Wednesday, August 09, 2006

"Blue Pill" is quasi-illiterate gibberish.

I'm surprised at the hullaballoo surrounding the so-called "blue pill" pseudo-exploit. The non-exploit consists of a thin VT/SVM hypervisor, loaded from a kernel driver, that slides in underneath the already-running OS and hosts it as a guest, "undetectably" compromising it. Recall with me the fundamental theorem of VT/SVM: "VT and SVM make nothing possible that was not possible before." The extensions make some things faster and less fiddly, but they add no new capability. VMware's pre-VT/SVM products, which hosted guests on plain x86 by binary-translating their privileged code, are an existence proof.

This case is particularly hilarious, because "cloaking" a rootkit is actually harder to do with VT/SVM than with plain-jane, pre-virtualization x86. Without getting into all the gory details here: malicious code that already runs at CPL 0 (a prerequisite, remember, for the ostensible "attack", which is installed from a kernel driver) can simply map itself into a convenient corner of the kernel address space (say, the top megabyte), shrink the limit fields in the running kernel's GDT code and data descriptors so that its segments stop just below that corner, et voilà: it's "undetectable", at least in the limited sense in which the blue pill hypervisor was undetectable, because no kernel load, store or fetch through those segments can reach the rootkit without faulting. Yeah, there are some dots to connect: you have to point the IDT at the rootkit so it fields the resulting #GPs and whatever other traffic it cares about, and if the kernel tries really hard to detect you, you may ultimately need an x86 emulator to handle what it does. But x86 emulators aren't exactly the stuff of science fiction; they're pretty much commodities, which is a handy thing, since you need one in VT/SVM hypervisors, too. (One caveat: segment limits are only enforced in 32-bit protected mode. In 64-bit long mode the processor ignores them, so on an x64 kernel the same carve-out has to be done through the paging structures instead. Either way, none of it needs VT/SVM.)
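The descriptor-limit trick from the paragraph above, as an added example (this is not code from the post, nor from any rootkit or hypervisor it discusses): it decodes 32-bit protected-mode GDT descriptors, shrinks their limits so the kernel's flat code and data segments stop short of a hidden region at the top of the 4 GiB linear space, and checks which addresses remain reachable through them. The flat descriptors `FLAT_KCODE`/`FLAT_KDATA` and the one-megabyte hidden region are constructed sample values; the bit layout follows the Intel SDM segment descriptor format. The code runs in userspace and only manipulates the 64-bit descriptor encodings; installing them for real means writing the live GDT and hooking #GP, and since 64-bit long mode ignores segment limits this models the 32-bit case only.

```c
// Added example: decode and shrink x86 32-bit protected-mode segment
// descriptors, the "smash a few GDT entries" step described in the post.
// Bit layout per the Intel SDM (Vol. 3, "Segment Descriptors"):
//   [15:0] limit[15:0]   [31:16] base[15:0]   [39:32] base[23:16]
//   [47:40] access byte  [51:48] limit[19:16] [55:52] AVL/L/D-B/G
//   [63:56] base[31:24]
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

// Flat 4 GiB ring-0 code and data descriptors as a 32-bit kernel would
// install them (constructed sample input, not taken from any real kernel).
#define FLAT_KCODE 0x00CF9A000000FFFFULL
#define FLAT_KDATA 0x00CF92000000FFFFULL

// Effective limit (highest valid offset) of a descriptor, honouring the G bit:
// with G=1 the 20-bit field counts 4 KiB pages and the low 12 bits read as 1s.
static uint32_t desc_limit(uint64_t d) {
    uint32_t field = (uint32_t)(d & 0xFFFF) | (uint32_t)(((d >> 48) & 0xF) << 16);
    bool g = (d >> 55) & 1;
    return g ? (field << 12) | 0xFFF : field;
}

// Linear base address of a descriptor (scattered across three fields).
static uint32_t desc_base(uint64_t d) {
    return (uint32_t)((d >> 16) & 0xFFFF)
         | (uint32_t)(((d >> 32) & 0xFF) << 16)
         | (uint32_t)(((d >> 56) & 0xFF) << 24);
}

// Rewrite a descriptor so it covers offsets [0, new_limit] and nothing above,
// keeping base, type and DPL intact. Limits above 1 MiB need G=1; when
// new_limit is not one below a page boundary the field is rounded DOWN so the
// segment never leaks past the requested boundary.
static uint64_t desc_set_limit(uint64_t d, uint32_t new_limit) {
    uint32_t field;
    bool g;
    if (new_limit <= 0xFFFFF) {
        g = false;
        field = new_limit;
    } else {
        g = true;
        field = new_limit >> 12;
        if ((new_limit & 0xFFF) != 0xFFF)
            field -= 1;                       // round down, never up
    }
    d &= ~0xFFFFULL;                          // clear limit[15:0]
    d &= ~(0xFULL << 48);                     // clear limit[19:16]
    d &= ~(1ULL << 55);                       // clear G
    d |= (uint64_t)(field & 0xFFFF);
    d |= (uint64_t)((field >> 16) & 0xF) << 48;
    if (g)
        d |= 1ULL << 55;
    return d;
}

// Carve the top `hidden_bytes` of the 4 GiB linear space out of a flat
// descriptor. The kernel's CS/DS then end at 4 GiB - hidden_bytes - 1, and any
// kernel access into the hidden range raises #GP, which the rootkit's own IDT
// has to field (the "point the IDT at the rootkit" step in the post).
static uint64_t desc_hide_top(uint64_t d, uint32_t hidden_bytes) {
    return desc_set_limit(d, 0xFFFFFFFFu - hidden_bytes);
}

// true if linear address `addr` is reachable through descriptor d.
static bool desc_covers(uint64_t d, uint32_t addr) {
    uint32_t base = desc_base(d);
    return addr >= base && (uint64_t)addr <= (uint64_t)base + desc_limit(d);
}

int main(void) {
    uint64_t cs = desc_hide_top(FLAT_KCODE, 1u << 20);   // hide the top MiB
    uint64_t ds = desc_hide_top(FLAT_KDATA, 1u << 20);
    printf("CS %016llx limit %08x\n", (unsigned long long)cs, desc_limit(cs));
    printf("DS %016llx limit %08x\n", (unsigned long long)ds, desc_limit(ds));
    printf("0xFFEFFFFF reachable through DS? %s\n", desc_covers(ds, 0xFFEFFFFFu) ? "yes" : "no");
    printf("0xFFF00000 reachable through DS? %s\n", desc_covers(ds, 0xFFF00000u) ? "yes" : "no");
    return 0;
}
```

The rounding rule in `desc_set_limit` is the edge case worth noticing: with 4 KiB granularity a limit can only land one below a page boundary, so an arbitrary requested limit must be rounded down rather than up, or the "hidden" region would start inside a page the kernel can still touch.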

The funny thing is that setting up an IDT and smashing a few GDT entries is actually a good deal simpler than setting up a full-fledged hypervisor, which needs a richer set of trap handlers (one for every intercept it enables), its own address space, probably its own page tables and CR3 to protect itself from the guest, certainly its own GDT and IDT, and so on. Most of that "life support" code can simply be stolen from the exploited host if you take the simpler approach outlined above. I'll go so far as to say that this "blue pill" hype is straightforward attention-whoring; virtualization is hot, and finding some sense in which it might be "bad" seems contrarian and interesting, so people's ears prick up. There's really nothing to see here, though.


Blogger Anthony Liguori said...

Moreover, any such claim is going to be false. VMMs by their nature change the timing characteristics of the guest. This is always detectable provided one has access to a wall clock.

I pointed this out to Joanna and she subsequently blocked my comments to her blog and referred to the timing attack in her talk as a "theoretical" way to circumvent the system. Oh well.

9:59 PM  
Blogger Alessandro Perilli said...

Anthony and I published a little insight about the whole gibberish:

Any further comment would be great.

4:00 PM  
