Attacking VMs

Posted: Fri May 30, 2014 10:36 am
by lopidas
Hello,
I am reading about http://en.wikipedia.org/wiki/Blue_Pill_(software)
So I was thinking about what will happen, if anybody will blue-pill VM with own virtualized mapping of BIOS and SMM.
Can I run my own SMM code in virtual machine?
Was the VM escape fixed?

Re: Attacking VMs

Posted: Fri May 30, 2014 11:35 am
by sortie
What are you up to, lopidas? Your interest in SMM is worrying.

You seem to have misunderstood what Blue Pill is. It's not a way to escape a virtual machine; it's a method for rootkitting an existing installation of an operating system by running it inside a virtual machine, in an effort to be as reliable and undetectable as possible. If you are able to control what a computer boots, you might as well just boot your own operating system, which would give you just as much control. The purpose of a rootkit is to hide its presence from the user; they can't do more than a normal custom operating system can. This is not a bug as such; the bug is whatever allowed the installation of the rootkit.

Re: Attacking VMs

Posted: Fri May 30, 2014 11:42 am
by lopidas
But the attack relies on being able to escape the virtual machine, if I understand it right.

Re: Attacking VMs

Posted: Fri May 30, 2014 11:53 am
by Brendan
Hi,
lopidas wrote: But the attack relies on being able to escape the virtual machine, if I understand it right.
If I remember right, it was a 2-part thing. The first part is to exploit massive security holes in an OS to get CPL=0 access, then use that to install the VM (to prevent rootkit detection).

As a way to prevent this, most firmware has an "enable/disable hardware virtualisation" setting now (so it can be disabled if/when you're not using virtualisation). Sadly, very few systems have an "enable/disable massive security holes in the OS" setting, which would've been preferable. ;)


Cheers,

Brendan

Re: Attacking VMs

Posted: Fri May 30, 2014 1:09 pm
by lopidas
I can control my kernel to get to ring 0 :)