[112169] in cryptography@c2.net mail archive
Re: Death of antivirus software imminent
daemon@ATHENA.MIT.EDU (Angelos D. Keromytis)
Wed Jan 2 17:05:38 2008
Cc: Bill Frantz <frantz@pwpconsult.com>,
Cryptography <cryptography@metzdowd.com>
From: "Angelos D. Keromytis" <angelos@cs.columbia.edu>
To: Anne & Lynn Wheeler <lynn@garlic.com>
In-Reply-To: <477BC55E.5080709@garlic.com>
Date: Wed, 2 Jan 2008 16:53:26 -0400
There was a paper in IEEE Security & Privacy 2006 by Sam King on how
to do this kind of attack (his system was called SubVirt):
http://www.eecs.umich.edu/virtual/papers/king06.pdf
However, in practice it turns out this is a much harder than people
think. See Tal Garfinkel's paper on precisely this topic at HotOS 2007:
http://www.stanford.edu/~talg/papers/HOTOS07/abstract.html
-Angelos
On Jan 2, 2008, at 1:09 PM, Anne & Lynn Wheeler wrote:
> Bill Frantz wrote:
> > My favorite virtual machine use is for the virus to install itself
> > as a virtual machine, and run the OS in the virtual machine. This
> > technique should be really good for hiding from virus scanners.
>
> re:
> http://www.garlic.com/~lynn/aadsm28.htm#2 Death of antivirus
> software imminent
> http://www.garlic.com/~lynn/aadsm28.htm#4 Death of antivirus
> software imminent
>
> i commented on that in reference posts mentioning that there have been
> uses of virtual machines to study virus/trojans ... but that
> some of the new generation virus/trojans are now looking to see if
> they
> are running in virtual machine (studied?).
>
> some of the current trade-off is whether that virtual machine
> technology
> can be used to partition off basically insecure operations (which
> are widely
> recognized as being easy to compromise) and then completely discard
> the environment and rebuild from scratch after every session (sort of
> the automated equivalent of having to manually wipe an infected
> machine
> and re-install from scratch).
>
> the counter argument is that crooks can possibly also use similar
> technology to hide ... once they have infected the machine. the
> current
> issue is that a lot of the antivirus/scanning techniques are
> becoming obsolete
> w/o the attackers even leveraging virtual machine technology.
>
> The attackers can leverage the technology in an otherwise poorly
> defended machine. Some years ago there was a product claiming
> that it could operate even at a public access machine because
> of their completeness of their antivirus countermeasures ... even
> on an infected machine. I raised the issue that it would be trivial
> to defeat all such countermeasures using virtual machine technology.
> Somewhat of a skirmish resulted since they had never considered
> (or heard of) virtual machine technology ... for all i know there
> is still ongoing head-in-the-sand situation.
>
> for little topic drift ... this blog entry:
> https://financialcryptography.com/mt/archives/000991.html
>
> and
> http://www.garlic.com/~lynn/aadsm28.htm#3
> http://www.garlic.com/~lynn/aadsm28.htm#5
>
> there is some assertion that the crooks overwhelming the
> defenders countermeasures because they are operating
> significantly faster and more efficiently.
>
> however, another interpretation is that the defenders
> have chosen extremely poor position to defend ... and are
> therefor at enormous disadvantage. it may be necessary
> to change the paradigm (and/or find the high ground)
> in order to successfully defend.
>
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com