Black Hat: Microsoft hopes to swallow Blue Pill
Researcher demonstrates end-run around kernel protection
Network World - After security researcher Joanna Rutkowska on Thursday demonstrated how it's possible to circumvent security in Microsoft's Vista beta software and install a rootkit called Blue Pill, Microsoft said it intends to find ways to stop both potential threats before Vista ships.
At the Black Hat conference, Rutkowska, security researcher at Singapore-based firm COSEINC, showed that she found a way to bypass the Vista integrity-checking process for loading unsigned code into the Vista kernel. Then she presented Blue Pill, a rootkit she created based on Advanced Micro Devices' Secure Virtual Machine, Pacifica.
On bypassing the signature-checking mechanism for device drivers that Microsoft is including in Vista to prevent loading of malware or unauthorized software, Rutkowska said, "The fact that this mechanism was bypassed does not mean that Vista is completely insecure. It's just not as secure as advertised." She added, "It's very difficult to implement a 100% efficient kernel protection in any general-purpose operating system."
In the second part of her presentation at Black Hat, Rutkowska, a noted expert on rootkits, detailed Blue Pill, which can hijack a computer and serve as a backdoor for attackers. While developed for Vista, Blue Pill could be adapted to other platforms.
Blue Pill so far has proved impossible to detect, said Rutkowska, although she was continuing research to uncover a means of detecting it. She said software-based detection mechanisms may not be effective, though a hardware-based approach in the computer may provide a means of detecting or preventing a Blue Pill-based attack.
Microsoft's director of the Windows client group, Austin Wilson, said Microsoft considers Rutkowska's findings "legitimate" and is looking at the problem.
Wilson pointed out that Rutkowska's code-signing bypass attack requires the attacker to start as the machine's administrator in Vista. "If you're running as a standard user, this wouldn't work," he noted. "But we're still looking at blocking this type of attack."
In her presentation, Rutkowska suggested a few ways Microsoft might address the code-signing bypass issue, and Microsoft intends to review them. However, Microsoft probably won't hold up shipping Vista if it can't resolve the issue in time.
The problem of the Blue Pill virtual-machine rootkit is also one Microsoft takes seriously. "We're looking at ways to mitigate that on a final version of Vista," Wilson said. Microsoft is not working alone on this, but in partnership with Intel and AMD.
"What she showed was legitimate and a very real threat," Wilson said.
The flip side of virtual-machine rootkits is that the virtual machine and its "hypervisor" providing a layer on top of an underlying operating system is also being eyed as a security mechanism in future versions of Microsoft's operating systems. "On the server side, virtualization would allow running multiple operating systems in a server," said Wilson. But that prospect remains a few years out as far as Microsoft products are concerned.
- Fight Malware, Malfeasance and Malingering Every year brings more extreme sets of threats than the last. The good news is that there are a range of mitigation options....
- Comprehensive Advanced Threat Defense The hot topic in the information security industry these days is "Advanced Threat Defense" (ATD). This paper describes a comprehensive, network-based approach to...
- Advanced Threat Defense: A Comprehensive Approach In this interview, Peter George, president, General Dynamics Fidelis Cybersecurity Solutions, explains why we need more than anti-malware, and what constitutes a comprehensive...
- Who's Spying on You? You're aware of the threats of malware to your business but what about the ever-changing ground rules? Cybercriminals today are launching attacks against...
- NSS Labs & Cisco Present: Evaluating Leading Breach Detection Systems Today's constantly evolving advanced malware and APTs can evade point-in-time defenses to penetrate networks. Security professionals must evolve their strategy in lockstep to...
- Will the Real Endpoint Threat Detection and Response Please Stand Up? This webinar explores new technologies & process for protecting endpoints from advanced attackers as well as the innovations that are pushing the envelope... All Malware and Vulnerabilities White Papers | Webcasts