Wilders Security Forums  

  #1  
July 26th, 2006, 08:46 PM
TheQuest
Very Frequent Poster

Join Date: Jun 2003
Location: Kent. UK by the sea
Posts: 2,226
"Blue Pill" [Do not read if Paranoid]

Hi, Jason R0

Will the new AppDefend be able to deal with the 'Blue Pill'?

Posted more in jest, than from being paranoid.


Take Care,
TheQuest
__________________
When Nothing is Certain, Anything is Possible.
  #2  
July 26th, 2006, 09:04 PM
The Hammer
Massive Poster

Join Date: May 2005
Location: Toronto Canada
Posts: 5,089
Re: "Blue Pill" [Do not read if Paranoid]

You know that if you tell paranoid people not to read something then they absolutely have to.
  #3  
July 26th, 2006, 09:25 PM
Jason_R0
Developer

Join Date: Feb 2005
Location: Australia
Posts: 1,038
Re: "Blue Pill" [Do not read if Paranoid]

It will be able to be "intercepted" from occurring (not that AD supports this exact interception atm, but AppDefend x64 would be better than nothing for intercepting parts of the attack) and should still be able to be detected in various ways. That's not to say it will be easy, it is obvious that the new technology they are putting into PC hardware (for Digital Rights Management and other uses) will also likely be misused. This isn't "new", as new technology is always fertile ground for fancy new attacks. The biggest problem comes from the hardware limiting what other software (in this case security software) can do.
  #4  
July 26th, 2006, 11:09 PM
TheQuest
Very Frequent Poster

Join Date: Jun 2003
Location: Kent. UK by the sea
Posts: 2,226
Re: "Blue Pill" [Do not read if Paranoid]

Hi, Jason R0

Thank you for your reply.

I knew you will be able to keep abreast [or in front] and stop them.

Take Care,
TheQuest
__________________
When Nothing is Certain, Anything is Possible.

Last edited by TheQuest : July 26th, 2006 at 11:28 PM. Reason: [or in front]
  #5  
July 27th, 2006, 12:24 AM
Paranoid2000
Security Expert

Join Date: May 2004
Location: North West, United Kingdom
Posts: 2,839
Re: "Blue Pill" [Do not read if Paranoid]

Quote:
Originally Posted by TheQuest
Posted more in jest, than from being paranoid.

Joanna mentions there being 3 countermeasures to Blue Pill in her blog (I'd guess they would include opcode filtering to catch the special instructions used, installing a hypervisor beforehand and disabling the IOMMU which handles the address translation necessary for Pacifica) so this is unlikely to be an "undefeatable" technique for long. However it is another interesting case of how processor architecture can be exploited for nefarious ends.
  #6  
July 27th, 2006, 12:35 AM
TheQuest
Very Frequent Poster

Join Date: Jun 2003
Location: Kent. UK by the sea
Posts: 2,226
Re: "Blue Pill" [Do not read if Paranoid]

Hi, Paranoid2000


Thank you for your reply and input, as ever you understood what you were reading in the blog.

Where I was not sure what it was saying.

Take Care,
TheQuest
__________________
When Nothing is Certain, Anything is Possible.
  #7  
July 27th, 2006, 05:39 AM
Paranoid2000
Security Expert

Join Date: May 2004
Location: North West, United Kingdom
Posts: 2,839
Re: "Blue Pill" [Do not read if Paranoid]

Quote:
Originally Posted by TheQuest
...as ever you understood what you were reading in the blog.

I'm afraid you're being over-generous there! Joanna is being a bit of a tease (ladies, eh?) in not providing more details on the counters and the AMD documentation is, um, a little less than approachable. Hopefully things will be clarified soon and we won't have to guess further.
  #8  
July 28th, 2006, 09:54 PM
Jito463
Infrequent Poster

Join Date: Jul 2006
Posts: 14
Re: "Blue Pill" [Do not read if Paranoid]

One possible alternative to block this is to be there first. The security software would do exactly what this "Blue Pill" software aims to do, so that the user (through the security software) will ultimately have more control over the system. So I consider this discovery a good thing. By the way, I thought you were told not to read this, Paranoid.

Quote:
[Do not read if Paranoid]
 

All times are GMT -4.