[Code-Crunchers] detecting blue pill and BH challenge
Sebastian Krahmer
krahmer at suse.de
Tue Jul 3 02:58:35 CDT 2007
On Mon, 2 Jul 2007, Peter Ferrie wrote:
You don't get me ;-)
A rootkit printing out a message is never ever 100% stealth.
Imagine you are the team to check the laptops;
you have 10 of them and on 2 there is a rootkit. You can't
have it print out messages! If you can't detect it, it doesn't say
it's 100% hidden. Maybe you don't know the correct keypresses
to enable it; but it's not 100% hidden. It's either *there*
and it has to do something useful. Then you don't have 100%,
because at least one person (the attacker) knows how to detect it.
The detect-team in the worst case just misses this knowledge;
but they could detect it if they knew.
You never ever get it 100% invisible or it's just useless.
Additionally you need to access it in some remote way,
to be really useful. And you don't have the network nodes under your
control.
It's like the halting problem. You will never solve it.
From the attacker's view you can't be 100% sure that there is software
triggering a 'halt' in your system. And from the detector's view
you can't say with 100% probability that the system is 'halt'-free, e.g.
won't hide a rootkit.
So, this competition is useless and just serves as a nice advertising
campaign for Mrs. Rutkowska ;-)
So let's stop discussing things which are impossible from either side :)
l8er,
S.
> >>The problem is: if she is right and she can make it 100% invisible,
> >>how will she prove that she indeed installed a rootkit?
> >>A 100% invisible rootkit is useless. It's the NULL-rootkit.
> >>It's pure math, you cannot win ;-)
> >
> >Only if you want proof. Then, the rootkit can prove it is there. :)
>
> Right. It can display a message or something, though that proves only that something is running. It might be just a little TSR that displays a message. We would have to trust her on that.
>
> >The one thing that bugs me throughout all of this: this is never 100%.
>
> Which is exactly our claim - it cannot be done 100% in hardware. Software, of course, is another matter entirely, but no-one is even close to that yet.
>
> _______________________________________________
> Code-Crunchers mailing list
> Code-Crunchers at whitestar.linuxbox.org
> http://whitestar.linuxbox.org/mailman/listinfo/code-crunchers
>
--
~
~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer at suse.de - SuSE Security Team
~ SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)