From: Anthony Liguori <aliguori@linux.vnet.ibm.com>
To: Mark Williamson <mark.williamson@cl.cam.ac.uk>
Cc: xen-devel <xen-devel@lists.xensource.com>,
	David Pilger <pilger.david@gmail.com>
Subject: Re: Regarding Xen security....
Date: Tue, 16 Jan 2007 23:38:24 -0600
Message-ID: <45ADB650.1000005@linux.vnet.ibm.com>
In-Reply-To: <200701170307.02721.mark.williamson@cl.cam.ac.uk>

Mark Williamson wrote:
>>> The vast majority of this is, as Keith Adams put it, "quasi-illiterate
>>> gibberish."
>>>
>>> http://x86vmm.blogspot.com/2006/08/blue-pill-is-quasi-illiterate.html
>>>
>>> Having VT/SVM doesn't really change anything wrt rootkits.  Most of what
>>> is floating around is FUD.  There's nothing you can do today that you
>>> couldn't do before VT/SVM.
>> This is true in some manner, it's just that VT/SVM let a rootkit hide
>> itself pretty well from the operating system that it is already
>> attacking. But no doubt it's FUD. At the other end though, Intel
>> invests a lot of efforts in marketing VT as a synonym for security.
> 
> I always thought the principle behind blue pill was quite sensible.  It's not 
> demonstrating a fundamental flaw / bug in the hardware design (I'm not sure 
> it was originally presented that way, although I've certainly seen it treated 
> as if it did).

I'm a bit biased on the subject, but the author did announce her work with 
a paper claiming "100% undetectable malware".  That simply isn't true.

Discussing the practicality of hiding malware is certainly an 
interesting and research-worthy topic.  However, IMHO, VT/SVM really 
doesn't make it any easier than it was in the past.

You could always hook the IDT.  That is considerably easier than setting 
up a full VT/SVM environment.

Regards,

Anthony Liguori


> I see it as just a (rather neat and clever) proof of concept to show that the 
> VMX/SVM extensions add a new class of attack and a new stealth mechanism for 
> rootkits; no more no less.  A heads-up to the security community.  And worth 
> pointing out, since existing rootkit detection mechanisms may not be able to 
> detect it once the VMX stealthing is enabled...
> 
> I have a feeling that this research has both been reported to be much more, 
> and much less than it really is.  The important thing is that it doesn't open 
> a new loophole, but does provide a new tool for attackers (and for 
> defenders!).
> 
> Cheers,
> Mark
> 
