[EMAIL PROTECTED] (Ivan Krstić) on Thursday, January 3, 2008 wrote:

>On Dec 31, 2007, at 4:46 PM, Bill Frantz wrote:
>> My favorite virtual machine use is for the virus to install itself
>> as a virtual machine, and run the OS in the virtual machine. This
>> technique should be really good for hiding from virus scanners.
>
>It's not, and despite the press handwaving about hypervisor rootkits
>being the death of all security as we know it, this attack is largely
>uninteresting in practice. Repeat after me: it's not a real problem,
>and it's unlikely to become a real problem.

If, as seems likely, we are moving into a world where virtual machines are a popular security mechanism, the problem isn't detecting if you are on a virtual machine, because all useful OSes will expect to be running on a virtual machine. The problem will be to detect if the virtual machine is hostile. That code will probably have to be part of the virtual machine monitor (VMM) implementation.

There may be less use for running VMMs in virtual machines, although we got a lot of use from the ability to run VM/370 in a VM/370 virtual machine back in the 70's and 80's.

>A walkthrough with pretty pictures, courtesy of the Matasano folk:
><http://www.matasano.com/log/930/side-channel-detection-attacks-against-unauthorized-hypervisors/>

Neat. An interrupt at the wrong time would also upset the TLB/Mapping table mismatch. I wonder if a VMM could be built to simulate the mismatch?

Note that on the Intel architecture, there are certain instructions that behave differently in supervisor mode and user mode. These instructions can also be used to leverage VM detection.

Cheers - Bill

---------------------------------------------------------------------------
Bill Frantz        |"We used to quip that "password" is the most common
408-356-8506       | password. Now it's 'password1.' Who said users haven't
www.periwinkle.com | learned anything about security?" -- Bruce Schneier

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
