funsec mailing list archives
Re: Microsoft Makes Concessions to Security Software Makers
From: "Dude VanWinkle" <dudevanwinkle () gmail com>
Date: Sun, 15 Oct 2006 00:13:41 -0400
On 10/14/06, Blue Boar <BlueBoar () thievco com> wrote:
> Nick FitzGerald wrote:
> > My understanding of "blue pill" is that it is far from a given that it
> > is actually meaningfully doable. Theoretically, yes, but in a
> > practically workable, distributed/remote attack scenario???
>
> Not sure what you're getting at. Joanna claims to have done it, she just
> isn't going to share. And keep in mind that it's a retention mechanism,
> not an attack vector.
>
> You can see how this sort of thing works now, get a copy of VMware
> Server, and load up a virtual machine. You just loaded a hypervisor
> behind Windows' back. I believe this is the case, because when I went to
> do this intentionally recently, VMware complained at me that I had VT
> disabled in the BIOS, and that it couldn't load the hypervisor. Sure
> enough, I had to reboot and flip a setting in the BIOS.
>
> And I may just have mentioned two ways to keep Blue Pill from loading in
> the first place...
Correct you are. From the article I quoted:

-----------
One way to defend against Blue Pill is to disable the virtualization capability in the processors, but that makes no sense. "People spent years developing those new processors with virtualization, and now you buy those new processors just to disable the virtualization, right? Where's the logic?" she asked.
-----------

Also, further down in the article is the way to defeat Blue Pill:

----------
A more practical defense is for Microsoft to disable the paging of kernel memory in Vista, which means loading the kernel code and drivers, approximately 80MB of data, into main memory. This would prevent Blue Pill from accessing the kernel and executing code. "Who cares about 80MB? That's why I'm so surprised that even though I showed this attack at the end of July at the SysCan conference, it still hasn't been fixed in RC1," Rutkowska said, referring to the latest preproduction version of Vista.
------------

Disabling the paging of kernel memory doesn't seem like too much to ask for. Maybe MS has removed that in the latest build. I guess an admin could also turn off the paging file altogether and mitigate this issue for machines with processors that support virtualization, so at least there is a workaround.

-JP

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
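The workaround JP describes (disable paging of kernel memory, or drop the pagefile) maps on Windows to the DisablePagingExecutive registry value and to the pagefile settings, and Blue Boar's "flip a setting in the BIOS" is the firmware VT switch. The script below is an added example for this archive page, not code from the funsec thread or from Joanna Rutkowska: it audits those three settings on a Windows host and can apply the kernel-paging mitigation. It assumes an elevated PowerShell 5.1 or later session; the CIM properties VirtualizationFirmwareEnabled and HypervisorPresent exist only on Windows 8 / Server 2012 and later, so they are reported as "unknown" where absent, and the -ApplyDisablePagingExecutive switch name is chosen for this example.

```powershell
<#
 Added example; not code from the funsec thread or from Rutkowska's work.
 Audits the settings discussed in the thread and can apply the kernel-paging
 mitigation. Assumptions: elevated PowerShell 5.1+; the CIM properties
 VirtualizationFirmwareEnabled (Win32_Processor) and HypervisorPresent
 (Win32_ComputerSystem) only exist on Windows 8 / Server 2012 and later, so
 they are reported as 'unknown' where absent. The switch name is made up here.
#>
param(
    [switch]$ApplyDisablePagingExecutive
)

$mmKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Get-KernelPagingState {
    # DisablePagingExecutive = 1 keeps kernel-mode code and drivers resident in RAM;
    # 0 or absent lets pageable kernel code and data be written to the pagefile.
    $p = Get-ItemProperty -Path $mmKey -Name DisablePagingExecutive -ErrorAction SilentlyContinue
    if ($null -eq $p) { return 'paging allowed (value absent)' }
    if ($p.DisablePagingExecutive -eq 1) { return 'kernel paging disabled (1)' }
    return "paging allowed ($($p.DisablePagingExecutive))"
}

function Get-PagefileState {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if ($cs.AutomaticManagedPagefile) { return 'system-managed pagefile present' }
    $pf = @(Get-CimInstance -ClassName Win32_PageFileSetting -ErrorAction SilentlyContinue)
    if ($pf.Count -eq 0) { return 'no pagefile configured' }
    return ($pf | ForEach-Object { "$($_.Name) (initial $($_.InitialSize) MB, max $($_.MaximumSize) MB)" }) -join '; '
}

function Get-VirtualizationState {
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    $vt  = if ($cpu.PSObject.Properties['VirtualizationFirmwareEnabled']) { $cpu.VirtualizationFirmwareEnabled } else { 'unknown' }
    # HypervisorPresent reflects what the OS was told at boot. A hypervisor that
    # loaded "behind Windows' back" is under no obligation to show up here.
    $hv  = if ($cs.PSObject.Properties['HypervisorPresent']) { $cs.HypervisorPresent } else { 'unknown' }
    [pscustomobject]@{ VTEnabledInFirmware = $vt; HypervisorPresentPerOS = $hv }
}

Write-Host "Kernel paging : $(Get-KernelPagingState)"
Write-Host "Pagefile      : $(Get-PagefileState)"
$v = Get-VirtualizationState
Write-Host "VT in firmware: $($v.VTEnabledInFirmware)   Hypervisor present (per OS): $($v.HypervisorPresentPerOS)"

if ($ApplyDisablePagingExecutive) {
    # Administrator rights required; the change takes effect after a reboot.
    Set-ItemProperty -Path $mmKey -Name DisablePagingExecutive -Value 1 -Type DWord
    Write-Host 'DisablePagingExecutive set to 1; reboot for it to take effect.'
}
```

Run it once with no switch to see the current state, then with -ApplyDisablePagingExecutive to pin kernel memory in RAM. The VT state is report-only: it can only be changed in the BIOS/UEFI setup, which is the first of Blue Boar's two options. Keeping kernel memory out of the pagefile only closes the path the quoted article describes (the kernel being reached through paged-out memory); it does not by itself stop a hypervisor from being loaded on a VT-enabled machine.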
Current thread:
- Re: Microsoft Makes Concessions to Security Software Makers, (continued)
- Re: Microsoft Makes Concessions to Security Software Makers Rob, grandpa of Ryan, Trevor, Devon & Hannah (Oct 14)
- Re: Microsoft Makes Concessions to Security Software Makers Valdis . Kletnieks (Oct 14)
- Re: Microsoft Makes Concessions to Security Software Makers Nick FitzGerald (Oct 14)
- Re: Microsoft Makes Concessions to Security Software Makers Blue Boar (Oct 14)
- Re: Microsoft Makes Concessions to Security Software Makers Dude VanWinkle (Oct 14)
- Re: Microsoft Makes Concessions to Security Software Makers Nick FitzGerald (Oct 14)
- Re: Microsoft Makes Concessions to Security Software Makers Dude VanWinkle (Oct 14)
- Re: Microsoft Makes Concessions to Security Software Makers Nick FitzGerald (Oct 14)
- Re: Microsoft Makes Concessions to Security Software Makers Dude VanWinkle (Oct 14)
- Re: Microsoft Makes Concessions to Security Software Makers Blue Boar (Oct 14)
- Re: Microsoft Makes Concessions to Security Software Makers Dude VanWinkle (Oct 14)
- Re: Microsoft Makes Concessions to Security Software Makers Blue Boar (Oct 15)
- Re: Microsoft Makes Concessions to Security Software Makers Blue Boar (Oct 14)
- Re: Microsoft Makes Concessions to Security Software Makers Nick FitzGerald (Oct 14)
- Re: Microsoft Makes Concessions to Security Software Makers Nick FitzGerald (Oct 14)
- Re: Microsoft Makes Concessions to Security Software Makers Nick FitzGerald (Oct 14)
- Re: Microsoft Makes Concessions to Security Software Makers Dude VanWinkle (Oct 14)