By Ryan Russell

Portions of the security community have been abuzz lately with talk of a new rootkit technology dubbed “Blue Pill.” The name is an obvious Matrix reference, especially given that the same researcher named an earlier rootkit detector that she wrote “Red Pill.” The latest buzz started with an eWeek article on her work.
The new ‘Blue Pill’ rootkit technique
The short description is that Joanna Rutkowska has taken advantage of new hardware virtualization features that appear in the latest AMD and Intel processors. These processors have support for running different operating systems side-by-side and can divvy up resources like CPU time and RAM.
This means some other bit of software must be in charge of the divvying, so there is still a top-level control. The tricky bit is this: if no software is already running at this top layer, such software can be loaded on the fly.
For example, from Windows XP, one could load such software (generically called a hypervisor), which XP might then no longer have any control over. Microsoft had planned to use this (and other) technologies in the mostly-shelved Next Generation Secure Computing Base (NGSCB), originally code-named “Palladium.”
This is also the technology used by some of the newer virtual-machine software. For example, I mentioned Parallels Workstation in my Apr. 13 column. It relies on the Intel VT feature present in all the CPUs used by the new Intel Macs.
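The column describes hardware virtualization features that a hypervisor can be loaded on top of; the following added example (mine, not from the column or from Rutkowska's work) shows how a defender can inventory what the CPU advertises via the CPUID instruction: whether Intel VT-x or AMD-V is available, and whether a hypervisor is announcing its presence. It assumes gcc or clang on an x86 machine; note that the hypervisor-present bit and vendor leaf are only set by hypervisors that choose to announce themselves, so a clean result does not rule one out.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Run CPUID for one leaf; on non-x86 builds report all-zero registers. */
static void cpuid_leaf(uint32_t leaf, uint32_t r[4]) {
#if defined(__x86_64__) || defined(__i386__)
    __asm__ volatile("cpuid"
                     : "=a"(r[0]), "=b"(r[1]), "=c"(r[2]), "=d"(r[3])
                     : "a"(leaf), "c"(0));
#else
    r[0] = r[1] = r[2] = r[3] = 0;
#endif
}

/* Leaf 1 ECX bit 5: Intel VT-x (VMX) available. */
int has_vmx(uint32_t leaf1_ecx) { return (leaf1_ecx >> 5) & 1u; }
/* Leaf 0x80000001 ECX bit 2: AMD-V (SVM) available. */
int has_svm(uint32_t ext1_ecx) { return (ext1_ecx >> 2) & 1u; }
/* Leaf 1 ECX bit 31: reserved on bare metal; set only by hypervisors
   that choose to announce themselves. A stealth hypervisor need not. */
int hypervisor_bit(uint32_t leaf1_ecx) { return (leaf1_ecx >> 31) & 1u; }

/* Three registers carry a 12-byte ASCII string in little-endian byte order. */
void regs_to_string(uint32_t a, uint32_t b, uint32_t c, char out[13]) {
    uint32_t parts[3] = { a, b, c };
    memcpy(out, parts, 12);
    out[12] = '\0';
}

typedef struct {
    int vmx, svm, hv_bit;
    char cpu_vendor[13];  /* e.g. "GenuineIntel" or "AuthenticAMD" */
    char hv_vendor[13];   /* e.g. "KVMKVMKVM"; empty when none is announced */
} virt_info;

virt_info probe_virt(void) {
    virt_info v; uint32_t r[4];
    memset(&v, 0, sizeof v);
    cpuid_leaf(0, r); regs_to_string(r[1], r[3], r[2], v.cpu_vendor);  /* EBX,EDX,ECX */
    cpuid_leaf(1, r); v.vmx = has_vmx(r[2]); v.hv_bit = hypervisor_bit(r[2]);
    cpuid_leaf(0x80000000u, r);  /* only read the extended leaf if it exists */
    if (r[0] >= 0x80000001u) { cpuid_leaf(0x80000001u, r); v.svm = has_svm(r[2]); }
    if (v.hv_bit) { cpuid_leaf(0x40000000u, r); regs_to_string(r[1], r[2], r[3], v.hv_vendor); }
    return v;
}

int main(void) {
    virt_info v = probe_virt();
    printf("cpu=%s vmx=%d svm=%d hypervisor_bit=%d hv=%s\n", v.cpu_vendor,
           v.vmx, v.svm, v.hv_bit, v.hv_bit ? v.hv_vendor : "(none)");
    return 0;
}
```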