From mboxrd@z Thu Jan 1 00:00:00 1970
From: Anthony Liguori
Subject: Re: Regarding Xen security....
Date: Tue, 16 Jan 2007 23:38:24 -0600
Message-ID: <45ADB650.1000005@linux.vnet.ibm.com>
References: <0A8CFEC45B7F4C419F7543867C47442366E4F3@mailserver.nechclst.in> <45ABE13F.7070806@linux.vnet.ibm.com> <280848580701152356w7da153cek99953c66dcdb1dc@mail.gmail.com> <200701170307.02721.mark.williamson@cl.cam.ac.uk>
In-Reply-To: <200701170307.02721.mark.williamson@cl.cam.ac.uk>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Sender: xen-devel-bounces@lists.xensource.com
Errors-To: xen-devel-bounces@lists.xensource.com
To: Mark Williamson
Cc: xen-devel, David Pilger
List-Id: xen-devel@lists.xenproject.org

Mark Williamson wrote:
>>> The vast majority of this is, as Keith Adams puts it, "quasi-illiterate
>>> gibberish."
>>>
>>> http://x86vmm.blogspot.com/2006/08/blue-pill-is-quasi-illiterate.html
>>>
>>> Having VT/SVM doesn't really change anything wrt rootkits. Most of what
>>> is floating around is FUD. There's nothing you can do today that you
>>> couldn't do before VT/SVM.
>>
>> This is true in some manner, it's just that VT/SVM lets a rootkit hide
>> itself pretty well from the operating system that it is already
>> attacking. But no doubt it's FUD. At the other end though, Intel
>> invests a lot of effort in marketing VT as a synonym for security.
>
> I always thought the principle behind blue pill was quite sensible. It's not
> demonstrating a fundamental flaw / bug in the hardware design (I'm not sure
> it was originally presented that way, although I've certainly seen it treated
> as if it did).

I'm a bit biased on the subject, but the author did announce her work with a paper claiming "100% undetectable malware". That simply isn't true. Discussing the practicality of hiding malware is certainly an interesting and research-worthy topic.

However, IMHO, VT/SVM really doesn't make it any easier than it was in the past. You could always hook the IDT. That is considerably easier than setting up a full VT/SVM environment.

Regards,

Anthony Liguori

> I see it as just a (rather neat and clever) proof of concept to show that the
> VMX/SVM extensions add a new class of attack and a new stealth mechanism for
> rootkits; no more, no less. A heads-up to the security community. And worth
> pointing out, since existing rootkit detection mechanisms may not be able to
> detect it once the VMX stealthing is enabled...
>
> I have a feeling that this research has both been reported to be much more,
> and much less than it really is. The important thing is that it doesn't open
> a new loophole, but does provide a new tool for attackers (and for
> defenders!).
>
> Cheers,
> Mark
>