FreeBSD and User Security

Jeffrey Goldberg jeffrey at
Thu Jun 12 00:45:54 UTC 2008

On Jun 11, 2008, at 7:17 PM, dfeustel at wrote:

> A relatively new security threat known as 'The Blue Pill', based upon
> hardware, is a class of virtual rootkits that can silently take over
> Intel and AMD systems. A good site to visit to learn about these  
> virtual
> rootkits is

That is simple (in concept) yet absolutely brilliant!  I'm sure that  
people much smarter that I am have thought about these things more  
carefully than I have, but I'm not convinced that a blue pill would be  
completely undetectable.

First it should consume memory.  A very complete test of memory  
through a modified memtest should be able to detect whether system  
reported memory is accurate.

Secondly, a blue pill would need to be reinserted after a hard  
reboot.  Therefore a look at the boot process (of a non-live system)  
should be able to see whether there is something that reinserts the  
blue pill.

But even if detection is possible these ways, a Blue Pill would be  
extremely difficult to detect once inserted, and so the focus would  
have to be entirely on prevention.

Again, these are just my first thoughts after looking at this very  
briefly.  The people who come up with this stuff and do proper  
analysis are both smarter and more knowledgeable than I am.



Jeffrey Goldberg              

More information about the freebsd-questions mailing list