Rutkowska Faces 'Blue Pill' Rootkit Challenge 223
Controll3r writes "Three high-profile security researchers — Thomas Ptacek of Matasano Security, Nate Lawson of Root Labs and Symantec's Peter Ferrie — have issued a challenge to Joanna Rutkowska to prove that her 'Blue Pill' technology can create "100 percent undetectable" malware. The Black Hat 2007 challenge will feature two untouched laptops of the make/model of Rutkowska's choosing for her to plant Blue Pill on one. From the article: 'She picks one in secret, installs her kit, sets them up however she wants,' Lawson explained in an interview. 'We get to install our software on both and run it, [and] we point out which machine [Blue Pill] is on. If we're wrong, she keeps the laptop.' No word on whether Rutkowska will accept the challenge."
Actually, this is good for the white hats..... (Score:2, Informative)
Either way, they can come out ahead here...
Re:More Laptops (Score:5, Informative)
http://theinvisiblethings.blogspot.com/ [blogspot.com]
"First, we believe that 2 machines are definitely not enough, because the chance of correct guess, using a completely random (read: unreliable) detection method is 50%. Thus we think that the reasonable number is 5 machines."
She then goes on to detail how at least one but no more than four of the machines are infected and that the detection method must be automatic and return only "infected" or "not infected" as output.
There are some other details she proposes, some of which are head-scratchers such as "The detector can not consume significant amount of CPU time (say > 90%) for more then, say 1 sec."
Whole thing sounds pretty interesting though
Re:More Laptops (Score:5, Informative)
http://rdist.root.org/2007/06/28/undetectable-hyp
Timing Analysis (Score:3, Informative)
There are many other sources of timing information in a computer. Serial ports, parallel ports, USB ports, ethernet ports, IO space reads and writes, disk operations, the RTC (real-time clock), etc. I haven't thought too hard about using any of these things in particular, but I would be very surprised if a hypervisor could alter the behavior of all of these things in such a way that they couldn't be used as an alternate source of timing information when determining if an instruction you suspect is being intercepted is taking "too long" or not.
Given 2 identicle computers (Score:3, Informative)
1. create dd dumps of both drives and run diffs on the images. Added benefit of also seeing if any lower level filesystem stuff was changed and not just files.
2. find / -type f -exec md5sum {} \; compare md5sums to find which files are different. Though this will cause a problem with storing the md5, maybe use a ram drive or exclude /media or /mnt.
The State Of The Challenge So Far (Score:5, Informative)
Helu. I'm Thomas Ptacek, one of the four challenge team members --- Slashdot left out Dino Dai Zovi, who kicked this off by writing a virtualized rootkit at Matasano last year.
Joanna has responded to our challenge [blogspot.com]. We invited her to stipulate any terms she deemed reasonable. She proferred:
You can probably predict our response [matasano.com].
Here's where it stands: all parties agree that by Black Hat '07, Blue Pill will not be in a state where it is hard to detect. Our detection techniques are likely to detect Blue Pill at Black Hat. Blue Pill requires six months of engineering time to get to a state where Joanna is confident that we can't detect it.
Here's why you care: a few weeks ago, Microsoft decided that Vista Home would not allow virtualization, in part because of the threat of virtualized malware. To the best of our knowledge, there have been two (2) real hypervisor rootkits ever produced: Joanna's Blue Pill, and Matasano's Vitriol. Neither has ever been seen in the wild, because neither has been released to the public. Meanwhile, our team is preparing to demonstrate at Black Hat this year that hypervisor malware is actually even easier to detect than the kernel malware operating systems like Vista are already exposed to.
Joanna's Blue Pill work, along with all the rest of her work (check out this project [matasano.com], where she turns AMD security hardware against forensics devices), is top-notch. In a weird, secretive space like security, this is how science gets done. Joanna chooses a side: it's possible to make undetectable malware. We square off on the opposite side. Then we debate it using code, presentations, papers, and I guess Slashdot stories. Hopefully, in the end, we all learn something.
Hope this stays interesting for everyone. Thanks for paying attention!
Debunking Blue Pill myth (Score:5, Informative)
Debunking Blue Pill myth [virtualization.info]
Re:How to win the challenge (Score:2, Informative)
"...it should be simple to find ANYTHING that was added to either one."
While it might not always have been simple, it was at least in theory possible to find anything installed on a computer prior to hardware virtualization technologies [wikipedia.org] being introduced. The crux of this new challenge is that the newer chips from Intel [intel.com] and AMD [amd.com] have support for cpu-based virtualization. In other words, they implemeted some of the hard parts of VMWare in the processor itself.
With one of these newer processors, the host operating system on a machine can prepare one of the CPU for a guest operating system to run in a virtual session. When the guest operating system issues an interrupt to interact with hardware, say to read a block off of the hard drive, then the processor would let the host operating system handle the request transparently to the guest operating system rather than letting the hardware itself process the request. This means that if someone could install a malicious virus in the place of the host operating system and have it run your OS as the guest operating system, then it should, in theory, be impossible for your guest operating system to detect the virus.
Perhaps another way of stating it is that the virus isn't actually added to the "machine" that the operating system runs in; the virus is actually added to a host machine outside of the one the operating system runs in. This is why this type of attack is referred to as a "blue pill" [wikipedia.org] attack. That name references the premise of the Matrix movies where the world that people thought they lived in was just a virtual world being hosted by a malicious "host world" in which other entities were taking advantage of the humans in the virtual world without their knowledge.
Re:Rutkowska is such a babe. (Score:5, Informative)
Re:More Laptops (Score:5, Informative)
There's another reason for not consuming huge amounts of CPU. The reason is fairly obvious once you think about it hard enough.
The simple test for a rootkit that puts the computer into a virtual machine (I'm assuming that's happening here) is to test for the performance impact of a VM. If you monopolize the CPU (disable interrupts to prevent anything else from being scheduled, etc.) and run some complex processing for several seconds, you would be able to easily detect the difference in time needed to complete the operation (assuming that all of the computers are otherwise configured identically).
Such a test, while workable in theory, is not workable in real-world practical use, and thus should not be allowed. Putting a time limit on detection prevents such theory-only tests from succeeding. The same for other impractical tests like scanning the entire surface of the disk for signatures, doing comparisons of expected versus actual disk I/O performance to look for virtualized hard drives, etc.