<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0"><channel><title>Matasano Chargen - Latest Comments in You Can Detect Hypervisor Rootkits Even If You&#8217;re Virtualized</title><link>http://matasanochargen.disqus.com/</link><description></description><language>en</language><lastBuildDate>Tue, 25 Sep 2007 18:32:40 -0000</lastBuildDate><item><title>Re: You Can Detect Hypervisor Rootkits Even If You&#8217;re Virtualized</title><link>http://www.matasano.com/log/955/you-can-detect-hypervisor-rootkits-even-if-youre-virtualized/#comment-2323096</link><description>Maybe I'm missing something here... Can we not independently calculate the fingerprint of a given hypervisor in a "known good state" then check for a change in that value?</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">jgunnoe</dc:creator><pubDate>Tue, 25 Sep 2007 18:32:40 -0000</pubDate></item><item><title>Re: You Can Detect Hypervisor Rootkits Even If You&#8217;re Virtualized</title><link>http://www.matasano.com/log/955/you-can-detect-hypervisor-rootkits-even-if-youre-virtualized/#comment-2323095</link><description>Peter's right.  One thing I think I figured out from talking to Joanna is that she expects things to be different this time around.  (I'm unsure why she has that viewpoint, given her own talk on how Vista's approach fails to keep out bugs in third-party drivers or signing an intentionally buggy driver.)&lt;br&gt;&lt;br&gt;Remember how NT was a microkernel and everything was external services?  Look at it today.  Microsoft is trying to push back with Kernel Patch Protection (i.e. PatchGuard) but fundamentally, third-party code will always be able to run in ring 0.&lt;br&gt;&lt;br&gt;So why will the hypervisor be any different?  Hypervisors have to implement at least a mini-OS, and nearly all of those are based on Linux or Windows.  So your kernel rootkit will work just fine in the hypervisor, once you've found a way to load it.  
And if that becomes common, scanning for malware in the hypervisor will also appear, as Rich is suggesting.&lt;br&gt;&lt;br&gt;And so it goes...</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Nate</dc:creator><pubDate>Wed, 05 Sep 2007 03:08:07 -0000</pubDate></item><item><title>Re: You Can Detect Hypervisor Rootkits Even If You&#8217;re Virtualized</title><link>http://www.matasano.com/log/955/you-can-detect-hypervisor-rootkits-even-if-youre-virtualized/#comment-2323082</link><description>Why not just use safeaccess to detect the presence of a rootkit?</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Mitch Ashley</dc:creator><pubDate>Tue, 04 Sep 2007 17:19:20 -0000</pubDate></item><item><title>Re: You Can Detect Hypervisor Rootkits Even If You&#8217;re Virtualized</title><link>http://www.matasano.com/log/955/you-can-detect-hypervisor-rootkits-even-if-youre-virtualized/#comment-2323094</link><description>A compromised hypervisor - not BluePill - is the future.  Future hypervisors will support third-party plug-ins, and they will become the targets, just as third-party kernel-mode drivers are now.&lt;br&gt;Once a hypervisor is compromised, we have the same limitations there that we have for kernel-mode rootkits now - if we don't know where to look, we won't be able to find them, but there will always be anomalies then, just as there are now.&lt;br&gt;So it's really the same problem, just one level removed.  
As Thomas said, it hasn't gotten any harder.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Peter Ferrie</dc:creator><pubDate>Tue, 04 Sep 2007 12:36:05 -0000</pubDate></item><item><title>Re: You Can Detect Hypervisor Rootkits Even If You&#8217;re Virtualized</title><link>http://www.matasano.com/log/955/you-can-detect-hypervisor-rootkits-even-if-youre-virtualized/#comment-2323093</link><description>Sure, to the same extent that loading into the kernel to detect viruses and kernel malware pretty much breaks the kernel. We didn't make malware detection easier than it was before; we're just making sure it doesn't get harder. =)</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Wed, 29 Aug 2007 16:16:29 -0000</pubDate></item><item><title>Re: You Can Detect Hypervisor Rootkits Even If You&#8217;re Virtualized</title><link>http://www.matasano.com/log/955/you-can-detect-hypervisor-rootkits-even-if-youre-virtualized/#comment-2323092</link><description>Correct me if I'm wrong, but wouldn't that pretty much mean breaking the hypervisor?&lt;br&gt;&lt;br&gt;Would it be possible for a hypervisor to give its guests unimpeded access to the hardware, to such an extent that they can scan for rootkits, but still keep enough control that one compromised guest can't attack other guests or the hypervisor itself?</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">dragonfrog</dc:creator><pubDate>Wed, 29 Aug 2007 14:59:29 -0000</pubDate></item><item><title>Re: You Can Detect Hypervisor Rootkits Even If You&#8217;re Virtualized</title><link>http://www.matasano.com/log/955/you-can-detect-hypervisor-rootkits-even-if-youre-virtualized/#comment-2323091</link><description>If the "illegal" VM runs underneath a legitimate hypervisor, it does not have control of the hardware. 
