Skip Links

Black Hat Conference puts spotlight on NAC, Vista and rootkits

By and , NetworkWorld.com
July 27, 2006 07:37 PM ET
Joanne Rutkowska of Coseinc

NetworkWorld.com - The annual Black Hat Conference, which opens July 29 at Caesar’s Palace in Las Vegas, brings together security researchers and vendors in a freewheeling atmosphere aimed at laying bare the risks and vulnerabilities in IT products.

Like Vegas itself, Black Hat is a gamble where anything can happen, and this year will be no exception, with security specialists taking well-aimed shots at two of the industry’s biggest targets: Microsoft’s Vista software and myriad vendors with network access control (NAC) products.


The Security Standard: first of a four-part series

With Vista still in beta, Microsoft, a key sponsor of Black Hat this year, is inviting Black Hat attendees — 3,000 are expected — to identify any security shortcomings they can in the Vista code. In a novel and candid way, Microsoft product managers and engineers will present six sessions on Windows Vista and its security during the conference, challenging anyone there to rip Vista security apart.

Microsoft will find more than enough takers for that challenge.

Joanna Rutkowska, senior security researcher at Singapore-based security firm COSEINC, will demonstrate a new rootkit for Vista during her presentation “Subverting Vista kernel for fun and profit.” A rootkit is software that hides malicious code or computer processes, making it a danger to users.

Called Blue Pill, Rutkowska’s rootkit is based on Advanced Micro Devices’ Storage Virtualization Manager Pacifica’s virtualization technology. She says Blue Pill is undetectable and easily installed, and doesn’t require the perpetrator to exploit a weakness in the underlying operating system.

In addition to demonstrating Blue Pill, Rutkowska will show how it’s possible to circumvent Vista security by loading only digitally signed code into the kernel. “It’s very impressive,” says Marc Maiffret, founder and chief hacking officer at eEye Digital Security, who saw the Blue Pill rootkit and technique for bypassing Vista’s security in Singapore a week ago at the SyScan Conference, where Rutkowska first made them public.

Her bypass technique might not be a flaw Microsoft can fix easily with a software patch, says Maiffret. “It seems to be an architectural problem with Vista,” he says. Rutkowska agrees it’s a design issue and will propose a few ways Microsoft might consider changing Vista to eliminate the security-bypass problem. Vista’s code-signing protection was devised as a way to stop malware, such as kernel rootkits and back doors, from being loaded into the Vista kernel, says Rutkowska, but her Black Hat presentation will show Vista is as vulnerable to the same kernel malware threats as its predecessors.

Although the first version of Blue Pill she developed is for Vista, there’s no reason a Blue Pill couldn’t be made for other operating systems as well, she says. She adds neither she nor her firm will release the code, which could be used for malicious purposes.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News