From owner-freebsd-security@FreeBSD.ORG Fri Nov 3 19:50:20 2006
Date: Fri, 3 Nov 2006 14:58:01 -0500
From: Wesley Shields <wxs@atarininja.org>
To: "Ricardo A. Reis"
Cc: freebsd-security@freebsd.org
Subject: Re: Enc: FreeBSD and the new virtual machine-based rootkits
Message-ID: <20061103195801.GA23725@atarininja.org>
In-Reply-To: <20061103155459.97181.qmail@web56404.mail.re3.yahoo.com>
References: <20061103155459.97181.qmail@web56404.mail.re3.yahoo.com>

On Fri, Nov 03, 2006 at 07:54:59AM -0800, Ricardo A. Reis wrote:
[...]
> At the II COLARIS, Joanna Rutkowska alerted us to the possible
> new technology of malware using hardware virtualization, present
> in the new AMD and Intel processors.
>
> I've two questions ...
>
> 1) How is it possible to detect if my system is moved inside a VM on the fly?

She has discussed various solutions for this problem, and why she believes they may or may not work.
The one most people suggest is to time how long it takes for various instructions to run, but this can be tricked by the VMM-rootkit.  I'd suggest reading:

http://theinvisiblethings.blogspot.com/2006/08/blue-pill-detection.html

> 2) Does a project exist to merge veriexec from NetBSD into FreeBSD
> and add the SPKI feature?

Not that I'm aware of, but something which is somewhat similar has been posted to trustedbsd-discuss.  I'd check out the following links:

http://lists.freebsd.org/pipermail/trustedbsd-discuss/2006-August/000865.html
http://people.freebsd.org/~csjp/mac/
http://people.freebsd.org/~csjp/mac_chkexec.txt

AFAIK this is still in perforce, but will hopefully make its way into -CURRENT and eventually a release.  I'm sure someone will speak up if I'm wrong here.

-- WXS