WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-devel

[Xen-devel] Re: Regarding Xen security....

Mark Williamson wrote:
The vast majority of this is, as Keith Adams put it, "quasi-illiterate
gibberish."

http://x86vmm.blogspot.com/2006/08/blue-pill-is-quasi-illiterate.html

Having VT/SVM doesn't really change anything wrt rootkits.  Most of what
is floating around is FUD.  There's nothing you can do today that you
couldn't do before VT/SVM.
This is true in some manner, it's just that VT/SVM let a rootkit hide
itself pretty well from the operating system that it is already
attacking. But no doubt it's FUD. At the other end though, Intel
invests a lot of efforts in marketing VT as a synonym for security.

I always thought the principle behind blue pill was quite sensible. It's not demonstrating a fundamental flaw / bug in the hardware design (I'm not sure it was originally presented that way, although I've certainly seen it treated as if it did).

I'm a bit biased on the subject, but the author did announce her work with a paper claiming "100% undetectable malware". That simply isn't true.

Discussing the practicality of hiding malware is certainly an interesting and research worthy topic. However, IMHO, VT/SVM really doesn't make it any easier than it was in the past.

You could always hook the IDT. That is considerably easier than setting up a full VT/SVM environment.

Regards,

Anthony Liguori


I see it as just a (rather neat and clever) proof of concept to show that the VMX/SVM extensions add a new class of attack and a new stealth mechanism for rootkits; no more no less. A heads-up to the security community. And worth pointing out, since existing rootkit detection mechanisms may not be able to detect it once the VMX stealthing is enabled...

I have a feeling that this research has both been reported to be much more, and much less than it really is. The important thing is that it doesn't open a new loophole, but does provide a new tool for attackers (and for defenders!).

Cheers,
Mark



_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
