funsec mailing list archives

Re: Microsoft Makes Concessions to Security Software Makers


From: "Dude VanWinkle" <dudevanwinkle () gmail com>
Date: Sun, 15 Oct 2006 00:13:41 -0400

On 10/14/06, Blue Boar <BlueBoar () thievco com> wrote:
> Nick FitzGerald wrote:
> > My understanding of "blue pill" is that it is far from a given that it
> > is actually meaningfully doable.  Theoretically, yes, but in a
> > practically workable, distributed/remote attack scenario???
>
> Not sure what you're getting at.  Joanna claims to have done it, she
> just isn't going to share.  And keep in mind that it's a retention
> mechanism, not an attack vector.
>
> You can see how this sort of thing works now, get a copy of VMware
> Server, and load up a virtual machine.  You just loaded a hypervisor
> behind Windows' back.  I believe this is the case, because when I went
> to do this intentionally recently, VMware complained at me that I had VT
> disabled in the BIOS, and that it couldn't load the hypervisor.  Sure
> enough, I had to reboot and flip a setting in the BIOS.
>
> And I may just have mentioned two ways to keep Blue Pill from loading in
> the first place...

correct you are,

from the article I quoted:

One way to defend against Blue Pill is to disable the virtualization
capability in the processors, but that makes no sense. "People spent
years developing those new processors with virtualization, and now you
buy those new processors just to disable the virtualization, right?
Where's the logic?" she asked.
-----------
also, further down in the article is the way to defeat blue pill:
----------
A more practical defense is for Microsoft to disable the paging of
kernel memory in Vista, which means loading the kernel code and
drivers, approximately 80MB of data, into main memory. This would
prevent Blue Pill from accessing the kernel and executing code. "Who
cares about 80MB? That's why I'm so surprised that even though I
showed this attack at the end of July at the SysCan conference, it
still hasn't been fixed in RC1," Rutkowska said, referring to the
latest preproduction version of Vista.
------------

disabling the paging of kernel memory doesn't seem like too much to ask
for. Maybe MS has removed that in the latest build. I guess an admin
could also turn off the paging file altogether and mitigate this issue
for machines with processors that support virtualization, so at least
there is a workaround.

-JP
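
For anyone who wants to check the two knobs JP mentions on a current Windows box, here is an added audit script; it is mine, not from the thread or the article. The registry value (DisablePagingExecutive) and the CIM classes it reads are standard Windows ones, and it assumes an elevated PowerShell session on Windows 8 / Server 2012 or later for the virtualization property.

```powershell
# Added example (not from the thread): read-only audit of the two defences
# discussed above, plus the firmware virtualization switch, on a Windows host.
# Assumes the standard Memory Management registry key and the Win32_PageFileUsage
# and Win32_Processor CIM classes; run in an elevated PowerShell session.
param(
    # -Fix pins kernel code and drivers in RAM (DisablePagingExecutive = 1).
    # The change takes effect after a reboot.
    [switch]$Fix
)

$mmKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

# 1. Kernel/driver paging: 1 = executive stays resident, 0 or absent = pageable.
$dpe = (Get-ItemProperty -Path $mmKey -Name DisablePagingExecutive `
            -ErrorAction SilentlyContinue).DisablePagingExecutive
$kernelPinned = ($dpe -eq 1)

# 2. Paging files actually in use. Win32_PageFileUsage is queried rather than
#    Win32_PageFileSetting because the latter is empty when Windows manages
#    the page file automatically, even though a page file exists.
$pageFiles = @(Get-CimInstance -ClassName Win32_PageFileUsage -ErrorAction SilentlyContinue)
$noPageFile = ($pageFiles.Count -eq 0)

# 3. Hardware virtualization as reported by the firmware (property is $null on
#    builds older than Windows 8 / Server 2012, where it does not exist).
$vtOn = (Get-CimInstance -ClassName Win32_Processor |
         Select-Object -First 1).VirtualizationFirmwareEnabled

if ($Fix -and (-not $kernelPinned)) {
    Set-ItemProperty -Path $mmKey -Name DisablePagingExecutive -Value 1 -Type DWord
    Write-Host 'DisablePagingExecutive set to 1; reboot for it to take effect.'
}

# With no page file at all, nothing (kernel included) can be written to disk,
# so either condition leaves kernel memory resident.
[PSCustomObject]@{
    KernelPagingDisabled   = $kernelPinned
    PagingFilesInUse       = ($pageFiles | ForEach-Object { $_.Name }) -join ', '
    FirmwareVirtualization = $vtOn
    KernelMemoryResident   = ($kernelPinned -or $noPageFile)
}
```

Without -Fix the script only reports; pinning the executive costs RAM, as the article notes, so decide per machine.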
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.