
Let users virtualize Vista because hypervisor rootkits are no threat

Some day, hypervisor malware will be mooted when every mainstream platform runs virtualized by default, with secured, well-tested hypervisors that prevent hyperjacking from ever taking place. Microsoft should help make that day come sooner rather than later.
Written by Ryan Naraine, Contributor

* Ryan Naraine is on vacation.

Guest editorial by Thomas Ptacek

Several weeks ago, reports surfaced that the threat of super-sophisticated "hypervisor malware" was preventing Microsoft from allowing its Windows Vista Home Edition operating system to run within virtualization software. Now, Microsoft may have a lot of good reasons for restricting Vista virtualization. But hypervisor malware shouldn't be one of them, and at this year's Black Hat security conference, a team of researchers including myself, Nate Lawson from Root Labs, and Peter Ferrie from Symantec will take the stage to prove it.

Some back story is in order. At last year's Black Hat conference, security researcher Joanna Rutkowska made a splash with "Blue Pill", a prototype rootkit that "invisibly" backdoors Windows Vista by installing a malicious hypervisor. Hypervisors are the kernels of virtualization systems like VMware, and Joanna's clever attack, called "hyperjacking", uses X86 hardware virtualization directly to virtualize a running operating system out from under itself.

Hyperjacking appears devastatingly effective, because it allows the underlying X86 hardware to betray detection tools. If you can't trust the software, and you can't trust the operating system, and you can't trust the hardware, how can you possibly detect something like Blue Pill?

As luck would have it, Dino Dai Zovi, then a teammate of mine at Matasano, also presented a hypervisor rootkit at Black Hat '06, called Vitriol. After taking stock of Rutkowska's work, we quickly decided that rather than competing with Blue Pill to weaponize virtualized malware, it'd be more interesting to square off against her and try to defeat hyperjacking altogether. At Black Hat this year, Joanna's team is set to announce advancements in Blue Pill designed to make it even harder to detect. And instead of a new version of Vitriol, I'm working with a team of researchers to counter her.

Hypervisor malware seems hard to defeat, but it isn't. Hardware virtualization offers great power to malware that can harness it. But with great power comes great responsibility. In the case of Blue Pill, that's the responsibility of providing a pitch-perfect replica of the X86 platform it seizes control of. And that's hard, because there's much more to the X86 platform than meets the eye. That includes chipset features, obscure timing sources, and even hardware bugs, or "errata", that sneak into the finished version of any chip. To hide a rootkit in a hypervisor, Blue Pill has to emulate all of that. To detect Blue Pill, our team only has to find one place she missed.
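The "timing sources" point above is the easiest of the three to show in code. Under hardware virtualization an instruction like CPUID always traps to the hypervisor, so its cost in cycles rises from tens or hundreds to thousands, and a hypervisor that wants to hide has to fake the timestamp counter convincingly as well. The program below is an added illustration written for this page, not code from the article or from the Matasano team's detector: it times CPUID with RDTSC, takes the median to shrug off interrupt noise, and compares it against a baseline. The baseline value (300 cycles) and the 10x threshold are assumptions for the demonstration; a real check calibrates the baseline on hardware known to be clean, which is exactly why the challenge described later offers "virgin" hardware. On a non-x86 build the measurement step is compiled out and reports zero.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Comparator for qsort over 64-bit cycle counts. */
static int cmp_u64(const void *a, const void *b) {
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

/* Median of n cycle counts. The median is used instead of the mean so that
   a handful of samples inflated by interrupts or a context switch do not
   swamp the typical cost. The input array is left unmodified. */
uint64_t median_u64(const uint64_t *v, size_t n) {
    if (n == 0) return 0;
    uint64_t *copy = malloc(n * sizeof *copy);
    if (!copy) return 0;
    for (size_t i = 0; i < n; i++) copy[i] = v[i];
    qsort(copy, n, sizeof *copy, cmp_u64);
    uint64_t m = (n % 2) ? copy[n / 2] : (copy[n / 2 - 1] + copy[n / 2]) / 2;
    free(copy);
    return m;
}

/* True when the observed cost is more than `factor` times the trusted
   baseline measured on known-clean hardware. */
int exceeds_baseline(uint64_t observed, uint64_t baseline, unsigned factor) {
    return observed > baseline * (uint64_t)factor;
}

#if defined(__x86_64__) || defined(__i386__)
static inline uint64_t read_tsc(void) {
    uint32_t lo, hi;
    __asm__ volatile("rdtsc" : "=a"(lo), "=d"(hi));
    return ((uint64_t)hi << 32) | lo;
}

/* CPUID is serializing, so it also fences the two RDTSC reads around it. */
static inline void run_cpuid(void) {
    uint32_t a = 0, b, c, d;
    __asm__ volatile("cpuid" : "+a"(a), "=b"(b), "=c"(c), "=d"(d));
    (void)b; (void)c; (void)d;
}

/* Fills out[0..n) with the RDTSC delta around one CPUID each. */
void sample_cpuid_cycles(uint64_t *out, size_t n) {
    for (size_t i = 0; i < n; i++) {
        uint64_t t0 = read_tsc();
        run_cpuid();
        uint64_t t1 = read_tsc();
        out[i] = t1 - t0;
    }
}
#else
/* Not x86: there is no CPUID to trap, so report zero for every sample. */
void sample_cpuid_cycles(uint64_t *out, size_t n) {
    for (size_t i = 0; i < n; i++) out[i] = 0;
}
#endif

int main(void) {
    enum { N = 2000 };
    static uint64_t samples[N];
    /* Assumed baseline for the demo; measure it on trusted hardware instead. */
    const uint64_t baseline_cycles = 300;
    const unsigned factor = 10;

    sample_cpuid_cycles(samples, N);
    uint64_t med = median_u64(samples, N);
    printf("median CPUID cost: %llu cycles\n", (unsigned long long)med);
    if (exceeds_baseline(med, baseline_cycles, factor))
        printf("CPUID is %ux slower than baseline: a hypervisor is likely trapping it\n", factor);
    else
        printf("CPUID cost is within baseline\n");
    return 0;
}
```

Run it natively and then inside a virtual machine to see the gap the article relies on. The check is deliberately crude: frequency scaling, SMIs and a hypervisor that virtualizes the TSC all move the numbers, which is why the team's argument rests on having many independent sources of truth rather than on any one of them.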


Just before the 4th of July holiday, our team issued a challenge to Joanna: lay down terms, and we'll provide "virgin" hardware to install Blue Pill on. We'll tell her which hardware she's infected, or she keeps the hardware. Joanna responded: it will cost her 12 person-months, or $412,000, to refine Blue Pill to the point where it would survive that challenge. It has taken our team less than a month to develop the detection tools we'll discuss at Black Hat. By our math, that means Rutkowska has conceded that hypervisor rootkit detectors have a 16-to-1 advantage over hypervisor rootkit authors.

Virtualization is without question the most important thing happening in computing this decade. From protected memory to web-based scripting languages to virtual machines, practically every major advancement in technology has provided opportunities for attackers and defenders. In the case of virtualization, we think the technology offers far better possibilities to defenders than attackers. Some day, hypervisor malware will be mooted when every mainstream platform runs virtualized by default, with secured, well-tested hypervisors that prevent hyperjacking from ever taking place.

Companies like Microsoft should help make that day come sooner rather than later.

* Thomas Ptacek is a security researcher and software developer with over 10 years of industry experience. He is a principal, founder, and core team member at Matasano Security where his responsibilities include security consulting engagements as well as research and development.
