Papers and conference presentations

Security Challenges in Virtualized Environments (RSA 2008) - April 2008

The slides I used during my RSA 2008 presentation in San Francisco. These slides are much updated compared to the previous ones with the same title: for example, they contain a very technical description of how to implement support for nested virtualization on AMD-V, and a more detailed description of the upcoming Phoenix HyperCore hypervisor for desktop/laptop computers. Also, they were all made from scratch using Apple’s Keynote, which has now become my tool of choice for preparing presentations :)

Security Challenges in Virtualized Environments - October 2007

I originally prepared this as a keynote presentation for the Virtualization Forum in Stockholm in October 2007. This presentation is based on the material originally discussed in the 2nd part of our Black Hat 2007 presentation and also during our Understanding Stealth Malware training. It tries to demonstrate different security problems that might arise in virtualized environments. It first talks about virtualization based rootkits (e.g. "Blue Pill") -- what is so special about them, clarifies some misunderstandings and also discusses how real this threat is today. It also touches on the subject of virtual machine isolation and why we should aim towards thin hardware-based hypervisors. A related subject, trusted VMMs, is also discussed, especially in the context of e.g. the Trusted Execution technology and how this relates to e.g. virtualization based malware. Finally, nested virtualization and its impact on the security of virtualized systems is analyzed. A good first read for not-so-technical people who would like to get some idea of the security issues with virtualization.

IsGameOver(), Anyone? - August 2007

This is the presentation I co-presented with Alexander Tereshkin. We talked about two topics: 1) the problem of Vista kernel protection and 2) advances in virtualization based rootkits. In the first part we presented new vulnerabilities that allow an attacker to easily and reliably bypass Vista Kernel Protection. We concluded that it is impossible to implement effective kernel protection in the case of a general purpose OS based on a monolithic kernel. In the second part we discussed VMM detection methods and contrasted them with virtualization based malware detection. We also discussed nested virtualization and its impact on system security. Obligatory read!

Human Factor vs. Technology - May 2007

These are the slides for my keynote speech that I gave several times at various conferences, including Info-Security in Hong Kong in May 2007, Gartner IT Summit in London in October 2007 and also the Sector conference in Toronto in November 2007. This is more of a "philosophical" presentation, and doesn’t really contain any new technical concepts.

Virtualization - The Other Side of the Coin - May 2007

The presentation I gave as a keynote speech at the NLUUG conference in the Netherlands. The presentation discusses various good and bad sides of recent hardware virtualization technology. There is a large overlap with my "Subverting Vista Kernel" presentation I gave last year at Black Hat, but this one focuses only on virtualization (no Vista kernel attacks), discusses a few more issues and tries to be a bit more "philosophical" (after all it’s a keynote). All in all - I hope it will serve as a much better reference to my "Blue Pill" research than the original presentation...

Beyond The CPU: Defeating Hardware Based RAM Acquisition Tools (Part I: AMD case) - February 2007

Many people believe that using a hardware based acquisition method, such as a PCI card or the FireWire bus, is the most reliable and secure way to obtain an image of volatile memory (RAM) for forensic purposes. This presentation is aimed at changing this belief by demonstrating how to cheat such hardware based solutions, so that the image obtained using e.g. a FireWire connection can be made different from the real contents of the physical memory as seen by the CPU. The attack does not require a system reboot. The presented technique has been designed and implemented to work against AMD64 based systems, but it does not rely on hardware virtualization extensions.

Fighting Stealth Malware - Towards Verifiable OSes - December 2006

The talk I gave at the 23rd CCC in Berlin. The presentation first debunks The 4 Myths About Stealth Malware Fighting that surprisingly many people believe in. Then my stealth malware classification is briefly described, presenting malware of type 0, I and II and the challenges with their detection (mainly with type II). Finally I talk about what changes to the OS design are needed to make our systems verifiable. If the OS were designed in such a way, then detection of type I and type II malware would be a trivial task...

Stealth Malware Taxonomy - November 2006

At the beginning of this year, at the Black Hat Federal Conference, I proposed a simple taxonomy that could be used to classify stealth malware according to how it interacts with the operating system. Since that time I have often referred to this classification, as I think it is very useful in designing system integrity verification tools and for talking about malware in general. Now I have decided to explain this classification a bit more, as well as extend it with a new type of malware - the type III malware.

