Desnos Anthony (ESIEA SI&S) Filiol Éric (ESIEA (v+c)^o) Detection of an HVM rootkit (aka BluePill-like)

Upload: duongtuyen

Post on 10-Sep-2018


Page 1

Desnos Anthony (ESIEA SI&S)

Filiol Éric (ESIEA (v+c)^o)

Detection of an HVM rootkit (aka BluePill-like)

Page 2

● Rootkit

– Userland

– Kernelland

Page 3

● Userland

– Replace binaries

– Patch on the fly

– Syscall proxy

– Remote Userland Execve

Page 4

● Kernel land

– Hooks in text section

– Hooks in data (structures)

– No hook!

Page 5

● HVM (Hardware-based Virtual Machine) rootkit

– Uses virtualization

● Rootkit in ring -1

● All power on the host

Page 6

● Virtualization

– AMD

● SVM

– Intel

● VMX

Page 7

● SVM

– Quickly switch from host to guest,

– Interception of instructions or guest's events,

– DMA access protection: EAP (External Access Protection),

– Tagged TLB between the hypervisor and the virtual machines.

Page 8

● HVM rootkit

– "Switching the operating system into a virtual machine"

● All classic time sources may be intercepted (RDTSC, I/O, ...)

● All users' actions

Page 9

● BluePill

– The first and the only public HVM rootkit

– Released in 2006 (Vista 64 bits, AMD) by Joanna Rutkowska

– Latest version 0.32 (AMD + Intel) (~10,000 lines)

Page 10

● Controversy

– Security buzz

● Advertisements:

– « End of the world » / « undetectable rootkit »

● « Tout va bien madame la marquise » ("Everything is fine, Madam Marquise")

● Is detecting a hypervisor the same thing as detecting an HVM rootkit?

Page 11

● Solutions:

– Timing attack

– Pattern matching

– TLB

– DMA/FireWire

– CPU bugs

Page 12

● Analysis

– No hook (no installation after a reboot)

– Loading of BluePill:

● like a driver

– Vista: driver signing

● F8 during the boot

● by a memory device

● by a kernel bug

Page 13

Page 14

Page 15

● Analysis

– Interceptions

● vmrun, vmload, vmsave

● MSRs: EFER, VM_HSAVE_PA, TSC

● clgi, stgi

● SMM

● Debug

● cpuid, rdtsc, rdtscp

Page 16

● Protections

– Against rdtsc

– Blue Chicken

Page 17

● No viral payload?!

– Simple hypervisor

– « hvm rootkit » PoC

● Why?

Page 18

● Why?

– No hook on the system

– Filtering I/O

● Time!

Page 19

● Detection techniques

– Memory fingerprint

● Uses the classic memory allocator

● The rootkit can bypass it

Page 20

● Detection techniques

– Timing attack

● Impossible (the rootkit is here!)

Page 21

● Detection techniques

– Timing attack

● Impossible (the rootkit is here!)

● External sources?

– NTP

– Counter

Page 22

● Counter (original idea from Barbosa)

– No information

– 2 threads in kernel land

● Calling an intercepted instruction

● Incrementing a variable

– Each thread on a CPU

– Drawbacks:

● Processor with >= 2 CPUs

● Variable frequency

Page 23

Page 24

Page 25

Page 26

Page 27

Page 28

Page 29

Page 30

Page 31

Page 32

● Without BluePill:

– Average: 30 increments per intercepted instruction

● With BluePill:

– Average: 330 increments per intercepted instruction

● « hvm rootkit » PoC

– x 10!!

● A useful rootkit!
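An added example, not part of the slides and not the authors' own tool: a userland C port of the two-thread counter technique of page 22, checked against the figures of page 32. One thread increments a shared counter while the other executes cpuid, an instruction every hypervisor must intercept (it is in the list on page 15); under an HVM each probe costs a VM exit, so the counting thread gets many more increments per probe. The slides run the threads in kernel land with one per CPU; this version uses pthreads without CPU affinity, takes a median over several runs to damp the "variable frequency" drawback, and compares against the slides' 30/330 figures, which stand in for the clean baseline a deployment would have to record per machine. The 10x factor, the 100000-probe count and the sample arrays are constructed. As page 10 asks, the check cannot tell a BluePill-like rootkit from a legitimate hypervisor: run inside any VM it fires as well.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Shared state between the counting thread and the probing thread. */
static atomic_uint_fast64_t g_counter;
static atomic_int g_stop;

/* Counting thread: increments g_counter as fast as it can until told to stop. */
static void *count_thread(void *arg)
{
    (void)arg;
    while (!atomic_load_explicit(&g_stop, memory_order_relaxed))
        atomic_fetch_add_explicit(&g_counter, 1, memory_order_relaxed);
    return NULL;
}

/* One probe: cpuid unconditionally exits to the hypervisor (see the interceptions on page 15). */
static inline void probe_instruction(void)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned int a = 0, b, c, d;
    __asm__ volatile("cpuid" : "+a"(a), "=b"(b), "=c"(c), "=d"(d));
#else
    /* Non-x86 build: no interceptable instruction to issue; keep the loop body non-empty. */
    __asm__ volatile("" ::: "memory");
#endif
}

/* Runs `probes` probes while the counter thread spins; returns increments per probe, -1.0 on error. */
double measure_increments_per_probe(unsigned long probes)
{
    pthread_t tid;
    atomic_store(&g_counter, 0);
    atomic_store(&g_stop, 0);
    if (probes == 0 || pthread_create(&tid, NULL, count_thread, NULL) != 0)
        return -1.0;
    for (unsigned long i = 0; i < probes; i++)
        probe_instruction();
    atomic_store(&g_stop, 1);
    pthread_join(tid, NULL);
    return (double)atomic_load(&g_counter) / (double)probes;
}

/* Median of up to 64 samples (insertion sort on a copy): damps the "variable frequency" drawback. */
double median_of(const double *samples, size_t n)
{
    double buf[64];
    if (n == 0 || n > 64)
        return -1.0;
    for (size_t i = 0; i < n; i++) {
        size_t j = i;
        while (j > 0 && buf[j - 1] > samples[i]) {
            buf[j] = buf[j - 1];
            j--;
        }
        buf[j] = samples[i];
    }
    return (n % 2) ? buf[n / 2] : (buf[n / 2 - 1] + buf[n / 2]) / 2.0;
}

/* Verdict: 1 if the observed increments/probe is at least `factor` times a known-clean
 * baseline measured on the same machine, 0 if not, -1 if the inputs are unusable. */
int hypervisor_suspected(double baseline, double observed, double factor)
{
    if (baseline <= 0.0 || observed < 0.0 || factor <= 0.0)
        return -1;
    return observed >= baseline * factor;
}

int main(void)
{
    /* Constructed values: the slides report ~30 increments/instruction clean and ~330 with
     * BluePill (page 32); a deployment records its own clean baseline per machine instead. */
    const double clean_baseline = 30.0;
    const double factor = 10.0;
    double runs[5];

    for (size_t i = 0; i < 5; i++)
        runs[i] = measure_increments_per_probe(100000);
    double observed = median_of(runs, 5);

    printf("median increments per probe: %.1f\n", observed);
    printf("hypervisor suspected: %d\n", hypervisor_suspected(clean_baseline, observed, factor));
    return 0;
}
```

Build with `cc -O2 -pthread counter_probe.c` (file name assumed). The absolute numbers depend on the CPU and its frequency scaling, which is why the verdict is a ratio against a baseline taken on the same machine rather than a fixed count.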

Page 33

● Conclusion:

– No rootkit is really undetectable

– The opposite is also true

Page 34

● Conclusion

– Stay away from the security buzz

– Protection?

● Deactivation of virtualization in the BIOS

● A key to activate virtualization

– Impossible to access!

● Hypervisor of protection