Sunday, September 07, 2008

Microsoft executive "rebuts" our research!

Ah, there is no feeling like seeing your name in the news when drinking your morning coffee... In this piece some Steve Riley, a senior security strategist at Microsoft, decided to "rebute" our recent Black Hat presentations research results.

Mr. Riley had been quoted by ZDnet as saying:

"Her [Joanna Rutkowska] insistence is that you can replace the hypervisor without anybody knowing... Our assertion is that this is incorrect," Riley told the audience. "First of all, to do these attacks you need to become administrator at the root. So that's going to be, on an appropriately configured machine, an exceedingly difficult thing to happen."

Apparently, Mr. Riley has never seen our Black Hat presentations (or slides at least) that he is referring to (oh, wait, that is the typical case with all our "refuters", how come?)...

First, we never said anything about replacing the hypervisor. I really have no idea how this idea was born in Mr. Riley's head? Replacing the hypervisor - that would indeed be insane for us to do!

Second, it is not true that the attacker needs to become an administrator "at the root" (he mean the root partition or administrative domain here I assume). The attack we presented in our second speech, that exploited a heap overflow in the Xen hypervisor FLASK module, could have been conducted from the unprivileged domain, as we demonstrated during the presentation.

Mr. Riley continues with his vision:

"Because you [the attacker] didn't subject your own replacement hypervisor through the thorough design review that ours did, I'll bet your hypervisor is probably not going to implement 100 percent of the functionality as the original one," Riley said. "There will be a gap or two and we will be able to detect that."

Well, if he only took the effort of looking into our slides, he would realize that, in case of XenBluePill, we were slipping it beneath (not replacing!) the original hypervisor, and then run the original one as nested. So, all the functionality of the original hypervisor was preserved.

Mr. Riley also shares some other ground breaking thoughts in this article, but I think we can leave them uncommented ;)

This situation is pretty funny actually - we have here the words and feelings of some Microsoft executive vs. our three technical presentations, all the code that we released for those presentations, and also a few of our demos. Yet, it's apparently still worth getting into the news and reporting what the feeling of Mr. Riley are...

Let me, however, write one more time, that I'm (still) not a Microsoft hater. There are many people at Microsoft that I respect: Brandon Baker, Neil Clift, the LSD guys, Mark Russinovich, and probably a few more that I just haven't had occasion to meet in person or maybe forgot about at the moment. It's thus even more sad that people like Mr. Riley are also associated with Microsoft, even more they are the face of Microsoft for the majority of people. Throwing a party in Vegas and Amsterdam once a year certainly is not enough to change the Microsoft's image in this case...

Interestingly, if Mr. Riley only attended our Xen 0wning Trilogy at Black Hat, then he would notice that we were actually very positive about Hyper-V. Of course, I pointed out that Xen 3.3 certainly has a more secure architecture right now, but I also said that I knew (from talking to some MS engineers from the virtualization group) that Hyper-V is going to implement similar features in the next version(s) and that this is very good. I also prized the fact it has only about 100k LOC (vs. about 300k LOC in Xen 3.3).

So, Mr. Senior Security Strategist, I suggest you do your homework more carefully next time before throwing mud at others and trying to negate the value of their work (and all the efforts of Microsoft's PR people).

On a separate note, I found it quite unprofessional that ZDNet's Liam Tung and Tom Espiner, the authors of the news, didn't ask me for a commentary before publishing this. Not to mention that they also misspelled Rafal's name and forgot to mention about Alex, the third co-author of the presentations.


Anonymous said...

it is just unbelievable funny and sad... just yesterday i was listening to several different podcast where different IT and security "professionals" ware making just one after another wrong... not wrong, totally wrong :) comments on different topics. i mean ok, not everything they said was wrong, some was ok, and some was personal opinions...

it looks like everyone likes to call itself this days an professional and it is so sad to see this people in the general public media "preaching" totally wrong informations to the public.

i mean ok, i understand that no one is able to know everything, but it would be so much better to simple say "i am sorry but i really did not research in to this topic deep enough to be able to say something about it, i can guess or say something based on my past experience but that is all i can do at the moment", but no they talk there as some smart public figure and saying nothing but pure lies.

this are people that might very well be "professionals" on some topics or somewhere in the past and are picked up by reporters for a quick chat on some latest interesting topic and most probably this people don't even know what they will be talking about on the interview before the interview starts or they are only up for the money or the kick from being in the public media, because it is more then clear that they are caught with their pants down and totally unprepared on some subjects (childish, not professional!).

and one more thing that gets totally on my nerves is when they start to play the decade old records (read, start to speak about old old security topics or practices that are by now totally or at least almost totally irrelevant) and feel for them self like they are the smartest people on the earth...

pity they probably earn quite some money and leave well from spreading this lies while some people that are on the real edge of the topic have to earn their money by selling the exploits and malware code.

sorry if this was a bit to impulsive or a bit off topic but some times i just feel like throwing something in to my speakers when i hear such things on podcasts (or scratch my monitor when i read it in the news). and since i don't have allot of money and have to take care of my old computer it is better to let off some steam by writing this :))

Michael Dundas said...

