X
Tech

Microsoft refutes hypervisor attack claim

Senior Microsoft security strategist Steve Riley has used the vendor's Tech.Ed conference in Sydney this week to rebut claims by a Polish researcher that Microsoft's hypervisor software could be maliciously replaced on PCs without administrators knowing.
Written by Liam Tung, Contributing Writer

Senior Microsoft security strategist Steve Riley has used the vendor's Tech.Ed conference in Sydney this week to rebut claims by a Polish researcher that Microsoft's hypervisor software could be maliciously replaced on PCs without administrators knowing.

steveriley.jpg

Microsoft's Steve Riley
(Credit: Microsoft)

The hypervisor is the portion of Microsoft's operating system that controls virtual operating system instances. Researcher, Joanna Rutkowska, has caused a debate over the past several years about developing a hypervisor rootkit that could go undetected on a PC.

"Her insistence is that you can replace the hypervisor without anybody knowing... Our assertion is that this is incorrect," Riley told the audience. "First of all, to do these attacks you need to become administrator at the root. So, that's going to be, on an appropriately configured machine, an exceedingly difficult thing to happen."

Even if an attacker's malware did gain root access, therefore allowing them to replace the hypervisor, the replacement itself would be an imperfect copy, according to Riley.

"Because you (the attacker) didn't subject your own replacement hypervisor through the thorough design review that ours did, I'll bet your hypervisor is probably not going to implement 100 per cent of the functionality as the original one," he said. "There will be a gap or two and we will be able to detect that."

An attacker's malware would also behave differently to the original hypervisor, resulting in changes to network, processing and disk activity, which should cause alarm bells for security professionals.

"I mean, the whole reason for doing this is so you can take over the machine," he explained. "It is entirely possible to detect if the root operating system has been compromised and if the hypervisor has been replaced."

So where does that leave the security professional who manages these systems? According to Riley, exactly where they were before the rise of virtual machines.

"You have to ask: is there malware on my system? You can be 100 per cent certain there is no malware that you can detect, but less than 100 per cent certain that there is no malware at all. Now, ladies and gentlemen, isn't this true of every computer we already have? There is no difference just because it's virtualisation.

"Don't let the hype machines cloud your understanding of what you need to do. Apply your knowledge to the next evolutionary step, but don't expect that everything you have learned is something you have to throw away."

Editorial standards