Shostack + Friends Blog Archive


Virtual Machine Rootkits

Eweek covers a paper (“SubVirt: Implementing malware with virtual machines” [link to http://www.eecs.umich.edu/Rio/papers/king06.pdf no longer works]) coming out of Microsoft and UMichigan in “VM Rootkits: The Next Big Threat?” [link to http://www.eweek.com/article2/0,1895,1936672,00.asp no longer works]. Joanna Rutkowska gives some thoughts in a post to Daily Dave, “redpill vs. Microsoft rootkit….” [link to http://archives.neohapsis.com/archives/dailydave/2006-q1/0220.html no longer works]

My take is that it’s good to see Microsoft working on this sort of research and thinking about future issues. The ideal is that we see a lot of these sorts of papers, and the threats never turn large scale, because the threat research has enabled defensive research.

It’s even better to see Microsoft talking about this work in public. The “keep it secret” crowd took twenty years to not fix the buffer overflow problem before Aleph published “Smashing the Stack for Fun and Profit.” Since then, we’ve gotten StackGuard (and derivatives), RATS (and derivatives), address randomization, and probably other techniques.

So let’s talk about the problems. It helps.
