funsec mailing list archives

Re: Malware plays Defense


From: Valdis.Kletnieks () vt edu
Date: Fri, 05 Oct 2007 11:15:24 -0400

On Fri, 05 Oct 2007 09:09:22 EDT, der Mouse said:

> Software cannot tell when it's running under emulation, if the
> emulation is sufficiently good; this just means that VMware is not
> "sufficiently good" for those purposes.  There must be something
> they're not emulating correctly (where "correctly" here means "the way
> real hardware does it").

Right. The problem is that some pieces are really hard to emulate well enough.

> Perhaps someone should approach the VMware people about producing a
> version that *is* "sufficiently good"?

There may be hardware issues that prevent it.  You basically have 2 ways you
can do a virtual machine:

1) Software emulate each opcode, which allows (at least in theory) a 100%
chance of doing a perfect emulation, but which comes with some nasty performance
hits.

2) Let the software run natively, but in a box that traps all traps and privileged
opcodes and emulates those.  This allows it to run at near-hardware speed, but
has a hardware-dependent issue:

You're screwed if there's a non-privileged opcode that will reveal which ring
or privilege level you're running in (as you need to be in a lower-priv ring
than expected in order to cause the traps and interrupts that drive the
emulation).

The 32-bit x86 architecture is *known* to not be fully virtualizable, as are
earlier 64-bit from both AMD and Intel.  So basically, if you're on an x86
chipset that doesn't have the VM extensions, you're *known* to be screwed,
and the jury is still out on whether the VM extensions are sufficient, or if
there's still errata and loopholes.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
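
Added example, not part of the original post: a toy Python model of the two approaches described in the message above, showing why a non-privileged opcode that reveals the ring breaks trap-and-emulate. The opcode names, ring numbers and function names are hypothetical and constructed for illustration.

```python
# Toy model; opcode names and ring numbers are constructed for illustration.
REAL_RING = 3     # ring the VMM actually runs the guest kernel in
VIRTUAL_RING = 0  # ring the guest kernel expects to be in

# opcode -> True if the CPU traps on it outside ring 0 (privileged)
OPCODES = {"ADD": False, "LOAD_PAGE_TABLE": True, "READ_RING": False}


class Trap(Exception):
    """Raised when a privileged opcode is issued outside ring 0."""


def hardware_execute(op, ring):
    """What the bare CPU does with one opcode at the given ring."""
    if OPCODES[op] and ring != 0:
        raise Trap(op)
    if op == "READ_RING":
        return ring          # non-privileged, yet reveals the ring
    return "done"


def run_full_emulation(op):
    """Approach 1: every opcode is interpreted against virtual state."""
    return hardware_execute(op, VIRTUAL_RING)


def run_trap_and_emulate(op):
    """Approach 2: run natively at REAL_RING; the VMM emulates only what traps."""
    try:
        return hardware_execute(op, REAL_RING)
    except Trap:
        return hardware_execute(op, VIRTUAL_RING)  # VMM's emulation of the opcode


def divergent_opcodes(runner):
    """Opcodes whose result differs from real hardware running at ring 0."""
    return [op for op in OPCODES
            if runner(op) != hardware_execute(op, VIRTUAL_RING)]


if __name__ == "__main__":
    print("full emulation leaks:", divergent_opcodes(run_full_emulation))
    print("trap-and-emulate leaks:", divergent_opcodes(run_trap_and_emulate))
```

Marking READ_RING as privileged in the table makes the second list empty, because the opcode then traps and the VMM can answer with the virtual ring.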