Subverting Vista Kernel For Fun And Profit - July 2006

The presentation I gave in Singapore at the SyScan conference (July 2006) and immediately after at Black Hat in Las Vegas (August 2006).

The presentation first presents how to generically (i.e. not relying on any implementation bug) insert arbitrary code into the latest Vista Beta 2 kernel (x64 edition), thus effectively bypassing the (in)famous Vista policy of allowing only digitally signed code to be loaded into the kernel. The presented attack does not require a system reboot.

Next, the new technology for creating stealth malware, code-named Blue Pill, is presented. Blue Pill utilizes the latest virtualization technology from AMD - Pacifica - to achieve unprecedented stealth.

Rootkit Hunting vs. Compromise Detection (AKA Rootkits vs. Stealth by Design Malware) - January 2006

The presentation I gave in Washington DC, at the Black Hat Federal Conference in January 2006 and also at Black Hat Europe 2006. It's about a new generation of stealth malware, which I call Stealth by Design (SbD) malware, that does not use any of the classic rootkit technology tricks, but still offers full stealth! The presentation also focuses on the limitations of the current anti-rootkit technology and why it’s not useful in fighting this new kind of SbD malware. Consequently, an alternative method for compromise detection, Explicit Compromise Detection (ECD), is advocated in this presentation, as well as the challenges which Independent Software Vendors encounter when trying to implement ECD for Windows systems.

System Virginity Verifier - Defining the Roadmap for Malware Detection on Windows System - September 2005

The presentation I gave in Kuala Lumpur, Malaysia, at the 5th Hack In The Box Security Conference. It describes the idea for System Virginity Verifier 1.0, introduces the OMCD project and also discusses implementation-specific attacks and how to address them.

Thoughts about Cross-View based Rootkit Detection - June 2005

Recently, the cross-view based approach to rootkit detection, especially with regard to hidden files and registry keys, has become very popular. This is mostly because of the recent release of tools like Rootkit Revealer and Black Light, as well as a Microsoft research project with the friendly name GhostBuster. Many people have started to think that it is going to be the ultimate way of detecting all rootkits and system compromises in general...

Implementation of Passive Covert Channels in the Linux Kernel - December 2004

The presentation which I gave at the 21st Chaos Communication Congress in Berlin. It describes the idea of passive covert channels (PCC). By passive covert channels, one means a specific kind of CC which does not generate its own traffic...

redpill... or how to detect VMM using (almost) one CPU instruction - November 2004

Shortly after Dave posted his Trip Report from the ITUnderground conference, I started getting emails from people who wanted to know "how to detect VMWare using one instruction"... So, although I'm not the first one who discovered this trick, I decided to put up a short paper about it, accompanied by simple C code. This trick is able to detect not only VMWare, but any VMM running on a Pentium processor.

Linux Kernel Backdoors And Their Detection - October 2004

The presentation I gave at the ITUnderground 2004 conference in Warsaw, Poland. It focuses on two techniques for implementing smart kernel backdoors in the Linux Kernel Network Stack, using a ptype handler and Netfilter hooks, and presents original approaches to their detection, which were successfully implemented in one commercial tool written by me.

Also, the idea of passive covert channels implemented using the presented techniques, together with a very simple PoC, is presented here.

Rootkits Detection on Windows Systems - October 2004

Yet another presentation from ITUnderground 2004 in Warsaw. Both usermode and kernelmode rootkit detection are discussed here. The first half of the presentation is about using MS Kernel Debugger (together with LiveKD) to detect usermode rootkits. The rest discusses more advanced kernel rootkits and presents some ideas about how to detect them.

The careful reader will find some tips about how to port klister to Windows XP/2003 systems... :)

Concepts for the Stealth Windows Rootkit (The Chameleon Project) - September 2003

A draft paper which presents some ideas (and only ideas) of how it could be possible to write a really stealthy Windows rootkit (i.e. one which would not be detected by klister-like tools).

As far as I know this idea has never been implemented. I'm also not going to develop this further, since I think future rootkits should be implemented without the need for creating additional processes, thus not requiring a process hiding feature at all.

UPDATE (August 2005): Sherri Sparks and Jamie Butler took the Chameleon idea further and created the first VMM cheating rootkit. For details read their Phrack paper.