October 2, 2007 9:29 AM PDT
Virtual rootkits not a problem, say researchers
Working with virtualization technology vendors VMware and XenSource, the researchers recently produced a study called "Compatibility is Not Transparency: VMM Detection Myths and Realities." In the study, the researchers said that rootkits could not use hypervisor technology to remain undetected on a system.
"No matter how minimal the hostile VMM (virtual machine monitor) is, it must consume physical resources, perturb timings and take measures to protect itself from the guest, leaving it no less susceptible to detection than other VMMs," said the research paper.
Hostile hypervisors create anomalies in the infected system that enable detection, according to the researchers, who said that hypervisors can be detected through logical discrepancies between the interfaces of real and virtual hardware.
"Most current hypervisor detection methods exploit differences in the virtual CPU interface of VMMs that violate x86 architecture," said the study.
There are also differences between virtual and actual hardware configurations such as chipsets, according to the researchers. And resource discrepancies give the game away, as VMMs consume CPU cycles and physical memory, and have a cache footprint that can be detected.
Malware researcher Joanna Rutkowska claimed last year to have developed a hypervisor rootkit called "Blue Pill" that would remain undetected on a system. Her claims were disputed by researchers from Matasano Security, Root Labs and Symantec.
Tom Espiner of ZDNet UK reported from London.
- Well..
- In what way would it help to detect that there is a VMM present in a world where VMMs are becoming more and more widely used? Should OSes stop executing if they suspect they run on a VMM and not on physical HW?
