FreeBSD and User Security

dfeustel at mindspring.com
Thu Jun 12 02:05:56 UTC 2008


On Wed, Jun 11, 2008 at 08:51:16PM -0500, Jeffrey Goldberg wrote:
> On Jun 11, 2008, at 8:08 PM, cpghost wrote:
>
>> On Wed, 11 Jun 2008 19:45:51 -0500
>> Jeffrey Goldberg <jeffrey at goldmark.org> wrote:
>
>>> First it should consume memory.  A very complete test of memory
>>> through a modified memtest should be able to detect whether system
>>> reported memory is accurate.
>
>> What if memtest already runs within the virtualization box? How can it
>> determine what the "right" amount of memory is supposed to be?
>
> I was assuming that that would be known by the operator.
>
>> And if
>> the virtualizer hot-patched memtest instructions, either on loading it
>> or dynamically while it runs, it could make it report whatever it
>> liked.
>
> Of course.
>
>>> Secondly, a blue pill would need to be reinserted after a hard
>>> reboot.  Therefore a look at the boot process (of a non-live system)
>>> should be able to see whether there is something that reinserts the
>>> blue pill.
>
>> Yes, but you've got to have a very close look at it, as it won't
>> necessarily appear on the screen -- being caught as well by the
>> virtualizer. And Joanna also has a paper about fooling hardware
>> capture cards into reporting bogus data on her site, so you won't
>> even be able to detect that RAM contains something else upon boot
>> than those hardware capture cards are supposedly reporting.
>
> Yes.  I've now read through some of Rutkowska's slides (following the link 
> provided by dfeustel in another post in this thread).
>
>> If all this is as she's described, it is truly brilliant from a
>> technical POV... and a very worrying thought as well.
>
> Yes it is worrying.  The next time I reboot the one server I've got with an 
> SVM capable processor I'm going to disconnect the power (to make sure that 
> I'm getting a real reboot instead of a spoofed one) and then on reboot I 
> will disable SVM in the BIOS.

How do you know that the BIOS has not been reflashed by a virus, trojan,
or rootkit?
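
Added example, not part of this thread or of any poster's code: a POSIX sh script that performs the operator-side comparison discussed above. It checks the physical memory the kernel reports against a baseline the operator recorded when the machine was built, and checks that SVM no longer appears in the CPU feature list once it has been disabled in the BIOS. The baseline figure and tolerance are constructed placeholders; `sysctl -n hw.physmem` and `/var/run/dmesg.boot` are the FreeBSD sources, with `/proc` fallbacks for other systems. As the thread itself points out, a hypervisor that already controls the machine can forge both readings, so a match proves nothing; only a mismatch is informative.

```shell
#!/bin/sh
# Added example (not from the thread). Compares what the running kernel
# reports with a baseline the operator recorded out-of-band.
# Assumes POSIX sh. Baseline values below are constructed placeholders.

# Constructed baseline: 4 GiB installed. Firmware reserves some RAM, so the
# reported figure is normally a little below the installed amount; allow
# a 128 MiB tolerance before flagging a discrepancy.
BASELINE_PHYSMEM=4294967296
PHYSMEM_TOLERANCE=134217728

# check_physmem EXPECTED REPORTED TOLERANCE
# Returns 0 when |EXPECTED - REPORTED| <= TOLERANCE, 1 otherwise.
check_physmem() {
    expected=$1; reported=$2; tol=$3
    diff=$((expected - reported))
    [ "$diff" -lt 0 ] && diff=$((0 - diff))
    [ "$diff" -le "$tol" ]
}

# check_svm_disabled "FEATURE LIST"
# Returns 0 when SVM is absent from a space-separated feature list (what the
# operator expects after disabling it in the BIOS), 1 when it is still advertised.
check_svm_disabled() {
    case " $1 " in
        *" SVM "*|*" svm "*) return 1 ;;
        *) return 0 ;;
    esac
}

# Reported physical memory in bytes: FreeBSD sysctl first, Linux /proc fallback.
reported_physmem() {
    if sysctl -n hw.physmem >/dev/null 2>&1; then
        sysctl -n hw.physmem
    elif [ -r /proc/meminfo ]; then
        awk '/^MemTotal:/ { print $2 * 1024 }' /proc/meminfo
    else
        echo 0
    fi
}

# CPU feature list as space-separated words. FreeBSD logs e.g.
# "AMD Features2=0x1f<LAHF,CMP,SVM,ExtAPIC,CR8>" at boot; Linux has /proc/cpuinfo.
cpu_features() {
    if [ -r /var/run/dmesg.boot ]; then
        grep -o 'Features2=0x[0-9a-f]*<[^>]*>' /var/run/dmesg.boot | tr '<>,' '   '
    elif [ -r /proc/cpuinfo ]; then
        awk -F: '/^flags/ { print $2; exit }' /proc/cpuinfo
    fi
}

# Run both checks against the live system and report; does not exit on failure
# so the script can also be sourced for its functions.
run_checks() {
    mem=$(reported_physmem)
    if check_physmem "$BASELINE_PHYSMEM" "$mem" "$PHYSMEM_TOLERANCE"; then
        echo "physmem: OK (reported $mem bytes, baseline $BASELINE_PHYSMEM)"
    else
        echo "physmem: MISMATCH (reported $mem bytes, baseline $BASELINE_PHYSMEM)"
    fi
    feats=$(cpu_features | tr '\n' ' ')
    if check_svm_disabled "$feats"; then
        echo "svm: not advertised"
    else
        echo "svm: still advertised by the CPU feature list"
    fi
}

run_checks
```

A mismatch here is a reason to investigate from outside the running system (power-off, boot known media), not a diagnosis; a clean result cannot rule out a hypervisor that rewrites what the guest sees.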


More information about the freebsd-questions mailing list