Dailydave mailing list archives

redpill vs. Microsoft rootkit...


From: Joanna Rutkowska <joanna () invisiblethings org>
Date: Mon, 13 Mar 2006 22:28:00 +0100


I find it quite funny that my little redpill, which many people used to
consider malicious, can now be used to detect advanced rootkits, like
the one from MS Research:

http://www.eecs.umich.edu/Rio/papers/king06.pdf

It's interesting how some technology, which was invented as offensive or
defensive at some point in time, within the next few years starts being
used in exactly the opposite way...

The SIDT attack (redpill) and the use of Virtual Machines to implement
rootkits are just one example. We also remember TLB tricks used by PaX a
few years ago to prevent exploitation, and now we can see almost the same
techniques exploited by the Shadow Walker rootkit. How about executable
packing/morphing? Originally used by legal applications to make cracking
difficult, then used by malware to make signature scanning hard (or was
it in the reverse order?), and now used by rootkit detectors to defend
against implementation-specific attacks. We also see Dave using his
canvas technology to implement nematodes, the good worms... Is this some
kind of "natural balance in nature" thing?

OK, back to technical discussion - I must say that I really enjoyed
reading this paper about VM based rootkits (especially the emulated
power-off mode;), but didn't quite like how they addressed the SIDT attack
(AKA redpill) against the VMM... Basically they just check (from within the
VMM) if the program which the guest OS is going to load is redpill.exe and,
provided it is, they set up a breakpoint at the SIDT instruction... this
is what we call a "holly_father-like attack" ;) But the truth is that
they were not able to do it in any other way, just because the ia32
architecture is buggy by design (BbD ;) and doesn't support 100%
virtualization...

It's maybe a good time to say (before people start advising having
redpill.exe run regularly as part of everybody's anti-rootkit defender
toolkit) that redpill was more of a joke rather than a usable tool...
It naively assumes that if the IDT address is greater than the magic number
0xd0000000 then we're inside a VM. It should be clear that this is just a
*very* simple heuristic, which used to work in the past on most of the
systems I tested, but today will probably generate lots of false
positives, especially on systems having lots of physical memory and
having more than one CPU/core.

It seems that the most reliable way of implementing a redpill-like
detector would require it to also have a kernel mode component, which
would execute SIDT in ring0 (allowing the VMM to happily emulate it) and
then compare it with the IDT addresses returned by SIDT run in ring3
(which cannot be caught by the VMM)... Yes, this is yet another example of
cross view based detection... It also means that VMBR is not SbD. It's
also not type II :P But it is still very cool :)

If you really don't know what this whole redpill discussion is about,
you might want to check out this old paper for some background info:

http://invisiblethings.org/papers/redpill.html

joanna.
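
The heuristic and the cross-view check discussed in the message above, as an added example (not code from the original post or from the redpill tool): it decodes the raw IDTR image that SIDT stores in memory, applies the 0xd0000000 threshold, and compares a ring-0 view against a ring-3 view. The sample byte strings (including the long-mode address 0xfffffe0000000000) are constructed assumptions, and the live SIDT read only compiles on x86.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Threshold of the original redpill heuristic, as quoted in the mail. */
#define REDPILL_THRESHOLD 0xd0000000ULL

/* IDTR as SIDT stores it: 16-bit limit, then the 32- or 64-bit base, little-endian. */
typedef struct { uint16_t limit; uint64_t base; } idtr_t;

/* Decode raw SIDT output; len is 6 (32-bit image) or 10 (64-bit image). */
idtr_t decode_idtr(const uint8_t *raw, size_t len) {
    idtr_t r = {0, 0};
    size_t base_bytes = (len >= 10) ? 8 : 4;
    r.limit = (uint16_t)(raw[0] | (raw[1] << 8));
    for (size_t i = 0; i < base_bytes; i++)
        r.base |= (uint64_t)raw[2 + i] << (8 * i);
    return r;
}

/* Original redpill: an IDT base above the magic number means "inside a VM". */
bool redpill_heuristic(const idtr_t *r) { return r->base > REDPILL_THRESHOLD; }

/* Cross-view check from the mail: the ring-0 view (which a VMM can emulate)
 * should agree with the ring-3 view (which classic IA-32 cannot trap). */
bool cross_view_mismatch(const idtr_t *ring0, const idtr_t *ring3) {
    return ring0->base != ring3->base || ring0->limit != ring3->limit;
}

/* Constructed sample IDTR images, not captured from any real system. */
static const uint8_t SAMPLE_NATIVE32[6] = {0xff, 0x07, 0x00, 0x50, 0x03, 0x80}; /* 0x80035000 */
static const uint8_t SAMPLE_GUEST32[6] = {0xff, 0x07, 0x00, 0x00, 0x00, 0xff};  /* 0xff000000 */
static const uint8_t SAMPLE_NATIVE64[10] = {0xff, 0x0f, 0, 0, 0, 0, 0, 0xfe, 0xff, 0xff}; /* 0xfffffe0000000000 */

#if defined(__x86_64__) || defined(__i386__)
/* Live ring-3 SIDT (x86 only). Kernels with UMIP enabled may return a dummy IDTR. */
idtr_t read_idtr_ring3(void) {
    struct __attribute__((packed)) { uint8_t b[10]; } raw = {{0}};
    __asm__ __volatile__("sidt %0" : "=m"(raw));
    return decode_idtr(raw.b, sizeof(void *) == 8 ? 10 : 6);
}
#endif

int main(void) {
    /* Any long-mode kernel IDT sits far above 0xd0000000: the false positive the mail warns about. */
    idtr_t n64 = decode_idtr(SAMPLE_NATIVE64, sizeof SAMPLE_NATIVE64);
    printf("64-bit native sample: base=0x%llx redpill=%d\n",
           (unsigned long long)n64.base, redpill_heuristic(&n64));
    return 0;
}
```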

