Wednesday, September 5, 2007

On virtualization rootkits

Recently I read this (second part), which makes me feel that I am mainly on Joanna’s side. Moreover, some ideas in that interview confirm the thoughts about virtualization that I explained in a comment after Amiran’s post. In this post I’ll try to explain my point of view.

I think the main point is that a hosted OS can only figure out that it is running in a virtual environment, and even this guess can be fooled. Since all other applications (and, of course, all kinds of detectors) run on top of the OS and use it as their interface to the hardware, they blindly trust the OS, and so they have no means to investigate the fraud. In my comment I stated that malicious software agents can be detected by software detectors, but success depends on who started first. That is why such software-versus-software methods (software badness versus software detectors) are like the Red Queen’s race. It is also obvious that software evil can easily be detected at the hardware level.

Now let’s look at virtualization rootkits: they sit right between the hardware and the system software (the OS). How can the OS detect this cheat if deceiving the OS is the main idea of virtualization? I completely agree with Joanna that these rootkit detectors can only find out that they are in a virtual environment, and only implicitly (side channels, etc.), nothing more. This is more of a philosophical issue. Let’s try to think as the OS does: yes, we have figured out that something is wrong, that we are on a virtual machine, but how can we tell that our virtual environment is malicious? What does malicious mean? How do we detect it? The only technology we have for fighting malicious code is pattern matching. It doesn’t matter whether the patterns are behavioral or code-based. How can we realize that our virtual environment is malicious when our eyes, ears, nose, etc. are not able to see more than the OS?

I have an analogy. Suppose you’re on a plane in flight. Is it possible to tell whether you’re above Moscow or above London? You can tell that you are in flight only because you see the sky through the window, hear the noise, and feel the G-forces. But all of this is evidence provided by the plane. What if there is noise cancellation and there are no windows? Then you will not even have the opportunity to tell whether you’re in the air or on the ground.

Thomas Ptacek mentioned here that there are methods to detect unexpected virtualization. Actually, I have no idea what unexpected virtualization is. Unexpected for whom? The OS? Is there expected virtualization? How do we decide whether virtualization is expected or not? Too many questions.

Thomas also enumerated these methods (three approaches are explained in the interview). But there are two arguments against them:

- These detect virtualization, not a virtualization rootkit. This is exactly what Joanna stated: “Unfortunately authors failed to prove their claims and all they presented was just a bunch of hacks of how to detect virtualization, but not virtualization based malware”.

- In general, it’s not a good idea to try to find malware by hoping that it has bugs that may provide you with evidence. What if the malware has no bugs?

Nate Lawson added: “…Our key finding is that it will always be easier to detect a (hypervisor) rootkit than it is to write perfect cloaking code for one. When you have a choice, it's always better to be on the side where software bugs benefit your goals. Our code is minimal and is less than 1000 LoC while New Blue Pill is about 7000 LoC. Adding support for hiding from our particular set of checks would increase the size of NBP even more.” This sounds rather strange to me, because AFAIK nobody compares the cost of producing malware with the cost of detection/prevention means. It seems wrong to claim that if it is more difficult to write a virus than an antivirus, nobody will write viruses any more :-). It is better to compare the cost of a virus with the revenue from its actions (unfortunately, nobody writes viruses for fun nowadays): something like ROI for a virus (malware, rootkit, worm, trojan, whatever).

I agree with the statement: “Five years from now, everyone's desktop operating system will be virtualized by default; rootkits won't have any opportunity to load themselves into hypervisors directly, because there will already be a hypervisor present, and it won't want to share”, and it supports my idea that the winner is whoever starts first in the software fight against software malware.

To conclude this bizarre post, I’d like to repeat the thought that it is more reliable to fight software badness from the hardware level, and that is what Joanna said: “… It passed a year and we still don't have any good method for virtualization malware detection and I don't believe we could have any without the help from hardware.”
