Exclusive Interview: Going Three Levels Beyond Kernel Rootkits

Taking The BluePill

Alan: The "kernel-level" rootkit is the one that gets all of the attention in the mainstream press. In this situation, the operating system kernel itself is compromised. Since there is nothing with a higher level of access, there's no ability to "look down" and search for the virus. That is, with a kernel rootkit, when an anti-virus wanted to scan "infected.file," I could substitute a "clean.file" instead without anyone knowing.

Joanna: Right, the advantage of kernel-level rootkits over user-mode rootkits became pronounced after the various anti-virus products started to rely on kernel-mode agents to perform, for example, filesystem scans.

Having the two opponents (a rootkit and an A/V) operating at the same privilege level (ring 0) doesn't mean that either of the two is a clear winner in the long term. In fact, in the long term there is always a draw. It’s that malware usually wins in the short-term, and this is pretty bad because, for malware, it is just enough to survive a few weeks (or days maybe even) to do its job.

Alan: The kernel rootkit was thought to be the exploit with potentially complete stealth and limitless damage potential...

Joanna: No, it has never been. Since the early days of kernel-mode rootkits, even the original on Linux/*BSD back in the 90's, people have been coming up with various kernel-mode detectors for known types of rootkits or rootkit hooking.

Alan: Hold on, chicken and egg. When you have a kernel rootkit, it’s like the DOS era again. You could come up with the slickest kernel-mode detectors for detecting other kernel rootkits, but if I had a slick kernel rootkit, my version n+1 could detect your detector and then thwart that. That’s in contrast to a perfectly designed operating system where I’m the bad guy forced to operate in user-mode, and you’re the security guard operating in the kernel. You’d always have the upper hand and the only way to sneak around you is a bug in the software that lets me get into Ring 0. 

Joanna: Yes.

Alan: So the whole point of all the last 10 minutes was to emphasize the idea that it’s all about being one privilege level “more secure” than your opponent. For the sake of nomenclature, the smaller the number, the more access. So let’s talk about "Ring -1" exploits and your “blue pill."

Joanna: Ring -1 is an informal name, coined when AMD and Intel introduced hardware-based CPU virtualization (AMD-V and VT-x) some three years ago. Those new technologies introduced a new operating mode, which is called the "root mode" or "host," depending on which vendor spec you read. This has been informally called "Ring -1" to stress the fact that the hypervisor has more privileges than the OS kernel that was usually in Ring 0.

I wrote BluePill in 2006 to demonstrate how this hardware virtualization technology can be abused by malware to create a stealthy hypervisor and move, on the fly, the running OS into a virtual machine controlled by this stealthy hypervisor.

Suppose we had a system integrity scanner, something that would be able to monitor all of the kernel code, data structures, and function pointers to see if any of them have been hooked. Even such an ideal scanner would be unable to detect BluePill-like malware. This is because, unlike all the previous kernel-mode rootkits, BluePill doesn't hook anything in the kernel code or data. It just sits above the kernel, and doesn't need to modify it in any way.

Another unique feature of BluePill, which has made it truly one of its kind, is its support for nested virtualization--one can load BluePill, and then, inside the virtual machine created by BluePill, start a normal hypervisor like Xen or Virtual PC (that itself makes use of VT-x/AMD-v). You can even load several instances of BluePills inside each other. I'm actually quite proud of this nested virtualization support!

Many people tried to prove that BluePill is "detectable" by writing various virtualization detectors (but not BluePill detectors). They simply assumed that if we detect a virtualization being used, this means that we are “under” BluePill.

This assumption was made because there were no products using hardware virtualization a few years ago. Needless to say, if we followed this way of reasoning, we might similarly say that if an executable makes network connections, then it must surely be a botnet.

Alan: Let’s clarify then. If I’m legitimately running inside a virtual machine and I have access to all of the tools that are out there, you’re saying that I can’t tell if the virtual machine manager (or hypervisor) has been compromised by BluePill? I can use the virtualization detector, but I already know I’m supposed to be virtualized!

Joanna: Yes, detecting virtualization versus detecting if your (legitimate) hypervisor has been itself bluepilled are two different things.

