Thursday, July 06, 2006

Spend more time reading, less time watching "The Matrix"

I was recently pointed to two different programs that attempt to detect the presence of a VMM and produce an undetectable VMM. These are called "red pill" and "blue pill" respectively and both are by Joanna Rutkowska of invisiblethings.org. "red pill" claims to detect modern VMMs by checking the results of a sidt. Since most VMMs hide themselves in upper memory, the claim is that if the IDT (which is of course being shadowed) is in the upper 256MB of memory, you're in a VMM. Most operating systems tend to use the upper portion of memory to map physical pages, so this is probably going to work more often than not. However, it's quite easily defeatable, since in the VMM you could either 1) move yourself to a lower region of memory or 2) just use a full emulator and avoid any shadowing. Therefore, the "red pill" is really not that useful.

This doesn't mean that you can't detect a VMM's presence. If you go all the way back to the Popek/Goldberg paper (which is 30 years old), they make it quite clear that any program that depends on timing will no longer function as expected in a virtual machine. One can exploit this fact to detect the presence of a VMM in a generic way. This is exactly what is done in Pioneer. Pioneer makes use of a checksumming algorithm that also incorporates EFLAGS. Since pushf is not trappable and EFLAGS is really hard to rewrite with a JIT (since you have to keep track of condition flags), one can easily detect (by checking how long the checksum takes to compute) the presence of a VMM.

So what about "blue pill"? The author seems to think that SVM is impossible to detect because the VMM no longer has to shadow things like the IDT. Of course, this is naive, since one can still do a timing analysis.

Okay, so I'm being pretty harsh here. This is all very obscure stuff. I'm somewhat amazed, though, because I've seen references to these things in a number of places now (including major news sites).
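The timing-based check described above, as an added example that is neither Pioneer's code nor anything from the post: a checksum that folds EFLAGS into every step through GCC/clang's __readeflags intrinsic, timed with __rdtsc, plus the verifier's baseline comparison. The baseline and slack values are assumptions that would have to be calibrated on the real hardware, and the non-x86 branch exists only so the example still builds there.

```c
#include <stdint.h>
#include <stddef.h>

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
/* pushf-based read of EFLAGS: unprivileged, so a VMM cannot trap it, and a
   JIT must track the condition flags itself to reproduce the same value. */
static inline uint64_t read_flags(void) { return (uint64_t)__readeflags(); }
static inline uint64_t read_clock(void) { return __rdtsc(); }
#else
#include <time.h>
/* Non-x86 fallback (assumption, build-only): a fixed flags word and a
   nanosecond clock stand in for EFLAGS and the TSC. */
static inline uint64_t read_flags(void) { return 0x202; }
static inline uint64_t read_clock(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
}
#endif

/* Checksum over buf that mixes the flags register into every step, so an
   emulator that cannot cheaply produce EFLAGS pays for it on each iteration. */
uint64_t flags_checksum(const uint8_t *buf, size_t len, unsigned rounds) {
    uint64_t acc = 0x9e3779b97f4a7c15ull;   /* constructed seed constant */
    for (unsigned r = 0; r < rounds; r++) {
        for (size_t i = 0; i < len; i++) {
            acc += buf[i];              /* the add sets CF/ZF/SF/OF ... */
            acc ^= read_flags();        /* ... which are folded straight in */
            acc = (acc << 13) | (acc >> 51);
        }
    }
    return acc;
}

/* Run the checksum and report how long it took; the verifier side checks
   the value against the expected one and the time against a baseline. */
uint64_t timed_checksum(const uint8_t *buf, size_t len, unsigned rounds,
                        uint64_t *checksum_out) {
    uint64_t start = read_clock();
    *checksum_out = flags_checksum(buf, len, rounds);
    return read_clock() - start;
}

/* Verifier decision: a run that overshoots the calibrated baseline by more
   than slack_percent is flagged as having something between us and the CPU. */
int exceeds_baseline(uint64_t measured, uint64_t baseline, unsigned slack_percent) {
    return measured > baseline + baseline * slack_percent / 100;
}
```

The baseline must be measured on the genuine machine beforehand; on its own a single cycle count says nothing, which is exactly why a verifier with a known-good reference is part of the scheme.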