At first glance it should be good news: it would appear that Microsoft has plugged a hole that had shot the claims of Vista being highly secure to pieces. Nonetheless, Joanna Rutkowska, the security researcher who demonstrated the original Blue Pill exploit at both SyScan 06 in Singapore and the Black Hat briefings in Las Vegas earlier in the year, has hit back with a warning that the method Microsoft used to block her pagefile exploit is itself fundamentally flawed and insecure.
As originally posted here, Rutkowska used AMD's SVM/Pacifica virtualization technology to create a Blue Pill rootkit that not only takes complete control of the underlying operating system but also remains 100% undetectable while doing so on the Vista x64 platform. However, Rutkowska also demonstrated a pagefile attack at those security conferences, which allowed unsigned code to be loaded into the kernel, bypassing not Patch Guard but a different Vista kernel protection altogether (the one meant to keep unsigned code out of the kernel).
But not anymore: according to Rutkowska herself, Vista 64 RC2 “now blocks write-access to raw disk sectors for user mode applications, even if they are executed with elevated administrative rights.”
Rutkowska is not happy, however, because she thinks that Microsoft has chosen the least secure route to securing the OS. In her blog she mentions three options that would have been available to Microsoft, namely:
- Block raw disk access from usermode.
- Encrypt pagefile or use hashing to ensure the integrity of paged out pages.
- Disable kernel-mode paging, at the cost of possibly up to 80Mb of memory.
By choosing option 1, Rutkowska argues, Microsoft “implemented the easiest solution, ignoring the fact that it really doesn’t solve the problem…”
This is because the bad guys will simply borrow a legitimate, signed kernel driver, developed for something like a disk editor, for example. If that legitimate driver has no bugs, and there is therefore no reason to revoke its signature, then the bad guys could use it to perform their own pagefile attack. Indeed, Rutkowska makes it clear that “we could develop a disk editor together with a raw-disk-access kernel driver, then sign it and post it,” but because her company is on the side of the good guys, “I guess somebody else will have to do that instead.”
And let’s not forget that the Blue Pill problem still exists...