Comments on The Invisible Things Lab's blog: Towards Verifiable Operating Systems
Blog author: Joanna Rutkowska (http://www.blogger.com/profile/07657268181166351141)
Comment feed last updated 2023-11-24. 13 comments, newest first.

Anonymous, 2008-12-24 13:40:
@war59...: no, since there is no physical distinction between code and data memory, so that the same physical page of memory can be used as a code page by one application and as a data page by another (just not simultaneously). Esp. the requirement that all pages can be read by a kernel driver pretty much disqualifies a Harvard architecture.

Anonymous, 2007-09-05 08:11:
Very interesting and COOL presentation! Thanks for sharing...

RixiM, 2007-03-21 16:38:
Sounds to me like you're suggesting that PCs use a Harvard architecture, no?

war59312, 2007-02-11 05:46:
Sadly I don't ever see the spyware, virus, rootkit, etc. problem ever being fixed.

There is way too much money to be made in making darn sure they never are. In fact I bet Microsoft would be sued like crazy (copyright, anti-trust, etc.) if they did try to "really" fix the problems.

At least that's how I see it... Sadly!

Joanna Rutkowska, 2007-01-20 11:21:
Krugger, it seems like you got all my points backwards. The purpose of the presentation I gave at CCC was to show that we (i.e. the good guys) can win this battle, provided some changes will be introduced into OS design (and I even discussed what changes are needed). And also I made it clear many times during this talk that using side effects for malware detection is just not the proper way of doing that – we need a systematic way and not a bunch of hack…

Anonymous, 2007-01-20 08:31:
I listened to your presentation at CCC and it seems to me it is like a race to reach as low as possible into the depths of the machine. Which will eventually reach a limit, and both virus and detector will be at the same level. Although you clearly pointed out that it is not possible to accurately establish if the system has been compromised by observing it. (Hope to have something like Nushu someday, if the throughput isn't too low.)

Would you not agree that there will be some side effects if an attacker is using the machine? Surely he will not be able to fix all traces.

For example, FU was possible to detect through PID bruteforcing, although they corrected that in FUTo. But you can still use something similar to detect it. :)

Just a final side note: Microsoft has classified stuff like JS.Feebs in its Security Intelligence Report as a rootkit. (When the first virtualizing virus appears the threat level will be off the charts; even FUTo wasn't in the Report.)

Joanna Rutkowska, 2007-01-17 01:24:
To anelkaos: please do not confuse IDTR and IDT, and also please do not confuse software-based virtualization, where tricks like redpill are possible, with hardware-based virtualization, which is exploited by Blue Pill.

Regarding your last sentence: how are you going to find those other IDTs?

ANELKAOS, 2007-01-14 11:54:
Hi Joanna. The final title is better ;)

A very interesting presentation, but I miss you on rootkit.com :(

I continue playing in user mode, but I have a question (possibly basic for you) about your VMs. If only one IDTR is true, I don't understand why I don't know when I execute in RM. "If no more IDTRs are in memory, I know that I execute in the RM" <- False, OK.

But (in VM1) if I find other IDTs in memory (the IDT of VM2), I know that another VM is able to execute <- I detect your "pill"?

    /* 32-bit x86 only: the IDTR image is a 16-bit limit followed by a
       32-bit base, so the 6-byte operand starts 2 bytes into the array. */
    void lidt(void *base, unsigned int limit) {
        unsigned int i[2];

        i[0] = limit << 16;           /* limit lands in bytes 2-3 */
        i[1] = (unsigned int) base;   /* base lands in bytes 4-7 */
        asm volatile ("lidt (%0)" : : "r" (((char *) i) + 2) : "memory");
    }

    void *sidt(void) {
        unsigned int ptr[2];

        /* the "memory" clobber tells the compiler that the asm writes ptr;
           without it ptr[1] is read back as uninitialised */
        asm volatile ("sidt (%0)" : : "r" (((char *) ptr) + 2) : "memory");
        return (void *) ptr[1];
    }

Is it not certain?

PS: I will see you at BH Europe :)

Admin, 2007-01-05 22:53:
A very good, interesting and, of course, funny presentation. I like it very much. :)

Joanna Rutkowska, 2007-01-05 01:05:
To oddscurity:
Sure that SVMCHECK should be non-trappable. Even more, it should be a non-privileged instruction, so that it would be possible to execute it from usermode. Of course, it is theoretically possible to do a full code emulation (or binary translation), but then you end up having an emulator instead of a virtual machine. Even today's software-based hypervisors, like e.g. VMWare, do the binary translation of only the kernel mode code, while executing the usermode code natively. So, I don't see any problems with implementing such an instruction.

To felipe:
Please distinguish between prevention and detection (in this case verification). The OS's hypervisor is needed for prevention, not detection, of type III malware.

felipe-alfaro.org, 2007-01-05 00:33:
I really enjoy reading your articles, essays and posts.

A quick comment: While reading the list of requirements, I was expecting this to be included: "The operating system should install itself as a hypervisor (ring -1) in order to stop Type III malware (or other hypervisors) from installing into the system and taking control of it".

Anonymous, 2007-01-04 12:59:
Having read your presentation, I came across the hardware red pill idea:

"How about creating a new instruction – SVMCHECK:
mov rax, [password]
svmcheck
cmp rax, 0
jnz inside_vm"

I see two possible problems with implementation of this:

1) the SVMCHECK instruction must be non-trappable even by the hypervisor (blue pill), or it could negate it directly.

2) Even if the instruction can't be trapped directly, could the OS's scheduler be trapped? If you alter code containing the SVMCHECK by means of dynamic translation by the Blue Pill, the instruction would never take place (always returning a 0 for 'no VM running'). Any reads of that particular page of code would also be intercepted, ostensibly showing the SVMCHECK instruction still in place.

AS, 2007-01-03 23:20:
This comment has been removed by the author.
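The exchange between ANELKAOS and Joanna above turns on what SIDT actually gives you. The following is an added example, not code from the blog thread or from Invisible Things Lab: it decodes the descriptor image that SIDT stores (6 bytes in 32-bit mode, 10 bytes in 64-bit mode) and applies the original redpill heuristic to it. The sample byte strings are constructed for illustration, not captured from a real machine, and the 0xd0000000 threshold (the value the original redpill used for 32-bit Windows guests of a software VMM) is an assumption of this example. The names decode_idtr, idtr_base, idtr_limit, redpill_suspicious and read_idtr_live are this example's own.

```c
/* Added example, not code from the blog thread: decode the IDTR image that
 * SIDT stores and apply the original redpill heuristic to it. Sample images
 * below are constructed, not real captures; the 0xd0000000 threshold is an
 * assumption taken from the original 32-bit Windows redpill. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef struct {
    uint16_t limit;   /* size of the IDT in bytes minus one */
    uint64_t base;    /* linear address of the IDT */
} idtr_t;

/* SIDT writes the 16-bit limit followed by the base: 4 base bytes in 32-bit
 * mode (6 bytes total), 8 base bytes in 64-bit mode (10 bytes total). Both
 * fields are little-endian. Returns 0 on success, -1 on a malformed length. */
int decode_idtr(const uint8_t *img, size_t len, idtr_t *out)
{
    if (img == NULL || out == NULL || (len != 6 && len != 10))
        return -1;
    out->limit = (uint16_t)(img[0] | (img[1] << 8));
    out->base = 0;
    for (size_t i = 0; i < len - 2; i++)
        out->base |= (uint64_t)img[2 + i] << (8 * i);
    return 0;
}

/* Field accessors; both return 0 for a malformed image. */
uint64_t idtr_base(const uint8_t *img, size_t len)
{
    idtr_t r;
    return decode_idtr(img, len, &r) == 0 ? r.base : 0;
}

uint16_t idtr_limit(const uint8_t *img, size_t len)
{
    idtr_t r;
    return decode_idtr(img, len, &r) == 0 ? r.limit : 0;
}

/* Redpill heuristic (assumed threshold): a software VMM that relocates the
 * guest IDT leaves its base high in a 32-bit Windows address space. Under
 * hardware virtualization the guest reads its own, unrelocated IDTR, so this
 * check says nothing about a hardware-VT hypervisor such as Blue Pill.
 * Returns 1 (suspicious), 0 (not), or -1 (malformed image). */
#define REDPILL_THRESHOLD 0xd0000000ULL

int redpill_suspicious(const uint8_t *img, size_t len)
{
    idtr_t r;
    if (decode_idtr(img, len, &r) != 0)
        return -1;
    return r.base >= REDPILL_THRESHOLD;
}

/* Constructed sample images (not real captures). */
static const uint8_t SAMPLE_IDTR32_NATIVE[6] = {0xff, 0x07, 0x00, 0x00, 0x40, 0x80};
static const uint8_t SAMPLE_IDTR32_RELOC[6]  = {0xff, 0x07, 0x00, 0x00, 0x20, 0xd1};
static const uint8_t SAMPLE_IDTR64[10] = {0xff, 0x0f, 0x00, 0x10, 0x00, 0x00,
                                          0x80, 0xff, 0xff, 0xff};

#if defined(__i386__) || defined(__x86_64__)
struct idtr_image { uint8_t b[10]; };

/* Store the running CPU's IDTR. SIDT is unprivileged on x86 unless the OS
 * enables UMIP, in which case it faults or is emulated by the kernel. */
void read_idtr_live(struct idtr_image *img)
{
    __asm__ __volatile__("sidt %0" : "=m"(*img));
}
#endif

int main(int argc, char **argv)
{
    idtr_t r;
    decode_idtr(SAMPLE_IDTR32_NATIVE, 6, &r);
    printf("32-bit native:    base=0x%08llx limit=0x%04x suspicious=%d\n",
           (unsigned long long)r.base, r.limit, redpill_suspicious(SAMPLE_IDTR32_NATIVE, 6));
    decode_idtr(SAMPLE_IDTR32_RELOC, 6, &r);
    printf("32-bit relocated: base=0x%08llx limit=0x%04x suspicious=%d\n",
           (unsigned long long)r.base, r.limit, redpill_suspicious(SAMPLE_IDTR32_RELOC, 6));
    decode_idtr(SAMPLE_IDTR64, 10, &r);
    printf("64-bit:           base=0x%016llx limit=0x%04x\n",
           (unsigned long long)r.base, r.limit);
#if defined(__i386__) || defined(__x86_64__)
    if (argc > 1 && argv[1][0] == '-') {   /* pass --live to read the real IDTR */
        struct idtr_image live;
        size_t len = sizeof(void *) == 8 ? 10 : 6;
        read_idtr_live(&live);
        printf("live:             base=0x%016llx limit=0x%04x\n",
               (unsigned long long)idtr_base(live.b, len), idtr_limit(live.b, len));
    }
#endif
    return 0;
}
```

The decoder is what the posted sidt() snippet leaves implicit: the 2-byte offset trick exists only because the limit comes first. Run with --live on an x86 machine to see your own IDTR; on a modern kernel with UMIP enabled the instruction may fault instead of returning the real base, which is itself a reminder that the redpill heuristic was a property of 2006-era software VMMs, not of hardware virtualization.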