Ricardo A. Reis
2006-Nov-03  15:55 UTC
Enc: FreeBSD and the new virtual machine-based rootkits
----- Forwarded message ----
From: Ricardo A. Reis <ricardo_bsd@yahoo.com.br>
To: security@freebsd.org
Sent: Friday, 3 November 2006 10:54:14
Subject: FreeBSD and the new virtual machine-based rootkits
Hi All,
 
Recently, in October 2006, I participated in Brazil in the FIRST/TRANSITS and
II Latin American Incident Response Conference (COLARIS).
At the II COLARIS, Joanna Rutkowska alerted us to the possible
new technology of malware using hardware virtualization, present
in AMD's and Intel's new processors.
 
I have two questions...
 
1) How is it possible to detect if my system is moved inside a VM on the fly?
2) Does a project exist to merge veriexec from NetBSD into FreeBSD
    and add the SPKI feature?
 
http://www.eweek.com/article2/0,1895,2040760,00.asp
http://www.invisiblething.org
 
-
Ricardo A. Reis
UNIFESP
Unix and Network Admin    
Wesley Shields
2006-Nov-03  19:50 UTC
Enc: FreeBSD and the new virtual machine-based rootkits
On Fri, Nov 03, 2006 at 07:54:59AM -0800, Ricardo A. Reis wrote:
[...]
> In the II COLARIS - Joanna Rutkowska alert the possible
> new technology of Malware's using hardware virtualization, present
> in AMD and INTEL new processor.
>
> I've two questions ...
>
> 1) How is possible detect if my system is moved inside a VM on the fly ?

She has discussed various solutions for this problem, and why she believes they may or may not work. The one most people suggest is to time how long it takes for various instructions to run, but this can be tricked by the VMM-rootkit. I'd suggest reading:

http://theinvisiblethings.blogspot.com/2006/08/blue-pill-detection.html

> 2) Exist a project for merge veriexec from NetBSD on FreeBSD
> and add SPKI feature ?

Not that I'm aware of, but something which is somewhat similar has been posted to trustedbsd-discuss. I'd check out the following links:

http://lists.freebsd.org/pipermail/trustedbsd-discuss/2006-August/000865.html
http://people.freebsd.org/~csjp/mac/
http://people.freebsd.org/~csjp/mac_chkexec.txt

AFAIK this is still in Perforce, but will hopefully make its way into -CURRENT and eventually a release. I'm sure someone will speak up if I'm wrong here.

--
WXS
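The verified-exec idea behind the second question (NetBSD veriexec, and the mac_chkexec work linked above), modelled in userland as an added example that is not code from this thread, NetBSD or FreeBSD. The manifest line format "path algorithm fingerprint flags" and the DIRECT flag are assumptions loosely based on veriexec's fingerprint files; the in-kernel versions do this check at execve() time against a manifest loaded at boot.

```python
# Added example, not from the thread, NetBSD or FreeBSD: a userland model of the
# check veriexec / mac_chkexec do in the kernel. A file may run only if it is in
# the manifest, flagged executable and its digest still matches. The line format
# "path algorithm fingerprint flags" is assumed, loosely modelled on veriexec's.
import hashlib
import os
import tempfile

def parse_manifest(text):
    """Return {path: (algorithm, hex_digest, flags)} from manifest text."""
    entries = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        path, algo, digest, *rest = line.split()
        flags = set(rest[0].upper().split(",")) if rest else {"DIRECT"}
        entries[path] = (algo.lower(), digest.lower(), flags)
    return entries

def fingerprint(path, algo):
    """Digest of the whole file with hashlib algorithm `algo` (sha256, ...)."""
    with open(path, "rb") as f:
        return hashlib.new(algo, f.read()).hexdigest()

def check_exec(path, entries, strict=True):
    """Return (allowed, reason); strict=True also refuses unlisted files."""
    entry = entries.get(path)
    if entry is None:
        return (not strict, "not in manifest")
    algo, expected, flags = entry
    if "DIRECT" not in flags:  # FILE-only entries are data, never executables
        return (False, "not marked DIRECT")
    if fingerprint(path, algo) != expected:
        return (False, "fingerprint mismatch")
    return (True, "ok")

def demo():
    """Manifest two constructed scripts, tamper with one, then check three paths."""
    d = tempfile.mkdtemp()
    good, evil = os.path.join(d, "good"), os.path.join(d, "evil")
    for p in (good, evil):
        with open(p, "wb") as f:
            f.write(b"#!/bin/sh\necho hello\n")
    manifest = "\n".join("%s sha256 %s DIRECT" % (p, fingerprint(p, "sha256"))
                         for p in (good, evil))
    entries = parse_manifest(manifest)
    with open(evil, "ab") as f:
        f.write(b"echo backdoor\n")  # modified after the manifest was generated
    return [check_exec(p, entries) for p in (good, evil, os.path.join(d, "x"))]
```

The manifest itself must be protected (veriexec loads it once at boot and relies on securelevel), otherwise an attacker simply regenerates it; and, as Joanna's work shows, a check running inside a guest kernel cannot see a hypervisor-level rootkit beneath it.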