Re: [Xen-devel] Re: Regarding Xen security....
> > The vast majority of this is, as Keith Adams put it, "quasi-illiterate
> > gibberish."
> >
> > http://x86vmm.blogspot.com/2006/08/blue-pill-is-quasi-illiterate.html
> >
> > Having VT/SVM doesn't really change anything wrt rootkits. Most of what
> > is floating around is FUD. There's nothing you can do today that you
> > couldn't do before VT/SVM.
>
> This is true in some manner, it's just that VT/SVM let a rootkit hide
> itself pretty well from the operating system that it is already
> attacking. But no doubt it's FUD. At the other end though, Intel
> invests a lot of efforts in marketing VT as a synonym for security.

I always thought the principle behind blue pill was quite sensible. It's not demonstrating a fundamental flaw / bug in the hardware design (I'm not sure it was originally presented that way, although I've certainly seen it treated as if it did).

I see it as just a (rather neat and clever) proof of concept to show that the VMX/SVM extensions add a new class of attack and a new stealth mechanism for rootkits; no more no less. A heads-up to the security community. And worth pointing out, since existing rootkit detection mechanisms may not be able to detect it once the VMX stealthing is enabled...

I have a feeling that this research has both been reported to be much more, and much less than it really is. The important thing is that it doesn't open a new loophole, but does provide a new tool for attackers (and for defenders!).

Cheers,
Mark

--
Dave: Just a question. What use is a unicycle with no seat? And no pedals!
Mark: To answer a question with a question: What use is a skateboard?
Dave: Skateboards have wheels.
Mark: My wheel has a wheel!

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel