Enc: FreeBSD and the new virtual machine-based rootkits

Wesley Shields wxs at atarininja.org
Fri Nov 3 19:50:20 UTC 2006


On Fri, Nov 03, 2006 at 07:54:59AM -0800, Ricardo A. Reis wrote:
[...]
> At the II COLARIS, Joanna Rutkowska alerted us to the possibility of
> new malware technology using hardware virtualization, present in the
> new AMD and Intel processors.
> 
> I've two questions ...
> 
> 1) How is it possible to detect if my system is moved inside a VM on the fly?

She has discussed various solutions for this problem, and why she
believes they may or may not work.  The one most people suggest is to
time how long it takes for various instructions to run, but this can be
tricked by the VMM-rootkit.  I'd suggest reading:

http://theinvisiblethings.blogspot.com/2006/08/blue-pill-detection.html

> 2) Does a project exist to merge veriexec from NetBSD into FreeBSD
>     and add the SPKI feature?

Not that I'm aware of but something which is somewhat similar has been
posted to trustedbsd-discuss.

I'd check out the following links:

http://lists.freebsd.org/pipermail/trustedbsd-discuss/2006-August/000865.html
http://people.freebsd.org/~csjp/mac/
http://people.freebsd.org/~csjp/mac_chkexec.txt

AFAIK this is still in perforce, but will hopefully make its way into
-CURRENT and eventually a release.  I'm sure someone will speak up if
I'm wrong here.

-- WXS
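The veriexec / mac_chkexec idea discussed above is an executable-integrity check: the kernel compares a file's digest against a trusted fingerprint list before allowing it to run, and in its stricter modes refuses anything not on the list. The following is an added userland model of that check, written for this thread and not code from NetBSD, FreeBSD or the mac_chkexec project. The manifest format, the `strict` flag and the sample files are constructed for illustration; the real implementations keep the list and the check inside the kernel, which is the whole point, since a userland checker can be lied to by a compromised kernel (and a VMM-level rootkit sits below even the kernel, which is why the integrity check and the VM-detection question are related but separate problems).

```python
import hashlib
import os
import tempfile

# Digest algorithm for fingerprints (assumption: SHA-256; NetBSD veriexec
# supports several algorithms, this model fixes one for simplicity).
HASH_ALGO = "sha256"


def fingerprint(path):
    """Return the hex digest of a file, read in chunks."""
    h = hashlib.new(HASH_ALGO)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths):
    """Map absolute path -> digest for files trusted at manifest-creation time."""
    return {os.path.abspath(p): fingerprint(p) for p in paths}


def serialize_manifest(manifest):
    """Constructed text form: one '<path> <algo> <digest>' line per entry."""
    return "".join(f"{p} {HASH_ALGO} {d}\n" for p, d in sorted(manifest.items()))


def parse_manifest(text):
    """Inverse of serialize_manifest; rejects malformed or unknown-algorithm lines."""
    manifest = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3 or parts[1] != HASH_ALGO:
            raise ValueError(f"manifest line {lineno}: malformed entry")
        manifest[parts[0]] = parts[2]
    return manifest


def check_exec(manifest, path, strict=True):
    """Model of the pre-exec decision.

    Returns (allowed, reason). In strict mode a file absent from the manifest
    is refused; in non-strict mode only listed files are verified, mirroring
    the 'verify what is listed, allow the rest' behaviour of lower strictness.
    """
    p = os.path.abspath(path)
    expected = manifest.get(p)
    if expected is None:
        return (not strict, "not in manifest")
    if fingerprint(p) != expected:
        return (False, "fingerprint mismatch")
    return (True, "ok")


def demo():
    """Constructed scenario: a trusted script, an unlisted script, then tampering."""
    with tempfile.TemporaryDirectory() as d:
        trusted = os.path.join(d, "trusted.sh")
        unlisted = os.path.join(d, "unlisted.sh")
        with open(trusted, "wb") as f:
            f.write(b"#!/bin/sh\necho hello\n")
        with open(unlisted, "wb") as f:
            f.write(b"#!/bin/sh\necho not on the list\n")

        # Round-trip the manifest through its text form, as a real system
        # would load it from a file at boot.
        manifest = parse_manifest(serialize_manifest(build_manifest([trusted])))

        before = check_exec(manifest, trusted)
        # Simulate post-manifest modification of the trusted file.
        with open(trusted, "ab") as f:
            f.write(b"echo appended later\n")
        after = check_exec(manifest, trusted)
        unknown_strict = check_exec(manifest, unlisted, strict=True)
        unknown_lax = check_exec(manifest, unlisted, strict=False)
        return (before, after, unknown_strict, unknown_lax)


if __name__ == "__main__":
    for label, result in zip(("trusted", "tampered", "unlisted/strict", "unlisted/lax"), demo()):
        print(f"{label:16s} allowed={result[0]} ({result[1]})")
```

Run it as a script to see the four decisions. The model deliberately hashes the whole file on every check; real implementations cache the verdict per vnode and invalidate it on write, which is a kernel-side optimisation this userland sketch does not attempt.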


More information about the freebsd-security mailing list