Modern Blue Pills and Red Pills


Asaf Algawi (University of Jyväskylä, Finland), Michael Kiperberg (Holon Institute of Technology, Israel), Roee Shimon Leon (University of Jyväskylä, Finland), Amit Resh (Shenkar College, Israel) and Nezer Jacob Zaidenberg (College of Management, Israel)
Copyright: © 2020 | Pages: 14
DOI: 10.4018/978-1-5225-9715-5.ch078


This article presents the concept of the blue pill, a stealth hypervisor-based rootkit introduced by Joanna Rutkowska in 2006. The blue pill is a malicious thin hypervisor-based rootkit that takes control of the victim machine. Because the blue pill does not run in the operating system's context, it is very difficult to detect. The red pill is the competing concept: forensic software that runs on the inspected machine and detects the presence of a malicious hypervisor, or blue pill. The concept of attesting that a host is not running a hypervisor was first introduced by Kennel and Jamieson in 2002. Modern advances in hypervisor technology and hardware-assisted virtualization enable both new stealth methods and new detection methods. This article presents the recent innovations in stealth blue pills and forensic red pills.
Chapter Preview


Blue pill technology relies on hypervisor technology. This chapter reviews recent advances in x86 virtualization. These new instruction families enable blue pill and red pill technologies.

Hypervisors and Thin Hypervisors

A hypervisor is a type of computer software designed to run multiple operating systems on the same hardware.

As its name implies, a hypervisor has more privilege than the operating system (i.e., the supervisor).

Just like the operating system supervises memory and hardware resources for the processes it runs, the hypervisor controls the hardware resources for each operating system.

Hypervisor research started with Popek et al. (1974), who classified hypervisors into two main categories:

1. Type I hypervisors, or boot hypervisors, are hypervisors that the machine starts directly from the hardware boot. The hypervisor then starts the guest operating system. VMware ESXi is an example of a modern Type I hypervisor.

2. Type II hypervisors, or hosted hypervisors, are hypervisors that start only after the operating system has started. Modern examples of Type II hypervisors are VMware Desktop and Oracle VirtualBox.

Regular hypervisors are situated between the hardware and the supervisor (OS), catching interrupts and controlling memory addresses. The hypervisor decides which operating system owns each memory address and which operating system should handle each hardware interrupt.

There is a particular class of hypervisors that do not attempt to run multiple operating systems. Instead, these hypervisors, called “thin hypervisors”, support running only one operating system on the target hardware. A thin hypervisor acts as a microkernel that provides specific services. It passes the handling of all (or almost all) hardware events and interrupts to the single guest operating system. It also contains very little memory management of its own and relies on the guest OS for memory management and interrupt handling. Microsoft’s Device Guard, the TrulyProtect hypervisor for protection against reverse engineering (Averbuch et al. 2013) and Execution Whitelisting (Kiperberg et al. 2017) are examples of thin hypervisors. Virtually all blue pills are thin hypervisors.

Key Terms in this Chapter

Thin Hypervisor: A hypervisor that is designed to support only one operating system.

Hypervisor: A hypervisor is a type of computer software designed to run multiple operating systems on the same hardware.

Chain of Trust: Group of computer components that starts at a trust nexus. Through a series of operations, each component in the chain adds functionality and verifies the next component. The final component is trusted if all components in the chain complete successful verification and then the nexus can indeed be trusted.

Red Pill: A red pill is a type of software used to detect and defeat blue pills. The goal of the red pill is to answer the question, “Is the computer currently running a blue pill?” as reliably as possible.

Privilege Ring: The Intel architecture defines several privilege “rings” (protection rings) that describe the current privilege state of the system. These rings are ring 3 (user mode), where certain operations are not allowed; ring 0 (supervisor mode/operating system mode), where access to hardware devices is allowed; and hypervisor mode (ring -1), where hypervisor operations are allowed. Rings 1 and 2 also exist: these “in-between” privilege levels had historical uses but are mostly unused in modern systems.

Bootkit: A rootkit that boots when the computer boots, usually before the operating system starts. The bootkit installs itself on the hard drive master boot record (MBR) or BIOS and gains control of the system before the operating system ever has control.

Rootkit: A rootkit is malicious software that grants an unauthorized user persistent access to the victim computer's resources. The rootkit is also designed to mask its own existence so that the administrator cannot detect it.

Blue Pill: A blue pill is a malicious rootkit implemented as a thin hypervisor.

Trusted Platform Module (TPM): The Trusted Platform Module (ISO/IEC 11889) is an international standard and specification for a secure cryptoprocessor. The TPM is a dedicated microcontroller designed with hardware obfuscation to prevent tampering. The TPM provides cryptographic operations and can measure the CPU and running software for platform attestation.
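The chain-of-trust and TPM entries above describe two complementary mechanisms: each boot component verifying the next before handing over control, and a TPM-style measurement register that records every stage so a verifier can attest the platform afterwards. The following simulation, added here as an illustration and not code from the chapter or its authors, models both over a constructed four-stage boot chain (firmware, boot sector, OS loader, kernel). It shows why a bootkit that replaces the boot sector (see the Bootkit entry) fails the chain-of-trust check at that stage and also changes the final measurement, even though later stages are untouched. The stage names, images, allowlist and "golden" value are all constructed for the example; the PCR extend formula (new = H(old || H(image))) follows TPM practice, but a real TPM would also sign the reported value with an attestation key, which this simulation does not model.

```python
import hashlib

HASH = hashlib.sha256
PCR_INIT = b"\x00" * 32  # a TPM 2.0 SHA-256 PCR bank starts at all zeros after reset


def extend(pcr: bytes, image: bytes) -> bytes:
    """TPM-style PCR extend: new_pcr = H(old_pcr || H(image)).

    Each value folds in everything extended before it, so a stage that was
    altered, skipped or reordered cannot be hidden by the stages after it."""
    return HASH(pcr + HASH(image).digest()).digest()


# Constructed boot chain (stage name, stage image). In a real system the trust
# nexus (boot ROM / CPU) measures the firmware, the firmware measures the boot
# sector, and so on; here the images are placeholder byte strings.
CLEAN_CHAIN = [
    ("firmware", b"constructed firmware image"),
    ("mbr", b"constructed boot sector"),
    ("os_loader", b"constructed OS loader"),
    ("kernel", b"constructed kernel image"),
]

# Constructed bootkit scenario: only the boot sector differs from the clean chain.
TAMPERED_CHAIN = [
    (name, b"constructed boot sector + bootkit" if name == "mbr" else image)
    for name, image in CLEAN_CHAIN
]

# Allowlist of expected stage digests, as a verifying stage would carry them
# (for example embedded in the previous stage or in protected firmware storage).
ALLOWLIST = {name: HASH(image).hexdigest() for name, image in CLEAN_CHAIN}


def verified_boot(chain, allowlist):
    """Chain of trust as the chapter defines it: each component verifies the
    next before handing over control. Returns the first stage that fails
    verification, or None when every component in the chain verified."""
    for name, image in chain:
        if HASH(image).hexdigest() != allowlist.get(name):
            return name
    return None


def measured_boot(chain):
    """Measured boot: extend one PCR with every stage and keep an event log of
    (stage name, digest) entries that a remote verifier can replay."""
    pcr = PCR_INIT
    log = []
    for name, image in chain:
        log.append((name, HASH(image).hexdigest()))
        pcr = extend(pcr, image)
    return pcr, log


def replay_log(log):
    """Verifier side: recompute the PCR from the event log alone."""
    pcr = PCR_INIT
    for _name, digest_hex in log:
        pcr = HASH(pcr + bytes.fromhex(digest_hex)).digest()
    return pcr


def attest(reported_pcr, log, golden_pcr):
    """Attestation decision: the reported PCR must equal the known-good value
    recorded from a clean boot, and the event log must reproduce it."""
    return reported_pcr == golden_pcr and replay_log(log) == reported_pcr


GOLDEN_PCR, _ = measured_boot(CLEAN_CHAIN)  # recorded once from a known-clean boot


def demo():
    """Run both checks over the clean and the tampered chain."""
    clean_pcr, clean_log = measured_boot(CLEAN_CHAIN)
    bad_pcr, bad_log = measured_boot(TAMPERED_CHAIN)
    return {
        "clean_verified": verified_boot(CLEAN_CHAIN, ALLOWLIST),        # None
        "tampered_verified": verified_boot(TAMPERED_CHAIN, ALLOWLIST),  # "mbr"
        "clean_attested": attest(clean_pcr, clean_log, GOLDEN_PCR),     # True
        "tampered_attested": attest(bad_pcr, bad_log, GOLDEN_PCR),      # False
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two checks fail in different places: `verified_boot` stops the boot at the first unverified component, whereas `measured_boot` never refuses to run anything and only records what ran, leaving the decision to whoever compares the PCR against the golden value. A blue pill that loads after the kernel is outside this chain, which is why the chapter treats red pills as a separate problem from boot-time attestation.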
