Opinion:

Debunking the "Blue Pill" Vulnerability Theory

10 Oct 2006 | Jonathan Hassell, Contributor

Advice for securing Windows

Two months after Joanna Rutkowska's "Blue Pill" demonstration at the Black Hat conference in Las Vegas, security mavens are still debating whether what she showed is a legitimate vulnerability at all and, if it is, whether Windows Vista's code is actually the problem. Let's take a look at the facts.

  • The presentation demonstrated how a user with administrative privileges on an x64-based machine could load unsigned (unverified) code into the Windows Vista kernel despite the kernel-mode driver-signing requirement.
  • Blue Pill itself works by installing a thin hypervisor on the fly and moving the running operating system into a virtual machine beneath it, without a reboot. The hypervisor is the rootkit: code running inside the guest, including the kernel, has no straightforward way to see it, which is why Rutkowska described it as undetectable. Her demonstration loaded unsigned code into the Vista kernel and installed Blue Pill from there, all without rebooting the machine.
  • A crucial part of the demonstration was AMD's SVM ("Pacifica") hardware virtualization extensions, available in 64-bit AMD processors. Blue Pill uses SVM as designed rather than exploiting a flaw in it, and Rutkowska was explicit that no operating system bug is involved either. To quote her blog: "I would like to make it clear, that the Blue Pill technology does not rely on any bug of the underlying operating system. I have implemented a working prototype for Vista x64, but I see no reasons why it should not be possible to port it to other operating systems, like Linux or BSD which can be run on x64 platform."
  • There is discussion and debate about whether Intel's virtualization technology (VT-x) can be used the same way and, if so, to what degree compared with AMD's.
  • The exploit requires administrative access to the machine, a privilege threshold that, once reached, already permits all sorts of legitimate and illegitimate activity that can weaken or destroy the integrity of a system.
  • x64 versions of Windows Vista require, by default, that kernel-mode drivers be signed before they will load. The purpose of this requirement is to thwart potential attacks as well as to improve system reliability: a buggy driver that is signed comes with what amounts to a business card carrying the developer's information, which makes resolution much easier.
  • Microsoft is investigating the exploit to determine whether modifications to Vista's security mechanisms are necessary. Austin Wilson of Microsoft says, "we already have our teams combing through information to make Windows Vista even better because of [the Black Hat conference]."
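As an added example (not code from this article, from Microsoft, or from Rutkowska's Blue Pill project), the following C program puts the points above in concrete terms with the CPUID checks a practitioner can run on the machine in question: whether the processor exposes AMD's SVM or Intel's VT-x, whether a hypervisor has announced itself through the CPUID hypervisor-present bit, and a timing heuristic for the case where it has not. It assumes gcc or clang on x86/x86-64 (elsewhere the live probe reports unsupported); the function names and the choice of 256 timing rounds are the example's own.

```c
/* Added example, not the article's or Rutkowska's code: CPUID probes for the
 * virtualization features and hypervisor hints discussed above.
 * Assumes gcc or clang; the live probe only runs on x86/x86-64. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>      /* __get_cpuid */
#include <x86intrin.h>  /* __rdtsc */
#define HAVE_X86 1
#else
#define HAVE_X86 0
#endif

/* Pure decoders take raw register values, so they can be checked against the
 * documented bit positions without depending on the host CPU. */

/* CPUID.1:ECX bit 31, set by hypervisors that choose to announce themselves
 * (VMware, Hyper-V, KVM, ...). A stealth hypervisor such as Blue Pill simply
 * leaves it clear, so a clear bit is not evidence of absence. */
int hypervisor_bit_set(uint32_t leaf1_ecx) { return (leaf1_ecx >> 31) & 1u; }

/* CPUID.1:ECX bit 5, Intel VT-x (VMX). */
int vmx_supported(uint32_t leaf1_ecx) { return (leaf1_ecx >> 5) & 1u; }

/* CPUID.80000001h:ECX bit 2, AMD SVM ("Pacifica"), what Blue Pill relies on. */
int svm_supported(uint32_t ext1_ecx) { return (ext1_ecx >> 2) & 1u; }

/* The 12-byte vendor string is EBX, EDX, ECX of leaf 0, low byte first. */
void vendor_string(uint32_t ebx, uint32_t edx, uint32_t ecx, char out[13]) {
    uint32_t regs[3] = { ebx, edx, ecx };
    for (int r = 0; r < 3; r++)
        for (int i = 0; i < 4; i++)
            out[r * 4 + i] = (char)((regs[r] >> (8 * i)) & 0xffu);
    out[12] = '\0';
}

int vendor_matches(uint32_t ebx, uint32_t edx, uint32_t ecx, const char *expected) {
    char v[13];
    vendor_string(ebx, edx, ecx, v);
    return strcmp(v, expected) == 0;
}

/* Timing heuristic. VT-x exits to the hypervisor on every CPUID; SVM makes the
 * intercept optional, so a stealth SVM hypervisor that intercepts nothing will
 * not show up here. Returns the minimum TSC delta over `rounds` executions
 * (the minimum is least disturbed by interrupts), or 0 off x86 / for no
 * rounds. The absolute value means nothing on its own: compare it with a
 * baseline from a known-clean machine of the same model. */
uint64_t cpuid_min_cycles(int rounds) {
    uint64_t best = UINT64_MAX;
#if HAVE_X86
    unsigned a, b, c, d;
    for (int i = 0; i < rounds; i++) {
        uint64_t t0 = __rdtsc();
        __get_cpuid(0, &a, &b, &c, &d);   /* asm volatile: never optimized out */
        uint64_t t1 = __rdtsc();
        if (t1 - t0 < best) best = t1 - t0;
    }
#else
    (void)rounds;
#endif
    return best == UINT64_MAX ? 0 : best;
}

typedef struct {
    int supported;          /* 1 when the probe actually ran on x86 */
    char vendor[13];
    int vmx, svm, hv_bit;
    uint64_t cpuid_cycles;  /* minimum CPUID latency in TSC ticks */
} virt_probe;

virt_probe probe_cpu(void) {
    virt_probe p;
    memset(&p, 0, sizeof p);
#if HAVE_X86
    unsigned a, b, c, d;
    if (__get_cpuid(0, &a, &b, &c, &d)) {
        p.supported = 1;
        vendor_string(b, d, c, p.vendor);
    }
    if (__get_cpuid(1, &a, &b, &c, &d)) {
        p.vmx = vmx_supported(c);
        p.hv_bit = hypervisor_bit_set(c);
    }
    if (__get_cpuid(0x80000001u, &a, &b, &c, &d))
        p.svm = svm_supported(c);
    p.cpuid_cycles = cpuid_min_cycles(256);
#endif
    return p;
}

int main(void) {
    virt_probe p = probe_cpu();
    if (!p.supported) { puts("not an x86 machine; nothing to probe"); return 0; }
    printf("vendor: %s\n", p.vendor);
    printf("AMD SVM: %s   Intel VMX: %s\n", p.svm ? "yes" : "no", p.vmx ? "yes" : "no");
    printf("hypervisor-present bit: %s (a stealth hypervisor would say no)\n",
           p.hv_bit ? "yes" : "no");
    printf("min CPUID latency: %llu TSC ticks (compare with a clean baseline)\n",
           (unsigned long long)p.cpuid_cycles);
    return 0;
}
```

Build with `cc -O2 probe.c -o probe` and run it first on a machine you trust, to record a baseline. Note what each result can and cannot tell you: the hypervisor-present bit only finds hypervisors that want to be found, and the latency figure is meaningful only relative to a clean machine of the same model, which is exactly why the "undetectable" claim is still being argued.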

The fact that this exploit even occurred is alarming. But exactly who should it alarm? Windows system administrators? Those thinking of running Windows Vista x64? Or all administrators? I believe it's something we all should be concerned with.

A fundamental tenet of computer security is that a user with administrative powers can do a lot to a machine -- including format an entire hard drive. This tenet is why privilege escalation attacks are so problematic. But this particular "blue pill" exploit involved no privilege escalation at all; it starts from administrative rights. And the chances of someone obtaining remote access to a machine with administrative privileges and then successfully pulling off this exploit are very slim. In fact, no one has done so yet.

So has Windows Vista security been blown away? Has all the work the development team put into the product been for naught? Absolutely not. The response to Windows Vista's security at Black Hat was actually quite positive, which is saying something significant when you consider the typical makeup of the audience at the conference—they're hardly Microsoft apologists.

Good things are happening when it comes to security in Vista. Don't let this "blue pill" business make you think otherwise.

About the author: Jonathan Hassell is author of Hardening Windows (Apress LP) and is a SearchWindowsSecurity.com site expert. Hassell is a systems administrator and IT consultant residing in Raleigh, N.C., who has extensive experience in networking technologies and Internet connectivity. He runs his own Web-hosting business, Enable Hosting. His previous book, RADIUS (O'Reilly & Associates), is a guide to implementing the RADIUS authentication protocol and overall network security.
