BLACK HAT field report #2: Don't tell Joanna the virtualization rootkit's dead
Thomas Ptacek & Nate Lawson talk about how hypervisor rootkits work and why they are detectable, maybe even more so than kernel rootkits.
Thomas and Nate created a hypervisor rootkit called 'Vitriol' for OS X (very similar to 'BluePill' for Vista) to test their virtualization rootkit detection methods. This all stems from a debate between them and Joanna Rutkowska that has been going on for a year. Ultimately she didn't give them permission to try to detect 'BluePill' on stage, so here we find ourselves.
'Vitriol' is similar but not identical to 'BluePill': it's less weaponized and more of a proof of concept. 'BluePill' was made for the AMD architecture. 'Vitriol' doesn't hook the network and has a less stealthy loader.
After the 'Vitriol' vs. 'BluePill' comparison there was a discussion of virtualization detection in general: behavior or state changes introduced by hypervisors, and timing variations introduced by a hypervisor. Virtualized malware can be detected by examining the cross section of the hypervisor vs. the OS, and how much of the OS/hardware the hypervisor needs to emulate exactly to remain undetected.
Detection:
Strategy One - Side channel Attacks
VM overhead creates detectable 'trails' through microarchitecture that are hard to conceal.
Strategy Two - Vantage point Attacks
VM cross-section forces it to recognize and emulate the OS/hardware.
Problem: talk directly to the hardware (which will betray you), or emulate the hardware with perfect fidelity.
Performance Event Counters: instructions retired, cache misses, branches, etc.
HPET counters, ACPI timers, and MSRs would all need to agree for attackers to win.
Strategy Three - Vulnerability attack
Finding Hypervisor Bugs
Conclusions: how to make it harder for attackers
Introduce data-dependence (many heuristics)
Force them to emulate microarchitecture (branch buffers, etc.)
Force them to emulate obscure features (HPET, performance counters, AGP GART)
Tie them to a single architecture (Intel VT, option ROMs, etc.)
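To make Strategy One concrete, here is an added example (my own, not code from the talk or from Vitriol) of the simplest timing side channel: CPUID always traps to a hypervisor on both Intel VT-x and AMD SVM, so its TSC-measured cost jumps from a few hundred cycles to thousands when a hypervisor is present. The 1000-cycle threshold and 512-sample batch are assumed calibration values; the median statistic is the only part that can be checked without real hardware.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#include <x86intrin.h>
#endif
#define SAMPLES 512   /* assumed batch size */

static int cmp_u64(const void *a, const void *b) {
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

/* Median of n cycle counts (array is sorted in place). Median rather than
 * mean, so a stray interrupt or cache miss cannot dominate the estimate. */
uint64_t median_cycles(uint64_t *s, size_t n) {
    qsort(s, n, sizeof *s, cmp_u64);
    return n % 2 ? s[n / 2] : (s[n / 2 - 1] + s[n / 2]) / 2;
}

/* Verdict: a trapped CPUID pays a VM exit/entry round trip on top of the
 * few hundred cycles bare metal needs. 'threshold' is a bare-metal ceiling
 * the operator calibrates; the 1000 used in main() is an assumed heuristic. */
int hypervisor_suspected(uint64_t *s, size_t n, uint64_t threshold) {
    return median_cycles(s, n) > threshold;
}

/* Time one CPUID (leaf 0) in TSC ticks. The hypervisor cannot skip the
 * round trip; it can only lie about the TSC, which is why the talk insists
 * that HPET, ACPI timers and performance counters must all agree too.
 * Returns 0 on non-x86 builds. */
uint64_t time_cpuid_once(void) {
#if defined(__x86_64__) || defined(__i386__)
    unsigned a, b, c, d;
    uint64_t t0 = __rdtsc();
    __cpuid(0, a, b, c, d);   /* serializing, so t1 is read after it retires */
    uint64_t t1 = __rdtsc();
    return t1 - t0;
#else
    return 0;
#endif
}

int main(void) {
    static uint64_t s[SAMPLES];
    for (size_t i = 0; i < SAMPLES; i++) s[i] = time_cpuid_once();
    printf("median CPUID cost: %llu cycles -> %s\n",
           (unsigned long long)median_cycles(s, SAMPLES),
           hypervisor_suspected(s, SAMPLES, 1000) ? "hypervisor suspected" : "looks bare-metal");
    return 0;
}
```

Run it on the same machine on bare metal and inside a VM to see the gap; a hypervisor that offsets the TSC to hide it is exactly the case where the cross-check against other clocks and counters becomes necessary.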
www.matasano.com/log


1 comment:
Actually, Vitriol was released at the same time as BluePill at the last conference by Dino Dai Zovi, a Matasano alumnus.