freebsd-security Digest, Vol 184, Issue 2
Wes Peters
wes at opensail.org
Wed Nov  8 04:19:45 UTC 2006
On Nov 4, 2006, at 8:30 AM, Wesley Shields <wxs at atarininja.org> wrote:
>
> On Fri, Nov 03, 2006 at 07:54:59AM -0800, Ricardo A. Reis wrote:
> [...]
>> At the II COLARIS, Joanna Rutkowska warned about a possible new kind
>> of malware that uses the hardware virtualization present in the new
>> AMD and Intel processors.
>>
>> I have two questions ...
>>
>> 1) How is it possible to detect that my system has been moved inside
>> a VM on the fly?
>
> She has discussed various solutions for this problem, and why she
> believes they may or may not work.  The one most people suggest is to
> time how long it takes for various instructions to run, but this can be
> tricked by the VMM-rootkit.  I'd suggest reading:
>
> http://theinvisiblethings.blogspot.com/2006/08/blue-pill-detection.html
One thing that leaps immediately to mind is a startup check to see if
this 'dmesg.boot' differs from the previous one.  Rather than
overwriting the previous one, move it to a backup, create the new
one, and log something if they differ.  I hacked this up in a couple
of minutes:
--- /etc/rc.d/dmesg     Sat May  6 21:00:26 2006
+++ dmesg       Tue Nov  7 20:17:47 2006
@@ -19,8 +19,10 @@
do_dmesg()
{
-       rm -f ${dmesg_file}
+       mv -f ${dmesg_file} ${dmesg_file}.prev
         ( umask 022 ; /sbin/dmesg $rc_flags > ${dmesg_file} )
+       cmp -s ${dmesg_file} ${dmesg_file}.prev || \
+               logger -p security.warn 'dmesg.boot changed from  
previous boot'
}
load_rc_config $name
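Review bot: the `mv -f ${dmesg_file} ${dmesg_file}.prev` line fails on the first boot after this change, and on any boot where dmesg.boot is absent, because `mv` errors on a missing source where the old `rm -f` did not; the `cmp -s` that follows then compares against a missing `.prev` and logs a spurious warning. Guard the rotation with `[ -f ${dmesg_file} ] && mv -f ${dmesg_file} ${dmesg_file}.prev` and skip the `cmp` when `.prev` does not exist. Two smaller points before committing: the `logger` message argument is wrapped across two lines here and must be a single line in the script, and a byte-for-byte `cmp` will also fire on ordinary boot-to-boot differences in the boot messages, so the log entry is a prompt to diff the two files, not evidence of anything specific on its own.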
If you like that, I'm willing to discuss it further, and/or commit it
and let the howling tell if it's a keeper or not. ;^)
--
            Where am I, and what am I doing in this handbasket?
Wes Peters
wes at softweyr.com
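The boot-message comparison described in the message above, written here as an added example rather than as Wes Peters' patch: the rotate and compare steps are split into shell functions so that the first-boot case (no previous copy) is handled without an error, the result is a return code the caller can act on, and the logic runs on constructed files instead of the live /var/run/dmesg.boot. The file names and the `dmesg-check` syslog tag are assumptions, not anything from the original thread.

```shell
#!/bin/sh
# Added example (not the patch posted above): check whether the saved
# boot messages differ from the previous boot, with first-boot handling.

# rotate_boot_log FILE
# Keep the previous boot's messages as FILE.prev. Unlike a bare `mv -f`,
# this does nothing (and prints no error) when FILE does not exist yet.
rotate_boot_log() {
    if [ -f "$1" ]; then
        mv -f "$1" "$1.prev"
    fi
}

# compare_boot_log NEW PREV [LOG_TAG]
# Return 0 when NEW and PREV are byte-identical, 1 when they differ
# (emitting a security.warn syslog entry if logger is available), and
# 2 when PREV is missing, i.e. there is nothing to compare against.
compare_boot_log() {
    new="$1"; prev="$2"; tag="${3:-dmesg-check}"   # tag is an assumed name
    if [ ! -f "$prev" ]; then
        return 2
    fi
    if cmp -s "$new" "$prev"; then
        return 0
    fi
    # A byte-for-byte difference only says that something changed; the
    # diff below is what an operator should look at before drawing a
    # conclusion.
    if command -v logger >/dev/null 2>&1; then
        logger -t "$tag" -p security.warn \
            'boot messages changed from previous boot' 2>/dev/null || :
    fi
    return 1
}

# boot_log_diff NEW PREV
# Print the differing lines for review (nothing if identical or if there
# is no previous copy).
boot_log_diff() {
    [ -f "$2" ] || return 0
    diff "$2" "$1" || :
}

# Demonstration on constructed boot-message files; no real dmesg needed.
demo() {
    d=$(mktemp -d) || return 1
    f="$d/dmesg.boot"
    printf 'Copyright (c) 1992-2006 The FreeBSD Project.\n' > "$f"
    printf 'CPU: constructed example CPU\n' >> "$f"
    printf 'real memory  = 536870912 (512 MB)\n' >> "$f"

    rc=0; compare_boot_log "$f" "$f.prev" || rc=$?
    echo "first boot, no previous copy: rc=$rc"     # rc=2

    rotate_boot_log "$f"
    cp "$f.prev" "$f"                               # identical "next boot"
    rc=0; compare_boot_log "$f" "$f.prev" || rc=$?
    echo "unchanged boot messages: rc=$rc"          # rc=0

    echo 'ugen0: constructed USB device attached' >> "$f"
    rc=0; compare_boot_log "$f" "$f.prev" || rc=$?
    echo "changed boot messages: rc=$rc"            # rc=1
    boot_log_diff "$f" "$f.prev"

    rm -rf "$d"
}
demo
```

In an rc script the three calls would be `rotate_boot_log ${dmesg_file}`, then the `dmesg` redirect that writes the new file, then `compare_boot_log ${dmesg_file} ${dmesg_file}.prev`; the return code 2 on the first boot is deliberately silent, since a missing previous copy is not a change.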