Date: Thu, 12 Jun 2008 02:05:55 +0000 (UTC) From: dfeustel@mindspring.com To: Jeffrey Goldberg <jeffrey@goldmark.org> Cc: cpghost <cpghost@cordula.ws>, FreeBSD List <freebsd-questions@freebsd.org> Subject: Re: FreeBSD and User Security Message-ID: <20080612020555.56DD08FC14@mx1.freebsd.org> In-Reply-To: <81EBB0C0-AC7A-42EE-A128-BA70ADCC336B@goldmark.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, Jun 11, 2008 at 08:51:16PM -0500, Jeffrey Goldberg wrote: > On Jun 11, 2008, at 8:08 PM, cpghost wrote: > >> On Wed, 11 Jun 2008 19:45:51 -0500 >> Jeffrey Goldberg <jeffrey@goldmark.org> wrote: > >>> First it should consume memory. A very complete test of memory >>> through a modified memtest should be able to detect whether system >>> reported memory is accurate. > >> What if memtest already runs within the virtualization box? How can it >> determine what the "right" amount of memory is supposed to be? > > I was assuming that that would be known by the operator. > >> And if >> the virtualizer hot-patched memtest instructions, either on loading it >> or dynamically while it runs, it could make it report whatever it >> liked. > > Of course. > >>> Secondly, a blue pill would need to be reinserted after a hard >>> reboot. Therefore a look at the boot process (of a non-live system) >>> should be able to see whether there is something that reinserts the >>> blue pill. > >> Yes, but you've got to have a very close look at it, as it won't >> necessarily appear on the screen -- being caught as well by the >> virtualizer. And Joanna also has a paper about fooling hardware >> capture cards into reporting bogus data on her site, so you won't >> even be able to detect that RAM contains something else upon boot >> than those hardware capture cards are supposedly reporting. > > Yes. I've now read through some of Rutowska's slides (following the link > provided by dfeustel in another post in this thread). > >> If all this is as she's described, it is truly brilliant from a >> technical POV... and a very worrying thought as well. > > Yes it is worrying. The next time I reboot the one server I've got with an > SVM capable processor I'm going to disconnect the power (to make sure that > I'm getting a real reboot instead of a spoofed one) and then on reboot I > will disable SVM in the BIOS. How do you know that the bios has not been reflashed by a virus, trojan, or rootkit?
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20080612020555.56DD08FC14>