The Threat: A Hypervisor-Based Rootkit
The threat, which was the subject of two presentations at Black Hat 2006, is that someone with administrator privileges on a system that has hardware-assisted virtualization enabled and no virtualization software installed can install a hypervisor-based rootkit. This hypervisor-based rootkit would then be running at a higher privilege level than the operating system itself. The advantage that a hypervisor-based rootkit offers to an attacker is the reduced ability of legitimate kernel-mode code to detect the attacker's hypervisor-mode code.
A system that has a legitimate hypervisor installed is not susceptible to this attack, because as soon as a hypervisor has enabled and used the processor virtualization extensions, a second hypervisor cannot use the extensions.
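The condition described above (virtualization extensions available, no hypervisor holding them) can be inventoried on a host before any compromise. The following is an added example, not code from the original page: it assumes a Linux host, the status names and the driver allowlist are hypothetical, and the inputs are constructed samples shaped like `/proc/cpuinfo` and `/proc/modules`.

```python
import re

# Constructed sample inputs, shaped like /proc/cpuinfo and /proc/modules.
CPUINFO_VMX = "processor\t: 0\nvendor_id\t: GenuineIntel\nflags\t\t: fpu vme pae sse2 vmx est\n"
CPUINFO_NONE = "processor\t: 0\nvendor_id\t: GenuineIntel\nflags\t\t: fpu vme pae sse2 est\n"
MODULES_KVM = ("kvm_intel 380928 0 - Live 0x0000000000000000\n"
               "kvm 1028096 1 kvm_intel, Live 0x0000000000000000\n")
MODULES_PLAIN = "ext4 741376 1 - Live 0x0000000000000000\n"

# Assumption: drivers this site accepts as its legitimate hypervisor.
HYPERVISOR_MODULES = {"kvm_intel", "kvm_amd", "vboxdrv", "vmmon"}
VIRT_FLAGS = {"vmx": "Intel VT-x", "svm": "AMD-V"}


def cpu_flags(cpuinfo_text):
    """Return the flag set from the first 'flags' line of the cpuinfo text."""
    match = re.search(r"^flags\s*:\s*(.*)$", cpuinfo_text, re.MULTILINE)
    return set(match.group(1).split()) if match else set()


def loaded_modules(modules_text):
    """Module names are the first field of each /proc/modules line."""
    return {line.split()[0] for line in modules_text.splitlines() if line.strip()}


def assess(cpuinfo_text, modules_text):
    """Return (status, detail) for the condition the text describes."""
    present = cpu_flags(cpuinfo_text) & set(VIRT_FLAGS)
    extensions = sorted(VIRT_FLAGS[flag] for flag in present)
    if not extensions:
        return ("NO_EXTENSIONS", "no virtualization extensions reported")
    owners = sorted(loaded_modules(modules_text) & HYPERVISOR_MODULES)
    if owners:
        # Assumption: a loaded hypervisor driver counts as holding the extensions.
        return ("CLAIMED", f"{', '.join(extensions)} held by {', '.join(owners)}")
    return ("UNCLAIMED", f"{', '.join(extensions)} available and no hypervisor loaded")


if __name__ == "__main__":
    for cpu, mods in [(CPUINFO_VMX, MODULES_PLAIN), (CPUINFO_VMX, MODULES_KVM),
                      (CPUINFO_NONE, MODULES_PLAIN)]:
        print(assess(cpu, mods))
```

Hosts reported as `UNCLAIMED` are candidates for disabling the extensions in firmware or for running a legitimate hypervisor. The result reflects only what the kernel reports, so it is an exposure inventory for a trusted host, not a way to detect a hypervisor that is already installed.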