Senior Microsoft security strategist Steve Riley has used the vendor's Tech.Ed conference in Sydney this week to rebut claims by a Polish researcher that Microsoft's hypervisor software could be maliciously replaced on PCs without administrators knowing.

Microsoft's Steve Riley
(Credit: Microsoft)

The hypervisor is the portion of Microsoft's operating system that controls virtual operating system instances. Researcher, Joanna Rutkowska, has caused a debate over the past several years about developing a hypervisor rootkit that could go undetected on a PC.

"Her insistence is that you can replace the hypervisor without anybody knowing... Our assertion is that this is incorrect," Riley told the audience. "First of all, to do these attacks you need to become administrator at the root. So, that's going to be, on an appropriately configured machine, an exceedingly difficult thing to happen."

Even if an attacker's malware did gain root access, therefore allowing them to replace the hypervisor, the replacement itself would be an imperfect copy, according to Riley.

"Because you (the attacker) didn't subject your own replacement hypervisor through the thorough design review that ours did, I'll bet your hypervisor is probably not going to implement 100 per cent of the functionality as the original one," he said. "There will be a gap or two and we will be able to detect that."

An attacker's malware would also behave differently to the original hypervisor, resulting in changes to network, processing and disk activity, which should cause alarm bells for security professionals.

"I mean, the whole reason for doing this is so you can take over the machine," he explained. "It is entirely possible to detect if the root operating system has been compromised and if the hypervisor has been replaced."

So where does that leave the security professional who manages these systems? According to Riley, exactly where they were before the rise of virtual machines.

"You have to ask: is there malware on my system? You can be 100 per cent certain there is no malware that you can detect, but less than 100 per cent certain that there is no malware at all. Now, ladies and gentlemen, isn't this true of every computer we already have? There is no difference just because it's virtualisation.

"Don't let the hype machines cloud your understanding of what you need to do. Apply your knowledge to the next evolutionary step, but don't expect that everything you have learned is something you have to throw away."

Related links

Leave a comment

You must read and type the 6 chars within 0..9 and A..F

* indicates mandatory fields.

Log in


Sign up | Forgot your password?

Blogs

RSS feed

  • Staff Aussies to pay more for Win 7

    If you are looking to make some money in these troubled times, perhaps importing copies of Windows 7 could be for you. Read more »

    -- posted by Staff

  • Staff Firefox: Greens want it, 3.5rc2 not up to par

    This week's roundup looks at the situation surrounding a campaign to change Outlook HTML renderer, a Greens MP wants to install Firefox but is restricted and all the photos from the iPhone 3GS launch. Read more »

    -- posted by Staff

  • Chris Duckett Microsoft misses the Outlook point

    Ask designers which mail program is the bane of their existence, and you'll find that Outlook tops the list. The reason why the most popular email reader is also the most painful is simple: it uses Word to render HTML emails. Read more »

    -- posted by Chris Duckett

What's on?