Saturday, August 12, 2006

Blue Pill Detection!

So, after I presented the idea behind Blue Pill at SyScan and Black Hat, some people started talking about how *easy* it should be to detect Blue Pill using timing analysis. Interestingly, they must have missed the fact that I already discussed this way of detection during my presentations and I also gave the reasons why I don't think it could be used in practice...

But anyway, let's look at the problem again...

Obviously, Blue Pill, like any other hardware-based VMM, needs to intercept some events and instructions. One intercept which we need to take care of (in the case of SVM technology) is the RDMSR EFER instruction, just because the 12th bit in the EFER register signals whether the processor works in SVM mode or not. So, we need to cheat about it to the guest.

Now, we can measure how many processor ticks a given instruction took to execute - all we need to do is to use the RDTSC instruction, which returns the processor's time stamp counter. So I did the measuring and it turned out that normally it takes around 90 ticks to execute RDMSR, while on a 'bluepilled' system it takes about 2100 ticks. What a big difference, you will say!

But SVM technology (and Intel VT-x also) offers a nice way to cheat the guest about those extra ticks, by adjusting a special variable in the VMCB, called TSC_OFFSET (in that case we would set this value to something around -2010, just before returning to the guest). As a result, the guest cannot notice, by using the RDTSC instruction, that the RDMSR instruction took extra ticks.

So, here's what we need to do: we need to prepare a test piece of code, which would involve calling e.g. the RDMSR instruction something like a few million times, and observe the timing using an *external* clock (yes, the VMM can also cheat about the internal real time clock). This external clock can also be a human being (=user). For example, the detector could display a message to the user:

"Dear user, I'm going to run a test now; if this test took more than 1 minute, that would mean your computer is probably compromised with a VMM based malware. Press OK to continue..."

The first problem with this approach is how to generate a piece of code which would execute for exactly 1 minute (or any other given amount of time) on a native machine, taking into account that we may have many different processor models, working at many different speeds, etc... One can say that we can probe the processor speed, using some test instructions which we know for sure are not intercepted (most of the instructions). But this is problematic, since the hypervisor can cheat as to how many ticks those instructions took to execute (as RDTSC can be intercepted itself). Of course this is trivial when we assume that we can run our detector before and after infection, but this is not the case in most practical scenarios. So, I don't know how to solve this problem (which doesn't mean it can't be solved though)... Any suggestions welcomed.

Without solving the above problem, we're facing a problem of false positives and negatives. Consider that the test above took 5 minutes (instead of one) - now does that mean that we used too much testing code (because the guest was cheated during calibration) and that the very processor just had to spend 5 minutes executing it, or was this a sign of an infection? It's just that on a new processor model maybe the RDMSR interception slowdown would be of a factor of 5 instead of 20 as it is with the processor I have right now. And if it was 15 minutes?
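The timing argument so far, as an added C model that is not code from the original post: it simulates a guest whose RDTSC reads are shifted by TSC_OFFSET (no real RDMSR or RDTSC is executed), showing that the internal measurement stays at 90 ticks while an external clock sees the slowdown, and that a 5x-slow result looks the same for a slower clean CPU and a milder intercept. The struct and function names, the 2 GHz and 400 MHz clock rates, the loop count and the 450-tick intercept cost are assumptions; 90, 2100 and the resulting -2010 adjustment are the post's figures.

```c
#include <stdint.h>
#include <stdio.h>

#define NATIVE_COST 90ULL   /* post: ~90 ticks for RDMSR on a native system */

/* Constructed model of one CPU; nothing here touches real MSRs or the TSC. */
struct machine {
    uint64_t rdmsr_cost;    /* real ticks one RDMSR takes on this machine */
    int      hide_overhead; /* 1: VMM lowers TSC_OFFSET after each intercept */
    uint64_t real_tsc;      /* ticks that really passed (external clock view) */
    int64_t  tsc_offset;    /* added to real_tsc on every guest RDTSC */
};

/* What the guest reads when it executes RDTSC. */
static uint64_t guest_rdtsc(const struct machine *m)
{
    return (uint64_t)((int64_t)m->real_tsc + m->tsc_offset);
}

/* One RDMSR EFER: real time always advances by the full cost. */
static void exec_rdmsr(struct machine *m)
{
    m->real_tsc += m->rdmsr_cost;
    if (m->hide_overhead)   /* 2100 - 90 = 2010 ticks hidden per intercept */
        m->tsc_offset -= (int64_t)(m->rdmsr_cost - NATIVE_COST);
}

/* Internal measurement: RDTSC, RDMSR, RDTSC, as seen by the guest. */
uint64_t guest_ticks_for_rdmsr(uint64_t rdmsr_cost, int hide_overhead)
{
    struct machine m = { rdmsr_cost, hide_overhead, 0, 0 };
    uint64_t t0 = guest_rdtsc(&m);
    exec_rdmsr(&m);
    return guest_rdtsc(&m) - t0;
}

/* External measurement: milliseconds on a clock the VMM cannot adjust. */
uint64_t external_ms(uint64_t hz, uint64_t rdmsr_cost, uint64_t iterations)
{
    struct machine m = { rdmsr_cost, 1, 0, 0 };
    for (uint64_t i = 0; i < iterations; i++)
        exec_rdmsr(&m);
    return m.real_tsc * 1000 / hz;
}

int main(void)
{
    const uint64_t n = 2000000;          /* loop count hardcoded for 2 GHz */
    const uint64_t fast = 2000000000ULL; /* assumed 2 GHz part */
    const uint64_t slow = 400000000ULL;  /* assumed 400 MHz part */

    printf("guest RDTSC view:  native=%llu  intercepted+offset=%llu ticks\n",
           (unsigned long long)guest_ticks_for_rdmsr(90, 0),
           (unsigned long long)guest_ticks_for_rdmsr(2100, 1));
    printf("external clock:    native=%llu ms  intercepted=%llu ms\n",
           (unsigned long long)external_ms(fast, 90, n),
           (unsigned long long)external_ms(fast, 2100, n));
    /* The false-positive case: both take 5x the expected 90 ms. */
    printf("ambiguous 5x:      slow clean CPU=%llu ms  mild intercept=%llu ms\n",
           (unsigned long long)external_ms(slow, 90, n),
           (unsigned long long)external_ms(fast, 450, n));
    return 0;
}
```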

Currently this is not a big problem, just because there are only two models of AMD processors supporting SVM on the market and each is available with a few different clock speeds. So, we can probably hardcode the testing code into our detector (because the slowdown is so big). But how will the situation change during the next two years, when there will be many more processors supporting hardware virtualization on the market? We would have to have a database of processor models and how much test code we need to use on each of them. (Oh, BTW, and how could the detector detect which model it's running on? You bet, using a CPUID instruction, which can be intercepted...)

And even if we solved this problem, this kind of detection would still be annoying to users (imagine a user being forced to do this kind of "1-minute test", or even a 10-second test, every 15 minutes or so) unless we used some kind of infrastructure providing external time measurement (it can't be just public NTP, because NTP packets could be easily intercepted by the malware). So, we would need to set up encrypted NTP servers in each company... Ah great!

So, I find it quite surprising that some people diminish the threat introduced by hardware virtualization based malware. I would like to point out that it's a somewhat ridiculous situation when the malware can be reliably written using perfectly documented features of the processor, while we need to do some timing based tricks to detect it :) Are we switching roles with malware writers?

What we need is a reliable detector, something which would return 0 or 1 depending on whether we're inside a VM or not. And I really don't see how we can create such a program (i.e. a standalone generic detector).

For completeness, I should also mention, just as I did during my talks, that we're aware of another attack against Blue Pill which should be very reliable and that can be implemented as a standalone program, but unfortunately it seems to allow only for crashing the system when it's 'bluepilled'. This nice attack has been independently proposed by Alex Tereshkin and Oded Horowitz, BTW.

Some people talked about prevention... Can we disable virtualization in BIOS? I can't do it on my AMD machine - but I heard that vendors are going to release updates to allow for that. But, come on, this is not a good way to address this threat! It's better not to buy the processors supporting hardware virtualization!

One more thing - as I'm being continually asked about this - yes, it is possible to create a similar malware to Blue Pill using Intel VT-x, just like it was demonstrated by Dino Dai Zovi at Black Hat a week ago.

15 comments:

Anonymous said...

Don't get disheartened, a lot of people interpret things and this often leads to misinterpretation. Some people though do seem to like knocking things/people, and new ideas etc. If they spent more time coming up with ideas/solutions/answers themselves, that would be a lot more productive!

Now please don't shoot the messenger lol, but .....

Could some way/s be engineered to introduce a highly accurate clock, RTC ( Real Time Clock ) eg Atomic = into the equation somewhere/somehow for timing purposes. This could consist of not one, but say 2 RTC's, in internal the external to the PC. Or just the one RTC, say external to the PC, but the timing pulses inputted to the PC as well. Then possibly a diff comparison could be made against any timing anomalies etc.

Some ideas might not be feasible for all sorts of reasons, but @ least they get discussed and thought about etc. That's often how progress is made, by working through ideas that maybe won't work, but either have some merit or potential, and/or give other people ideas and spur them on in being able to produce something that can/will work.

Regards,

Spanner

SpannerITWks

Joanna Rutkowska said...

Ok, so one thing I forgot about is a nice method which was proposed by Peter Teoh – namely he suggested to choose a set of instructions (based on a latency table published in the AMD optimization guide) which should have a similar latency (in total) to the RDMSR instruction (around 90 on my processor model). So, we can get rid of the problem of calculating the required number of test loops – we can just use an arbitrary (high enough) number of iterations and compare the results of the two tests – one with RDMSR and the other with the test instructions. This implies that if we rely on a user to do the timing, then we need to ask him or her to pass the two tests. Now imagine that you need to spend, let’s say 10 seconds, for each test, every, let’s say one hour (we do want to constantly monitor our system, right)? I guess not too many people would be happy with such a detector… So, the practical solution would have to rely on some external clock and again we face a problem of creating a custom/encrypted NTP infrastructure…

BTW, I don’t think we could just create two threads executing concurrently (one doing a test loop of RDMSR and the other of no intercepted instructions), just because the thread scheduler could be fooled (the quantum for the first thread can be made 20 times longer) which would result in both threads finishing at the same time.

Anonymous said...

So, what about the claims that the Vista paging stuff is not novel?

Joanna Rutkowska said...

Well, if they claim they came up with a similar idea for an attack against BSD four years ago, they probably did. Not sure what they want to achieve by releasing the exploit code to the public, though… BTW, one thing they got wrong – I haven’t proposed “disabling paging altogether” as they wrote – I only proposed to disable *kernel* code and data paging, which makes a big difference.

Anonymous said...

Further to anons post about the claims that " Vistas paging stuff is not novel " via the link to elad's Invisible Research thread.

These days, and for quite some time, in PC's with large amounts < 1Gb of RAM installed, the paging/swap file can in ( most ) cases be dispensed with completely. Thereby eliminating that vector from the equation, and with the bonus of speeding things up too !

We do know what happens if and when the system runs out of memory, but not using the P/SF would of course be a personal choice. It wouldn't be difficult to run some overhead App to discover how much you had, or needed.

Spanner

SpannerITWks

Anonymous said...

You mentioned that you'll publish the slides of your talk here. It'd be great to read more about your work...

Anonymous said...

Hello,

Say, I can do ring 0 operations -
What about 'hooking' the SMM handler and reading the EFER from the state-save area. (Maybe you could disallow the hooking somehow, but what if it has been done before ?).

Will the CPU store the ORIGINAL EFER.SMVE (with the bit SET) and then BluePill is detected?

Anonymous said...

What I would like to hear about is what if the new machine came with a hypervisor with some defensive capabilities. Running at ring 0 it could know or somehow watermark its own hooks in the kernel and detect any changes. Obviously the rootkit would be difficult to defend against, but if the hypervisor was there first could it not have an advantage?

Thanks!

adin said...

First off, you're actually following an old computer science question--how can I (a von Neumann computing machine) tell if I've locked up?

You've hit on the same approach that is commonly used for detecting a "hung" process--timing, or some variation of a timing test against an "uncompromised" time source. (Or hardware based timing interrupts, though I'm not sure about the compromisability of most hardware interrupts)

I guess you could do something similar to a popup test, so that you're not measuring once, but many times and measuring the pattern---so that drastic divergence is the give-away. But it's certainly not a mathematically provable solution and I doubt that any computer scientist worth his salt will say that he can come up with a "complete"/"provable" method for bluepill detection--if you can queer most methods of timing detection, you've turned this into an AI style problem.

Anonymous said...

More ideas how to detect bluepill:

CACHE ---
fill cache with known pattern
execute WRMSR, VM* or other emulated instruction.
On normal system it doesn't trash cache (access time to data is as if they were cached)
On bluepilled system some of the data will be pushed out of cache --- you can measure it with RDTSC, but it will be hard to fake (you don't take any exceptions when accessing cached/uncached data, so you can't do time dilatation for that)

DMA ---
hypervisor is in memory, that is inaccessible to guest OS, but still accessible to DMA devices --- a detector can read memory with DMA to disk, send it to network, play it with soundcard etc.
implementing workaround is very hard and nearly impossible --- you have to emulate all devices' DMA engines
--- your bluepill will have to know about every possible disk controller, network card, sound card, usb controller ... etc, so that it can make sure that it won't let these devices to fetch its code

Anonymous said...

What about external timing tests? Given that the presence of a running service can be detected on tor all you need to do is run RDMSR a few times on the local system while checking the clock skew using TCP timestamping. Yes, this requires the remote system to know when RDMSR is going to be run, but without altering any of the software (and removing the undetectable aspect) you can't stop this. Hmm, except by altering the clock, which you're already doing ... but you can check if a machine is losing time by running a ntp client on it and doing icmp and tcp timestamping (see the above paper).

Anonymous said...

What if the CPU manufacturers provided a special "Am I Virtualized?" instruction that was guaranteed to return whether the current execution stream is in a VM where this instruction was itself exempt from interrupt or tampering by the hypervisor?

Also the previous suggestion of shipping the OS with its own defensive hypervisor seems a viable O/S independent approach to the problem.

Anonymous said...

Yep, Intel building LaGrande Technology maybe it's a way.
I talked with Intel guy during MTS 2006 in Warsaw and he said that Intel have and develops some software with lightweight hypervisor with fully supports VT architecture. Soft like this will allow creation of corporate environment where it will be started up hypervisor along with 2 virtual machines. One for security (Firewall, A/V etc.) and remote command line management for corp. support team and second for user system. Then I think blue pill can't run as second hypervisor.

Another way,
Even present VT hardware aren’t perfect, so, probably, it will be can build some detector, which will identify work at virtual environment without use VM control bit (which can be fake) but after some prepare functions or processes if otherwise, which different behave in virtual environment.

P.S.
I apologize for my poor English.
Greetings for Joanna after inspiring SecureCON 2006 in Poland.

Anonymous said...

Some people talked about prevention... Can we disable virtualization in BIOS? I can't do it on my AMD machine - but I heard that vendors are going to release updates to allow for that. But, come on, this is not a good way to address this threat! It's better not to buy the processors supporting hardware virtualization!

hardware virtualization will revolutionise the way we use computers..

i think the advantage outweighs the disadvantage..what is disadvantage? a rootkit?

these problems will be solved, in time, just like every other piece of malware.

Sebastian said...

Hi Joanna,

indeed you're right that it is nearly impossible to find out "if I am virtualized" as long as hardware-counters or flags can be cheated.
IMHO the only reliable method for detecting compromised hardware is trusted hardware. As you mentioned in your malware talk, as long as the "malware" has at least the same privileges as we do, we can't find it.
As long as those registers/flags can be cheated, software doesn't seem to be a solution for finding blue pills and a hardware-based solution would be somewhat annoying but possible.
So, I'm thinking about a USB dongle sending crypted (private/public key) timing events.
For large companies, this shouldn't be a problem, because most of the staff has one of those RSA login-key-generators. So, now let's combine this timer with a read-only usb-device... ;-)

kind regards,
Sebastian