DISQUS

Fionnbharr Davies · 2 years ago

Looks like Joanna has turned the contest around and given you the short straw, haha. Her blog post pretty much says that it's not even half finished so of course you'll be able to detect it with all your fancy timing tricks. Not to mention she'll get the source code to these tricks after the competition and it's not like you don't already have a similar rootkit so you don't get much out of that transaction.

This is interesting indeed!

one.miguel · 2 years ago

Yeah, and she wants you to find sponsors to pay her $384,000 so she can play! Six months, two developers @ $200/hr per developer to develop blue pill = lame.

Nate · 2 years ago

I've posted my response to Joanna here.

Thomas Ptacek · 2 years ago

I don't think having our source code is going to help her make Blue Pill less detectable, even in the medium-short term.

What I do like is, "you can't peg the CPU for more than a second because it will be a drag for users". Like the performance cost of having SVM/VTX enabled isn't?

Technocrat · 2 years ago

Will you agree on an OS to use? XP? Vista?

Thomas Ptacek · 2 years ago

I'm assuming it's Vista, but don't have a strong opinion.

Nicholas Weaver · 2 years ago

Does the rootkit have to be persistent? Can the system BIOS be write protected?

If so, there is always Yi Min Wang's Ghostbuster trick from Microsoft Research.

Persistent stealthy rootkits, in the face of a defender who can reboot the system and has a trusted BIOS and trusted media, are always detectible, unless the rootkit author solves the program-intent-detection problem (aka, the AV version of the Halting problem), gives up on stealth (not a rootkit), or gives up on persistent (reboot clears rootkit)

Thomas Ptacek · 2 years ago

No, Joanna's rootkit doesn't persist itself.

Nathan McFeters · 2 years ago

Is anyone else as excited for blackhat this year as any in recent history? I'm looking forward to this showdown!