This is about 3 months out of date (announced in June — hey, I’m just catching up on my reading) but a colleague just pointed me to an interesting technique designed to subvert Windows Vista security when running under AMD 64 CPUs. Named “Blue Pill”, it was developed by Joanna Rutkowska of Singapore security firm COSEINC and circumvents the Vista requirement for runtime code to be signed by running inside a hypervisor through AMD Pacifica SVM hardware virtualization and either disabling OS signature checking entirely, or, in the case of what she refers to as “level 2”, completely hiding the memory portion where Blue Pill sits.
According to Rutkowska, this is OS-independent; the malware can be injected at runtime through a privilege weakness in how Vista handles paged memory, and is persistent across reboots. Theoretically, this could be ported to Intel VT as well.
George Ou has a ZDNet blog entry that raises the interesting question of being able to detect this by running timing analysis — apparently, there is a possibility of hibernating the malware if a timing analysis is detected. He doesn’t address the possibility of something like just hitting the host in question with constant, random semi-DoS attacks to generate load and thus obfuscating the results of a system timing check. On second thought, I assume any such well-written process would take this into consideration (as the network stack would just be handling additional load within its design parameters.) But as he points out, any malware could just diddle with the system clock anyway.
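To make the timing-analysis idea concrete, here is an added example (my own sketch, not code from the post, Ou, or Rutkowska) of the check a defender might prototype: time an instruction a hypervisor must intercept (CPUID) against one it need not (NOP) and compare medians. The sample count, the 10x ratio threshold and the use of the median to ride out load spikes are my assumptions; the closing comment covers the clock-diddling caveat from the post.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#include <x86intrin.h>
#endif

#define SAMPLES 2001          /* assumption: enough for a stable median */
#define TRAP_RATIO 10         /* assumption: CPUID >= 10x NOP cost is suspicious */

static int cmp_u64(const void *a, const void *b) {
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

/* Median rather than mean so that bursts of load (the semi-DoS noise
   discussed above) cannot drag the measurement around. Sorts in place. */
uint64_t median_cycles(uint64_t *v, size_t n) {
    qsort(v, n, sizeof *v, cmp_u64);
    return v[n / 2];
}

/* Verdict as pure arithmetic so it can be tested with constructed samples:
   a trapping instruction costing `ratio` times the reference is flagged. */
int looks_virtualized(uint64_t trap_med, uint64_t ref_med, uint64_t ratio) {
    if (ref_med == 0) ref_med = 1;              /* avoid division by zero */
    return trap_med / ref_med >= ratio;
}

#if defined(__x86_64__) || defined(__i386__)
static uint64_t time_cpuid(void) {              /* intercepted under SVM/VT */
    unsigned a, b, c, d;
    uint64_t t0 = __rdtsc();
    __cpuid(0, a, b, c, d);
    return __rdtsc() - t0;
}
static uint64_t time_nop(void) {                /* never intercepted */
    uint64_t t0 = __rdtsc();
    __asm__ volatile("nop");
    return __rdtsc() - t0;
}
#endif

int main(void) {
#if defined(__x86_64__) || defined(__i386__)
    static uint64_t trap[SAMPLES], ref[SAMPLES];
    for (size_t i = 0; i < SAMPLES; i++) { trap[i] = time_cpuid(); ref[i] = time_nop(); }
    uint64_t tm = median_cycles(trap, SAMPLES), rm = median_cycles(ref, SAMPLES);
    /* Caveat from the post: a hypervisor can also offset or slow RDTSC itself,
       so a clean ratio here is evidence, not proof, of bare metal. */
    printf("cpuid %llu vs nop %llu cycles -> %s\n", (unsigned long long)tm,
           (unsigned long long)rm, looks_virtualized(tm, rm, TRAP_RATIO) ? "suspicious" : "ok");
#else
    puts("rdtsc/cpuid timing needs an x86 CPU");
#endif
    return 0;
}
```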
Virtualization.info has an interview with Anthony Liguori titled “Debunking Blue Pill Myth” that doesn’t really go very far towards debunking anything — part of his point is that virtualization under Vista will rely on TPM-based attestation, which is interesting, seeing how a lot of enterprises I’m familiar with actually turn off TPM functionality, especially in laptops, due to management issues.
We’ll see, I guess. Very cool though.
More links at