The Blue Pill virtualization attack: Virtual machine malware

Much ado was made of the demonstration of the Blue Pill attack on Windows Vista at Black Hat this year. Security expert Kevin Beaver analyzes the exploit. Find out how the attack worked and whether you should care about it.

A Blue Pill has been stirring up talk lately about the hardening of Windows Vista. No, I'm not talking about Viagra. Rather, security researcher Joanna Rutkowska's Blue Pill attack, a malware exploit introduced recently that has gotten the attention of Microsoft and the security community. So, what exactly is this exploit and what can be done about it? Read on.

It used to be that researchers and attackers were looking at Windows exploits at a much higher level. Null sessions, weak share permissions, Registry hacking and password cracking were the bomb a few years back. Now, with the Blue Pill attack -- and arguably many more to come -- Microsoft is seeing that interested parties in the security community are taking things up a few notches.

The Blue Pill exploit code -- which bypasses Microsoft's digital signature protection for kernel mode drivers -- relies on a set of extensions in the Advanced Micro Devices Inc. (AMD) new 64-bit AMD Athlon processors called Secure Virtual Machine (SVM). With SVM, software developers are able to manipulate processor registers, interrupts, input/output and so on for virtual machine functionality at the hardware level. Ah, the sweet memories of assembly language programming are coming back! The Blue Pill attack itself manipulates kernel mode memory paging and the VMRUN and related SVM instructions that control the interaction between the host (hypervisor) and guest (virtual machine). This permits undetected, on-the-fly placement of the host operating system in its own secure virtual machine allowing for complete control of the system including manipulation by other malware. That's it in a nutshell.

All in all, the Blue Pill discovery is fascinating. Certainly a lot of smart minds are thinking of ways that hardware and software can be manipulated to keep software vendors and processor manufacturers on their toes (Intel included, since this type of attack could affect its virtualization technology, too). Obviously, Microsoft, AMD and the anti-malware vendors still have some work to do, and undoubtedly there will be more virtualization hacks.

End of our virtual worlds?

Should you avoid the 64-bit AMD processors that support SVM? Do you disable SVM in your systems' BIOS? Do you stay away from virtualization technologies altogether? Do you not deploy Vista? Do you wait until your anti-malware vendor comes up with a solution?

The simple answer to all those questions is a resounding no. First of all, the Blue Pill attack is more of a proof of concept that operating systems are never going to be completely bulletproof -- at least not as long as humans are involved. Furthermore, a lot of things have to fall into place in just the right fashion (including administrator-level access) for the Blue Pill exploit to even be possible.

I think we've got much bigger problems to be worried about than a malware weakness affecting a pre-release version of an operating system written for one specific processor architecture that requires administrator access, and won't even survive a reboot! If we can ever get past human laziness and oversight leading to default OS configurations, weak passwords, missing patches, minimal file access controls, Web applications that don't validate input and so on, then (and only then) should we worry about security flaws such as this one making a huge impact in our environments. It's a hard pill to swallow, but we've got to fix the basics first if security's ever going to be improved.

About the author:
Kevin Beaver, an independent information security consultant and expert witness with Atlanta-based Principle Logic, LLC, spent six long years obtaining his degree in computer engineering, which included a lot of Blue Pill-like bit and byte manipulation. He has more than 18 years of experience in IT and specializes in performing information security assessments regarding compliance and IT governance. Kevin has written six books, including Hacking For Dummies (Wiley), Hacking Wireless Networks For Dummies, and The Practical Guide to HIPAA Privacy and Security Compliance (Auerbach). He can be reached at kbeaver@principlelogic.com.

This was first published in October 2006

Dig deeper on Server virtualization risks and monitoring

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchVMware

SearchWindowsServer

SearchCloudComputing

SearchVirtualDesktop

SearchDataCenter

Close