On Nov 4, 2006, at 8:30 AM, Wesley Shields <[EMAIL PROTECTED]> wrote:
On Fri, Nov 03, 2006 at 07:54:59AM -0800, Ricardo A. Reis wrote:
[...]
At the II COLARIS, Joanna Rutkowska alerted about a possible new malware technology using hardware virtualization, present in AMD's and Intel's new processors.
I've two questions ...
1) How is it possible to detect if my system is moved inside a VM on the fly?
She has discussed various solutions for this problem, and why she believes they may or may not work. The one most people suggest is to time how long it takes for various instructions to run, but this can be tricked by the VMM-rootkit. I'd suggest reading:
http://theinvisiblethings.blogspot.com/2006/08/blue-pill-detection.html
One thing that leaps immediately to mind is a startup check to see if this 'dmesg.boot' differs from the previous one. Rather than overwriting the previous one, move it to a backup, create the new one, and log something if they differ. I hacked this up in a couple of minutes:
--- /etc/rc.d/dmesg Sat May 6 21:00:26 2006
+++ dmesg Tue Nov 7 20:17:47 2006
@@ -19,8 +19,10 @@
do_dmesg()
{
- rm -f ${dmesg_file}
+ mv -f ${dmesg_file} ${dmesg_file}.prev
( umask 022 ; /sbin/dmesg $rc_flags > ${dmesg_file} )
+ cmp -s ${dmesg_file} ${dmesg_file}.prev || \
+ logger -p security.warn 'dmesg.boot changed from
previous boot'
}
load_rc_config $name
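Review bot: the new `mv -f ${dmesg_file} ${dmesg_file}.prev` has nothing to move on the first boot after this change (or whenever ${dmesg_file} is absent), so `${dmesg_file}.prev` is never created and the following `cmp -s` fails, which logs the "changed from previous boot" warning once spuriously; guard the move with `[ -f ${dmesg_file} ] && mv -f ...` and skip the comparison when the .prev file does not exist. Also note that the `logger -p security.warn '...'` line is wrapped across two lines in the mail, so the hunk cannot be applied verbatim without rejoining it.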
If you like that, I'm willing to discuss it further, and/or commit it and let the howling tell if it's a keeper or not. ;^)
--
Where am I, and what am I doing in this handbasket?
Wes Peters
[EMAIL PROTECTED]
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
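The comparison step from Wes's rc.d idea, as an added example that is not the patch from this thread: it goes one step further than a byte-exact cmp(1) by first normalizing fields that are expected to differ between boots (it assumes FreeBSD dmesg formats such as "CPU: ... (2009.37-MHz K8-class CPU)" and 'Timecounter "TSC" frequency NNN Hz'), treats a missing previous capture as "nothing to compare" instead of a change, and prints only the lines that really differ so the log entry says what changed.

```sh
#!/bin/sh
# Added example (not the thread's patch). Compares two dmesg.boot captures
# after masking per-boot noise, so a warning means a real change in the
# boot-time hardware picture rather than a slightly different clock estimate.

# Mask fields that legitimately vary between boots. The patterns assume
# FreeBSD's dmesg format for the CPU clock and timecounter lines.
normalize_dmesg() {
    # Usage: normalize_dmesg FILE  -> normalized lines on stdout
    sed -E \
        -e 's/\([0-9]+\.[0-9]+-MHz/(NNNN.NN-MHz/' \
        -e 's/(frequency) [0-9]+ Hz/\1 NNNN Hz/' \
        "$1"
}

# Usage: dmesg_changed PREV CUR
# Exit 0 if the normalized captures differ, printing the differing lines in
# diff(1) "<"/">" form; exit 1 if they are equivalent or PREV is missing
# (first boot after enabling the check: nothing to compare against).
dmesg_changed() {
    [ -r "$1" ] || return 1
    prev_norm=$(mktemp) || return 2
    cur_norm=$(mktemp) || { rm -f "$prev_norm"; return 2; }
    normalize_dmesg "$1" > "$prev_norm"
    normalize_dmesg "$2" > "$cur_norm"
    if cmp -s "$prev_norm" "$cur_norm"; then
        rm -f "$prev_norm" "$cur_norm"
        return 1
    fi
    diff "$prev_norm" "$cur_norm" | grep '^[<>]'
    rm -f "$prev_norm" "$cur_norm"
    return 0
}
```

In the rc script this replaces the bare `cmp -s ... || logger ...`: capture the function's output and pass it to `logger -p security.warn` only when the exit status is 0.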