Not very professional of Steve Riley at all and not very professional of Zdnet. Even if you don't understand this technology, checking with a few people (Steve's own Colleagues for example) that do understand would have quickly determined that Steve is completely incorrect.

I have attended Joanna's course where we used "BluePill" to 'hypervise' Microsoft Vista. We didn't require an administrative password. If this was done to a web server sitting in a bank for example, no reboot would be required and an administrator would have no idea it has happened. Personally, I think it is a great and significant research area from a security perspective. I'd suggest it is probably one of the most significant areas to affect security. Companies and executives should be taking it more seriously and not trying to use 'FUD' and press to minimize it.

Joanna Rutkowska said...

@Michael: Just one small clarification: at our training you actually needed admin access to install BluePill on Vista, although that only required clicking "Yes" on the UAC prompt, as in the standard installation of Vista the default user has admin rights. But, if that was a problem (i.e. obtaining rights) the attacker might have very well used one of the kernel exploits that Alex presented with me at Black Hat 2007 (and that we presented at the beginning of our training). Also, in case of bluepilling a Xen system and e.g. Rafal's FLASK exploit, we didn't have to be on Dom0 (an equivalent to having admin rights on Vista) - the exploit could have been lunched from any unprivileged domains. Plus there have been presented over the past year several bugs in Dom0 components (qemu, libext, pygrub) that allow to get access to Dom0 (equivalent of local priv escalation on Vista).

Joanna Rutkowska said...

@saso: I fully understand your disappointment. The problem we, as an industry, have is that there are very few people that are technically savvy to verify that what others say is anything valuable or just some BS... As a result, the most outspoken and self-confident people (but not necessarily the most smart ones) get most "creditability" in the industry. This can be observed not only at conferences (i.e. popular speakers that can only talk anecdotes) but also looking at the products (i.e. so many poor security products, trivially bypassable, that however gained lots of market share).

cmlh said...


I met Steve Riley just after you presented at SellingOut[Aus]CERT and my opinion of him is similar to his own i.e. "somewhere between marketing and consulting" as quoted from

As far as consulting with his "colleagues" as suggested by @Michael Dundas, the security team in Australia is vastly different from that of North America and they are more focused on marketing with the exception of one person. A case in point was their resistance of having you present in Sydney after SellingOut[Aus]CERT.

This also isn't the first compliant that I have seen about ZDNet AU and Liam either.

Anonymous said...

Just curious - do you need local admin within the VM?

Anonymous said...

Hi Joanna,

thanks for your comments. We did not request a rebuttal as this was breaking news and you are located in another time zone.

However, we would be quite happy to speak with you about a follow up article in which you can represent your views.

Kind regards,

Renai LeMay
News Editor

Joanna Rutkowska said...

Renai, maybe it wasn't a big news for you, but I think this qualifies as a personal attack on myself and my business, and thus the reporters of a responsible news portal should have tried to be objective, by presenting what two sides have two say...

ZDNet's reporters already have my email address (we talked many times before), so feel free to contact me directly if you had more questions besides what I already wrote in the blog post.


Unknown said...

Renai LeMay: "We did not request a rebuttal as this was breaking news"

And breaking news precludes you from checking the facts? From the post it is clear that this was not the first time someone mounted an uninformed attack, so you should have been skeptical from the start.

Joanna Rutkowska said...

A note to an individual calling himself Big Galoot (who tried to post here): this is a technical blog and not a place to analyze the impact of women's sexuality on the IT research community. Please refrain from posting.

Anonymous said...

the impact of women's sexuality??

are you suggesting you're sexy?

how presumptuous of you, joanna !


Big Galoot

Anonymous said...

I think you will find that on DD's Beast or Buddha, he was in his own way defending you. He may have responded to you angrily since then, but that was in defence for you of the male fanboys!

BG is a legend!

Anonymous said...

Dear Joanna

Forget Mr. Riley or other peoples because they try makes us bad and other bad thinks which completely unknown for us.

I think that is better your focus on your idea and your technology.

and prove your self!

Connect Mr. Riley in to the MATRIX ! ,


Joanna Rutkowska said...

Big Gallot wrote:
are you suggesting you're sexy?
how presumptuous of you, joanna !

See, who I need to deal with? ;)
Ok, no more off-topics here!

Anonymous said...

Misunderstand is always exists between security specialists and software developers. Software developers are trying to protect their work.

I wish you good luck in your work and your life.

Anonymous said...

"Not very professional of Steve Riley at all "

The most inprofessional thing maded by Steve is to make excuses to Joanna and meaawhile trying to blame Joanna. Joanna is a good specialist who will not talk about thing unknown things.

Every body understand that security flaw that required in administrative rights is not a security flaw.

Joanna please write us an another post when Steve answer on your comment.