Thursday, June 28, 2007

The Purple Pill?

This story highlights one of the problems in Internet security.

Joanna Rutkowska has been talking about "hypervisor rootkits", a way of creating undetectable malware on a machine. It's pretty cool stuff, regardless of how you look at it. However, she describes it as being "100% undetectable", which of course challenges other researchers to prove that it is indeed detectable. They have challenged her to infect one of their systems at random, betting that they can detect it.

However, Joanna has already admitted that her Blue Pill can be detected in a laboratory setting. What she is claiming is that vendors won't be able to ship a product that will detect it in practice.

What this is highlighting is how much of what happens in our industry is done in "bad faith". One of those challenging Joanna is Nate Lawson. If you'll remember, earlier this year Lawson attacked Barnaby Jack, claiming that he unjustly hyped a presentation for CanSecWest. As it turns out, Barnaby's presentation was about something new and interesting, and the press article talking about it was 100% non-hype. Barnaby delivered, as promised, a "new class of attacks target[ing] embedded devices". Lawson was wrong.

In much the same fashion, Lawson is ignoring Joanna's comments that her stuff can be detected in a laboratory, and has challenged her to a laboratory test. They created rules that do not address what Joanna has already claimed. They bet her that if she installs a hypervisor rootkit on one of their machines, they can detect it in the laboratory.

What would a good-faith bet be? They should publish a hypervisor detection tool on their website, then challenge Joanna to create a hypervisor that evades it. They should challenge the rest of us to install it on our machines to prove that it is robust and doesn't cause problems (like slowing our machines down). Better yet, they should provide source for their tool with BSD licensing so that anti-virus vendors can include it with their offerings.

All of this is largely theoretical. I don't see botnets using Blue Pill technology yet (although that's because it's so easy to evade detection that they don't need more advanced techniques). I likewise don't see vendors providing defense for this. The entire debate is like betting whether Batman could beat Spiderman in a fight. The only relevance this debate has is to the spooks at the NSA worried about Chinese hackers installing rootkits in the DoD. And for the NSA, Joanna has an easy answer: don't worry about detection, just worry about defense, and install a hypervisor on all your machines that prevents another hypervisor from being loaded.


David Maynor said...

This is just crazy, everyone knows Batman would win!

Robert Graham said...

Keep dreaming, appleboy! Spiderman would totally pwn Batman in the face!

Thomas Ptacek said...

You know, I always did think one of the problems with "our industry" was Nate Lawson.

Let me get this straight.

You run a company with an official policy of not releasing Apple findings back to Apple so that they can fix them, instead selling them to your pentest and "Hacker Eye View" program.

And your problem with our challenge is that we haven't explained to you how we're going to open-source the code?

You seem to think this challenge is about whether or not BluePill is detectable "outside of a lab setting". I would love to hear more of your thoughts about why hypervisor malware is only detectable in a lab.

As long as I don't have to pay for those thoughts.

Robert Graham said...

As I've said before, we'll notify Apple of all our vulns as soon as they publish their vuln handling policy. We want an Apple where engineers run vuln handling and focus on fixing them, not an Apple where the notorious spin doctors are in control.

I have no opinion on this one way or the other, although I'd probably side with you that nothing is 100%. I'm just pointing out that you didn't actually challenge her claims, you instead challenged something else that she didn't claim. It's like challenging somebody to break into a machine remotely, but disabling the network adapters. You need to make a few changes to your challenge to disprove what she claimed.

alexandru said...

There seem to be other people thinking it's not that hard to find out if a VMBR is present:

Compatibility is Not Transparency: VMM Detection Myths and Realities [research paper presented at USENIX 2007]

In a nutshell, timing attacks are the easiest way to determine the presence of a VMBR. It's probably the OS that should attempt detection, though, although I would suppose with the proper kernel hooks a security application could try to do that too.

Robert Graham said...

Joanna has quasi-accepted the challenge on her site. I'm interested to see where this goes next. I'm rooting for Joanna, but I suspect ultimately she won't be able to invest enough time in it.

George said...

Why not disable VT or AMD-V in the BIOS so that you don't need to worry about it?

Nicholas Weaver said...

Given an external time/reference source and knowledge of the CPU specs, there are so many items which can be measured, e.g. from the Garfinkel et al. paper.

Also, if allowed to reboot and the rootkit is persistent, there is always the Ghostbuster trick of Yi Min Wang.
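The "timing attack" that alexandru and Nicholas Weaver refer to, as an added example that is not code from the original post, from Blue Pill, or from the paper cited above. CPUID causes an unconditional VM exit under Intel VT-x and is intercepted by real-world hypervisors on AMD-V as well, so its latency, measured with RDTSC, jumps from a couple of hundred cycles natively to thousands when a hypervisor is present. The function names, the 1000-cycle threshold and the sample count are assumptions chosen for illustration; the threshold in particular should be calibrated per machine. The code is x86/x86-64 only and reports "no data" elsewhere.

```c
/*
 * Added example (not from the post, Blue Pill, or the cited paper): a local
 * timing check for a hardware-assisted hypervisor.  CPUID exits to the
 * hypervisor unconditionally under VT-x, so its RDTSC-measured latency is
 * the cheapest discrepancy to look for.  x86/x86-64 only; elsewhere the
 * sampler returns 0 and the verdict is "no data".
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#include <x86intrin.h>
#define HAVE_X86 1
#else
#define HAVE_X86 0
#endif

/* Assumed threshold: native CPUID is on the order of 100-300 cycles; a VM
 * exit plus re-entry is well over 1000.  Calibrate on a known-clean box. */
#define SUSPICIOUS_CYCLES 1000u

/* One sample: TSC ticks spent in a single CPUID(0).  RDTSC is not a
 * serializing instruction, so individual samples are noisy; the caller
 * collects many and takes the median. */
static uint64_t time_cpuid_once(void)
{
#if HAVE_X86
    unsigned a, b, c, d;
    uint64_t t0 = __rdtsc();
    __cpuid(0, a, b, c, d);
    uint64_t t1 = __rdtsc();
    (void)a; (void)b; (void)c; (void)d;
    return t1 - t0;
#else
    return 0;
#endif
}

static void sample_cpuid(uint64_t *out, size_t n)
{
    for (size_t i = 0; i < n; i++)
        out[i] = time_cpuid_once();
}

static int cmp_u64(const void *x, const void *y)
{
    uint64_t a = *(const uint64_t *)x, b = *(const uint64_t *)y;
    return (a > b) - (a < b);
}

/* Median of n >= 1 samples.  Sorts a copy so the input is untouched.  The
 * median, unlike the mean, is not dragged upward by the occasional interrupt
 * or context switch landing inside a measurement. */
static uint64_t median_u64(const uint64_t *samples, size_t n)
{
    uint64_t *copy = malloc(n * sizeof *copy);
    if (!copy)
        return 0;
    memcpy(copy, samples, n * sizeof *copy);
    qsort(copy, n, sizeof *copy, cmp_u64);
    uint64_t m = copy[n / 2];
    free(copy);
    return m;
}

/* Verdict: 1 = hypervisor suspected, 0 = looks native, -1 = no usable data
 * (no samples, or all samples zero because RDTSC was unavailable). */
static int hypervisor_suspected(const uint64_t *samples, size_t n,
                                uint64_t threshold)
{
    if (n == 0)
        return -1;
    uint64_t m = median_u64(samples, n);
    if (m == 0)
        return -1;
    return m >= threshold ? 1 : 0;
}

int main(void)
{
    enum { N = 2000 };
    static uint64_t samples[N];

    sample_cpuid(samples, N);
    int verdict = hypervisor_suspected(samples, N, SUSPICIOUS_CYCLES);
    printf("median CPUID latency: %llu cycles\n",
           (unsigned long long)median_u64(samples, N));
    puts(verdict == 1 ? "hypervisor suspected (CPUID appears to VM-exit)"
       : verdict == 0 ? "no hypervisor evident from CPUID timing"
       : "no data (not x86, or TSC unreadable)");
    return 0;
}
```

Two caveats a practitioner would want. First, this detects a hypervisor, not a malicious one: the same check fires inside VMware, Xen or KVM, so on a machine that is supposed to be virtualized it proves nothing. Second, the hypervisor controls the guest's view of the TSC (VT-x has a TSC offset field in the VMCS), so a Blue Pill style rootkit that anticipates this test can subtract its own overhead from what RDTSC returns; that is why Weaver's external reference clock, or the broader resource-discrepancy measurements in the Garfinkel et al. paper, are harder to fool than a local RDTSC comparison alone.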