From owner-freebsd-questions@FreeBSD.ORG Thu Jun 12 00:45:54 2008
From: Jeffrey Goldberg
To: dfeustel@mindspring.com
Cc: FreeBSD List
Subject: Re: FreeBSD and User Security
Date: Wed, 11 Jun 2008 19:45:51 -0500
In-Reply-To: <20080612001713.D1B718FC1B@mx1.freebsd.org>
References: <20080612001713.D1B718FC1B@mx1.freebsd.org>
X-Mailer: Apple Mail (2.924)
List-Id: User questions

On Jun 11, 2008, at 7:17 PM, dfeustel@mindspring.com wrote:

> A relatively new security threat known as 'The Blue Pill', based upon
> hardware, is a class of virtual rootkits that can silently take over
> Intel and AMD systems. A good site to visit to learn about these
> virtual rootkits is http://invisiblethings.org/index.html.

That is simple (in concept) yet absolutely brilliant!

I'm sure that people much smarter than I am have thought about these
things more carefully than I have, but I'm not convinced that a blue
pill would be completely undetectable.

First, it should consume memory. A very complete test of memory through
a modified memtest should be able to detect whether system-reported
memory is accurate.

Secondly, a blue pill would need to be reinserted after a hard reboot.
Therefore a look at the boot process (of a non-live system) should be
able to see whether there is something that reinserts the blue pill.

But even if detection is possible in these ways, a Blue Pill would be
extremely difficult to detect once inserted, and so the focus would have
to be entirely on prevention.

Again, these are just my first thoughts after looking at this very
briefly. The people who come up with this stuff and do proper analysis
are both smarter and more knowledgeable than I am.

Cheers,

-j

--
Jeffrey Goldberg http://www.goldmark.org/jeff/