On Jun 11, 2008, at 7:17 PM, [EMAIL PROTECTED] wrote:
A relatively new security threat known as 'The Blue Pill', based upon
hardware, is a class of virtual rootkits that can silently take over
Intel and AMD systems. A good site to visit to learn about these
virtual rootkits is http://invisiblethings.org/index.html.
That is simple (in concept) yet absolutely brilliant! I'm sure that
people much smarter than I am have thought about these things more
carefully than I have, but I'm not convinced that a blue pill would be
completely undetectable.
First it should consume memory. A very complete test of memory
through a modified memtest should be able to detect whether system
reported memory is accurate.
Secondly, a blue pill would need to be reinserted after a hard
reboot. Therefore a look at the boot process (of a non-live system)
should be able to see whether there is something that reinserts the
blue pill.
But even if detection is possible these ways, a Blue Pill would be
extremely difficult to detect once inserted, and so the focus would
have to be entirely on prevention.
Again, these are just my first thoughts after looking at this very
briefly. The people who come up with this stuff and do proper
analysis are both smarter and more knowledgeable than I am.
Cheers,
-j
--
Jeffrey Goldberg http://www.goldmark.org/jeff/
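The two detection ideas in the message above (compare the memory the firmware reported with what the OS ends up with, and inspect the boot path of a powered-off system for something that reinserts the hypervisor) can both be expressed as baseline checks. The script below is an added example written for this thread, not code from the poster or from invisiblethings.org. All inputs are constructed: the e820 lines mimic what a Linux kernel prints at boot, the MemTotal values are made up, the boot sectors are placeholder bytes, and the 256 MiB "unexplained shortfall" threshold is an assumption you would tune to the box's normal kernel reservation.

```python
import hashlib
import re

# --- Check 1: memory accounting (firmware-reported vs OS-visible) ---------

# Constructed sample of BIOS-e820 lines in the format the Linux kernel logs.
E820_LINES = [
    "BIOS-e820: [mem 0x0000000000000000-0x000000000009fbff] usable",
    "BIOS-e820: [mem 0x000000000009fc00-0x000000000009ffff] reserved",
    "BIOS-e820: [mem 0x00000000000f0000-0x00000000000fffff] reserved",
    "BIOS-e820: [mem 0x0000000000100000-0x00000000bffdffff] usable",
    "BIOS-e820: [mem 0x00000000bffe0000-0x00000000bfffffff] reserved",
    "BIOS-e820: [mem 0x00000000fffc0000-0x00000000ffffffff] reserved",
    "BIOS-e820: [mem 0x0000000100000000-0x000000013fffffff] usable",
]

# Constructed /proc/meminfo excerpts: one plausible, one with a large hole.
MEMINFO_CLEAN = "MemTotal:        4042728 kB\nMemFree:         3100000 kB\n"
MEMINFO_SHORT = "MemTotal:        3780000 kB\nMemFree:         2900000 kB\n"

E820_RE = re.compile(r"\[mem 0x([0-9a-f]+)-0x([0-9a-f]+)\] (\w+)")
MEMTOTAL_RE = re.compile(r"^MemTotal:\s+(\d+) kB")

# Assumed threshold: a kernel legitimately keeps some RAM for itself, so only
# a shortfall larger than this is flagged as unexplained.
UNEXPLAINED_SHORTFALL = 256 * 1024 * 1024


def usable_bytes(lines):
    """Sum the 'usable' ranges of an e820 map (ranges are inclusive)."""
    total = 0
    for line in lines:
        m = E820_RE.search(line)
        if m and m.group(3) == "usable":
            start, end = int(m.group(1), 16), int(m.group(2), 16)
            total += end - start + 1
    return total


def memtotal_bytes(meminfo_text):
    """Extract MemTotal (reported in kB) and convert to bytes."""
    for line in meminfo_text.splitlines():
        m = MEMTOTAL_RE.match(line)
        if m:
            return int(m.group(1)) * 1024
    raise ValueError("MemTotal not found in meminfo text")


def memory_accounting_check(e820_lines, meminfo_text):
    """Flag memory that the firmware offered but the OS never received."""
    firmware = usable_bytes(e820_lines)
    kernel = memtotal_bytes(meminfo_text)
    shortfall = firmware - kernel
    return {
        "firmware_usable": firmware,
        "kernel_total": kernel,
        "shortfall": shortfall,
        "suspicious": shortfall > UNEXPLAINED_SHORTFALL,
    }


# --- Check 2: offline boot-sector baseline ----------------------------------

def make_sector(code, partition_table=bytes(64)):
    """Build a constructed 512-byte MBR-style sector: code, table, signature."""
    return code.ljust(446, b"\x00") + partition_table + b"\x55\xaa"


def boot_sector_fingerprint(sector):
    """Hash only the boot-code area; the partition table changes legitimately."""
    if len(sector) != 512 or sector[510:512] != b"\x55\xaa":
        raise ValueError("not a 512-byte sector with a boot signature")
    return hashlib.sha256(sector[:446]).hexdigest()


def boot_sector_check(sector, baseline_hash):
    """True when the boot code still matches the recorded known-good hash."""
    return boot_sector_fingerprint(sector) == baseline_hash


# Constructed placeholder sectors; real ones come from the offline disk image.
KNOWN_GOOD = make_sector(b"KNOWN-GOOD-BOOT-CODE")
TAMPERED = make_sector(b"KNOWN-GOOD-BOOT-CODE+EXTRA")
BASELINE = boot_sector_fingerprint(KNOWN_GOOD)  # record this while clean

if __name__ == "__main__":
    for label, meminfo in (("clean", MEMINFO_CLEAN), ("short", MEMINFO_SHORT)):
        print(label, memory_accounting_check(E820_LINES, meminfo))
    print("boot sector intact:", boot_sector_check(KNOWN_GOOD, BASELINE))
    print("boot sector tampered:", not boot_sector_check(TAMPERED, BASELINE))
```

Both checks are only as trustworthy as the data they read: a hypervisor that controls the running system can present a consistent e820 map and MemTotal, which is the reason the message stresses inspecting the boot path of a non-live system. The boot-sector baseline should therefore be taken and later compared from a separate, trusted boot medium.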
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"