Hardware-based rootkit detection proven unreliable

Hardware-based rootkit detection proven unreliable

Summary: For years, we've been convinced by companies like Komoku and BBN Technologies that hardware-based RAM acquisition is the most reliable and secure way to sniff out the presence of a sophisticated rootkit on a compromised machine. Not so fast, says Joanna Rutkowska, a security researcher at COSEINC Malware Labs.

TOPICS: Hardware
For years, we've been convinced by companies like Komoku and BBN Technologies that hardware-based RAM acquisition is the most reliable and secure way to sniff out the presence of a sophisticated rootkit on a compromised machine.

Joanna Rutkowska, Jamie ButlerNot so fast, says Joanna Rutkowska, a security researcher at COSEINC Malware Labs.

Rutkowska, an elite hacker who specializes in offensive rootkit research, has found several ways to manipulate the results given to hardware-based solutions (PCI cards or FireWire bus).

At this year's Black Hat DC conference, Rutkowska demonstrated three different attacks against AMD64 based systems, showing how the image of volatile memory (RAM) can be made different from the real contents of the physical memory as seen by the CPU.

Rutkowska's research, though purely theoretical, underscores the need for multiple solutions (hardware and software) to work in tandem during forensics. It also highlights just how scary the threat from sophisticated rootkits can be. If, as Rutkowska proved, forensic examiners cannot rely on images collected from RAM, then it's basically game over.

Jamie Butler, a rootkit guru who works with software- and hardware-based anti-rootkit tools, said he was "very impressed" with Rutkowska's presentation. "We already know that software isn't reliable and now we know that you really can't trust the hardware either. You really need to combine both and, even then, you just never know," Butler said.

  Black Hat Gallery:Hackers discuss weaknesses in Wi-Fi drivers, RFID proximity devices and hardware-based forensics. Images in our gallery.  


"I really don't want to meet the attacker who is at that level," he said. "That is scary stuff," Butler said, referring to the techniques used during Rutkowska's presentation.

In three different scenarios, Rutkowska showed how an attacker can crash a machine during memory acquisition. In this case, it would be a denial-of-service against the forensics examiner looking to find traces of malware on a hijacked machine.

She also described a "covering attack" where the malware is programmed to present garbage data to the hardware trying to read physical memory.

A third scenario is what Rutkowska described as a "full replacing attack" where the malware author not only hides malicious code from the memory acquisition tool but actually provides arbitrary/fake content to the examiner.

The overall problem, Rutkowska explained, is the design of the system that makes it impossible to reliably read memory from computers. "Maybe we should rethink the design of our computer systems so they they are somehow verifiable," she said.

Rutkowska suggests that hardware vendors come up with a special "auditing" interface dedicated only to memory acquisition.

"I'm thinking about motherboard manufacturers adding a special port which would allow for *direct* (this time really "direct") access to RAM and potentially some other critical resources like e.g. CPU system registers and maybe even caches," she said.

Here are the slides from Rutkowska's presentation (PDF). 

Topic: Hardware

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Flawed research

    I see she is still only testing one platform. It is reckless and unprofessional to only test one platform when others exist. This woman is a sensationalist and attention seeker. Every time she makes an assertion, someone shoots holes in it soon thereafter. She needs to learn proper testing and validation skills or leave the research to real professionals.
    • She has done her homework.


      Her research seems valid to me. She's demonstrated vulnerabilities on one platform - whats the argument?

    • Preume for a moment

      That the general zdnet audience is clueless. What actual holes have been shot in her claims? And what makes you more of a professional than her? So far, she seems a whole lot more credible that Maynor et al.
    • Yes!, Why Don't You?

      Do a real professional report on all existing platforms, and post it here along with charts and diagrams with legends, diagnostics, and explanations, and show us all (including the author here) the correct way to do it?

      We'd all appreciate it. Thank you.
      Ole Man
  • BitForensics is selling the PCI card monitors


    The author is not kidding.

    You can get PCI card monitors, and laptop based hardware monitors from:


    Both these products are completely passive, and are 100% undetectable by software running on the machine.

  • The technology exists, but...

    The technology to detect this type of malware does exist, but:
    1) It will be very slow
    2) It will be very complex
    3) Thus, it will be very expensive

    Almost any active device with more than a few gates has implemented some type of JTAG i/f, fundamentally to more easily implement functional testing. That i/f can be used to examine registers, caches and I/O levels on any device in the system. It's designed so that system manufacturers can test any device(s) on their system through a simple synchronous serial i/f without aid of any ALU, MMU, state machine or other autonomous "intelligence" being active.

    The problems come in when we take a look at what it will take to implement.
    I don't know of any bus topology whach has fully implemented these signals. So the motherboard, graphics card(s) and rotating storage media will each have to be tested separately.
    The control S/W changes with each device, and often with each Rev of each device. So the configuration management for a comprehensive test program for something like a motherboard which supports multiple CPUs quickly becomes a nightmare, as well as expesive to produce and maintain.

    The bottom line is that I have difficulty envisioning ANY IT Dept. acquiring and maintaining these types of resources as it will be much more cost-effective to simply trash anything that may have a suspected rootkit like the ones discussed.

    I'd also recommend that any data recovery from an HDD be accomplished using an architecture different that that of the host machine. Thus, ARM, M68k/ColdFire, and MIPS based architectures become good candidates for recovering data from HDDs that have been used in either x86 or PowerPC hosts.

  • Hacking hardware or OS

    Back in my working days, I broke into many systems either beating hardware or operating systems to help my customer and so now she's just exposing another hack. Until a system is built that can't be changed once built someone will get to it
    and that's not going to happen soon.