just the Windows hypervisor is under them, or whether there is some malware running parallel to the hypervisor or even under it?

    I am also interested in when people will start using the instructions from an offensive stance (maybe that is too boring for some).
---
    The "TLB checking with colored memory" technique has a pretty short expiration date as more systems become virtualized, but the timer-based approach actually seems to have merit, provided that the timers are profiled pre-emptively and often. Timers really can't tell you which virtualization layer you have, but they can tell you if you have one you didn't expect to have.
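The timer-based check this comment refers to, as an added example (not code from the talk, the slides or any commenter): it brackets CPUID with RDTSC, takes the median of many samples, and compares that median with a baseline recorded earlier on the same machine while it was known to be clean. On Intel VT-x, CPUID unconditionally causes a VM exit, so its cost jumps from a few hundred cycles to thousands under any hypervisor. The sample count, the 3x threshold ratio and the two embedded sample arrays are constructed for illustration and are assumptions, not figures from the slides; on a non-x86 build the measurement stub returns 0 and only the decision logic is exercised.

```c
/* Added example: timer-based detection of an unexpected VMM.
 * On Intel VT-x, CPUID always causes a VM exit, so under a hypervisor it
 * costs thousands of cycles instead of a few hundred. We bracket CPUID
 * with RDTSC, take the median of many samples and compare it with a
 * baseline recorded on the same machine when it was known to be clean. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SAMPLES 256   /* assumed sample count per profiling run */

#if defined(__x86_64__) || defined(__i386__)
static inline uint64_t rdtsc(void) {
    uint32_t lo, hi;
    __asm__ __volatile__("rdtsc" : "=a"(lo), "=d"(hi));
    return ((uint64_t)hi << 32) | lo;
}

/* CPUID leaf 0. CPUID is serializing, so the two RDTSC reads cannot be
 * reordered across it, and under VT-x it unconditionally traps. */
static inline void cpuid0(void) {
    uint32_t a = 0, b, c, d;
    __asm__ __volatile__("cpuid" : "+a"(a), "=b"(b), "=c"(c), "=d"(d) : : "memory");
    (void)b; (void)c; (void)d;
}

/* Cycles consumed by one CPUID, as seen by the guest-visible TSC. */
uint64_t time_cpuid_once(void) {
    uint64_t t0 = rdtsc();
    cpuid0();
    return rdtsc() - t0;
}
#else
/* Non-x86 build: no RDTSC/CPUID; return 0 so the decision logic still compiles. */
uint64_t time_cpuid_once(void) { return 0; }
#endif

static int cmp_u64(const void *x, const void *y) {
    uint64_t a = *(const uint64_t *)x, b = *(const uint64_t *)y;
    return (a > b) - (a < b);
}

/* Median of n samples (input left untouched). Median rather than mean:
 * interrupts and SMIs inflate a few samples, while a hypervisor would have
 * to pull the whole distribution down to hide. */
uint64_t median_u64(const uint64_t *v, size_t n) {
    if (n == 0) return 0;
    uint64_t *copy = malloc(n * sizeof *copy);
    if (!copy) return 0;
    memcpy(copy, v, n * sizeof *copy);
    qsort(copy, n, sizeof *copy, cmp_u64);
    uint64_t m = (n % 2) ? copy[n / 2] : (copy[n / 2 - 1] + copy[n / 2]) / 2;
    free(copy);
    return m;
}

/* Profile: median cycle count over SAMPLES executions of CPUID. */
uint64_t profile_cpuid_cycles(void) {
    uint64_t v[SAMPLES];
    for (size_t i = 0; i < SAMPLES; i++) v[i] = time_cpuid_once();
    return median_u64(v, SAMPLES);
}

/* Verdict: 1 = current median exceeds baseline by more than `ratio` times
 * (an assumed threshold; a real VM exit is usually 10x or more), 0 = matches,
 * -1 = no baseline recorded, so there is nothing to compare against. */
int unexpected_vmm(uint64_t baseline, uint64_t current, unsigned ratio) {
    if (baseline == 0) return -1;
    return current > baseline * (uint64_t)ratio;
}

/* Constructed sample data (not measurements from the talk): a clean run with
 * one interrupt outlier, and a run under a hypervisor. */
const uint64_t demo_clean[8] = {190, 210, 200, 205, 198, 212, 203, 3000};
const uint64_t demo_vmm[8]   = {1800, 1750, 1900, 1820, 1780, 6000, 1810, 1790};

/* Runs the decision over the constructed data: baseline from demo_clean,
 * current from demo_vmm. Returns the verdict (1 for these arrays). */
int demo_verdict(void) {
    uint64_t base = median_u64(demo_clean, 8);
    uint64_t now  = median_u64(demo_vmm, 8);
    return unexpected_vmm(base, now, 3);
}

int main(int argc, char **argv) {
    /* Baseline from the command line: the median recorded earlier on this
     * machine while it was known-clean. Re-profile after BIOS/microcode changes. */
    uint64_t baseline = argc > 1 ? strtoull(argv[1], NULL, 0) : 0;
    uint64_t now = profile_cpuid_cycles();
    printf("median CPUID cycles now: %llu\n", (unsigned long long)now);
    int r = unexpected_vmm(baseline, now, 3);
    if (r < 0) puts("no baseline given; record this value on known-clean hardware");
    else puts(r ? "UNEXPECTED virtualization layer" : "timing matches baseline");
    return 0;
}
```

Run it once on clean hardware to record the baseline, then run it again with that number as the argument. The caveat the comment hints at with "profiled pre-emptively and often": VT-x also lets a hypervisor trap RDTSC and apply a TSC offset, so a rootkit that bothers to can shrink the guest-visible cost of its own exits. That is why a baseline taken before the machine could have been compromised matters, and why a clock the hypervisor does not control (a wall clock or a remote time source) is harder to fool than the TSC alone.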
---
    Cool stuff. Wish I'd been at the talk! Any chance you'll write it up like you did with your last Black Hat talk?

    Also, why "Samsara"? I have a passing familiarity with the word (took a Buddhist Philosophy class in college), but I'm not seeing the connection to rootkit detection...
---
    Matt - I believe it refers to the cat and mouse game mentioned in the presentation.

    sam·sa·ra n. Hinduism & Buddhism
    The eternal cycle of birth, suffering, death, and rebirth.
---
    Detection of a VMM is merely the first step. Then comes recognition (it's BluePill or it's not) and identification (which version of BluePill it is).

    Having never seen BluePill before the presentation, we had no way to know how to recognise it, let alone identify it. However, we did not present our work as a "BluePill detection" (because it's not) - we presented it as a VMM detection (which it is). That it finds BluePill is a corollary.

    Now, given the BluePill code, we can find anomalous behaviours - e.g. VPC 2007 can't coexist yet, so if the cause is isolated then a heartbeat app can be created in its place. If the heartbeat stops, then we've recognised BluePill, and even identified it as v0.11. Of course, that will be fixed in v0.xx, but we'll just find something else (there are other things, but this comment is already too long). The cat and mouse game is being played.

    Yes, the future is virtualisation in the OS (and eventually in the firmware), but then the BluePill problem goes away.
---
    Great slide deck! Congrats on the great work Tom, Nate and Peter.
---
    The question isn't "is it possible for a Windows application to detect that it is running under a virtualized rootkit?" If you want to trick Windows applications, you can do that reliably without virtualizing the whole system.

    The question is, "can the system detect malicious virtualization?" All benign virtual machines --- indeed, all benign components of the system --- can be made to cooperate with that effort. Malware cannot. It is distinguished by that fact. Once the highest-privileged component in the system (usually, the "root" hypervisor) is enlisted, malicious virtualization is detected simply by looking for unexpected virtualization.

    The balance of Joanna's argument is that VMware and Microsoft are never going to sully their hypervisors with "hacks" to detect Blue Pill, and I agree; malicious virtualization is unlikely to be important enough to merit that effort. But if virtualized malware ever becomes that big a problem, know that Microsoft and VMware have a response.
