"Blue Pill" [Do not read if Paranoid]

Hi, Jason R0

Will the new AppDefend be able to deal with the 'Blue Pill'.

Posted more in jest, then from being paranoid.


Take Care,
TheQuest

 

You know that if you tell paranoid people not to read something then they absolutly have to.

 

It will be able to be "intercepted" from occuring (not that AD supports this exact interception atm, but AppDefend x64 would be better than nothing for intercepting parts of the attack) and should still be able to be detected in various ways. That's not to say it will be easy, it is obvious that the new technology they are putting into PC hardware (for Digital Rights Management and other uses) will also likely be misused. This isn't "new", as new technology is always fertile ground for fancy new attacks. The biggest problem comes from the hardware limiting what other software (in this case security software) can do.

 

Hi, Jason R0

Thank you for your reply.

I knew you will be able to keep abreast [or in front] and stop them.

Take Care,
TheQuest

 

Joanna mentions there being 3 countermeasures to Blue Pill in her blog (I'd guess they would include opcode filtering to catch the special instructions used, installing a hypervisor beforehand and disabling the IOMMU which handles the address translation necessary for Pacifica) so this is unlikely to be an "undefeatable" technique for long. However it is another interesting case of how processor architecture can be exploited for nefarious ends.

 

Hi, Paranoid2000


Thank you for your reply and input, as ever you understood what you was reading in the blog.

Where I was not sure what it was saying.

Take Care,
TheQuest

 

I'm afraid you're being over-generous there! Joanna is being a bit of a tease (ladies, eh?) in not providing more details on the counters and the AMD documentation is, um, a little less than approachable. Hopefully things will be clarified soon and we won't have to guess further.

 

One possible alternative to block this is to be there first. The security software would do exactly what this "Blue Pill" software aims to do, so that the user (through the security software) will ultimately have more control over the system. So I consider this discovery a good thing. By the way, I thought you were told not to read this, Paranoid.