Blue Pill: No hoax

Summary: By now you've probably heard of Joanna Rutkowska's "Blue Pill" concept attack using hardware virtualization features of AMD and Intel processors. This technique was demonstrated in front of a live audience at the recent Black Hat conference but some refuse to believe it. Their rhetoric is only encouraging the crackers.

By now you've probably heard of security researcher Joanna Rutkowska's "Blue Pill" concept -- a way to take advantage of the hardware virtualization features of AMD and Intel processors to surreptitiously log keystrokes or do whatever else an attacker might want. This technique was demonstrated in front of a live audience at the recent Black Hat conference.

Morpheus: Do you believe in fate, Neo?
Neo: No.
Morpheus: Why not?
Neo: 'Cause I don't like the idea that I'm not in control of my life.
-- The Matrix

Despite statements from Austin Wilson, director of the Windows client group at Microsoft, that "What she showed was legitimate and a very real threat," many have labeled Blue Pill as some kind of hoax. Tom Yager called it "an attention-whoring non-threat". Anthony Liguori of the Xen project said in an interview that "anti-malware software will always be able to detect this sort of attack".

This kind of rhetoric reminds me of a certain head of state standing on an aircraft carrier and saying "Bring 'em on". What do you think is the most effective way to make crackers want to exploit this concept? Tell them it's stupid and impossible, and to not dare try anything because they will be detected. Thanks guys.

For more information on Blue Pill, see Joanna's blog.

Ed Burnette

About Ed Burnette

Ed Burnette is a software industry veteran with more than 25 years of experience as a programmer, author, and speaker. He has written numerous technical articles and books, most recently "Hello, Android: Introducing Google's Mobile Development Platform" from the Pragmatic Programmers.

  • Such "insightful" analysis

    So let's see you dismiss some actually in-depth analysis by saying it's simply a bunch of people trying to say "there's nothing to see here, move on".

    How about the very real technical critique about timing-based tests? Care to address that any?
    Robert Crocker
    • What surprises me more ....

      ... is that people who are ostensibly clued in security-wise don't understand why the timing arguments don't matter.

      In theory, it's possible to detect any virus, trojan, or worm. But there are practical limitations. Anybody with a practical familiarity with security knows that once the system is compromised, all bets are off w.r.t. detection. To say that something is always technically possible begs the question of whether it's practically feasible. It seems clear to me that Liguori's timing-based detection schemes aren't.

      Ergo, yes, there is something there. It's an elephant. And it's in the room with you. Right now.
    • Timing-based tests

      The timing-based test doesn't get you very far. It can be defeated by faking out the timing counters, intercepting external timing messages, or simply going into hibernation for the duration of the test. Read Joanna's blog; it addresses these and other questions that have come up.
      Ed Burnette
      • Time tests are possible, just not automatic

        The time tests can easily be detected even without a stop watch. Some of the commands take 23 times longer to run. So an infected machine would take 23 seconds, for example, versus 1 second on a clean machine. The problem is that this is not programmatic and requires human intervention.

        You can use an external time source but it has to be encrypted to prevent tampering. Again that's possible but not trivial.

        The scariest thing I mentioned was a Blue Pill rootkit that can go into a temporary off mode so that it doesn't generate delays.

        More in-depth analysis here.
        "Detecting the Blue Pill Hypervisor rootkit is possible but not trivial"

        So the bottom line is that there is something to see and no one should be calling Blue Pill a "myth". Yes, it's detectable, but it isn't trivial.
        • Same can be said of "root-kit"

          Can a "blue pill" be written to detect timing tests and hibernate? Possible, but not trivial.

          The thing is, George, that what we have right now is a crude "proof of concept" that doesn't really prove the concept but rather highlights a potential vector of attack.

          So, we've also got a crude "proof of concept" for a detector for this and some deep insight from someone who writes hypervisors for a living. He also points out that any detector-stealth code would in fact slow the hypervisor down further and thus lead to easier detection. (The detector would add x-cycles overhead for each command being executed to check it.)
          Robert Crocker
          • Detection, goading

            You know how this works: as soon as one detection method is created, a way to work around that detection method is created in response. I would argue also that a hypervisor writer has a vested interest in encouraging the use of virtualization technology. Of course security researchers have their own agendas too, so you have to take all that into account when reading what they say. I wasn't at the demonstration but from everything I've read, it seems to me like this new attack vector is real. It's not a 'doomsday' scenario but it should be taken seriously. And goading the black hatters seems like asking for trouble, don't you think?
            Ed Burnette
      • Detection problems

        The problem is that to perform any of those actions you have to add additional overhead in trying to detect any of these timing tests. Every effort to intercept adds additional overhead to the hypervisor which makes the timing skews MORE evident.

        Is there a potential issue in the future of creating hypervisor-based root kits? Probably. Should it be researched? Most definitely.

        Do we need to throw up our hands and shout "the sky is falling"? Not at all.
        Robert Crocker
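The timing test argued over in the comments above (CPUID cost under a hypervisor, the overhead of any interception, and the "faking out the timing counters" and "temporary off mode" evasions) can be sketched in code. The following C program is an added example; it is not code from this post, from Joanna Rutkowska's work, or from any of the commenters. It times the CPUID instruction with RDTSC (CPUID causes a VM exit on hardware-virtualized guests, unconditionally on Intel VT-x), takes the median over many probes, and compares that against a baseline that would have to be calibrated on a known-clean machine of the same CPU model. The baseline of 100 cycles, the 10x threshold, and the two sample arrays are constructed values for illustration, and the function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example. The baseline and ratio are constructed for illustration; a real
 * check calibrates the baseline on known-clean hardware of the same model, since
 * CPUID latency differs widely between CPU generations. */
#define CONSTRUCTED_BASELINE_CYCLES 100u
#define SKEW_RATIO 10u

#if defined(__x86_64__) || defined(__i386__)
/* Read the time stamp counter. A hypervisor can offset or trap RDTSC, which is
 * the "faking out the timing counters" evasion raised in the thread. */
static inline uint64_t read_tsc(void) {
    uint32_t lo, hi;
    __asm__ __volatile__("rdtsc" : "=a"(lo), "=d"(hi));
    return ((uint64_t)hi << 32) | lo;
}

/* Execute CPUID leaf 0. Under VT-x this instruction always causes a VM exit,
 * so its cost jumps from tens of cycles to thousands when a hypervisor is present. */
static inline void probe_cpuid(void) {
    uint32_t a = 0, b = 0, c = 0, d = 0;
    __asm__ __volatile__("cpuid" : "+a"(a), "=b"(b), "+c"(c), "=d"(d));
    (void)b; (void)d;
}

/* Cycles spent on one CPUID, bracketed by two TSC reads. */
uint64_t time_cpuid_once(void) {
    uint64_t start = read_tsc();
    probe_cpuid();
    return read_tsc() - start;
}
#endif

static int cmp_u64(const void *x, const void *y) {
    uint64_t a = *(const uint64_t *)x, b = *(const uint64_t *)y;
    return (a > b) - (a < b);
}

/* Median rather than mean: one interrupt or context switch lands in a single
 * sample and would otherwise dominate the average. Sorts a private copy. */
uint64_t median_cycles(const uint64_t *samples, size_t n) {
    uint64_t *copy = malloc(n * sizeof *copy);
    if (!copy || n == 0) { free(copy); return 0; }
    for (size_t i = 0; i < n; i++) copy[i] = samples[i];
    qsort(copy, n, sizeof *copy, cmp_u64);
    uint64_t m = (n % 2) ? copy[n / 2] : (copy[n / 2 - 1] + copy[n / 2]) / 2;
    free(copy);
    return m;
}

/* Returns 1 when the median probe cost exceeds ratio x baseline. A result of 0
 * is not a clean bill of health: a hypervisor that hides for the duration of the
 * test (the "temporary off mode" in the thread) produces clean numbers. */
int timing_skew_detected(const uint64_t *samples, size_t n,
                         uint64_t baseline, unsigned ratio) {
    return median_cycles(samples, n) > baseline * (uint64_t)ratio;
}

/* Constructed sample sets, in cycles, used to exercise the detector offline.
 * The clean set contains one outlier (2000) that the median ignores. */
static const uint64_t kCleanSamples[] = {100, 104, 98, 102, 2000, 101, 99};
static const uint64_t kSkewedSamples[] = {2300, 2400, 2350, 2290, 2500, 2310, 2380};
#define CLEAN_N (sizeof kCleanSamples / sizeof kCleanSamples[0])
#define SKEWED_N (sizeof kSkewedSamples / sizeof kSkewedSamples[0])

int main(void) {
#if defined(__x86_64__) || defined(__i386__)
    enum { N = 64 };
    uint64_t live[N];
    for (int i = 0; i < N; i++) live[i] = time_cpuid_once();
    printf("live median CPUID cost: %llu cycles, skew %s\n",
           (unsigned long long)median_cycles(live, N),
           timing_skew_detected(live, N, CONSTRUCTED_BASELINE_CYCLES, SKEW_RATIO)
               ? "detected" : "not detected");
#else
    puts("RDTSC/CPUID probe is only built on x86; running the constructed samples");
#endif
    printf("constructed clean set: %d, constructed skewed set: %d\n",
           timing_skew_detected(kCleanSamples, CLEAN_N, CONSTRUCTED_BASELINE_CYCLES, SKEW_RATIO),
           timing_skew_detected(kSkewedSamples, SKEWED_N, CONSTRUCTED_BASELINE_CYCLES, SKEW_RATIO));
    return 0;
}
```

The live measurement is only compiled on x86, and its verdict depends entirely on the calibrated baseline; the constructed arrays show the decision logic on its own. Using the median is what makes the check tolerate ordinary scheduler noise, but it does nothing against the two evasions the thread names, which is why a negative result here is absence of evidence rather than proof of a clean machine.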
  • They should be jailed for this sort of thing

    I'm sorry, but so called "researchers" shouldn't be broadcasting this sort of information to the hacker community. They should (behind closed doors) be advising Intel and AMD and whoever else in the legitimate industry, how an exploit like this can be created and getting them to come up with ways of either blocking or flagging this up so that antispyware or virus checkers can block it.

    Have the end users not had enough misery at the hands of the criminals and deviants who write this sort of stuff?

    I am sick of hearing how it is the end user's responsibility to ensure their systems are secure. Why can't using the internet be a painless experience that doesn't end in your computer needing someone like me to come round and fix it when it has ground to a halt with spyware and viruses? I would rather be doing more productive work.

    These people are turning the whole benefit of the internet into a constant nightmare trying to avoid having your computer hijacked and either effectively destroyed or used for illicit purposes such as DOS or porn delivery.

    In my book these activities involve damage and cost to end users and should be treated as a crime no different to the theft or destruction of your car or other property. If the writers of this malware thought they would spend a long time in jail when caught, they might think twice about committing this kind of crime.
    • "... so there's no one to tell on the criminal."

      There, I finished your headline for you.

      Be fair to the hackers: They assume (rightly, by my limited [18 years] experience in computing) that the fact that someone hasn't publicly thought about this doesn't mean that (a) someone isn't privately doing it (and remember, you wouldn't know if they were), and (b) it wouldn't occur to someone else.

      In fact, Mark Liguori's rapid response suggests that he'd already known about this vulnerability. He thought it didn't matter, for some nitpicky technical reasons that amount to saying that because people have eyes they shouldn't fall off cliffs. But he did think of it. If he did, and if Joanna did, then other people have -- and would in the future.

      And in fact, if you've been following the discussions, apparently the chip vendors and OS vendors (MS, Apple in particular) have been routinely harangued by the security community on this issue for quite some time.

      So, get off your high horse. Information does not "want" to be free, that's true; but it WILL become available, and most likely to the wrong people -- unless we make the "right" people notice it. If this is what it takes, so be it.
      • Very public discussion

        At first it bothered me too, but security by obscurity is no security at all. This is different than some buffer overrun bug in some version of a server that a vendor could write a patch for - it's a fundamental new attack vector that needs a lot of people thinking about how to protect against it.

        Besides, the cracker community has their own private bulletin boards and whatnot to disseminate this kind of information without the public knowing about it, so would you rather it be published there instead?
        Ed Burnette
      • It's the level of publicity that worries me

        It's one thing to quietly circulate it in the known security community, quite another to produce demonstration code in a Black Hat conference for all the World to see.

        I do become suspicious that the reasons for doing this are to keep the security companies in business.

        Perhaps the number of viruses and spyware were getting too easy to beat and the need for security companies to have a new battle to fight was felt necessary. Or perhaps they were getting bored with buffer overflows and needed something more interesting to go after?

        My tongue was stuck in my cheek slightly there, but I'm sure you get my drift.
    • This is legitimate research

      It's the same as studying weaknesses in crypto algorithms. The good guys finding the weaknesses first is better than the bad guys finding them in secret.
      • But don't help them

        I appreciate that the "good guys" should be finding the holes, but they shouldn't be shouting it from the tree tops so that the "Bad guys" get a leg up to creating the next bad thing that's about to happen to your PC.

        From my experience a lot of the worms and viruses are made by people with little real skill who just download a "kit" made by someone who does know what they are doing and then customise that to their own ends. Lately those ends have been of a criminal nature, such as stealing credit card numbers or setting up trojan ftp servers to gain access to confidential files.
      • Who are the good guys?

        So who are the good guys now, the White Hats or the Black Hats? I'm so confused... :)
        Ed Burnette
        • Anyone who fights to protect users

          I would say the operating system vendors whose OSes are being attacked, and anyone who is trying to protect the end user population from illegal activity, i.e. having their day-to-day home or work machines rifled for information against the user's will, or from those who are actively stealing information that can be used for profit. This might be industrial espionage to gain competitive advantage, or credit card or bank details and associated passwords that would allow criminals to defraud the legitimate owner of their cash.

          I don't know why we pussyfoot around this stuff just because it is done via computers; it is still stealing. It isn't as serious as being injured or killed by someone, but it is still criminal activity and should be fought like any other form of criminal activity.

          If "researchers" are found to have aided and abetted criminals by making them aware of ways to achieve all of the above by knowingly releasing stuff to them then they should be punished accordingly.

          To me, if blue pill is a threat that can be exploited, the research community should raise it with Microsoft or any other operating system manufacturer, away from the spotlight of publicity so that they are forearmed and can do something about it before the criminals can use it for real. They should never publish it in an open forum where (cr/h)ackers can have it up on nasty web sites as kits for script kiddies to hack about and do real paid for criminal work with it.
  • Quality

    Quite often I read blogs from all authors in ZDNet. I was pleasantly surprised at the quality of the feedback with respect to this blog in particular.
    There is one author who writes fiction and causes a flame war, especially when he writes untrue things about Windows and portrays it in a bad light. Many of the replies to that blog are from zealots. The quantity is high but the quality poor.

    I enjoyed reading the article and also the mature responses.
    • Thanks!

      Ed Burnette
  • ...up the Nile to the source.

    I've been a Sun/Unix sysadmin by trade for over 10 years.
    I've been running Open/FreeBSD/Unix on my PC for 3 years now, and lately started using OpenSolaris, with not one single virus, trojan, or whatever they call them these days. It's been so long since I saw Norton's antivirus software on my now defunct Windows PC that I forgot what it looks like.
    How can this be?
    How could the computer security industry, which is now practically owned by the big Green Machine, not have fixed all these security/virus issues by now!? IP6 anyone :)
    Who do you really think writes most of these network security threats in the 1st place?
    Internet security is a kazillion $$$ industry thanks to the likes of MS, IBM, ...
    Yes, definitely my OpenOffice/StarOffice, BerkeleyDB (now sadly owned by Oracle), ... isn't as flashy as the MS apps.
    Microsoft, at its best, can write beautiful applications, and that's all they should be doing for the "real" networking operating systems out there.
    If that "DOS with a GUI" piece of junk had never been allowed on the Internet in the 1st place... well, we wouldn't be writing about this, nor would we know what a computer "virus" is.