The hits just keep on coming in the discussion surrounding the rootkit detection challenge session at the Black Hat conference next month. The latest to join the fray is Keith Adams, a VMware engineer who wrote a blog post Monday describing a technique for detecting a hypervisor rootkit by monitoring resource utilization. The technique would be effective in finding Joanna Rutkowska’s much-hyped Blue Pill rootkit, Adams writes.
I’ve seen zero evidence that Rutkowska has pondered resource-based detection attempts like this, or indeed, any attacks more sophisticated than a “go-slow” loop between reads of the PIT. It is hard for me to imagine a “hypervisor” worthy of the name that doesn’t leave noticeable traces in resource usage. In fact, to the degree that a hypervisor goes to heroic lengths to prevent such a detection technique, e.g., by running a hardware-accurate cache simulator on every guest memory access, it will only open up wider timing discrepancies for the guest’s HV-detector to exploit.
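The kind of timing-discrepancy check Adams alludes to, as an added example that is not from the article, from Adams or from VMware: it times an instruction the hardware virtualization extensions always intercept (CPUID) against the bare cost of reading the time-stamp counter, takes medians over many samples, and flags the machine when the ratio is far above what native execution would show. The sample count and the 10x threshold are assumptions for illustration; a defender would calibrate them on known-clean hardware first.

```c
/* Timing-discrepancy probe for a hypervisor rootkit (added example, not from
 * the article, Keith Adams or VMware). It measures, in TSC ticks, how long a
 * CPUID instruction takes compared with the bare cost of reading the TSC.
 * Under VT-x/AMD-V, CPUID is always intercepted, so a hypervisor that hides
 * itself still pays a VM exit, and that shows up as a large ratio.
 * SAMPLES and the threshold passed from main() are assumed values. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>   /* __rdtsc() */
#include <cpuid.h>       /* __cpuid() */
#define HAVE_X86 1
#else
#define HAVE_X86 0       /* probe is a no-op on other architectures */
#endif

#define SAMPLES 512      /* assumed sample count */

/* TSC ticks for one CPUID(0); 0 when not built for x86. */
static uint64_t time_cpuid(void)
{
#if HAVE_X86
    unsigned a, b, c, d;
    uint64_t t0 = __rdtsc();
    __cpuid(0, a, b, c, d);
    uint64_t t1 = __rdtsc();
    return t1 - t0;
#else
    return 0;
#endif
}

/* TSC ticks for the measurement itself (two back-to-back RDTSCs). */
static uint64_t time_baseline(void)
{
#if HAVE_X86
    uint64_t t0 = __rdtsc();
    uint64_t t1 = __rdtsc();
    return t1 - t0;
#else
    return 0;
#endif
}

static int cmp_u64(const void *x, const void *y)
{
    uint64_t a = *(const uint64_t *)x, b = *(const uint64_t *)y;
    return (a > b) - (a < b);
}

/* Lower median of n samples; a median resists interrupts and other outliers
 * far better than a mean. The caller's array is left untouched. */
uint64_t median_u64(const uint64_t *v, size_t n)
{
    if (n == 0) return 0;
    uint64_t *copy = malloc(n * sizeof *copy);
    if (!copy) return 0;
    memcpy(copy, v, n * sizeof *copy);
    qsort(copy, n, sizeof *copy, cmp_u64);
    uint64_t m = copy[n / 2];
    free(copy);
    return m;
}

/* 1 = trapped instruction is suspiciously slow relative to the baseline,
 * 0 = looks native, -1 = no usable measurement (e.g. non-x86 build). */
int classify_ratio(uint64_t trap_cycles, uint64_t base_cycles, unsigned threshold)
{
    if (base_cycles == 0) return -1;
    return (trap_cycles / base_cycles) >= threshold ? 1 : 0;
}

/* Collect samples, reduce to medians and classify; medians are returned
 * through the out-pointers so a caller can log them. */
int probe_hypervisor_timing(unsigned threshold, uint64_t *out_trap, uint64_t *out_base)
{
    uint64_t trap[SAMPLES], base[SAMPLES];
    for (size_t i = 0; i < SAMPLES; i++) {
        trap[i] = time_cpuid();
        base[i] = time_baseline();
    }
    uint64_t mt = median_u64(trap, SAMPLES), mb = median_u64(base, SAMPLES);
    if (out_trap) *out_trap = mt;
    if (out_base) *out_base = mb;
    return classify_ratio(mt, mb, threshold);
}

int main(void)
{
    uint64_t t, b;
    int r = probe_hypervisor_timing(10, &t, &b);   /* 10x is an assumed threshold */
    printf("median CPUID: %llu ticks, median baseline: %llu ticks\n",
           (unsigned long long)t, (unsigned long long)b);
    if (r < 0)  puts("no measurement available on this build");
    else if (r) puts("SUSPICIOUS: trapped instruction far slower than baseline");
    else        puts("looks native");
    return 0;
}
```

The check is only as trustworthy as its clock: a hypervisor can offset or slow the TSC the guest reads, which is exactly the "go-slow loop" Adams dismisses as the only defence he has seen. A practical detector therefore cross-checks the TSC against a clock the hypervisor cannot cheaply fake (the PIT mentioned above, or a network-side timer) and, as Adams argues, looks beyond timing to the cache and memory footprint a real hypervisor leaves behind.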
Nate Lawson of Root Labs, one of the members of the team that has said it can detect Blue Pill on a clean Vista machine, says this rootkit detection technique is one that the team is using, but adds that they have others in mind as well. Judging by Rutkowska’s reaction to the challenge from Lawson, Dino Dai Zovi, Tom Ptacek and Peter Ferrie, it seems unlikely that the session will actually come off as planned. But the back-and-forth among the principals has fostered a fascinating discussion on the true capabilities of this kind of malware, if nothing else. If it does happen, it should be great theater.