Let the computer swallow the Blue Pill and take control of it. This is an interesting issue in the recent ‘Security Now! Podcast #54’. It’s amazing that the concept in the ‘Matrix’ movie comes to the real world. After googling the internet, I found that this is really a hot topic in the field of information security these days.
Joanna Rutkowska, the most mentioned name in my search result pages, is the one who carried out the idea. In her own interpret ion, the Blue Pill works in the following steps:
1. The computer – actually the operation system – swallows the Blue Pill at such circumstances as executing an intentional script or program in which way most malware start their plot.
2. The Blue Pill grab the HyperVisor privilege of the computer on-the-fly which means no reboot is needed.
3. The Blue Pill then take over the full control of the host OS using its HyperVisor power and place the OS in a Virtual Machine environment while the OS will never feel anything about this disastrous alternation.
Just as we are running another OS via Virtual PC program in our Host System, power on the machine or shutting it down as we like, the Blue Pill can perform any unexpected tricks to the VM mode OS. What an impact it brings to the security of our computer!
As is claimed by Joanna, the Blue Pill root kit is un-detectable since it’s not relying on any flaws or bugs of the victim OS and all the actions to be taken are on-the-fly. As a result, neither the operation system nor the user will found any clues. Furthermore, when the Blue Pill rip off the HyperVisor privilege, it can make any camouflages needed to keep away from those scanning process. After all, the OS is under virtual machine mode which means its just a toy in the hand over the Blue Pill.
According to Joanna’s explanation, the Blue Pill mechanism relies on Hardware layer technology which has be provided by the latest AMD chip – SVM, an CPU level support for virtualization. Also, Joanna established a prototype of the Blue Pill with a small Blue Pill program in C Language which can take effect on Windows Vista running on the new AMD chip.
However, there are also different voices. Toward the claim-to-be invincible Blue Pill, Anthony Liguori from IBM Linux Technology Center shows different attitude. He argued that the ideal effect claimed for Blue Pill is impossible. There two aspects he held for his contradiction.
1. The self-aware problem.
The host OS is still able to detect whether its running under a VM mode. This is the most controversial point while Joanna, the establisher, insists that detection is by no means implemental.
2. The clock-time problem.
There will be a considerable difference in the time of instruction execution between VM and non-VM OS which can be a critical clue to check whether the system has been taken over by the Blue Pill. According to Anthony, the clock-cycle can be sub-categorized to two types: internal and external. Though he confessed that the internal clock-time problem can be concealed due to the HyperVisor privilege of the Blue Pill, the external one is unavoidable.
Though he didn’t demonstrate a detailed method to support his arguments, there is a feasible principle illustrated by the host of the podcast ‘Security Now!’ and I’ll mention this later in my passage.
An optimistic manner kept by Anthony upon the Blue Pill threat, he yet gave a passive solution by recommending the manufacturer of the chip turning off the virtualization function on the CPU side.
Differ from the sharp positions hold by Joanna and Anthorny, Steve Gibson and Leo Laporte in the ‘Security Now!’ podcast organized a neutral discussion on the Blue Pill Issue.
Firstly, they demonstrated a common routine taken by general malware root kit to hide from detection: process hiding and file hiding. As for me, when I feel any suspicious mal-function or slow reaction in my computer, I would check the process list in the task manager and then search for evil files on my hard drive with the help of the anti-virus tools. So, a malware usually tries its best to conceal itself both in the process list and the file filter. The process list is a chained data structure—the task monitor maintains a pointer to the first process and each process has a pointer to the next process. When we open the task monitor in Windows, processes are sequentially visited and listed according to the chain structure. In order not to be found in the task monitor, an evil process break the chain at the node of itself by removing the pointer to itself from the predecessor object and link the pointer of the predecessor to the next process. As a result, the evil process disappears in the task monitor. Regarding the file hiding, the principle is similar. When the search procedure is enumerating the files, the root kit extracts its related files from the file list by intercepting the search API so as not to be displayed in the result.
The root kits of the general malware are always detectable owing to the common mechanism they employed—API hooking. And API hooking skill is traceable. Therefore, anti-malware tools can always give warnings when system is haunted. However, when it comes to the Blue Pill attack, problem shifts. The malware encapsulated in the Blue Pill can surpass the OS level and operate without bothering the APIs.
Besides showing us the terrible situation after the system is intruded by the Blue Pill, Steve also described possible ways to detect the Blue Pill threat in detail for Anthony’s arguments.
In Anthony’s words, Blue Pill is detectable. Steve partially agrees with him. He picked out some registers in the AMD chip which supports CPU-level virtualization and is now the best seedbed for Blue Pill. The value of such registers can indicate whether the Host OS is under VM mode or not. However, considering the HyperVisor privilege of the swallowed Blue Pill, it can still ‘filter’ such read-operation to these critical registers which means the value reflected from these VM-stated related registers can still be camouflaged if actions are taken by the Blue Pill.
Another weak point of Joanna’s Blue Pill prototype is more focus-worthy – the clock cycle delay problem. As we all know, OS performs obvious different in efficiency between VM mode and non-VM mode. Steve mentioned the RDMSR instruction particularly to figure out that the time stamp result can easily tell whether the system in VM mode. In his explanation, normal cycle time is around 90 while in VM mode it can rocket to 2100. But, here comes the same problem for auto detection via time stamp as the first solution meets – register reading filter controlled by the Blue Pill. The return value of the time stamp can still be changed by the malware if it hopes to. Then, Steve gave another idea about the time stamp detection – Manual Detection (external clock cycle as is mentioned by Anthony). Since the unit for time is extremely small, if such kind of detection is expected, the time stamp checking operation needs to be performed over millions of times to reveal the perceptible delay the users. And what seems to be ridiculous is that the user will have to tap their stopwatch every few hours or even minutes to ensure their system is not abducted.
In Steve and Leo’s perspective, the Blue Pill is not a brand new concept. The research department of Microsoft has established a similar program named ‘SubVirt’ which can achieve similar functions as Blue Pill does. However the Blue Pill is more advanced in the following ways.
1. SubVirt requires system reboot to take effect while Blue Pill is all on-the-fly.
2. SubVirt is hardware based in the way it store its root kit on the hard drive while Blue Pill just slip in to the memory without leaving any clues on the hard drive.
3. SubVirt is detectable while Blue Pill claims to be not.
Joanna Rutkowska also wrote a small program called Red Pill which can run tell whether the OS is under VM mode or not in and only in VM Station and Virtual PC environment. The Red Pill checks a certain offset in the memory to make the judgment. The Red Pill and Blue Pill seems to be a pair of spear and shield but currently the Blue Pill gets the run upon the other owing to its HyperVisor privilege.
Steve believes that the Blue Pill would be a big problem for Microsoft Vista OS and his advice for Microsoft is produce their its own Blue Pill first and get the highland of the computer before other Blue Pills try to intrude.
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
