Saturday, July 01, 2006

The Blue Pill Hype

All the hype started from this article in eWeek by Ryan Naraine... The article is mostly accurate, except for one detail - the title, which is a little misleading... It suggests that I already implemented "a prototype of Blue Pill which creates 100% undetectable malware", which is not true. Should this be true, I would not call my implementation "a prototype", which suggests some early stage of product.

That being said, I sincerely believe that Blue Pill technology will (very soon) allow for creating 100% undetectable malware, which is not based on obscurity of the concept. And I already stressed this in the description of my talk here and here. The working prototype I have (and which I will be demonstrating at SyScan and Black Hat) implements the most important step towards creating such malware, namely it allows moving the underlying operating system, on the fly, into a secure virtual machine.

The phrase "on the fly" is the most important thing about Blue Pill - it makes it possible to install a blue pill based malware without restarting the system and without any BIOS or boot sector modifications. I wish all those people who were posting about how easy it would be to detect Blue Pill by booting a system from a clean CD, spent more time on reading my original blog article, instead of creating useless posts... (just a little wish).

The Blue Pill prototype I currently have is not yet complete, but this is not that important, because having successfully moved the OS into a virtual machine, implementing all the other features is just a matter of following the Pacifica specification. And I will repeat my statement again: I believe the malware based on a fully implemented Blue Pill will be 100% undetectable, provided that Pacifica is not "buggy". 100% undetectable in practice - I should add - as I'm aware of some theoretical brute force attacks, which, however, I do not consider practical, nor do I believe they could be used in the future anywhere outside the lab. It should be undetectable, even if the malware code was made available to the opponent (e.g. AV company).

There are a number of ways Blue Pill could be exploited to create the actual malware (Blue Pill itself is just a "hijacking technology", not malware) and I will be showing a simple example of how it could be used to create a network backdoor on Vista x64.

What happens when you install Blue Pill on a machine which is already Blue Pilled? Should future OSes come with their own preinstalled hypervisor to prevent Blue Pill installation? What about timing analysis? All those questions will be answered during my presentation - please do not send or post the same questions again and again...

That all being said, I don't think the title in the eWeek article was exaggerated too much, but I just wanted to clarify things. After all, it was very positive, IMO, that the article attracted lots of attention, because I believe that hardware virtualization technology could become one of the biggest threats in the coming years (i.e. when more people will use processors with hardware virtualization support) if we do not do anything about it. Can we do anything? I believe we can, but first we need to understand the threat.

One more thing should be commented on. Some people suggested that my work is sponsored by Intel as I focused on AMD virtualization technology only. They should know, then, that my work was sponsored exclusively by COSEINC Research and not by Intel. I implemented Blue Pill on AMD64 just because my previous research (also done for COSEINC) was focusing on Vista x64 and the natural choice of the processor for this was AMD64. And, although I wish I had more time to also try implementing Blue Pill on Intel VT, unfortunately I don't :( Accusing me of doing this on one processor only, instead of on both AMD and Intel, is like saying that all vulnerability researchers who find holes inside open source programs are paid by Microsoft ;) This is just ridiculous!

25 comments:

Anonymous said...

you wrote "What happens when you install Blue Pill on a machine which is already Blue Pilled? Should future OSes come with their own preinstalled hypervisor to prevent Blue Pill installation? What about timing analysis?"
but.. what happens if I buy a PC with an OS preinstalled and already blue pilled by the vendor? you certainly know about the Sony/rootkit matter... I'm so scared.. what do you think about it? is there a way to solve this problem?

ps. compliments for your studies :)

Anonymous said...

This entry quite much clarifies your previous post and answers some (useless ;]) questions. Both were nice for reading, I'd really like to see your presentation, but I probably won't be able to. Will there be any video available?

Anonymous said...

I haven't messed with any processors that support virtualization, but it seems that I should be able to go into the bios, disable virtualization, and problem solved.

No software is perfect, and this rootkit will be detected soon enough. I don't care if the rootkit can be loaded without rebooting. If all else fails, I boot from a CD, verify that each and every Windows file is correct, and double-check everything that starts with Windows. The rootkit would not be running when I boot from a CD unless it is stored in the BIOS. Or unless it is "magical," as you are leading everyone to believe this one is.

If for some strange reason they can not come up with an easy solution to prevent this kind of rootkit, AMD may have to redesign their virtualization a bit. I know some AMD fans are getting offended that you are targeting AMD processors, but I guess we should be thanking you. It's better that this flaw is known so a solution can be made to prevent it. The Intel virtualization users may go along thinking they're safe, but then one day a really nasty virus will come along and bite them in the ass.

With the processor I have now, I am safe from this because it doesn't support virtualization. But I'm planning on upgrading to a K8L next year, and I really hope this virtualization can be disabled through the BIOS. It sounds like new technology that needs to be thoroughly tested before it's put into mass use.

Anonymous said...

On AMD64, any attempt to enable hardware virtualization inside a virtualized session will trap out to the top level hypervisor. The current implementation of Pacifica isn't capable of nesting VMs natively.

One way to deal with blue pill type threats is to virtualize the entire system early in the boot process. This could be facilitated by an antimalware driver 'blue pill'ing the OS at boot, by the OS itself, by a custom MBR boot loader, or even by the BIOS. Once this is done, any software that attempts to set up another virtualized session could be trivially terminated before it could take root.

If blue pill-based malware starts looking likely, it would be very surprising if at least one of these countermeasures were not implemented rapidly.

Joanna Rutkowska said...

Disable virtualization? Prevent all VMMs from loading after system gets its own hypervisor loaded early in the boot? So, how about asking AMD and Intel politely, that they stop producing processors with virtualization! ;) That should pretty much solve the Blue Pill threat, just like unplugging your computer from network could solve most of the current threats ;)

Anonymous said...

you write that knowing the code won't help detecting it, and you also wrote that the OS swallows blue pill.
if you insert code through the OS it should be possible to monitor (even though that if you missed your chance you won't get a second one once it's run) so I guess you're talking about inserting the code somewhere else. and that is quite intriguing. can you elaborate?

viraptor said...

Hello

From the art. it's clear that Blue Pill doesn't survive physical reset. But as far as I understand virtualization, it should allow single supervised system to reboot without removing supervisor (Blue Pill)...

In that case, once loaded, Blue Pill, or similar code, will stay forever in a typical server system, that goes for '100% minus update-reboot' uptime and will survive every software reboot. (till next power shortage anyways...)

Is that right?

(sorry - SyScan is so late and there are so many questions.... :)

LocoDelAssembly said...

Joanna, simple but important question, will your Blue Pill be able to install itself on the system when you run it with a non privileged user?

Hope that Microsoft doesn't do things like switch the processor to "Pacifica mode" to prevent this kind of rootkit, I prefer to get my CPU as optimal as possible and if I need some protection then I use a "blue pill prevention software" in the same way I use anti viruses and anti spywares when I need active protection against malwares.

Regards,
Hernán

Anonymous said...

Very nice work!
I am interested in the presentation you must be preparing for August, 3rd. Will it be possible to have a PDF of the slides?

Anonymous said...

Hi,

I could not make it to the SyScan conference and I'm afraid I won't be able to see your talk in Las Vegas either. Will you publish more information about your work?

Joanna Rutkowska said...

The slides will be posted after the Black Hat conference. Stay tuned.

Anonymous said...

Well /here's/ a question nobody's asked yet, I shall call it "The Dog Whistle Paradox" (not really a paradox)

If it's undetectable once installed, how do you know it worked and didn't just quit? :-p

Seriously tho, some people here seem to be missing some important points. I haven't researched the spec, but some food for thought for people with the repeating questions -

1- Detect it through timings. This may work with software virtualisation, but the whole point of hardware virtualisation is that there is circuitry within the processor to take care of virtual mappings so a virtual machine can run at native speeds. This also goes for counting op count registers.

2- Cannot nest VMs. Really? It wouldn't require too much trickery to get round this problem, for example, using a sibling VM which has memory mapped into the first VM, the VM can appear nested even though it's created by the host machine, leaving it to run at full speed.

3- I can reboot from a bootdisk to detect it. Err, how often do people do this, if they don't already suspect there's something there?

4- What if I disable the vm extensions? Then you're not running on a compatible processor, and this doesn't apply to you.

5- Why? Because knowledge is power!!!

People, get used to technology like this, as people have already spotted uses for it, such as in the TCM/DRM arena (eg, a hypervisor that pushes the OS into a virtual machine and controls what data it can/can't read based on cryptographic keys etc).

Nice work Joanna.

x2A

90210 said...

Hmm. Syscan is over but I still can't find the photo gallery on your site ;)

Anonymous said...

It does look like you not only know your stuff on internals, but you are quite literally a marketing wizard.
The moment you show that Blue Pill works and is not just hype (as some of the security community believe) you can probably write your own ticket (pay, perks, whatever), and should MS not hire you, then they are bigger fools than we hold them for.
I do have some doubts on the transportability to other platforms, but I guess I will have to wait in the queue...

Anonymous said...

I don't even understand the hype about all your "Blue", "Red" or "green yagged" pill.

In my opinion, microcode updates are more - if not the most - dangerous stuff of all - more than virtualizing.

Yet we don't even know what Intel or AMD can do with a precise update of the cpu's microcode - (or what they have done in the last years).

A hacker or upset former employee of those companies can/could put information about that microcode stuff (gate-arrays, cpu instruction interpreters etc.) onto the net - isn't it?

And - in my opinion - more dangerous are secret services which - I'm sure - are already using microcode updates to create REALLY hidden malware... Not that debug-registers-malforming stuff (try to set debugging points on reading sdt, int 0e etc.)

(Besides that I understand the source of svv - but it doesn't work with softice - exception in rdmsr. I trust softice + my human intelligence more than a small svv)

Nevertheless, regards

Kevin Root-Ane

Anonymous said...

Congratulations to Joanna !!!

She has just been vindicated @ last in Las Vegas @ the Black Hat conference.

Quote -

" After security researcher Joanna Rutkowska on Thursday demonstrated how it's possible to circumvent security in Microsoft's Vista beta software and install a rootkit called Blue Pill, Microsoft said it intends to find ways to stop both potential threats before Vista ships.

At the Black Hat conference, Rutkowska, security researcher at Singapore-based firm COSEINC, showed that she found a way to bypass the Vista integrity-checking process for loading unsigned code into the Vista kernel. Then she presented Blue Pill, a rootkit she created based on Advanced Micro Devices' Secure Virtual Machine, Pacifica. "

-

Microsoft's director of the Windows client group, Austin Wilson, said Microsoft considers Rutkowska's findings "legitimate" and is looking at the problem.

-

"What she showed was legitimate and a very real threat," Wilson said.

http://www.networkworld.com/news/2006/080406-microsoft-blue-pill.html

Etc -

I wonder what her doubters will have to say now, if Anything ?

Spanner

SpannerITWks

Peter Teoh said...

I am one of the doubters.

And I have a way to detect this "100% undetectable malware".

I attended your presentation at Syscan. And I am referring to your diagram where you corrected the timing offset, so as to disguise any time delay when executing the instructions like RDMSR in the hypervisor. Yes you can do it once, and twice. But once you do it a billion times, it will become a time skew, WITH RESPECT TO AN EXTERNAL CLOCK. So to detect the malware is rather easy. And this is the same as detecting execution inside a hardware-based VM. Just execute some instructions which will cause a transition to the VM kernel (like RDMSR etc), and do it many millions of times over. Comparing a machine with a VM to another without a VM, the one with the VM will have more instructions to execute, and thus will be slowed down relatively. But because the clock offset is corrected, the timing DURATION of execution appears the same in both systems. But if the one inside the VM has access to an external clock, outside its own host environment, he can measure the SKEW, and will notice that the skew is growing wider and WIDER.
Then he stops executing this instruction completely, and executes another like "INC RAX, PUSH RBP" etc, billions of times over. Then he measures the clock timing of the internal and external systems, and notices there is no timing skew at all.

It is obvious someone is hijacking these special commands, right?
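The external-clock check described in the comment above, as an added example that is not part of the original thread: a small C model of a detector that compares the guest-visible TSC against an outside time source for an intercepted instruction loop (RDMSR in the comment) and a control loop (INC RAX). The cycle costs, the jitter bound, the decision threshold and all function names are constructed assumptions, not measurements of any real hypervisor.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model parameters (assumptions, not measurements). */
#define NATIVE_COST   100     /* cycles per instruction without interception   */
#define EXIT_COST    2000     /* extra real cycles per intercepted instruction */
#define JITTER_MAX 500000     /* worst-case error of one external clock read   */

typedef struct {
    int64_t  real_cycles;  /* true elapsed time, as an outside observer sees it  */
    int64_t  tsc_offset;   /* hypervisor-controlled value added to the TSC       */
    int      hypervisor;   /* 1 if a hypervisor intercepts the probe instruction */
    uint32_t rng;          /* deterministic jitter source for the model          */
} machine_t;

static machine_t new_machine(int hypervisor) {
    machine_t m = { 0, 0, hypervisor, 12345u };
    return m;
}

/* Guest-visible time stamp counter: real time plus the hypervisor's offset. */
static int64_t guest_tsc(const machine_t *m) {
    return m->real_cycles + m->tsc_offset;
}

/* External clock reading, in cycles: real time plus bounded jitter
 * (standing in for network delay to an outside time source). */
static int64_t external_clock(machine_t *m) {
    m->rng = m->rng * 1664525u + 1013904223u;
    return m->real_cycles + (int64_t)((m->rng >> 8) % JITTER_MAX);
}

/* Execute n instructions. Intercepted ones cost extra real time, which the
 * hypervisor hides from the guest by lowering the TSC offset by that cost. */
static void run(machine_t *m, int64_t n, int interceptable) {
    m->real_cycles += n * NATIVE_COST;
    if (m->hypervisor && interceptable) {
        m->real_cycles += n * EXIT_COST;
        m->tsc_offset  -= n * EXIT_COST;
    }
}

/* Skew = elapsed time by the external clock minus elapsed time by the TSC. */
static int64_t measure_skew(machine_t *m, int64_t n, int interceptable) {
    int64_t t0 = guest_tsc(m), e0 = external_clock(m);
    run(m, n, interceptable);
    int64_t t1 = guest_tsc(m), e1 = external_clock(m);
    return (e1 - e0) - (t1 - t0);
}

/* Compare the probe loop with the control loop. The four clock reads add at
 * most 2*JITTER_MAX of error to the difference, so the threshold is set to
 * twice that bound: a clean machine can never trip it. */
static int detect(machine_t *m, int64_t n) {
    int64_t probe   = measure_skew(m, n, 1);  /* e.g. RDMSR loop   */
    int64_t control = measure_skew(m, n, 0);  /* e.g. INC RAX loop */
    return (probe - control) > 4 * (int64_t)JITTER_MAX;
}

int main(void) {
    machine_t clean = new_machine(0), pilled = new_machine(1);
    printf("clean,  1e9 probes: %d\n", detect(&clean, 1000000000LL));
    printf("pilled, 2 probes:   %d\n", detect(&pilled, 2));
    printf("pilled, 1e6 probes: %d\n", detect(&pilled, 1000000LL));
    return 0;
}
```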

Joanna Rutkowska said...

Hi Peter!

We talked about it, and yes, you're right - just as I said during my presentation there are theoretical ways to detect that a system has been bluepilled (using an external clock is one of them) - it's just that I don't believe they might be used in practice for many reasons. So, what should we do about this kind of threat? I don't have the answer yet…

cheers,
joanna.

Anonymous said...

Could AMD modify the BIOS to not enable Pacifica technology and block the blue pill?

Does this also affect Intel VT?

Anonymous said...

Oh, it will be most interesting to create a "protection profile" or "threat model" against this kind of performance.

However, creating counteraction (let's say, an awareness first to be realistic, shall we?) against threats like this is a summary of multiple information pieces, not only an operating system itself. It requires much more.

Basically, creating "infrastructure beyond infrastructure" sounds similar as altering current to computer transformer, and making it perform activities (like enable/shutdown a single harddisk ;)) based on deviations of electric current ;)

Pilling downlevel, very CORE system instead of apps sitting on top of it, including HW that creates presentation layer for operating system ...sounds intelligent approach.

Let's assume something else. Network components. This is much more "trickier" than implementing pill on operating system, which you are able to touch directly.

Enabling pill via remote, using bolts&dimes enabled by network INFRASTRUCTURE itself (See the word ? It has pressure!) sounds heavily "ultimate solution" approach.

To be short with summarum; good thoughts Joanna!

Anonymous said...

Hi, Joanna. Congratulations on your malware research results. I'm a guy myself, but it is about time that girls like you who do important research and publish it be properly recognized. It is a pity that your research field is so dominated by guys!
It is also exciting to know you like The Matrix. It is my favorite, too.
I, and I trust a lot of people out there, are very proud of you. Keep up the good work, honey!

Anonymous said...

Hey Joanna,

With actual testing of rdtsc timing attacks I feel your claims of 100% non-detection of blue pill, even your 'final' version, is totally debunked. Until chip makers have 0 overhead of rdtsc, which just won't happen since virtual mode will never be as fast as native mode, you will have SIGNIFICANT measurable skew. Sure you can call this a 'bug' in AMDV but I really don't believe it is, it's just how it is. It's not supposed to be totally stealth. You secondly claim that your #VMEXIT w/ TSC_OFFSET modification can prevent all timing attacks. I'd love for you to prove me wrong by your final bluepill work to bypass my little test app...

Best of luck! =)
Chris

http://rootkit.com/newsread.php?newsid=548

Anonymous said...

Joanna,

this is the way to create a base line.

It's a great pity, that you work in the wrong site.

Tyler D.

Anonymous said...

Joanna,
The whole Blue Pill concept and your other research topics are quite amazing.
Can you recommend a list of books that could get one started in the field of system internals/computer hardware in general and their security issues in specific?
D

jbmoore said...

The practical benefits of Blue Pill may far outweigh any negative impacts. To be able to virtualize an entire OS and disk subsystem on the fly is amazing. The technique could be used to sandbox the OS rather than just hijack it. Unfortunately, I'm not knowledgeable enough in these matters to see all the possibilities and permutations that you do. I do know that eventually the truth will come out in spite of all the hyperbole and egos. As to whether your warning will be heeded, that is also for the future to decide. We live in interesting times where little makes much sense except from the standpoint of greed. Security seems to be used more to control people ( and ensure fortunes are maintained ) rather than actually make their lives safer or better.