Hello,
I am reading about http://en.wikipedia.org/wiki/Blue_Pill_(software)
So I was thinking about what would happen if anybody blue-pilled a VM with their own virtualized mapping of the BIOS and SMM.
Can I run my own SMM code in virtual machine?
Was the VM escape fixed?
Attacking VMs
Re: Attacking VMs
What are you up to, lopidas? Your interest in SMM is worrying.
You seem to have misunderstood what Blue Pill is. It's not a way to escape a virtual machine, it's a method for rootkitting an existing installation of an operating system by running it inside a virtual machine, in an effort to be as reliable and undetectable as possible. If you are able to control what a computer boots, you might as well just boot your own operating system, which would give you just as much control. The purpose of a rootkit is to hide its presence from the user; they can't do more than a normal custom operating system can. This is not a bug, as such; the bug is whatever allowed the installation of the rootkit.
Re: Attacking VMs
But the attack relies on being able to escape the virtual machine, if I understand it right.
Re: Attacking VMs
Hi,
lopidas wrote:
But the attack relies on being able to escape the virtual machine, if I understand it right.

If I remember right; it was a 2 part thing. First part is to exploit massive security holes in an OS to get CPL=0 access, then use that to install the VM (to prevent rootkit detection).

As a way to prevent this, most firmware has an "enable/disable hardware virtualisation" setting now (so it can be disabled if/when you're not using virtualisation). Sadly, very few systems have an "enable/disable massive security holes in the OS" setting, which would've been preferable.

Cheers,
Brendan
For all things; perfection is, and will always remain, impossible to achieve in practice. However; by striving for perfection we create things that are as perfect as practically possible. Let the pursuit of perfection be our guide.
Re: Attacking VMs
I can control my kernel to get to ring 0