Blue Pill (software) explained

Blue Pill is the codename for a rootkit based on x86 virtualization. Blue Pill originally required AMD-V (Pacifica) virtualization support, but was later ported to support Intel VT-x (Vanderpool) as well. It was designed by Joanna Rutkowska and originally demonstrated at the Black Hat Briefings on August 3, 2006, with a reference implementation for the Microsoft Windows Vista kernel.

The name is a reference to the red pill and blue pill concept from the 1999 film The Matrix.

Overview

The Blue Pill concept is to trap a running instance of the operating system by starting a thin hypervisor and virtualizing the rest of the machine under it. The previous operating system would still maintain its existing references to all devices and files, but nearly anything, including hardware interrupts, requests for data and even the system time could be intercepted (and a fake response sent) by the hypervisor. The original concept of Blue Pill was published by another researcher at IEEE Oakland in May 2006, under the name VMBR (virtual-machine based rootkit).[1]

Rutkowska claims that, since any detection program could be fooled by the hypervisor, such a system could be "100% undetectable". Since AMD virtualization is seamless by design, a virtualized guest is not supposed to be able to query whether it is a guest or not. Therefore, the only way Blue Pill could be detected is if the virtualization implementation were not functioning as specified.[2]

This assessment, repeated in numerous press articles, is disputed: AMD issued a statement dismissing the claim of full undetectability.[3] Some other security researchers and journalists also dismissed the concept as implausible.[4] Virtualization could be detected by a timing attack relying on external sources of time.[5]

In 2007, a group of researchers challenged Rutkowska to put Blue Pill against their rootkit detector software at that year's Black Hat conference,[6] but the deal was deemed a no-go following Rutkowska's request for $384,000 in funding as a prerequisite for entering the competition.[7] Rutkowska and Alexander Tereshkin countered detractors' claims during a subsequent Black Hat speech, arguing that the proposed detection methods were inaccurate.[8]

The source code for Blue Pill has since been made public,[9] [10] under the following license: Any unauthorized use (including publishing and distribution) of this software requires a valid license from the copyright holder. This software has been provided for the educational use only during the Black Hat training and conference.[11]

Red Pill

Red Pill is a technique to detect the presence of a virtual machine also developed by Joanna Rutkowska.[12]

External links

Notes and References

  1. Book: King . S. T. . Chen . P. M. . 10.1109/SP.2006.38 . SubVirt: implementing malware with virtual machines . 2006 IEEE Symposium on Security and Privacy (S&P'06) . 14 pp . 2006 . 0-7695-2574-1 . 1349303 .
  2. http://www.eweek.com/article2/0,1895,1983037,00.asp 'Blue Pill' Prototype Creates 100% Undetectable Malware
  3. http://securitywatch.eweek.com/rootkits/faceoff_amd_vs_joanna_rutkowsk.html Faceoff: AMD vs. Joanna Rutkowska
  4. http://www.virtualization.info/2006/08/debunking-blue-pill-myth.html Debunking Blue Pill Myth
  5. Web site: - Showdown at the Blue Pill Corral - eWeek Security Watch . https://archive.today/20120206042114/http://securitywatch.eweek.com/showdown_at_the_blue_pill_corral.html . dead . 2012-02-06 . 2007-08-20 .
  6. https://web.archive.org/web/20070701201627/http://blogs.zdnet.com/security/?p=334 Rutkowska faces ‘100% undetectable malware’ challenge
  7. Web site: Blue Pill hacker challenge update: It's a no-go. Naraine. Ryan. 2007-06-29. ZDNet. ZDNet. https://web.archive.org/web/20091126172635/http://blogs.zdnet.com/security/?p=340. 2009-11-26. dead. 2016-01-24. Rutkowska [...] wants her two-person team to be paid $384,000 ($200/hr each for two people working full-time for six months) [...] Matasano’s Thomas Ptacek, a member of the challenge team, provides this apt response: 'Why would we pay you $384,000 to buy a rootkit we already know we can detect?'.
  8. https://archive.today/20120206042114/http://securitywatch.eweek.com/showdown_at_the_blue_pill_corral.html Showdown at the Blue Pill Corral
  9. http://www.invisiblethingslab.com/resources/bh07/ Blue Pill 2007
  10. http://www.invisiblethingslab.com/resources/bh08/ Blue Pill 2008
  11. Web site: bluepillproject.org. 18 April 2008. 3 September 2017. bot: unknown. https://web.archive.org/web/20080418123748/http://www.bluepillproject.org/. 18 April 2008.
  12. Web site: Blog | the Invisible Things . 2007-09-11 . dead . https://web.archive.org/web/20070911024318/http://invisiblethings.org/papers/redpill.html . 2007-09-11 .