funsec mailing list archives

RE: eWeek: Government-Funded Startup Blasts Rootkits


From: "Justin Polazzo" <jpolazzo () thesportsauthority com>
Date: Tue, 25 Apr 2006 09:25:55 -0600


-----Original Message-----
From: Technocrat [mailto:dj.technocrat.listmail () gmail com] 
Sent: Tuesday, April 25, 2006 8:45 AM
To: Justin Polazzo
Cc: Larry Seltzer; funsec () linuxbox org
Subject: Re: [funsec] eWeek: Government-Funded Startup Blasts Rootkits

How would this product handle VM malware? Sure, this isn't a huge threat
at this time...but it should be looked at.

http://www.eecs.umich.edu/virtual/papers/king06.pdf

I don't see any reason why a VM couldn't cloak a rootkit from a
PCI/Parallel OS device. Comments? Input?

IMHO, no detection method is foolproof and the "good guys" are currently
losing the cat and mouse game...perhaps this will give us the step ahead
for a short time.

------------

Copilot apparently looks for anomalies in the OS and system calls. I
wouldn't think that it would matter if it was a virtual OS or an
"actual" one, as long as the PCI card was looking at the commands coming
into the processor. If the HDD OS loaded the PCI card, then this
wouldn't be easy to accomplish. If the PCI card booted first, then this
wouldn't be a problem, I think.

I am getting into areas I don't know much about, but that's how we learn
eh?

Can the PCI device be the first one to boot, then boot the HDD OS (which
would then boot its own VM images)?

If not, then I would imagine that the PCI device requires drivers, and
that the drivers can be corrupted as well, and that this device wouldn't
be all that secure.

-JP<who is in over his head>

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.