8 August 2007 00:05 GMT
Black Hat conference: Hardware virtualization rootkits
Hardware-assisted virtualization rootkits have been a much debated computer security subject since details of two proof-of-concept hardware virtualization rootkits were presented last year at the Black Hat conference by Joanna Rutkowska and Dino Dai Zovi.
In essence, modern Intel and AMD 64-bit processors contain support for virtualization that allows virtualised operating systems to use all processor features, including the standard privilege rings, and to run in the same way as they would on bare-metal hardware with no virtualization support. The CPU supports a set of virtualization instructions that allow a thin layer of software, known as a hypervisor, to be installed and to control transitions between several guest operating systems running in parallel on the host computer.
In an ideally virtualized environment, the guest operating system would have no way to reliably detect that the machine is being virtualized. This is where hardware virtualization rootkits come into play. If a piece of malicious code installs itself as a hypervisor, it would not be detectable using documented methods by a guest operating system or by a security product running inside it.
Since last year, a set of detection methods has been devised by several security researchers. An interesting presentation by Nate Lawson, Thomas Ptacek and Peter Ferrie documents several techniques that can be used to detect that the OS is running under hypervisor control. One method relies on the timing of certain instructions. Instructions such as WRMSR cause an exit from the guest operating system to the hypervisor. If the operating system is running under hypervisor control, the time required to execute the trapped instruction will be much higher than on a non-virtualised system. Other approaches include observing side effects of execution through side channels such as translation look-aside buffers (TLBs) and processor-specific behaviour (using processor errata). All the documented techniques detect that the system is running under a hypervisor, but they do not detect that the hypervisor may be malicious.
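As an added illustration of the timing technique just described (not code from the presentation or from this article), the following measures the cycle cost of a trapping instruction and compares the median against a threshold. It uses CPUID, which, like WRMSR, exits to the hypervisor under VT-x/SVM but can be issued from user mode; it assumes x86-64 with GCC/Clang inline assembly, and the 1000-cycle threshold is an assumed calibration value, not a figure from the page.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Timestamp counter; returns 0 on non-x86-64 builds (portability assumption). */
static inline uint64_t read_tsc(void) {
#if defined(__x86_64__)
    uint32_t lo, hi;
    __asm__ __volatile__("rdtsc" : "=a"(lo), "=d"(hi));
    return ((uint64_t)hi << 32) | lo;
#else
    return 0;
#endif
}

/* CPUID is unprivileged and always exits to the hypervisor under VT-x/SVM,
   so it stands in for the ring-0 WRMSR mentioned in the article. */
uint64_t time_trapping_instruction(void) {
    uint64_t start = read_tsc();
#if defined(__x86_64__)
    uint32_t a = 0, b, c, d;
    __asm__ __volatile__("cpuid" : "+a"(a), "=b"(b), "=c"(c), "=d"(d));
#endif
    return read_tsc() - start;
}

static int cmp_u64(const void *x, const void *y) {
    uint64_t a = *(const uint64_t *)x, b = *(const uint64_t *)y;
    return (a > b) - (a < b);
}

/* Median resists outliers caused by interrupts and cache misses; sorts in place. */
uint64_t median_cycles(uint64_t *samples, size_t n) {
    qsort(samples, n, sizeof *samples, cmp_u64);
    return samples[n / 2];
}

/* 1 if the median cost exceeds a calibrated threshold (hypervisor suspected). */
int hypervisor_suspected(uint64_t *samples, size_t n, uint64_t threshold) {
    return median_cycles(samples, n) > threshold;
}

int main(void) {
    uint64_t s[101];
    for (size_t i = 0; i < 101; i++) s[i] = time_trapping_instruction();
    /* 1000 cycles is an assumed threshold; calibrate on known-native hardware. */
    printf("median CPUID cost: %llu cycles%s\n", (unsigned long long)median_cycles(s, 101),
           hypervisor_suspected(s, 101, 1000) ? " (hypervisor suspected)" : "");
    return 0;
}
```

As the article notes, a positive result only shows that some hypervisor is present, not that it is malicious.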
Nevertheless, the published detection methods have not prevented Joanna Rutkowska and Alexander Tereshkin from publishing the source code of the New Blue Pill hardware virtualization rootkit. Unfortunately, this will allow less skilled members of the malware-writing community to recompile the code and create new rootkits. Despite the hype and the opportunity, I reckon that hardware virtualization rootkits will stay outside the malware writer's arsenal for the foreseeable future, for at least a couple of reasons:
- complexity: malware writers can achieve their goals using much less sophisticated techniques.
- portability: Blue Pill is designed to work on 64-bit AMD processors, which limits the coverage often required by malware.
Oh, I forgot to mention one more thing. Any malware, including hardware-assisted virtualization rootkits, has to arrive on a computer before it is activated. If your endpoint security software is installed, it will have a chance of detecting it as it arrives on the system. With the recent advances in proactive protection you may already be protected against hardware-assisted virtualization rootkits.
Vanja Svajcer, SophosLabs, UK
