From owner-freebsd-questions@FreeBSD.ORG Thu Jun 12 02:05:56 2008 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 0EA04106567E for ; Thu, 12 Jun 2008 02:05:56 +0000 (UTC) (envelope-from davidfeustel@comcast.net) Received: from QMTA07.westchester.pa.mail.comcast.net (qmta07.westchester.pa.mail.comcast.net [76.96.62.64]) by mx1.freebsd.org (Postfix) with ESMTP id 56DD08FC14 for ; Thu, 12 Jun 2008 02:05:55 +0000 (UTC) (envelope-from davidfeustel@comcast.net) Received: from OMTA02.westchester.pa.mail.comcast.net ([76.96.62.19]) by QMTA07.westchester.pa.mail.comcast.net with comcast id cftj1Z00S0QuhwU570RT00; Thu, 12 Jun 2008 02:05:54 +0000 Received: from localhost ([69.245.196.200]) by OMTA02.westchester.pa.mail.comcast.net with comcast id cq5t1Z00M4KuD453Nq5tgK; Thu, 12 Jun 2008 02:05:54 +0000 X-Authority-Analysis: v=1.0 c=1 a=LH20ZSsilgtKXbwzrYIA:9 a=V0lz2HFBxEotia8MA4AA:7 a=9zd6Ya_0x4SozwHy1BQrKl3iM9oA:4 a=uzNOzFAVD0cA:10 a=LY0hPdMaydYA:10 From: dfeustel@mindspring.com To: Jeffrey Goldberg In-Reply-To: <81EBB0C0-AC7A-42EE-A128-BA70ADCC336B@goldmark.org> Message-Id: <20080612020555.56DD08FC14@mx1.freebsd.org> Date: Thu, 12 Jun 2008 02:05:55 +0000 (UTC) Cc: cpghost , FreeBSD List Subject: Re: FreeBSD and User Security X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 12 Jun 2008 02:05:56 -0000 On Wed, Jun 11, 2008 at 08:51:16PM -0500, Jeffrey Goldberg wrote: > On Jun 11, 2008, at 8:08 PM, cpghost wrote: > >> On Wed, 11 Jun 2008 19:45:51 -0500 >> Jeffrey Goldberg wrote: > >>> First it should consume memory. A very complete test of memory >>> through a modified memtest should be able to detect whether system >>> reported memory is accurate. > >> What if memtest already runs within the virtualization box? How can it >> determine what the "right" amount of memory is supposed to be? > > I was assuming that that would be known by the operator. > >> And if >> the virtualizer hot-patched memtest instructions, either on loading it >> or dynamically while it runs, it could make it report whatever it >> liked. > > Of course. > >>> Secondly, a blue pill would need to be reinserted after a hard >>> reboot. Therefore a look at the boot process (of a non-live system) >>> should be able to see whether there is something that reinserts the >>> blue pill. > >> Yes, but you've got to have a very close look at it, as it won't >> necessarily appear on the screen -- being caught as well by the >> virtualizer. And Joanna also has a paper about fooling hardware >> capture cards into reporting bogus data on her site, so you won't >> even be able to detect that RAM contains something else upon boot >> than those hardware capture cards are supposedly reporting. > > Yes. I've now read through some of Rutowska's slides (following the link > provided by dfeustel in another post in this thread). > >> If all this is as she's described, it is truly brilliant from a >> technical POV... and a very worrying thought as well. > > Yes it is worrying. The next time I reboot the one server I've got with an > SVM capable processor I'm going to disconnect the power (to make sure that > I'm getting a real reboot instead of a spoofed one) and then on reboot I > will disable SVM in the BIOS. How do you know that the bios has not been reflashed by a virus, trojan, or rootkit?