The presentation first debunks the 4 Myths About Stealth Malware Fighting that surprisingly many people believe in. Then my stealth malware classification is briefly described, presenting malware of type 0, I and II and the challenges with their detection (mainly with type II). Finally I talk about what changes in the OS design are needed to make our systems verifiable. If the OS were designed in such a way, then detection of type I and type II malware would be a trivial task...
There are only four requirements that an OS must satisfy to become easily verifiable; these are:
- The underlying processors must support a non-executable attribute on a per-page level,
- The OS design must maintain strong code and data separation on a per-page level (this could at first be only in the kernel and later might be extended to include sensitive applications),
- All code sections should be verifiable on a per-page level (usually this means some signing or hashing scheme is implemented),
- The OS must allow a 3rd-party application (kernel driver/module) to safely read physical memory, and for each page it must allow reliable determination of whether that page is executable or not.
The first three requirements are becoming more and more popular these days in various operating systems, as a side effect of introducing anti-exploitation/anti-malware technologies (which is a good thing, BTW). However, the 4th requirement presents a big challenge and it is not clear now whether it would be feasible on some architectures.
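The point of the four requirements is that verification collapses to a walk over physical pages: every executable page must be read-only and must hash to a known-good value, and nothing else matters. The Python sketch below is added here to make that concrete; it is not code from the original post or the presentation. It assumes a hypothetical snapshot format (a list of pages, each with its executable and writable bits plus raw contents, as requirement 4 would expose) and a whitelist of SHA-256 hashes for the known-good code pages (the hashing scheme of requirement 3). It also goes slightly beyond the text by walking through both a type I modification (a patched code page, caught directly) and a type II modification (a changed data page, not flagged by itself, but the code it must eventually transfer control to has to sit in an executable page, and that page is what gets caught).

```python
"""Page-level verifier for a memory snapshot (added example, hypothetical format)."""
import hashlib
from dataclasses import dataclass

PAGE_SIZE = 64  # constructed: shrunk from 4096 to keep the sample small


@dataclass
class Page:
    pfn: int          # physical frame number
    executable: bool  # NX bit clear (requirements 1 and 4)
    writable: bool
    data: bytes


def page_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify(pages, known_code_hashes):
    """Return a list of (pfn, reason) violations.

    Under the four requirements only two checks are needed: an executable
    page must be read-only (code/data separation) and must hash to a
    known-good value.  A page failing either check holds code the OS did
    not ship, wherever the malware placed it."""
    violations = []
    for p in pages:
        if not p.executable:
            continue  # data page: nothing can run from here
        if p.writable:
            violations.append((p.pfn, "executable page is writable (W^X violated)"))
        if page_hash(p.data) not in known_code_hashes:
            violations.append((p.pfn, "executable page not in known-good set"))
    return violations


def build_sample():
    """Constructed snapshot: two good code pages and one data page."""
    code_a = b"\x90" * PAGE_SIZE  # constructed stand-in for code bytes
    code_b = b"\xcc" * PAGE_SIZE
    data = b"\x00" * PAGE_SIZE
    pages = [
        Page(0x10, True, False, code_a),
        Page(0x11, True, False, code_b),
        Page(0x20, False, True, data),
    ]
    known = {page_hash(code_a), page_hash(code_b)}
    return pages, known


def type1_infection(pages):
    """Type I: patch a code page in place (an inline hook, for instance)."""
    patched = bytearray(pages[0].data)
    patched[:2] = b"\xeb\xfe"  # constructed two-byte patch
    return [Page(pages[0].pfn, True, False, bytes(patched))] + pages[1:]


def type2_infection(pages):
    """Type II: change only data (a pointer inside a data page) so control
    is redirected to new code.  The data page is not executable and is
    not flagged, but the new code must live in an executable page, and
    that page fails both checks."""
    hooked = bytearray(pages[2].data)
    hooked[:4] = b"\x30\x00\x00\x00"  # constructed: pointer now aims at frame 0x30
    return pages[:2] + [
        Page(pages[2].pfn, False, True, bytes(hooked)),
        Page(0x30, True, True, b"\xc3" * PAGE_SIZE),  # attacker's code page
    ]


if __name__ == "__main__":
    pages, known = build_sample()
    print("clean   :", verify(pages, known))
    print("type I  :", verify(type1_infection(pages), known))
    print("type II :", verify(type2_infection(pages), known))
```

The verifier never looks at data pages at all; that is exactly why the fourth requirement (a trustworthy view of physical memory with per-page executability) carries the whole scheme, and why it matters that the verifier's own code and the whitelist are obtained through a trusted channel rather than from the possibly compromised system.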
Still, I think that it's possible to redesign our systems in order to make them verifiable. If we don't do that, then we will always have to rely on a bunch of "hacks" to check for some known rootkits and we will be taking part in an endless arms race with the bad guys. On the other hand, such a situation is very convenient for the security vendors, as they can always improve their "Advanced Rootkit Detection Technology" and sell some updates... ;)
Happy New Year!
14 comments:
Having read your presentation, I came across the hardware red pill idea:
"How about creating a new instruction – SVMCHECK:
mov rax, [password]
svmcheck
cmp rax, 0
jnz inside_vm"
I see two possible problems with implementation of this:
1) The SVMCHECK instruction must be non-trappable even by the hypervisor (blue pill), or it could negate it directly.
2) Even if the instruction can't be trapped directly, the OS's scheduler could be trapped? If you alter code containing the SVMCHECK by means of dynamic translation by the Blue Pill, the instruction would never take place (always returning a 0 for 'no VM running'). Any reads of that particular page of code would also be intercepted, ostensibly showing the SVMCHECK instruction still in place.
I really enjoy reading your articles, essays and posts.
A quick comment: While reading the list of requirements, I was expecting this to be included: "The operating system should install itself as a hypervisor (ring -1) in order to stop Type III malware (or other hypervisors) from installing into the system and taking control of it".
To oddscurity:
Sure that SVMCHECK should be non-trappable. Even more, it should be a non-privileged instruction, so that it would be possible to execute it from usermode. Of course, it is theoretically possible to do a full code emulation (or binary translation), but then you end up having an emulator instead of a virtual machine. Even today's software based hypervisors, like e.g. VMWare, do the binary translation of only the kernel mode code, while executing the usermode code natively. So, I don't see any problems with implementing such an instruction.
To felipe:
Please distinguish between prevention and detection (in this case verification). OS’s hypervisor is needed for prevention, not detection of type III malware.
A very good, interesting and, of course, funny presentation. I like it very much. :)
Wish you a happy and prosperous new year.
Soleilmavis
http://soleilmavis.blogspot.com
Hi Johanna. The final title is better ;)
A very interesting presentation but I miss you in rootkit.com :(
I continue playing in user mode but I have a question (possibly basic for you) about your VMs. If only one IDTR is true I don't understand why I don't know when I execute in RM. "If no more IDTRs are in memory I know that I execute in the RM" <- False, OK
But (in VM1) if I find other IDTs in memory (IDT of VM2) I know that another VM is able to execute <- I detect your "pill"?
#include <stdint.h>

/* 32-bit x86: the IDTR image is a 16-bit limit followed by a 32-bit base. */
struct __attribute__((packed)) idtr {
    uint16_t limit;
    uint32_t base;
};

void lidt(void *base, unsigned int limit) {
    struct idtr r = { (uint16_t) limit, (uint32_t) (uintptr_t) base };
    asm volatile ("lidt %0" : : "m" (r));   /* privileged: ring 0 only */
}

void *sidt(void) {
    struct idtr r;
    asm volatile ("sidt %0" : "=m" (r));    /* not privileged: readable from user mode */
    return (void *) (uintptr_t) r.base;
}
It is not certain?
PD: I will see you in BH Europe :)
To anelkaos: please do not confuse IDTR and IDT and also please do not confuse software based virtualization, where tricks like redpill are possible, with hardware based virtualization which is exploited by Blue Pill.
Regarding your last sentence: how are you going to find those other IDTs?
I listened to your presentation at CCC and it seems to me it is like a race to reach as low as possible into the depths of the machine. Which will eventually reach a limit and both virus and detector will be at the same level. Although you clearly pointed out that it is not possible to accurately establish if the system has been compromised by observing it. (Hope to have something like Nushu someday, if the throughput isn't too low)
Would you not agree that there will be some side effects if an attacker is using the machine? Surely he will not be able to fix all traces.
For example, FU was possible to detect through PID bruteforcing, although they corrected that in FUTo. But you can still use something similar to detect it. :)
Just a final side note: Microsoft has classified stuff like JS.Feebs in its Security Intelligence Report as a rootkit. (When the first virtualizing virus appears the threat level will be off the charts, even FUTo wasn't in the Report)
Krugger, it seems like you got all my points backwards. The purpose of the presentation I gave at CCC was to show that we (i.e. the good guys) can win this battle, provided some changes will be introduced into OS design (and I even discussed what changes are needed). And also I made it clear many times during this talk, that using side effects for malware detection is just not the proper way for doing that – we need a systematic way and not a bunch of hacks…
Sadly I don't ever see the spyware, virus, rootkit, etc. problem ever being fixed.
There is way too much money to be made in making darn sure they never are. In fact I bet Microsoft would be sued like crazy (copyright, anti-trust, etc.) if they did try to "really" fix the problems.
At least that's how I see it... Sadly!
Sounds to me like you're suggesting that PCs use a Harvard architecture, no?
Very interesting and COOL presentation! Thanks for sharing...
@war59...: no, since there is no physical distinction between code and data memory, so that the same physical page of memory can be used as a code page by one application and as a data page by another (just not simultaneously). Esp. the requirement that all pages can be read by a kernel driver pretty much disqualifies a Harvard architecture.