Security Threats 3 Levels Beyond Kernel Rootkits
Submitted by GhostX9
GhostX9 writes "Tom's Hardware recently interviewed security expert Joanna Rutkowska. Many think that kernel rootkits are the most dangerous attacks, but Joanna and her team have been studying exploits beyond Ring 0 for some time. Joanna is best known for the red pill/blue pill virtualization attack (Ring -1), and in this interview she chats a little about Ring -2 and Ring -3 attacks that go beyond kernel rootkits. What's surprising is how robust the classic BluePill proof-of-concept is:
'Many people tried to prove that BluePill is "detectable" by writing various virtualization detectors (but not BluePill detectors). They simply assumed that if we detect virtualization being used, this means that we are "under" BluePill. This assumption was made because there were no products using hardware virtualization a few years ago. Needless to say, if we followed this way of reasoning, we might similarly say that if an executable makes network connections, then it must surely be a botnet.'"
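To make the quoted point concrete, here is what a typical "virtualization detector" of that era actually does. This is an added example written for this page; it is not code from the interview, from Rutkowska's team or from the submitter. It reads the CPUID hypervisor-present bit (CPUID.1:ECX[31]) and the vendor signature leaf 0x40000000, and classifies the result. The verdict it can reach is only "some hypervisor is here", which today is as often a hosted VM, a cloud instance or a security product as anything malicious; it never reaches "BluePill is here". The vendor signatures are the ones KVM, VMware, Hyper-V, Xen and VirtualBox publish; the test vectors fed to the classifier are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Verdict of a CPUID-based probe. Note what it cannot say: it never
 * identifies *which* hypervisor sits beneath the OS, let alone whether
 * that hypervisor is malicious. */
enum vm_verdict {
    VM_NONE,            /* hypervisor-present bit clear */
    VM_KNOWN_VENDOR,    /* bit set, vendor leaf matches a shipping product */
    VM_UNKNOWN_VENDOR   /* bit set, vendor leaf unrecognised */
};

#define HV_PRESENT_BIT (1u << 31)   /* CPUID.1:ECX[31], reserved for hypervisors */

/* Vendor signatures that real products return in CPUID leaf 0x40000000
 * (EBX, ECX, EDX concatenated, 12 bytes, not NUL-terminated). */
static const char *const known_vendors[] = {
    "KVMKVMKVM\0\0\0", "VMwareVMware", "Microsoft Hv", "XenVMMXenVMM", "VBoxVBoxVBox"
};

/* Pure classifier over raw CPUID values, so it can be exercised with
 * constructed inputs on any host; vendor must point at 12 bytes. */
enum vm_verdict classify_cpuid(uint32_t leaf1_ecx, const char *vendor)
{
    if (!(leaf1_ecx & HV_PRESENT_BIT))
        return VM_NONE;
    for (size_t i = 0; i < sizeof known_vendors / sizeof known_vendors[0]; i++)
        if (memcmp(vendor, known_vendors[i], 12) == 0)
            return VM_KNOWN_VENDOR;
    return VM_UNKNOWN_VENDOR;
}

const char *verdict_text(enum vm_verdict v)
{
    switch (v) {
    case VM_NONE:           return "no hypervisor bit";
    case VM_KNOWN_VENDOR:   return "hypervisor present, known vendor";
    default:                return "hypervisor present, unknown vendor";
    }
}

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
/* Live probe on x86 hosts: fills in leaf 1 ECX and the 12-byte vendor
 * signature; returns 0 if CPUID leaf 1 is unavailable. */
int probe_cpuid(uint32_t *leaf1_ecx, char vendor[12])
{
    unsigned eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return 0;
    *leaf1_ecx = ecx;
    /* Leaf 0x40000000 is only meaningful when the bit above is set; on
     * bare metal the CPU returns unrelated data here, which is why the
     * classifier checks the bit first. */
    __cpuid(0x40000000, eax, ebx, ecx, edx);
    memcpy(vendor, &ebx, 4);
    memcpy(vendor + 4, &ecx, 4);
    memcpy(vendor + 8, &edx, 4);
    return 1;
}
#endif

int main(void)
{
#if defined(__x86_64__) || defined(__i386__)
    uint32_t ecx;
    char vendor[12];
    if (probe_cpuid(&ecx, vendor))
        printf("%s\n", verdict_text(classify_cpuid(ecx, vendor)));
#else
    puts("not an x86 host; feed captured CPUID values to classify_cpuid instead");
#endif
    return 0;
}
```

Two caveats follow directly from the code. First, VM_KNOWN_VENDOR on a cloud box or a developer's VM is the expected state, not a compromise, which is the false positive the quote describes. Second, CPUID always traps to the hypervisor under VT-x and AMD-V, so a hypervisor that wants to stay hidden can simply clear bit 31 and answer leaf 0x40000000 however it likes; VM_NONE is therefore not evidence of absence either. A detector for a specific rootkit has to look at what that rootkit does (timing, memory, DMA-visible state), not at whether virtualization exists.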