Alan: So the only reason the virtualization detection strategies work is that, in my host/root operating system, I shouldn’t be in a virtual machine and if I am, something’s fishy?

Joanna: Theoretically, you can try to do time profiling of certain instructions in order to measure if, or how many, additional "layers" of nested hypervisors are above your legitimate one. We showed that at Black Hat last year when talking about bluepilling the Xen hypervisor. But that's a very tricky approach, which is very sensitive to the actual implementation of the hypervisor that sits directly above us (the legitimate one)--we need to perfectly know its timing characteristics to be able to "extract signal from the noise." I think such an approach to solve the problem of BluePill-like malware, although well suited for an academic paper (lots of charts!), is a blind avenue. To make it clear though, I don't believe we will see BluePill-like malware in the wild anytime soon because the currently-used, good old kernel-mode malware seems to work just fine. The anti-virus industry sucks at even detecting and preventing against this kind of threat. So, there is little incentive for the organized crime to migrate towards a much more complex technology. Of course, we security researchers should not wait, and start thinking now about how to make sure such malware will never get into the wild. One solution is Intel TXT (Ed.: that's Trusted Execution, for those of you who don't know) technology, that we, however, bypassed a few months ago at Black Hat DC earlier in February.

Comment from the forums
  • johnbilicki
    I presume 4GB is limiting on a casual-use laptop because Joanna also runs virtual operating systems on her general purpose laptop?

    How did you two end up talking about Macs instead of something like rootkits or other things more relative to Joanna's line of work?

    As a web developer, security is very important, though I find it's fairly easy in most regards, as attacks, bots, spammers, etc. overwhelmingly (though not always) use the same approach methods, so there are plenty of patterns that differentiate from normal web traffic. Easy isn't where the fun is though. I'm curious as to the parallels with software in general?
    6
  • truehighroller
    I think she has very nice fat looking lips. xD
    -15
  • johnbilicki
    truehighroller: I think she has very nice fat looking lips. xD

    ...not to pick a fight truehighroller...but I don't think most women would find such a statement very "welcoming". Nerd girls rock a hundred times more than girls with only cliche interests, but comments such as yours aren't only unwelcome or alienating to most women, they annoy those like myself who highly appreciate women with more refined qualities. Show some dignity and respect and stay on topic or please go elsewhere.
    11
  • Anonymous
    Interesting interview, and kudos for treating her as a "security expert" and not as a "female security expert".

    In the majority of interviews with young female professionals the interviewer "just has to mention" their hair colour, clothes or makeup. Nice to see a break from that rather tiresome practice.
    11
  • Humans think
    I also use Macs myself (also windows systems and linux ones), but I had to say it: Alan Dang you sure are an Apple fanboy :P
    This woman knows what she is talking about, I think I am in love :)
    7
  • Anonymous
    thx for spending the time to discuss this complex world in easy to understand terminology. good luck with the R-3 presentations!
    -austinmc
    3
  • haplo602
    read the interview because I was curious about the girl on the picture. turned out to not even be interesting.

    f.e. the bluepill thing. ok you can jail the OS into a VM transparently. Now what can you do? you have to implement a mini OS by yourself into the hypervisor to do anything useful (i.e. data collection), you need to read the FS, interrupt the network etc. the only useful thing is to infect the system again after it was cleaned (again you need to know the FS). but since the AV knows you are there, it knows what to do about it.

    ok AV vendors are a step behind (or 2), but once they figure out the attack vector and means, you are done and have to come up with a new attack technology. there are only limited options available on each architecture that change with each revision, so the AV companies win in the end by closing all the gaps they know about.

    these are only backdoors to break the AV protection or work in a dimension higher than the AV protection. however the useful data is still on the same level as the AV protection (user space).
    -1
  • candide08
    Being SUCH an obvious fanboy makes me suspect many other aspects of your judgment. Please TRY to stay objective.
    6
  • coolkev99
    Interesting... and way over my head. Yet I couldn't help but feel like they were trying to out-geek each others commments.

