July 5th, 2007
Let users virtualize Vista because hypervisor rootkits are no threat
* Ryan Naraine is on vacation.
Guest editorial by Thomas Ptacek
Several weeks ago, reports surfaced that the threat of super-sophisticated “hypervisor malware” was preventing Microsoft from allowing its Windows Vista Home Edition operating system to run within virtualization software. Now, Microsoft may have a lot of good reasons for restricting Vista virtualization. But hypervisor malware shouldn’t be one of them, and at this year’s Black Hat security conference, a team of researchers including myself, Nate Lawson from Root Labs, and Peter Ferrie from Symantec will take the stage to prove it.
Some back story is in order. At last year’s Black Hat conference, security researcher Joanna Rutkowska made a splash with “Blue Pill”, a prototype rootkit (.pdf) that “invisibly” backdoors Windows Vista by installing a malicious hypervisor. Hypervisors are the kernels of virtualization systems like VMware, and Joanna’s clever attack, called “hyperjacking”, uses X86 hardware directly to virtualize a running operating system out from under itself.
Hyperjacking appears devastatingly effective, because it allows the underlying X86 hardware to betray detection tools. If you can’t trust the software, and you can’t trust the operating system, and you can’t trust the hardware, how can you possibly detect something like Blue Pill?
As luck would have it, Dino Dai Zovi, then a teammate of mine at Matasano, also presented a hypervisor rootkit at Black Hat ‘06, called Vitriol (.pdf). After taking stock of Rutkowska’s work, we quickly decided that rather than competing with Blue Pill to weaponize virtualized malware, it’d be more interesting to square off against her and try to defeat hyperjacking altogether. At Black Hat this year, Joanna’s team is set to announce advancements in Blue Pill designed to make it even harder to detect. And instead of a new version of Vitriol, I’m working with a team of researchers to counter her.
Hypervisor malware seems hard to defeat, but it isn’t. Hardware virtualization offers great power to malware that can harness it. But with great power comes great responsibility. In the case of Blue Pill, that’s the responsibility of providing a pitch-perfect replica of the X86 platform it seizes control of. And that’s hard, because there’s much more to the X86 platform than meets the eye. That includes chipset features, obscure timing sources, and even hardware bugs, or “errata”, that sneak into the finished version of any chip. To hide a rootkit in a hypervisor, Blue Pill has to emulate all of that. To detect Blue Pill, our team only has to find one place she missed.
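An added illustration of that asymmetry (example code, not from the article or the researchers it names): the detector does not have to out-engineer the hypervisor, only catch one discrepancy it failed to hide. This probe times the CPUID instruction, which a hardware hypervisor must intercept, using the time-stamp counter; the 1000-cycle threshold, the 64-sample size and the constructed test values are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#include <x86intrin.h>
/* Cycles spent in one CPUID, bracketed by rdtsc. CPUID always causes a VM
 * exit under VT-x/AMD-V, so a hypervisor adds a large cost it must hide. */
static uint64_t cpuid_cycles(void) {
    unsigned a, b, c, d;
    uint64_t start = __rdtsc();
    __cpuid(0, a, b, c, d);
    uint64_t end = __rdtsc();
    (void)a; (void)b; (void)c; (void)d;
    return end - start;
}
#define HAVE_X86_TIMING 1
#else
static uint64_t cpuid_cycles(void) { return 0; }  /* no rdtsc/cpuid here */
#define HAVE_X86_TIMING 0
#endif

static int cmp_u64(const void *x, const void *y) {
    uint64_t a = *(const uint64_t *)x, b = *(const uint64_t *)y;
    return (a > b) - (a < b);
}

/* Median (not mean) so one stray interrupt cannot skew the result; 0 if empty. */
uint64_t median_cycles(const uint64_t *samples, size_t n) {
    if (n == 0) return 0;
    uint64_t *copy = malloc(n * sizeof *copy);
    if (!copy) return 0;
    for (size_t i = 0; i < n; i++) copy[i] = samples[i];
    qsort(copy, n, sizeof *copy, cmp_u64);
    uint64_t m = copy[n / 2]; free(copy);
    return m;
}

/* Heuristic: bare-metal CPUID costs hundreds of cycles, a VM exit thousands;
 * the threshold is an assumption the caller tunes for the machine at hand. */
int looks_virtualized(const uint64_t *samples, size_t n, uint64_t threshold) {
    return median_cycles(samples, n) > threshold;
}

int main(void) {
    uint64_t s[64];
    if (!HAVE_X86_TIMING) { puts("rdtsc/cpuid unavailable"); return 0; }
    for (size_t i = 0; i < 64; i++) s[i] = cpuid_cycles();
    printf("median CPUID cost: %llu cycles\n", (unsigned long long)median_cycles(s, 64));
    puts(looks_virtualized(s, 64, 1000) ? "likely virtualized" : "likely bare metal");
    return 0;
}
```

A hypervisor that offsets the time-stamp counter can mask this one check, which is why the editorial points at less obvious timing sources, chipset features and errata rather than any single test.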
Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.