[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] Re: Regarding Xen security....

To: Mark Williamson <mark.williamson@xxxxxxxxxxxx>
From: Anthony Liguori <aliguori@xxxxxxxxxxxxxxxxxx>
Date: Tue, 16 Jan 2007 23:38:24 -0600
Cc: xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxx>, David Pilger <pilger.david@xxxxxxxxx>
Delivery-date: Wed, 17 Jan 2007 02:44:35 -0800
List-id: Xen developer discussion <xen-devel.lists.xensource.com>

Mark Williamson wrote:

The vast majority of this is, as Keith Adams put its, "quasi-illiterate
gibberish."

http://x86vmm.blogspot.com/2006/08/blue-pill-is-quasi-illiterate.html

Having VT/SVM doesn't really change anything wrt rootkits.  Most of what
is floating around is FUD.  There's nothing you can do today that you
couldn't do before VT/SVM.

This is true in some manner, it's just that VT/SVM let a rootkit hide
itself pretty well from the operating system that it is already
attacking. But no doubt it's FUD. At the other end though, Intel
invests a lot of efforts in marketing VT as a synonym for security.

I always thought the principle behind blue pill was quite sensible. It's notdemonstrating a fundamental flaw / bug in the hardware design (I'm not sureit was originally presented that way, although I've certainly seem it treatedas if it did).

I'm a bit bias on the subject but the author did announce her work witha paper claiming "100% undetectable malware". That simply isn't true.

Discussing the practicality of hiding malware is certainly aninteresting and research worthy topic. However, IMHO, VT/SVM reallydoesn't make it any easier than it was in the past.

You could always hook the IDT. That is considerably easier than settingup a full VT/SVM environment.


Regards,

Anthony Liguori

I see it as just a (rather neat and clever) proof of concept to show that theVMX/SVM extensions add a new class of attack and a new stealth mechanism forrootkits; no more no less. A heads-up to the security community. And worthpointing out, since existing rootkit detection mechanisms may not be able todetect it once the VMX stealthing is enabled...
I have a feeling that this research has both been reported to be much more,and much less than it really is. The important thing is that it doesn't opena new loophole, but does provide a new tool for attackers (and fordefenders!).
Cheers,
Mark



_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel

References:
- [Xen-devel] Regarding Xen security....
  - From: Praveen Kushwaha
- [Xen-devel] Re: Regarding Xen security....
  - From: Anthony Liguori
- [Xen-devel] Re: Regarding Xen security....
  - From: David Pilger
- Re: [Xen-devel] Re: Regarding Xen security....
  - From: Mark Williamson

Prev by Date: [Xen-devel] How to read/modify interrupt descriptor table in Xen
Next by Date: [Xen-devel] Re: [PATCH] qemu-dm monitor doesn't support the quit command
Previous by thread: Re: [Xen-devel] Re: Regarding Xen security....
Next by thread: [Xen-devel] [PATCH] Support newer microcode
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.