A BlackHat Showdown
An old-fashioned Wild West show down appears to be on the cards at the 2007 Black Hat USA Briefings & Training, due to kick off in Las Vegas on July 28.
Lining up on one side is a team of luminaries who have gathered under the Matasano Chargen banner, seeking to demonstrate that they can arbitrarily detect hardware-level (hypervisor) rootkits (such as Blue Pill).
Opposing this is the Blue Pill team, led by Joanna Rutkowska, who believe that they have a better than fair chance at evading reliable detection by the Matasano Chargen team.
With an armament of:
- Direct Timing Observation;
- Indirect Timing Observation, and
- Functional Observation
the team from Matasano Chargen believe that they have what it takes to identify and knock down Blue Pill. The difficulty will be in applying these capabilities in a manner that does not adversely impact the end user experience (some cryptographic attacks that use timing observation effectively DoS the system while they are running).
Watching the two teams posturing ahead of the challenge, the impression is gained that they are both moving towards the same goals, but there is a little bit of a discrepancy between the aim points. That discrepancy is going to be the key as to whether Blue Pill succeeds or Matasano succeeds.
Even though there are lines being drawn in the sand by the supporters of each side, the outcome (at this stage) is basically a coin flip.
If Blue Pill can reliably counter each of the techniques being used in an attempt to detect it, then the Blue Pill team wins. In a real infection scenario, disabling the detection software is also a valid procedure (though it will serve as a detection in this case).
If the Matasano team can implement even one reliable detection technique, then they win. The real difficulty is making that technique reliable, given all the other processes that might be competing for resources that are under observation.
Drawing on how the arms race for kernel-level rootkits, detection, and counter-detection has developed, there is a slight advantage to the Blue Pill team.
What everyone watching should hope for is that there is no repeat of last year, where lengthy arguments developed after disputed claims were made about being able to hack WiFi connections on OS X machines.
29 June 2007
Social bookmark this page at eKstreme.
Alternatively, Bookmark or Share via AddThis
Do you like how we cover Information Security news? How about checking out our company services, delivered the same way our news is.
Let our Free OS X Screen Saver deliver the latest security alerts and commentary to your desktop when you're not at your system.
Comments will soon be available for registered users.