What was the response of Microsoft to your pagefile attack against Windows Vista? Did anyone from Redmond contact you? Did you talk to them before going public?

We decided to disclose the details of the attack for the first time at the SyScan conference in Singapore (organized by COSEINC) at the end of July. We felt that there was no need to contact the software vendor (who is not our client) before that, as the problem applied to beta software and also the attack itself required that the attacker gained administrative rights already.

During my presentation about the (Vista) pagefile attack, I discussed three possible solutions. And I actually pointed out that one of those solutions, blocking usermode applications from accessing raw disk sectors, is actually not a good move, and I explained why I thought so. I only gave that as a possible solution in the interest of completeness.

To my surprise, in the recent Vista RC2 released a few weeks ago, I noticed that Microsoft actually implemented this very solution that I didn't recommend, which, in my opinion, only solves the problem temporarily.

Have you had any discussions with AMD about Blue Pill? How would you recommend securing a system from that type of attack?

AMD has never contacted me to discuss Blue Pill, and, as far as I know, they have also never contacted anyone from COSEINC. Regarding prevention, one obvious way is to be able to disable virtualization, in BIOS for example, but unfortunately in the hardware we have today, there is no such option. I heard, though, that the possibility exists on Intel-based platforms. Another approach, as I mentioned above, is to have a hypervisor built into the operating system. Such a hypervisor would be able to prevent installation of another one (e.g. Blue Pill). However, there are several problems with implementing this. Would it be possible for a third-party application like VMWare to make use of the hardware virtualization for its own purposes? If yes, then what would be the policy to distinguish between a legal application wanting to install its hypervisor versus a malicious program, like Blue Pill? If not, would that mean that all future hardware-based VMMs, like VMWare, would have to ship with their own custom operating system and that we will not be able to use them as an application?

Also, we would have to be careful when protecting such OS-provided hypervisors, and this is impossible without several technologies, like TPM or DMA protection (DEV on AMD). So, it seems to me that to implement a foolproof protection against hardware virtualization-based malware, we need at least two to three years.
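The "disable virtualization in BIOS" mitigation mentioned for Blue Pill comes down to firmware clearing the virtualization enable bit and setting a lock bit in a model-specific register, so that even ring-0 code cannot turn it back on before the next reset. The following is an added example (not from the interview) that decodes those bits for Intel's IA32_FEATURE_CONTROL and, going beyond the AMD hardware of the interview's time, AMD's VM_CR; the register addresses and bit positions are from the vendor manuals, the sample values are constructed, and reading a live MSR on Linux assumes root and the msr kernel module.

```python
"""Decode the firmware lock bits behind the 'disable virtualization in BIOS'
mitigation. Added example, not from the interview. Bit layouts follow the
Intel SDM (IA32_FEATURE_CONTROL, MSR 0x3A) and AMD APM (VM_CR, 0xC0010114)."""
import os
import struct

IA32_FEATURE_CONTROL = 0x3A   # Intel: bit0 lock, bit2 VMX outside SMX
AMD_VM_CR = 0xC0010114        # AMD:   bit3 LOCK, bit4 SVMDIS


def decode_intel(value):
    """A locked MSR with VMX-outside-SMX clear makes VMXON fault until reset,
    so even ring-0 code cannot start a hypervisor. Unlocked means rewritable."""
    locked = bool(value & 1)
    vmx_enabled = bool(value & (1 << 2))
    return {"locked": locked, "vmx_enabled": vmx_enabled,
            "hypervisor_blocked": locked and not vmx_enabled}


def decode_amd(value):
    """VM_CR.SVMDIS together with VM_CR.LOCK makes enabling EFER.SVME fault."""
    locked = bool(value & (1 << 3))
    svm_enabled = not (value & (1 << 4))
    return {"locked": locked, "svm_enabled": svm_enabled,
            "hypervisor_blocked": locked and not svm_enabled}


def read_msr(msr, cpu=0):
    """Read a 64-bit MSR through /dev/cpu/N/msr; None when unavailable."""
    try:
        fd = os.open(f"/dev/cpu/{cpu}/msr", os.O_RDONLY)
    except OSError:
        return None
    try:
        return struct.unpack("<Q", os.pread(fd, 8, msr))[0]
    finally:
        os.close(fd)


def audit(vendor_id):
    """vendor_id is the /proc/cpuinfo vendor string ('GenuineIntel' or 'AuthenticAMD')."""
    if vendor_id == "AuthenticAMD":
        raw = read_msr(AMD_VM_CR)
        return None if raw is None else decode_amd(raw)
    raw = read_msr(IA32_FEATURE_CONTROL)
    return None if raw is None else decode_intel(raw)


if __name__ == "__main__":
    print(decode_intel(0x1))   # constructed: locked and disabled -> hypervisor_blocked True
    print(audit("GenuineIntel") or "live MSR not readable (needs root and the msr module)")
```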