funsec mailing list archives
Re: Microsoft Makes Concessions to Security Software Makers
From: Blue Boar <BlueBoar () thievco com>
Date: Sun, 15 Oct 2006 12:52:53 -0700
Dude VanWinkle wrote:
> One way to defend against Blue Pill is to disable the virtualization capability in the processors, but that makes no sense. "People spent years developing those new processors with virtualization, and now you buy those new processors just to disable the virtualization, right? Where's the logic?" she asked.
It was off by default on the Dell Precision 380 I was using. Or maybe the person who had the machine before me turned it off, I can't tell. I didn't even notice for a while. You would have no reason to use it at all, until you wanted to do some VM work. In my case, I had even been using VMware for a couple of days with it off, and it wasn't until I tried to use a 64-bit guest OS that it complained.
So I kinda have to disagree with her there. If something is a potential risk, and I'm not using it, why wouldn't I turn it off?
> A more practical defense is for Microsoft to disable the paging of kernel memory in Vista, which means loading the kernel code and drivers, approximately 80MB of data, into main memory. This would prevent Blue Pill from accessing the kernel and executing code. "Who cares about 80MB? That's why I'm so surprised that even though I showed this attack at the end of July at the SysCan conference, it still hasn't been fixed in RC1," Rutkowska said, referring to the latest preproduction version of Vista.
That is confusing one method of getting code to run in the kernel with blue pill itself. They are separate.
> Disabling the paging of kernel memory doesn't seem like too much to ask for. Maybe MS has removed that in the latest build. I guess an admin could also turn off the paging file altogether and mitigate this issue for machines with processors that support virtualization, so at least there is a workaround.
I agree that that is probably a fine default, and I'm not sure why they don't just set that setting.
BB

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
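As an added example that is not part of the thread, this PowerShell audit reports the two mitigations the discussion settles on: kernel code and drivers kept out of the pagefile (the DisablePagingExecutive registry value, or no pagefile at all) and whether hardware virtualization is currently enabled in firmware. The function name is my own; the VirtualizationFirmwareEnabled property is assumed to be present (Windows 8 and later) and is reported as null elsewhere.

```powershell
# Added example, not code from the thread or from Microsoft.
# Reports the Blue Pill mitigations discussed above on the local host.
function Get-BluePillMitigationStatus {
    # Memory Management key that controls paging of the kernel-mode executive.
    $mmKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $dpe = (Get-ItemProperty -Path $mmKey -Name DisablePagingExecutive `
            -ErrorAction SilentlyContinue).DisablePagingExecutive
    if ($null -eq $dpe) { $dpe = 0 }   # absent value means the default: paging allowed

    # With no pagefile configured, kernel memory cannot be paged out either
    # (the "turn off the paging file altogether" workaround from the thread).
    $pageFiles = @(Get-CimInstance -ClassName Win32_PageFileUsage -ErrorAction SilentlyContinue)
    $kernelPagingBlocked = ($dpe -eq 1) -or ($pageFiles.Count -eq 0)

    # Firmware-level VT state; assumed property, $null on hosts that lack it.
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $vtEnabled = $cpu.VirtualizationFirmwareEnabled

    if (-not $kernelPagingBlocked) {
        $finding = 'Kernel memory may be paged; set DisablePagingExecutive=1 (reboot) or remove the pagefile'
    } elseif ($vtEnabled -eq $true) {
        $finding = 'Kernel paging blocked; VT still enabled (expected if this host runs VMs)'
    } else {
        $finding = 'Kernel paging blocked; VT disabled or not reported by firmware'
    }

    [pscustomobject]@{
        DisablePagingExecutive = $dpe
        PageFileCount          = $pageFiles.Count
        KernelPagingBlocked    = $kernelPagingBlocked
        VTEnabledInFirmware    = $vtEnabled
        Finding                = $finding
    }
}

Get-BluePillMitigationStatus | Format-List
```

Reading the registry and CIM classes needs no elevation, so the check can run as an ordinary user; changing DisablePagingExecutive does require administrator rights and takes effect only after a reboot.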