[Code-Crunchers] detecting blue pill and BH challenge

Gadi Evron ge at linuxbox.org
Tue Jul 3 03:01:56 CDT 2007


On 2007-07-03 09:58+0200, Sebastian Krahmer wrote:
>On Mon, 2 Jul 2007, Peter Ferrie wrote:
>
>You don't get me ;-)
>A rootkit printing out a message is never ever 100% stealth.
>Imagine you are the team to check the laptops;
>you have 10 of them and on 2 there is a rootkit. You can't
>have it print out messages! If you can't detect it, it doesn't say
>it's 100% hidden. Maybe you don't know the correct keypresses
>to enable it; but it's not 100% hidden. It's either *there*
>and it has to do something useful. Then you don't have 100%,
>because at least one person (the attacker) knows how to detect it.
>The detect-team in the worst case just misses this knowledge;
>but they could detect it if they knew.
>You never ever get it 100% invisible or it's just useless.
>Additionally you need to access it in some remote way,
>to be really useful. And you don't have the network nodes under your
>control.
>
>It's like the halting problem. You will never solve it.
>From the attacker's view you can't be 100% sure that there is software
>triggering a 'halt' in your system. And from the detector's view
>you can't say with 100% probability that the system is 'halt'-free, e.g.
>won't hide a rootkit.
>So, this competition is useless and just serves as a nice advertising
>campaign for Mrs. Rutkowska ;-)
>
>So let's stop discussing things which are impossible from either side :)

Whether you are right or wrong - you just claimed impossibility. Are
you any better than claims of 100%?  :)

>
>l8er,
>S.
>
>> >>The problem is: if she is right and she can make it 100% invisible,
>> >>how will she prove that she indeed installed a rootkit?
>> >>A 100% invisible rootkit is useless. It's the NULL-rootkit.
>> >>It's pure math, you cannot win ;-)
>> >
>> >Only if you want proof. Then, the rootkit can prove it is there. :)
>> 
>> Right.  It can display a message or something, though that proves only that something is running.  It might be just a little TSR that displays a message.  We would have to trust her on that.
>> 
>> >The one thing that bugs me throughout all of this: this is never 100%.
>>  
>> Which is exactly our claim - it cannot be done 100% in hardware.  Software, of course, is another matter entirely, but no-one is even close to that yet.
>>  
>> _______________________________________________
>> Code-Crunchers mailing list
>> Code-Crunchers at whitestar.linuxbox.org
>> http://whitestar.linuxbox.org/mailman/listinfo/code-crunchers
>> 
>
>-- 
>~
>~ perl self.pl
>~ $_='print"\$_=\47$_\47;eval"';eval
>~ krahmer at suse.de - SuSE Security Team
>~ SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
>

-- 
"beepbeep it, i leave work, stop reading sec lists and im still hearing
gadi"
- HD Moore to Gadi Evron on IM, on Gadi's interview on npr, March 2007.

