
Virtualization and Security – Part 2

In my last blog posting, I asserted that, from a security point of view, virtualization is very much a two-edged sword. Nothing supports this assertion better than Blue Pill, the rootkit that security researcher Joanna Rutkowska presented as 100 percent undetectable. It sidesteps the Vista integrity check that is meant to stop unsigned code from being loaded into the kernel, and it hides itself by using AMD's Secure Virtual Machine (SVM) extensions, hardware virtualization support that was designed to boost security: the rootkit installs itself as a thin hypervisor underneath the running operating system, which keeps running as a guest without being aware of it. In short, something intended to elevate security can be subverted to cause security nightmares.

If a completely undetectable rootkit existed, it would indeed be a catastrophe from a security perspective. Fortunately, however, it is not at all clear that Ms. Rutkowska's claims are justified; the question of whether this rootkit can be detected is far from resolved. It is true that most well-known rootkit detectors cannot find Blue Pill. At the same time, the rootkit is relatively new, and many researchers are working on code to detect it. In time, it is highly probable that one of them will succeed. Additionally, not long ago two researchers from a well-known anti-virus software company challenged Ms. Rutkowska's assertion that the rootkit is completely undetectable. They proposed a test involving two identically configured computers, both running Vista and the same set of applications. One of the two would, unbeknownst to the challengers, be infected with Blue Pill; the other would not. The challengers would then have to inspect both machines themselves and determine which one was infected. If they succeeded, they would, according to the terms of the challenge, win a prize: Ms. Rutkowska's own computer. If they failed, Ms. Rutkowska would win theirs. Ms. Rutkowska backed down, and in so doing lost considerable credibility. After all, if Blue Pill is so undetectable, why wouldn't its developer stand behind that assertion in the face of such a challenge?

Since that faceoff, I have attended her presentation on Blue Pill at a recent conference. She appears to have shifted her position from claiming that the rootkit is undetectable to proposing possible ways of detecting a rootkit of this nature. In this respect she has been wise, because in computer science absolute claims seldom hold up. In simple terms, she has proposed running a trusted hypervisor beneath the virtual machines so that it can monitor what happens inside each VM, which makes it possible to detect malicious conditions and events that the guest itself cannot see.
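As an added illustration (not from the original post and not Ms. Rutkowska's code), the probe below demonstrates one widely discussed approach to finding a hypervisor that hides the way Blue Pill does. Under hardware virtualization the CPUID instruction always forces a VM exit into the hypervisor, so on an infected machine it costs far more cycles than on bare metal. The program samples that cost many times, takes the median to blunt interrupt and scheduling noise, and compares it against a threshold. It also reads the CPUID "hypervisor present" bit, which cooperative hypervisors set and a hiding one simply does not, to show why that cheap check proves nothing on its own. The threshold of 1000 cycles, the sample count, and the function names are assumptions chosen for illustration; a real detector calibrates the threshold per machine. The code is x86-specific and compiles to a no-op measurement elsewhere.

```c
/* Added example (not from the original post): timing-based probe for a hidden
 * hypervisor. CPUID traps to the hypervisor under AMD SVM / Intel VT-x, so a
 * hiding hypervisor makes CPUID measurably slower than native execution.
 * The threshold, sample count and names below are assumptions for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#include <x86intrin.h>
#endif

#define SAMPLES 256

/* Cycles taken by one CPUID(0). Returns 0 on non-x86 builds where rdtsc/cpuid
 * do not exist; CPUID itself is serializing, which is good enough here. */
static uint64_t time_cpuid_once(void) {
#if defined(__x86_64__) || defined(__i386__)
    unsigned a, b, c, d;
    uint64_t start = __rdtsc();
    __cpuid(0, a, b, c, d);
    uint64_t end = __rdtsc();
    (void)(a + b + c + d);
    return end - start;
#else
    return 0;
#endif
}

static int cmp_u64(const void *x, const void *y) {
    uint64_t a = *(const uint64_t *)x, b = *(const uint64_t *)y;
    return (a > b) - (a < b);
}

/* Median of n samples: robust against the occasional interrupt or preemption
 * that inflates a single measurement. */
uint64_t median_cycles(const uint64_t *samples, size_t n) {
    uint64_t *copy = malloc(n * sizeof *copy);
    if (!copy || n == 0) { free(copy); return 0; }
    memcpy(copy, samples, n * sizeof *copy);
    qsort(copy, n, sizeof *copy, cmp_u64);
    uint64_t m = copy[n / 2];
    free(copy);
    return m;
}

/* 1 if the median CPUID cost is consistent with a VM exit, 0 if it looks native. */
int looks_trapped(uint64_t median, uint64_t threshold_cycles) {
    return median > threshold_cycles;
}

/* Cooperative check: CPUID.1:ECX bit 31 is the "hypervisor present" bit.
 * A hypervisor that wants to stay hidden does not set it, so 0 proves nothing;
 * only a 1 is informative. Returns 0 on non-x86 builds. */
int hypervisor_bit_set(void) {
#if defined(__x86_64__) || defined(__i386__)
    unsigned a, b, c, d;
    if (!__get_cpuid(1, &a, &b, &c, &d)) return 0;
    return (int)((c >> 31) & 1u);
#else
    return 0;
#endif
}

/* Fill out[] with n CPUID timings; one warm-up call is discarded first. */
void sample_cpuid_cost(uint64_t *out, size_t n) {
    (void)time_cpuid_once();
    for (size_t i = 0; i < n; i++) out[i] = time_cpuid_once();
}

int main(void) {
    uint64_t samples[SAMPLES];
    sample_cpuid_cost(samples, SAMPLES);
    uint64_t med = median_cycles(samples, SAMPLES);
    /* Assumed threshold: a VM exit costs on the order of a thousand-plus cycles,
     * native CPUID on the order of a hundred. Calibrate on a known-clean host. */
    const uint64_t threshold = 1000;
    printf("hypervisor-present bit: %d\n", hypervisor_bit_set());
    printf("median CPUID cost: %llu cycles -> %s\n",
           (unsigned long long)med,
           looks_trapped(med, threshold)
               ? "CPUID is being trapped (a hypervisor is likely present)"
               : "consistent with bare metal");
    return 0;
}
```

Two caveats a practitioner should keep in mind: a hiding hypervisor can also intercept RDTSC and subtract its own overhead, which is exactly why the later discussion moved toward timing against an external clock, and a machine legitimately running under a hypervisor (a cloud VM, for instance) will trip this probe as well, so it establishes that a hypervisor is present, not that it is malicious.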

Ms. Rutkowska's proposal makes considerable sense. An unmonitored virtual environment is an invitation to major trouble, because a guest cannot be trusted to report on a layer that sits beneath it. The moral of the story, therefore, is that security must be ubiquitous; it must permeate every function and process, even when that function or process is virtual.
