Viability and Exploitability of the Threat
Contrary to the presentations that describe this type of attack, a rogue hypervisor can be detected using standard rootkit detection mechanisms, because the rootkit cannot protect itself from the operating system running on top of it. Making good on the claim that a hypervisor-based rootkit could be "undetectable" would make implementing the rootkit significantly more complex for its developers.
Rootkit developers have traditionally shown a strong preference for writing code that runs in user mode rather than in kernel mode. Given the additional complexity of properly exploiting the processor virtualization extensions, a successful attack based on them would challenge rootkit developers in ways that a traditional rootkit attack does not.
In addition, this attack vector is somewhat less appealing to developers than a traditional rootkit attack for these reasons:
- A hypervisor-based rootkit cannot be run unless the attacker is already executing kernel-mode code.
- A hypervisor-based rootkit gives an attacker no new access to user data that the attacker would not already have through a traditional kernel-mode rootkit.
- A hypervisor-based rootkit must implement complex mechanisms and utilize secure hardware in order to protect itself from the operating system, and it must also do so in ways that avoid detection.
Although these challenges make it less likely that a rootkit developer would choose to implement a hypervisor-based rootkit, security experts agree that the most effective threat mitigations involve multiple layers of defense. We must therefore consider whether an additional protection mechanism is called for.