From: cpghost <cpghost@cordula.ws>
To: Jeffrey Goldberg
Cc: FreeBSD List <freebsd-questions@freebsd.org>, dfeustel@mindspring.com
Date: Thu, 12 Jun 2008 03:08:51 +0200
Subject: Re: FreeBSD and User Security
Message-ID: <20080612030851.032afa26@epia-2.farid-hajji.net>
References: <20080612001713.D1B718FC1B@mx1.freebsd.org>
Organization: Cordula's Web
X-Mailer: Claws Mail 3.4.0 (GTK+ 2.12.9; i386-portbld-freebsd7.0)

On Wed, 11 Jun 2008 19:45:51 -0500
Jeffrey Goldberg wrote:

> On Jun 11, 2008, at 7:17 PM, dfeustel@mindspring.com wrote:
>
> > A relatively new security threat known as 'The Blue Pill', based
> > upon hardware, is a class of virtual rootkits that can silently
> > take over Intel and AMD systems. A good site to visit to learn
> > about these virtual rootkits is http://invisiblethings.org/index.html.
>
> That is simple (in concept) yet absolutely brilliant! I'm sure that
> people much smarter than I am have thought about these things more
> carefully than I have, but I'm not convinced that a blue pill would
> be completely undetectable.
>
> First it should consume memory. A very complete test of memory
> through a modified memtest should be able to detect whether system
> reported memory is accurate.

What if memtest already runs within the virtualization box? How can it
determine what the "right" amount of memory is supposed to be? And if
the virtualizer hot-patched memtest instructions, either on loading it
or dynamically while it runs, it could make it report whatever it liked.

> Secondly, a blue pill would need to be reinserted after a hard
> reboot. Therefore a look at the boot process (of a non-live system)
> should be able to see whether there is something that reinserts the
> blue pill.

Yes, but you've got to have a very close look at it, as it won't
necessarily appear on the screen -- being caught as well by the
virtualizer. And Joanna also has a paper about fooling hardware capture
cards into reporting bogus data on her site, so you won't even be able
to detect that RAM contains something else upon boot than those hardware
capture cards are supposedly reporting.

If all this is as she's described, it is truly brilliant from a
technical POV... and a very worrying thought as well.

> But even if detection is possible these ways, a Blue Pill would be
> extremely difficult to detect once inserted, and so the focus would
> have to be entirely on prevention.
>
> Again, these are just my first thoughts after looking at this very
> briefly. The people who come up with this stuff and do proper
> analysis are both smarter and more knowledgeable than I am.
>
> Cheers,
>
> -j

-cpghost.

-- 
Cordula's Web. http://www.cordula.ws/