Security

Hacker Defeats Hardware-based Rootkit Detection

Manequintet writes "Joanna Rutkowska's latest bit of rootkit-related research shatters the myth that hardware-based (PCI cards or FireWire bus) RAM acquisition is the most reliable and secure way to do forensics. At this year's Black Hat Federal conference, she demonstrated three different attacks against AMD64-based systems, showing how the image of volatile memory (RAM) can be made different from the real contents of the physical memory as seen by the CPU. The overall problem, Rutkowska explained, is the design of the system that makes it impossible to reliably read memory from computers. "Maybe we should rethink the design of our computer systems so they are somehow verifiable," she said."

  • by LiquidCoooled ( 634315 ) on Sunday March 04, 2007 @12:08PM (#18226862) Homepage Journal
    I was under the impression that the only way to reliably detect a root-kit is to examine the system from another clean system?

    i.e. remove the drive/devices and check them all.

  • well (Score:1, Insightful)

    by mastershake_phd ( 1050150 ) on Sunday March 04, 2007 @12:15PM (#18226928) Homepage
    If Sony could rootkit your computer and your hardware couldn't tell, would they?
  • by JackHoffman ( 1033824 ) on Sunday March 04, 2007 @12:19PM (#18226958)
    The rootkits that are written to the disk aren't the biggest problem. Like you said, one can "simply" look at the drive from a clean system. The problem is with rootkits that are only installed in RAM, while the system is running. The attacker exploits some hole in an application or in the OS and then transfers the whole system into a virtual machine that looks exactly like the real thing, so the rootkit can't be detected from inside the OS. Nothing is written to disk, so when the system is powered down, the rootkit vanishes into thin air. Servers are unlikely to be powered down often and even if they are, the cracker can simply attack again. With the rootkit undetected, it is likely that the exploited bug has not been corrected. Common wisdom was that this type of attack can be detected by looking at the contents of the RAM in a way which bypasses the OS. The rootkit has to be somewhere, right? Well, according to this article, there is a way to hide the real RAM contents from hardware assisted forensic methods.
  • DRM (Score:3, Insightful)

    by Athrun Zala ( 1071446 ) on Sunday March 04, 2007 @12:27PM (#18227028)
    "Maybe we should rethink the design of our computer systems so they are somehow verifiable," she said."

    Yay, DRM in every piece of hardware to the rescue!
  • Re:DRM (Score:4, Insightful)

    by ymgve ( 457563 ) on Sunday March 04, 2007 @12:38PM (#18227094) Homepage
    Yay, DRM in every piece of hardware to the rescue!

    Sounds actually like the exact opposite. DRM tries to hide away things, while this would give devices the ability to see everything that goes on inside the system RAM.
  • by Eivind ( 15695 ) <eivindorama@gmail.com> on Sunday March 04, 2007 @12:45PM (#18227142) Homepage
    This stopped being funny like literally 2 decades ago, if ever it was.

    It's true that there are more males than females in CompSci, but the ones which are there are no more and no less attractive than the average girl in any other line of work. Same goes for the males.

    What the people in CompSci do share is an above-average passion for computing, abstract thinking and maths (or, if they don't, they don't belong in CompSci regardless of sex), but neither of these things has any influence on looks.

  • BIOS (Score:2, Insightful)

    by tepples ( 727027 ) <tepples.gmail@com> on Sunday March 04, 2007 @12:46PM (#18227152) Homepage Journal

    How would a rootkit install itself above a hypervisor on a box where the boot sector is on write protected FLASH?
    By flashing the BIOS.
  • by kscguru ( 551278 ) on Sunday March 04, 2007 @12:55PM (#18227226)
    Let's see ... last year, she got all over the headlines claiming that virtual machines are a Bad Idea because rootkits could use them to remain undetectable (even though virtual machine experts [blogspot.com] discounted her "trivially easy and left unimplemented" parts as technically intractable).

    And now a year later, she claims we need specialized hardware interfaces to scan memory for rootkits, even though this problem is laughably easy in the world of virtual machines.

    And on to the actual work [com.com] ... the research basically observes that MTRR registers (some of the MSRs in the CPU) can cause memory mappings to look different between the CPU and the northbridge, and then comes up with a pretty easy way to cause the northbridge to either lock up or read data that is different (really easy once you see the specs for the appropriate registers). And she totally ignores the possibility of a system defending itself against this attack by verifying the registers she's modifying. Lousy research, girl.

    Oddly enough, this "hack" is ALREADY IN USE ON YOUR SYSTEM and is actually necessary. See, when the processor is running in SMM (System Management Mode), it switches to exactly this configuration: the PCI bus sees VGA hardware mapped at the well-known address, but the processor maps the RAM at that address, which gives SMM mode a few kilobytes of memory that the normal system can't touch. SMM mode is used for things like "legacy USB devices" (e.g. having your USB keyboard act like PS/2 so DOS can use it) and other implement-in-software hacks that your OS doesn't know about, but your BIOS vendor gives you as "value-added features".
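One way to implement the defence kscguru proposes above (verifying that the CPU's range registers have not been altered), as an added Python example that is not code from any poster in this thread: it parses text in the Linux /proc/mtrr format and flags entries that differ from a saved baseline, plus any ranges that overlap. Both snapshots below are constructed sample data; which registers the research actually touched is not covered by this example.

```python
import re
from typing import Dict, List, Tuple

# Constructed baseline snapshot in /proc/mtrr format (sample data, not from the thread).
BASELINE = """\
reg00: base=0x000000000 (    0MB), size= 2048MB, count=1: write-back
reg01: base=0x0d0000000 ( 3328MB), size=  256MB, count=1: write-combining
"""
# Constructed "current" snapshot: reg01 has been re-pointed into the top of reg00's range.
CURRENT = """\
reg00: base=0x000000000 (    0MB), size= 2048MB, count=1: write-back
reg01: base=0x07fc00000 ( 2044MB), size=    4MB, count=1: uncachable
"""

LINE_RE = re.compile(
    r"^(reg\d+): base=0x([0-9a-f]+) \(.*?\), size=\s*(\d+)([MK])B, count=\d+: (\S+)$"
)
UNIT = {"M": 1024 * 1024, "K": 1024}

def parse_mtrr(text: str) -> Dict[str, Tuple[int, int, str]]:
    """Map register name -> (base, end_exclusive, memory type), sizes in bytes."""
    regs: Dict[str, Tuple[int, int, str]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unused registers are simply absent from /proc/mtrr
        name, base_hex, size, unit, kind = m.groups()
        base = int(base_hex, 16)
        regs[name] = (base, base + int(size) * UNIT[unit], kind)
    return regs

def overlaps(regs: Dict[str, Tuple[int, int, str]]) -> List[Tuple[str, str]]:
    """Pairs of registers whose physical ranges intersect (sorted by base)."""
    items = sorted(regs.items(), key=lambda kv: kv[1][0])
    found = []
    for i, (n1, (b1, e1, _)) in enumerate(items):
        for n2, (b2, e2, _) in items[i + 1:]:
            if b2 < e1 and b1 < e2:
                found.append((n1, n2))
    return found

def diff_snapshots(baseline: Dict, current: Dict) -> List[str]:
    """Names of registers added, removed, or changed since the baseline."""
    return [n for n in sorted(set(baseline) | set(current))
            if baseline.get(n) != current.get(n)]
```

On a live Linux host the same functions can be fed the contents of /proc/mtrr taken at install time and again later; a non-empty diff or overlap list is the signal to investigate.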

  • good luck... (Score:3, Insightful)

    by sholden ( 12227 ) on Sunday March 04, 2007 @01:20PM (#18227436) Homepage
    The MPAA/RIAA would just *love* it if there was a port on your motherboard you could just plug something into and get direct access to the contents of RAM, bypassing OS completely.
  • Quite the opposite (Score:3, Insightful)

    by Opportunist ( 166417 ) on Sunday March 04, 2007 @02:29PM (#18228054)
    We don't need DRM, we need truly "trusted computers". But not computers that some content industries trust, computers that we can trust. Computers where we can actually tap the wires and "listen" to what's going on inside.

    DRM is exactly the opposite. Locking away your computer's inner workings from you, taking away your chance to see what's going on inside.
  • by Anonymous Coward on Sunday March 04, 2007 @02:29PM (#18228058)
    The difference is that with HD-DVD / Blu-Ray players you *know* there is a key in there, so you will try different (unreliable) methods until you find it. For a rootkit, you're not sure if there is one to start with, so you'll never be sure when to stop searching if you're not finding any.
  • by andreyw ( 798182 ) on Sunday March 04, 2007 @09:14PM (#18232194) Homepage
    No technical information? Did you happen to miss Rutkowska's slides linked from the page? There is more than enough information, when coupled with the freely available manuals from AMD, to understand the issue at hand....
