Date: Tue, 7 Nov 2006 20:19:40 -0800
From: Wes Peters <wes@opensail.org>
To: freebsd-security@freebsd.org
Subject: Re: freebsd-security Digest, Vol 184, Issue 2
Message-ID: <0C344F30-40A1-4B08-A1C7-3F8CD536244D@opensail.org>
In-Reply-To: <20061104163000.30D2516A7A6@hub.freebsd.org>
References: <20061104163000.30D2516A7A6@hub.freebsd.org>
On Nov 4, 2006, at 8:30 AM, Wesley Shields <wxs@atarininja.org> wrote:

> On Fri, Nov 03, 2006 at 07:54:59AM -0800, Ricardo A. Reis wrote:
> [...]
>> At the II COLARIS, Joanna Rutkowska alerted us to the possible new
>> technology of malware using hardware virtualization, present in AMD's
>> and Intel's new processors.
>>
>> I have two questions ...
>>
>> 1) How is it possible to detect if my system has been moved inside a
>> VM on the fly?
>
> She has discussed various solutions for this problem, and why she
> believes they may or may not work. The one most people suggest is to
> time how long it takes for various instructions to run, but this can be
> tricked by the VMM-rootkit. I'd suggest reading:
>
> http://theinvisiblethings.blogspot.com/2006/08/blue-pill-detection.html

One thing that leaps immediately to mind is a startup check to see if this
'dmesg.boot' differs from the previous one. Rather than overwriting the
previous one, move it to a backup, create the new one, and log something if
they differ. I hacked this up in a couple of minutes:

--- /etc/rc.d/dmesg	Sat May 6 21:00:26 2006
+++ dmesg	Tue Nov 7 20:17:47 2006
@@ -19,8 +19,10 @@
 do_dmesg()
 {
-	rm -f ${dmesg_file}
+	mv -f ${dmesg_file} ${dmesg_file}.prev
 	( umask 022 ; /sbin/dmesg $rc_flags > ${dmesg_file} )
+	cmp -s ${dmesg_file} ${dmesg_file}.prev || \
+		logger -p security.warn 'dmesg.boot changed from previous boot'
 }
 
 load_rc_config $name

If you like that, I'm willing to discuss it further, and/or commit it and
let the howling tell if it's a keeper or not. ;^)

-- 
Where am I, and what am I doing in this handbasket?

Wes Peters                                                wes@softweyr.com
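Review bot: the `mv -f ${dmesg_file} ${dmesg_file}.prev` line and the `cmp -s ${dmesg_file} ${dmesg_file}.prev` line both assume a capture from the previous boot exists, which is false on the first boot after installation or after /var/run has been cleaned: mv then prints an error on the console where the old `rm -f` was silent, and `cmp -s` against a missing .prev exits non-zero, so 'dmesg.boot changed from previous boot' is logged although nothing changed. Guard both, e.g. `[ -f ${dmesg_file} ] && mv -f ${dmesg_file} ${dmesg_file}.prev` and run the cmp only when ${dmesg_file}.prev exists (or log a distinct "no previous boot record" message for that case). Worth a comment in the script as well: the comparison runs only at boot, so it says nothing about a hypervisor slipped under a running system, which is the "on the fly" case the question asked about, and any legitimate change between boots (new kernel, changed hardware) will also trip the security.warn, so the message should not be read as more than "something in the boot log is different".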
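The quoted reply mentions the detection approach most people suggest, timing how long particular instructions take, and notes that a VMM rootkit can defeat it. The following is an added example written for this page, not code from the thread, from Joanna Rutkowska, or from FreeBSD: it times CPUID, which hardware virtualization (VT-x/SVM) always intercepts, using the TSC, and reports a verdict. The 500-cycle threshold, the function names and the median-of-samples choice are assumptions made here for illustration; a hypervisor that adjusts the TSC on exit can make the measurement look like bare metal, which is exactly the limitation the reply points out.

```c
/*
 * Added example (not from the mailing-list thread or FreeBSD): the
 * CPUID-timing check referred to in the quoted reply.  Under VT-x/SVM
 * every CPUID causes a VM exit, so its cost in TSC cycles is a rough
 * bare-metal vs. virtualized signal.  The threshold is an assumption.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>       /* __get_cpuid(): GCC/clang intrinsic */
#include <x86intrin.h>   /* __rdtsc() */
#define HAVE_X86_TIMING 1
#else
#define HAVE_X86_TIMING 0
#endif

/* Assumed threshold (not from the page): CPUID costs well under this on
 * bare metal and well over it when each CPUID is a VM exit. */
#define CPUID_VMEXIT_THRESHOLD_CYCLES 500ULL

static int cmp_u64(const void *x, const void *y)
{
    uint64_t a = *(const uint64_t *)x, b = *(const uint64_t *)y;
    return (a > b) - (a < b);
}

/*
 * Time `samples` executions of CPUID leaf 0 and return the median cycle
 * count.  The median, rather than the mean, keeps one interrupt or context
 * switch from skewing the result.  Returns 0 when the probe is unavailable
 * (non-x86 build, zero samples, allocation failure).
 */
uint64_t cpuid_median_cycles(size_t samples)
{
#if HAVE_X86_TIMING
    unsigned int a, b, c, d;
    uint64_t *t, median;
    size_t i;

    if (samples == 0)
        return 0;
    t = calloc(samples, sizeof *t);
    if (t == NULL)
        return 0;
    for (i = 0; i < samples; i++) {
        uint64_t start = __rdtsc();
        __get_cpuid(0, &a, &b, &c, &d);   /* serialising; always intercepted by a VMM */
        t[i] = __rdtsc() - start;
    }
    qsort(t, samples, sizeof *t, cmp_u64);
    median = t[samples / 2];
    free(t);
    return median;
#else
    (void)samples;
    return 0;
#endif
}

/* Map a median cycle count to a verdict; 0 means the probe is unavailable. */
const char *classify_cpuid_cost(uint64_t cycles)
{
    if (cycles == 0)
        return "unsupported";
    if (cycles > CPUID_VMEXIT_THRESHOLD_CYCLES)
        return "likely-virtualized";
    return "likely-bare-metal";
}

int main(void)
{
    uint64_t cycles = cpuid_median_cycles(256);
    printf("median CPUID cost: %llu cycles -> %s\n",
           (unsigned long long)cycles, classify_cpuid_cost(cycles));
    return 0;
}
```

Run it on a machine you know to be physical and on the same model under a hypervisor to see the gap the check relies on; the verdict string is only as good as the assumed threshold, and a rootkit that rewrites the TSC offset on every exit will collapse the gap.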