The Trusted Platform Module (ISO/IEC 11889) is an international standard and specification for a secure cryptoprocessor. The TPM is a dedicated microcontroller designed with hardware obfuscation to prevent tampering. The TPM provides cryptographic operations and can measure the CPU and running software for platform attestation.
Published in Chapter:
Modern Blue Pills and Red Pills
Asaf Algawi (University of Jyväskylä, Finland), Michael Kiperberg (Holon Institute of Technology, Israel), Roee Shimon Leon (University of Jyväskylä, Finland), Amit Resh (Shenkar College, Israel), and Nezer Jacob Zaidenberg (College of Management, Israel)
Copyright: © 2020
|Pages: 14
DOI: 10.4018/978-1-5225-9715-5.ch078
Abstract
This article presents the concept of blue pill, a stealth hypervisor-based rootkit, that was introduced by Joanna Rutkowska in 2006. The blue pill is a malicious thin hypervisor-based rootkit that takes control of the victim machine. Furthermore, as the blue pill does not run under the operating system context, the blue pill is very difficult to detect easily. The red pill is the competing concept (i.e., a forensics software that runs on the inspected machine and detects the existence of malicious hypervisor or blue pill). The concept of attestation of a host ensuring that no hypervisor is running was first introduced by Kennel and Jamieson in 2002. Modern advances in hypervisor technology and hardware-assisted virtualization enables more stealth and detection methods. This article presents all the recent innovation in stealth blue pills and forensics red pills.