Comments on The Invisible Things Lab's blog: Introducing Blue Pill
Feed author: Joanna Rutkowska
Feed last updated: 2023-11-24T09:52:43.963+01:00

Staff, 2008-12-11 07:04 +01:00:
Would your redpill program be able to detect running in a simulator rather than a virtual machine? I haven't thought deeply about it, but at first glance it seems like no.

Anonymous, 2008-09-19 18:48 +02:00:
How likely is it that we find an "off-by-one" or other exploitable bugs in HW? In the end the chip designers aren't putting together millions of single transistors, but they write "c=b+a" and a, b, c are described by data types.
It is very likely.

please answer

Anonymous, 2007-11-29 07:36 +01:00:
I went to see you speak at Sector and what you presented really opened my mind. As a student in IT security, I find you very inspiring.

Anonymous, 2007-10-24 18:59 +02:00:
The Blue Pill - counterpart of Red Pill... undetectable

Anonymous, 2007-10-24 00:52 +02:00:
I was very disturbed by your presentation at the Nordic virtualisation forum, even though as a technician rather than an academic I didn't really understand a large part of what you were saying. I'd never thought of the concept of hostile virtualisation as an attack vector.

Thanks for ruining my day! (and being very thought provoking) :)

Anonymous, 2007-09-02 01:25 +02:00:
Great post! Thank you.

Anonymous, 2007-08-28 14:22 +02:00:
I agree with ANCIENT's comment:

"The point is, is it feasible or prohibitive to routinely check for such infections."

That has been the goal of some virus writers for some time, i.e. ValleZ from 29A.

Coding the undetectable malware is probably impossible (Z0MBie, former member of 29A, was probably the person who came nearest to that with his ZMist), but if you make detection a really time consuming task, then you won.

Ancient, 2007-07-05 23:28 +02:00:
Undetectable...

Userland code can be undetectable too (Not undetectED, but undetectABLE) if the code is aggressively polymorphic.

Unfortunately, the term polymorphic is a poor choice since we HAVE had poly code for a long time and usually the changes are minimal and easily countered with opcode equivalency and heuristic detection. NDAs (Non-Deterministic Automatons) can pick them off quite easily.

What do you need for 'detection'? Well, you either need identifiable code (soft signatures) or identifiable behaviour (heuristics) or some other characteristic such as extra delays on certain sensitive handlers.

It is possible to avoid both of these in a userland entity which parses its own structure into a data vector paradigm and then recursively rebuilds that paradigm using a table of mnemonic vectors that stack to produce black-boxes that exhibit the vector under reconstruction.

The result is code that is entirely different from one generation to the next. The only stable elements (the actual vector tables and any data required) are encrypted and accessed through an executable decryptor which is in the reconstructed space... this leaves nothing for AV engines to get a handle on other than the overall heuristic detection of behaviours.

This too can be easily dealt with.

Once you take these techniques to the kernel level there is very little that can be done provided that you don't do the obvious. For example, you don't want to patch interrupt tables because this can be checked - but patching the handlers themselves can be fair game if done correctly.

Virtualising the system, getting in under the existing HAL or using kernel mode or hypervisor techniques is all well and good - but they don't really solve the problem of undetectability except on the infected platform itself.

One wouldn't ask an insane man whether he thinks he's sane... and if you did, well, what faith could you ever have in the response. No, to be undetectable you have to be unrecognisable given a snapshot of the system under EXTERNAL scrutiny.

For that, you need a 100% fluid polymorphism based on a vector reassembly paradigm. In effect, providing completely fresh executable code per iteration with no signature potential.

And that's something you won't see on demo at a conference or available for download in a public off-the-shelf rootkit.

I suspect that very much like Joanna's 'blue pill' we're talking about 'feasible detection'... since anything can be detected given the required time and resources. The point is, is it feasible or prohibitive to routinely check for such infections.

What's worse, if you don't even know what the code will look like when you see it... well, then things get tricky even when analysing offline snapshots of the heap and filesystem state.

Unfortunately (Or fortunately, I'm very dark-hatted), the answer is probably a firm no at present.

Anonymous, 2007-07-05 01:57 +02:00:
Bla bla bla, to all of those good-guy evil-girl slowpokes, there is no spoon, so how can there be something like good and evil?

Anonymous, 2007-07-04 00:48 +02:00:
This kind of thing is kind of ridiculous. If it is undetectable then it is not doing anything. If it were doing something we can see what it was doing.