The legitimate hypervisor can trivially detect it (for definitions of "trivial" equating to "as easily as Norton AV detects viruses").&lt;br&gt;&lt;br&gt;The point of hypervisor malware is to get the hardware to intercept detection attempts for you. If you don't control the hardware, you don't get to do that.&lt;br&gt;&lt;br&gt;You could *infect* a hypervisor (nobody has published such an attack yet). But there's little semantic difference between infecting VMWare and loading your own hypervisor above it. The point of Samsara is, even if your rootkit is resident in someone else's hypervisor, we can still (a) prove that we have unimpeded access to the actual hardware and then (b) use that hardware to scan for a rootkit.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Wed, 29 Aug 2007 13:43:32 -0000</pubDate></item><item><title>Re: You Can Detect Hypervisor Rootkits Even If You&#8217;re Virtualized</title><link>http://www.matasano.com/log/955/you-can-detect-hypervisor-rootkits-even-if-youre-virtualized/#comment-2323090</link><description>How do you deal with the case where the "illegal" VM runs inside of the "legitimate" VM, i.e., between VMWare and your software?  Obviously you can't run Samsara in your program, since it's already virtualized.  You can ask VMWare to run Samsara, but it won't tell you anything.  Seems you need a way for VMWare &amp; your program to detect the intervening virtualization layer.  
Is this easily done?</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Matt</dc:creator><pubDate>Wed, 29 Aug 2007 11:36:27 -0000</pubDate></item><item><title>Re: You Can Detect Hypervisor Rootkits Even If You&#8217;re Virtualized</title><link>http://www.matasano.com/log/955/you-can-detect-hypervisor-rootkits-even-if-youre-virtualized/#comment-2323089</link><description>(And IF the hypervisor doesn't cooperate, BUT SHOULD BE EXPECTED TO, the Samsara techniques work too.)</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Mon, 27 Aug 2007 21:35:43 -0000</pubDate></item><item><title>Re: You Can Detect Hypervisor Rootkits Even If You&#8217;re Virtualized</title><link>http://www.matasano.com/log/955/you-can-detect-hypervisor-rootkits-even-if-youre-virtualized/#comment-2323088</link><description>It can't, but it could. More generally (and accurately), Samsara describes techniques that could be used by malware detection tools working jointly with legitimate hypervisors. 
IF the hypervisor cooperates with the detector, THEN unauthorized virtualization can be detected, EVEN IF the malicious hypervisor tries to cheat.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Mon, 27 Aug 2007 21:35:04 -0000</pubDate></item><item><title>Re: You Can Detect Hypervisor Rootkits Even If You&#8217;re Virtualized</title><link>http://www.matasano.com/log/955/you-can-detect-hypervisor-rootkits-even-if-youre-virtualized/#comment-2323087</link><description>Got it, think I misunderstood.&lt;br&gt;&lt;br&gt;Samsara doesn't just look to see if there's virtualization - it can also scan the hypervisor to make sure it's unmodified.&lt;br&gt;&lt;br&gt;'nuff said, if I have it right.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">rmogull</dc:creator><pubDate>Mon, 27 Aug 2007 21:28:08 -0000</pubDate></item><item><title>Re: You Can Detect Hypervisor Rootkits Even If You&#8217;re Virtualized</title><link>http://www.matasano.com/log/955/you-can-detect-hypervisor-rootkits-even-if-youre-virtualized/#comment-2323086</link><description>A corrupted hypervisor can't pretend to allow Samsara to run. The hypervisor is "stepping aside" to prove that it is in control of the hardware. Samsara's job is to verify that, and then allow the system to be scanned, knowing that the scan can't be foiled by a hypervisor.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Mon, 27 Aug 2007 18:40:35 -0000</pubDate></item><item><title>Re: You Can Detect Hypervisor Rootkits Even If You&#8217;re Virtualized</title><link>http://www.matasano.com/log/955/you-can-detect-hypervisor-rootkits-even-if-youre-virtualized/#comment-2323085</link><description>What about a corrupted hypervisor? 
Neither case seems to help with that.&lt;br&gt;&lt;br&gt;I'll just assume you can have your hypervisor check its virtualization status; of course, that probably relies on the hypervisor either having that capability programmed in, or you having a way to extend it.&lt;br&gt;&lt;br&gt;As you said, and I fully agree, hypervisor rootkits aren't something to worry about. The only one I worry about is if the trusted hypervisor is compromised directly.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">rmogull</dc:creator><pubDate>Mon, 27 Aug 2007 17:43:47 -0000</pubDate></item><item><title>Re: You Can Detect Hypervisor Rootkits Even If You&#8217;re Virtualized</title><link>http://www.matasano.com/log/955/you-can-detect-hypervisor-rootkits-even-if-youre-virtualized/#comment-2323084</link><description>If you're supposed to be virtualized, ask your hypervisor to check to see if it's being virtualized.&lt;br&gt;&lt;br&gt;If you're not supposed to be virtualized, check to see if you're being virtualized.&lt;br&gt;&lt;br&gt;Repeat until the chain is exhausted, or you get an unexpected result.</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Thomas Ptacek</dc:creator><pubDate>Mon, 27 Aug 2007 16:20:54 -0000</pubDate></item><item><title>Re: You Can Detect Hypervisor Rootkits Even If You&#8217;re Virtualized</title><link>http://www.matasano.com/log/955/you-can-detect-hypervisor-rootkits-even-if-youre-virtualized/#comment-2323083</link><description>Tom, are we talking around each other?&lt;br&gt;&lt;br&gt;I was referring to detecting an unauthorized hypervisor that either replaces the expected one, layers on top of it (probably not possible, but I never assume anything's impossible), or corrupts it. This isn't about Blue Pill; think of it being more about a hijacked hypervisor. &lt;br&gt;&lt;br&gt;If I'm in the guest OS I can detect I'm running on a hypervisor, but that's the "easy" part. 
How do I know there isn't a malicious hypervisor running vs. the authorized one?</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">rmogull</dc:creator><pubDate>Mon, 27 Aug 2007 15:01:09 -0000</pubDate></item></channel></rss>