
Re: Undetectable Rootkits using Virtualization



On Fri, Jun 30, 2006 at 10:07:15AM -0600, Paul E Condon wrote:
> Root kit can be very hard to detect if one assumes that one must also
> keep the computer running while doing the investigation, or that there
> are limits imposed by owner privacy, or software vendor proprietary
> rights. But if one can physically remove the disk drive and
> investigate it on a proper forensic test bed, and if the design
> documentation of the manufacturer of the disk drive is available,
> there is no way malware can go undetected.

Unfortunately, this is not true given that the BIOS itself can be
reflashed on all or most of the systems out there.  And control of the
BIOS can lead to control of the higher-level functions of the
computer.  This was the central finding of the "Hursti II" report that
I forwarded a few weeks ago.

 http://www.nytimes.com/2006/05/12/us/12vote.html
 http://www.bbvforums.org/cgi-bin/forums/board-auth.cgi?file=/1954/27675.html
 http://www.blackboxvoting.org/BBVtsxstudy.pdf

And even in the absence of a BIOS takeover, novel rootkits or other
attacks on the operating system or application software might escape
detection by existing forensic test beds.  Especially when the people
doing the forensic analysis have as little experience as the typical
county clerk....

> I think that there is a real problem with software security on
> computers that are used in elections, but these problems would largely
> be resolved if the official record were the paper ballot as marked by
> the voter, and the computer use were confined to processing steps that
> could easily be repeated on different computers using different
> operating systems, and if this repeating were frequently done as a
> matter of course, not something confined to a court ordered recount.

I once again note that an actual, comprehensive, random audit is
imperative, as mandated by Colorado law.  This is also the conclusion
of the recent Brennan report.  But even they miss the importance and
difficulty of a proper audit of the optical scan and final tally
processes.

Unfortunately, the SoS rules only require a recount, which will miss
many forms of error or hacking.  We need to hold the clerk's office to
their pledge to do a real audit, not just a recount.  Time for another
meeting, I think.

-Neal

> But most of all, we should really 'sweat the details' of how the use
> of computers should be regulated and the regulations enforced. I see
> little room for proprietary, secret software in a realistic system.
> 
> 
> On Thu, Jun 29, 2006 at 11:19:09PM -0600, Joe Pezzillo wrote:
> > 
> > If you thought the security problems in existing systems were bad,  
> > check this out:
> > 
> > http://theinvisiblethings.blogspot.com/2006/06/introducing-blue-pill.html
> > 
> > 
> > "Now, imagine a malware (e.g. a network backdoor, keylogger, etc...)  
> > whose capabilities to remain undetectable do not rely on obscurity of  
> > the concept. Malware, which could not be detected even though its  
> > algorithm (concept) is publicly known. Let's go further and imagine  
> > that even its code could be made public, but still there would be no  
> > way for detecting that this creature is running on our machines...
> > 
> > Over the past few months I have been working on a technology
> > code-named Blue Pill, which is just about that - creating 100%
> > undetectable malware, which is not based on an obscure concept."
> > 
> > 
> > [Note: this is not a script kiddie writing this, it's a world-class  
> > security researcher who will be presenting her work at the Black Hat  
> > conference at the end of July, comments on the blog indicate that a  
> > similar exploit for Intel's virtualization technology is also going  
> > to be presented]
> > 
> > 
> 
> -- 
> Paul E Condon           
> pecondon@xxxxxxxxxxxxxxxx