Two months after Joanna Rutkowska's "Blue Pill" security
vulnerability demonstration at the Black Hat Conference in Las
Vegas, security mavens are still debating whether this
vulnerability is indeed legitimate or even if Windows Vista's code
is actually the problem. Let's take a look at the facts.
- The presentation demonstrated how a user with administrative
privileges over an x64-based machine could attempt to place
unsigned (unverified) code directly into the Windows Vista
kernel.
- The exploit functions by creating an undetectable virtual
machine into which, theoretically, malware—most likely a
rootkit—could be executed. In Rutkowska's example, this "malware"
was unsigned code that eventually made it into the Vista kernel,
without rebooting the machine.
- A crucial part of Rutkowska's demonstration was an alleged
weakness in the AMD Pacifica SVM technology, which is a
virtualization capability offered in 64-bit AMD processors. To
quote Rutkowska on her blog, "I would like to make it clear, that
the Blue Pill technology does not rely on any bug of the underlying
operating system. I have implemented a working prototype for Vista
x64, but I see no reasons why it should not be possible to port it
to other operating systems, like Linux or BSD which can be run on
x64 platform."
- There is discussion and debate about whether Intel's
virtualization technology is vulnerable, and if so, to what degree
as compared with AMD's technology.
- The exploit in the end requires administrative access to the
machine, a privilege threshold that, when achieved, allows all
sorts of activities, both legitimate and illegitimate, that could
potentially weaken or destroy the integrity of a system.
- x64 versions of Windows Vista, by default, require drivers to
be signed before installation. The purpose of this requirement is
to thwart potential attacks as well as improve system reliability.
After all, buggy drivers that are signed basically have a business
card with the developers' information on it, making resolution much
easier.
- Microsoft is investigating this exploit to determine whether
modifications to Vista's security mechanisms are necessary. In fact,
Austin Wilson of Microsoft says, "we already have our teams combing
through information to make Windows Vista even better because of
[the Black Hat conference]."
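The driver-signing requirement described above is something an administrator can verify on a host rather than assume. The following PowerShell script is an added example, not code from the article or from Microsoft: it enumerates the kernel-mode drivers registered on the machine, checks each file's Authenticode signature, and then inspects the current boot entry for the two BCD settings (`testsigning` and `nointegritychecks`) that relax signature enforcement. It assumes Windows PowerShell 3 or later and an elevated session (reading the BCD store requires administrative rights).

```powershell
# Added example (not from the article): audit kernel-mode drivers on an x64
# Windows host for Authenticode signatures and report whether the boot
# configuration weakens signature enforcement. Assumes Windows PowerShell 3+
# running elevated.

# 1. Enumerate kernel drivers known to the Service Control Manager.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName }

$results = foreach ($d in $drivers) {
    # PathName may carry NT-style prefixes; normalise to a Win32 path.
    $path = $d.PathName
    $path = $path -replace '^\\\?\?\\', ''
    $path = $path -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $path = $path -replace '^system32\\', "$env:SystemRoot\system32\"

    if (-not (Test-Path -LiteralPath $path)) {
        [pscustomobject]@{
            Name = $d.Name; State = $d.State
            Status = 'FileNotFound'; Signer = ''; Path = $path
        }
        continue
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $path
    [pscustomobject]@{
        Name   = $d.Name
        State  = $d.State
        Status = $sig.Status   # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Path   = $path
    }
}

# 2. Any running driver whose signature is not 'Valid' deserves a closer look.
$suspect = @($results | Where-Object { $_.State -eq 'Running' -and $_.Status -ne 'Valid' })
"Registered drivers: {0}; running without a valid signature: {1}" -f @($results).Count, $suspect.Count
$suspect | Format-Table Name, Status, Signer, Path -AutoSize

# 3. Check the current boot entry for settings that relax kernel-mode code
#    signing. Either element reporting 'Yes' means the x64 signing
#    requirement is not being enforced on this boot.
$bcd = bcdedit /enum '{current}' 2>$null
foreach ($flag in 'testsigning', 'nointegritychecks') {
    $line = $bcd | Where-Object { $_ -match "^\s*$flag\s+Yes" }
    if ($line) { "WARNING: $flag is enabled on the current boot entry" }
    else       { "$flag not enabled" }
}
```

Run it from an elevated prompt; a clean x64 system should report every running driver as `Valid` and both BCD flags as not enabled. A `NotSigned` or `HashMismatch` entry, or a `Yes` against either flag, is the point at which the signing requirement the article relies on has stopped doing its job and warrants investigation.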
The fact that this exploit even occurred is alarming. But
exactly who should it alarm? Windows system administrators? Those
thinking of running Windows Vista x64? Or all administrators? I
believe it's something we all should be concerned with.
A fundamental tenet of computer security is that a user
with administrative powers can do a lot to a machine -- including
format an entire hard drive. This tenet is why privilege escalation
attacks are so problematic. But in this particular "blue pill"
exploit, there was no privilege exploit. And the chances of someone
obtaining remote access to a machine, using administrative
privileges, and being able to successfully pull off this exploit
are very slim. In fact, no one has done so yet.
So has Windows Vista security been blown away? Has all the work
the development team put into the product been for naught?
Absolutely not. The response to Windows Vista's security at Black
Hat was actually quite positive, which is saying something
significant when you consider the typical makeup of the audience at
the conference—they're hardly Microsoft apologists.
Good things are happening when it comes to security in Vista.
Don't let this "blue pill" business make you think otherwise.
About the author: Jonathan Hassell is author of
Hardening Windows (Apress LP) and is a
SearchWindowsSecurity.com site expert. Hassell is a systems
administrator and IT consultant residing in Raleigh, N.C., who has
extensive experience in networking technologies and Internet
connectivity. He runs his own Web-hosting business, Enable Hosting.
His previous book, RADIUS (O'Reilly & Associates), is a guide
to implementing the RADIUS authentication protocol and overall
network security.