So, I ask, what is the point of having software that does nothing?

Anonymous, 2007-06-10 21:22 +02:00:
These comments have been invaluable to me, as is this whole site. I thank you for your comment.

Anonymous, 2007-05-23 14:53 +02:00:
I am stunned by the number of people questioning Joanna's motives in investigating this! I think it is fascinating stuff.

You can be sure that 'bad' people will already be doing the same. So I am all in favour of it being discussed in the public domain. With enough 'good' people thinking about and investigating something, hopefully any weaknesses in operating systems can be patched up.

I am very interested in the idea of running internet servers, firewalls and so on, on virtual machines; of course it is of paramount importance that virtualization is bullet-proof. The worst-case scenario imaginable would be where, by exploiting a design or implementation flaw in the virtualization hard- or software (of the same ilk as the flaws discussed in this thread) an attacker was able to access a resource in the host machine from within the guest machine.

With people proactively investigating the mechanics of virtualization, hypervisors and so on, and bringing any potential vulnerabilities or abuses into the PUBLIC eye, we are more likely to move forward and use virtualization in increasingly important roles.

Anonymous, 2007-05-08 16:42 +02:00:
I can't help but be suspicious when I read about people doing 'research' on such subjects.

Is it really for the sake of knowledge?

Kris, 2007-04-30 05:46 +02:00:
This is a wonderful blog I have just stumbled upon. I must take the time to thank the person who maintains this blog, obviously a security professional. All the technology we develop to make life easier ends up being a possible attack vector, given a clever mind. This is just a fellow IT professional saying keep up the awesome work.

Kris

Kris, 2007-04-30 05:39 +02:00:
Wow, this is a wonderful blog and the 'blue pill' idea is fantastic and... scary at the same time. It seems that no matter what new technology we come up with to make our lives easier, those same implementations can be used against us as a potential attack vector, given someone clever enough.

Regards

Turellius

Anonymous, 2007-04-27 16:48 +02:00:
Let me echo everyone's sentiment and say nice work. Any word on how it's been received?

Anonymous, 2007-04-03 10:46 +02:00:
hi my name is muhtfe very nice information and very nice blog thank you very much...

Anonymous, 2007-03-15 10:40 +01:00:
the olddddd blue pill swallowed by the OS trick!

oh joanna.. if only you'd have used your powers for Goodness instead Of evilness :)

interesting job you have. back in the day we didn't get paid For playing and having fun heheh. great work you've done tho and i'm impressed.

Ken, 2007-03-14 21:51 +01:00:
Amazing, just like out of a Vinge novel!! Great work!

Unknown, 2007-03-05 13:48 +01:00:
Oh come on, all you people spinning morality doom and gloom. It's better that concepts/technology like this be made public knowledge sooner rather than later. I'd much rather know what the Black Hats may be using before they start using it :D

Anonymous, 2007-02-06 11:45 +01:00:
It is NOT only interesting, it is also a question of morals and responsibility for your doings.

I hope you know what you're doing.

Unknown, 2007-01-22 15:31 +01:00:
What I wonder is, if the Blue Pill sacrifices no system performance, could this technology be used in a similar way to do a "fast OS switch" on a number of different virtual machines with no performance loss?

I look forward to reading more.
Good work.

Unknown, 2007-01-01 06:31 +01:00:
I think it could be harder than some people believe to defeat timing measurements. NTP requests may be easy to identify, but there are plenty of ways that such clock servers could be disguised. If I make two calls to two different external servers from within the Matrix, how do you know that those requests aren't cryptic communications with synchronized clock servers? You don't, that's how.

Anonymous (karl), 2006-11-12 00:05 +01:00:
Joanna,
whilst obviously wanting to flatter you ;), I think you are right with regards to other people being capable of developing similar approaches to "blue-pill" (looking at comments in the blog).

Therefore I think your research is very valid and extremely interesting, for a number of reasons.
What are the chances of a Super "blue-pill-network" being developed of "blue-pill" hosts communicating via covert channels?

karl

Anonymous, 2006-10-16 19:34 +02:00:
The great Taoist master Chuang Tzu once dreamt that he was a butterfly fluttering here and there. In the dream he had no awareness of his individuality as a person. He was only a butterfly. Suddenly, he awoke and found himself lying there, a person once again. But then he thought to himself, "Was I before a man who dreamt about being a butterfly, or am I now a butterfly who dreams about being a man?"

Has anyone checked their own system environment :)