Bluepilling The Xen Hypervisor presented at HITBSecConf Malaysia 2008

by Alexander Tereshkin

Tags: Security Firewall Exploitation Malware

Summary

Presentation Abstract: This talk will discuss how to insert Bluepill on top of the running Xen hypervisor (x64). Methods to do that both with and without restart (i.e. on the fly) will be shown. To make this possible, Bluepill needs to support full nested virtualization, so that Xen can still function properly. The presentation will also discuss how the "Bluepill detection" methods proposed over the last 2 years, as well as the hypervisor integrity scanning methods, fit into this new scenario and how far we are from the stealth malware's Holy Grail.

About Alexander: Alexander Tereshkin, principal researcher of Invisible Things Lab, is a seasoned reverse engineer and an expert in the Windows kernel, specializing in rootkit technology, kernel exploitation and hardware virtualization security. He has presented several sophisticated ideas for rootkit creation and personal firewall bypassing in the past few years. He has done significant work in the field of virtualization-based malware and kernel protection bypassing. He is a co-author of the "Understanding Stealth Malware" course taught with Joanna Rutkowska.