    She is to nerds what nerds are to normal people. Don't get me wrong, much respect and admiration!
    5
  • Anonymous
    An interesting and informative article, but there is a lot of self praise and back slapping; seems that these folks are not the geniuses they make themselves out to be:
    http://en.wikipedia.org/wiki/Blue_Pill_(malware)
    -1
  • bounty
    Wayne963, I'm not sure I get your point. They also made red pill and discussed at length in the interview about being able to detect a hypervisor, but that fingerprinting it would be a bitch.

    haplo602, that's like arguing that taking control of the memory doesn't get you anywhere, you still have to read the FS, implement sniffing routines etc. While the AV may know it's there, it doesn't have final say. VM says remove kav.exe, kav.exe says 'nooooooooooooooo' as it's being deleted. kav.exe stops bothering VM.
    0
  • redeye
    I find her hot!, but I have no chance (of course); that body was/now only satisfied by a girl!...
    -7
  • haplo602
    bounty: haplo602, that's like arguing that taking control of the memory doesn't get you anywhere, you still have to read the FS, implement sniffing routines etc. While the AV may know it's there, it doesn't have final say. VM says remove kav.exe, kav.exe says 'nooooooooooooooo' as it's being deleted. kav.exe stops bothering VM.

    well the issue is as I described. you cannot delete anything from outside the OS unless you ask the OS to do so. and once you do, the AV will catch it.

    taking control of the memory only enables you to see what others see. it's like network man-in-the-middle attacks. they too are not detectable (or very hard to do), yet you still have to decode the data you are capturing to use it and you have to interrupt the data stream with very accurate data to alter it. this only leads to content encryption being your last stop.

    look at DRM in Vista and expand it to all the data. what you get is a virtualised OS that is a blackbox for the rootkit. so you have control of the memory, but it's no use to you. simple and effective. of course there are performance hits etc., but this we already get with each new windows version :-))
    0
  • thejerk
    I lost interest in the entire article as soon as she began speaking of how pretty her Mac is... seriously. I don't care how talented she is, now. I'm annoyed.

    I just bought my girlfriend a Kate Spade baby bag. I bet Joanna thinks it's beautiful, too.
    -3
  • DarkMantle
    thejerk +1 hahahaha, it was the same for me. I lost interest after that too.
    -3
  • Shadow703793
    This is so ironic. Talking of security, I spent the last 2 hours getting Bastille to work on SUSE. (lol, it should have been only 10 minutes, but my perl install went to dependency hell).

    For those that run Linux, it's a very good idea to get Bastille up and running. Also read: Hacking Linux Exposed 2nd ed

    Bastille: http://bastille-linux.sourceforge.net/
    2
  • Shadow703793
    *damn the submit button and the lack of editing*

    Anyways, good to know a few people actually know what the hell they are talking about. These people should help the gov't because, unlike most at the gov't, these people have knowledge. (Cybersecurity any one? :lol: Any one who uses that term should be wiped with CAT5e cable :P).

    @Author: WTH is up with the Mac stuff?
    4
  • 222222
    In 2006 she claimed she created the 100% undetectable rootkit, Blue Pill. When invited to challenge, she rejected unless she is paid 400,000$ to do its rootkit better claiming this is "funny challenge".

    So she lied in order to get some publicity.

    - stupid claims
    - arrogant behavior
    2
  • maximiza
    222222 did she dump you or something? probably 400 g's is chump change to her. Look at D.C. I think in general if you have enough resources any I/O system can be compromised. Since people are imperfect their designs will always be imperfect. I had a Ti99/4a too, the speech programming was a blast.
    0
  • Marcus52
    thejerk: I lost interest in the entire article as soon as she began speaking of how pretty her Mac is... seriously. I don't care how talented she is, now. I'm annoyed. I just bought my girlfriend a Kate Spade baby bag. I bet Joanna thinks it's beautiful, too.

    If that's all you got from her talk, then you are too clueless to get what she was talking about to begin with. It's good you didn't read the article because it clearly would have been a waste of your time.

    The important parts you missed were 1) OS X is no more secure than Windows, and both are more secure than Linux distros, and 2) She'd go with Windows and PC hardware over OS X and Apple's hardware choices unless aesthetics are more important to you than what Windows provides.

    If you are out to burst Apple's bubble, as I am, this article is an indictment of Apple's claims, not a fan-girl advertisement.
    0