On Wed, Jun 11, 2008 at 08:51:16PM -0500, Jeffrey Goldberg wrote:
> On Jun 11, 2008, at 8:08 PM, cpghost wrote:
>
>> On Wed, 11 Jun 2008 19:45:51 -0500
>> Jeffrey Goldberg <[EMAIL PROTECTED]> wrote:
>
>>> First it should consume memory. A very complete test of memory
>>> through a modified memtest should be able to detect whether system
>>> reported memory is accurate.
>
>> What if memtest already runs within the virtualization box? How can it
>> determine what the "right" amount of memory is supposed to be?
>
> I was assuming that that would be known by the operator.
>
>> And if
>> the virtualizer hot-patched memtest instructions, either on loading it
>> or dynamically while it runs, it could make it report whatever it
>> liked.
>
> Of course.
>
>>> Secondly, a blue pill would need to be reinserted after a hard
>>> reboot. Therefore a look at the boot process (of a non-live system)
>>> should be able to see whether there is something that reinserts the
>>> blue pill.
>
>> Yes, but you've got to have a very close look at it, as it won't
>> necessarily appear on the screen -- being caught as well by the
>> virtualizer. And Joanna also has a paper about fooling hardware
>> capture cards into reporting bogus data on her site, so you won't
>> even be able to detect that RAM contains something else upon boot
>> than those hardware capture cards are supposedly reporting.
>
> Yes. I've now read through some of Rutkowska's slides (following the link
> provided by dfeustel in another post in this thread).
>
>> If all this is as she's described, it is truly brilliant from a
>> technical POV... and a very worrying thought as well.
>
> Yes it is worrying. The next time I reboot the one server I've got with an
> SVM capable processor I'm going to disconnect the power (to make sure that
> I'm getting a real reboot instead of a spoofed one) and then on reboot I
> will disable SVM in the BIOS.

How do you know that the bios has not been reflashed by a virus, trojan, or rootkit?

_______________________________________________
firstname.lastname@example.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"