4.16.2008

Virtualization: Red Pill or Blue?

by Steven McElwee

Virtualization technologies have been compared to the movie, The Matrix. In this, Neo and other humans, are captured in a virtual world. Neo is offered a blue pill or a red pill. The blue pill will return him to his normal unreal world in the matrix. The red will set his mind free by exposing the matrix. When it comes to virtualization technologies, the red pill and blue pill have similar meanings.

Red Pill
The red pill is a small piece of code that, when run on a virtual machine, is able to determine if it is running in a virtual system or a real, physical system. It does this by detecting if the operating system is under the control of a hypervisor, the monitoring process that enables virtualization.

Theoretically, programs operating in a virtual instance should not be able to determine anything outside of the virtual instance. This encapsulation is important to ensure that the operating system operates independently.

The red pill is more than a theory. A few lines of C code are all that are needed to create the red pill code. The following sample was developed by Joanna Rutkowska:

int swallow_redpill () {
unsigned char m[2+4], rpill[] = "\x0f\x01\x0d\x00\x00\x00\x00\xc3";
*((unsigned*)&rpill[3]) = (unsigned)m;
((void(*)())&rpill)();
return (m[5]>0xd0) ? 1 : 0;
}
More details about how Rutkowska's red pill works can be found at: http://invisiblethings.org/papers/redpill.html

Blue Pill
The blue pill takes the concept of the red pill further to create an exploit using virtualization. The most popular example of this was also developed by Joanna Rutkowska. The blue pill uses virtualization capabilities built into some microprocessors to trap the computer's operating system into a virtual machine. The blue pill acts as the hypervisor and has complete control of the regular operating system, now trapped in the virtual machine.

Rutkowska's blue pill is said to be completely undetectable, although some have disputed this claim. Whether detectable or not, it is a demonstration of one type of exploit made possible by virtualization technologies.

Bottom Line
The bottom line in this discussion of the red and blue pills is that virtualization technologies may become exploitable. This may allow an attacker to gain access to virtual servers or create an undetectable root kit. If you are using virtualization, stay on top of vulnerabilities in your software and patch regularly.

Labels:

0 Comments:

Post a Comment

Links to this post:

Create a Link

<< Home