309249
submission
+- VM-based rootkits proved easily detectable-> on Sunday September 30 2007, @10:55PM paleshadows
Submitted
by
paleshadows
on Sunday September 30 2007, @10:55PM
background: url(//a.fsdn.com/sd/topics/topicsecurity.gif); width:59px; height:78px;
security
paleshadows writes "A year and a half has passed since
SubVirt, the first VMM (virtual machine monitor) based rootkit, was introduced.
The idea spawned two lively slashdot discussions:
the first, which followed
the initial report about SubVirt,
and
the second, which was conducted after
Joanna Rutkowska
has
recycled the idea (apparently without giving credit to the initial authors).
Conversely, in this year's HotOS workshop,
researchers from Stanford, CMU, VMware, and XenSource have published a paper titled
"
Compatibility Is Not Transparency: VMM Detection Myths and Realities"
which shows that VMM-based rootkits are actually easily detectable.
The introduction of the paper explains that
"While commodity VMMs conform to the PC architecture, virtual implementations of this architecture differ substantially from physical implementations. These differences are not incidental: performance demands and practical engineering limitations necessitate divergences (sometimes radical ones) from native hardware, both in semantics and performance. Consequently, we believe the potential for preventing VMM detection under close scrutiny is illusory — and fundamentally in conflict with the technical limitations of virtualized platforms."
The paper concludes by saying that
"Perhaps the most concise argument against the utility of VMBRs (VM-based rootkits) is: "Why bother?" VMBRs change the malware defender's problem from a very difficult one (discovering whether the trusted computing base of a system has been compromised), to the much easier problem of detecting a VMM.""
Link to Original Source
"While commodity VMMs conform to the PC architecture, virtual implementations of this architecture differ substantially from physical implementations. These differences are not incidental: performance demands and practical engineering limitations necessitate divergences (sometimes radical ones) from native hardware, both in semantics and performance. Consequently, we believe the potential for preventing VMM detection under close scrutiny is illusory — and fundamentally in conflict with the technical limitations of virtualized platforms."
The paper concludes by saying that
"Perhaps the most concise argument against the utility of VMBRs (VM-based rootkits) is: "Why bother?" VMBRs change the malware defender's problem from a very difficult one (discovering whether the trusted computing base of a system has been compromised), to the much easier problem of detecting a VMM.""
Link to Original Source
I've run DOOM more in the last few days than I have the last few
months. I just love debugging ;-)
(Linus Torvalds)
All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.
VM-based rootkits proved easily detectable 0 Comments More Login /
Get More Comments