dc.contributor.advisor: Dinolt, George
dc.contributor.author: Fannon, Robert C.
dc.date: June 2014
dc.date.accessioned: 2014-08-13T20:17:39Z
dc.date.available: 2014-08-13T20:17:39Z
dc.date.issued: 2014-06
dc.identifier.uri: http://hdl.handle.net/10945/42621
dc.description: Approved for public release; distribution is unlimited [en_US]
dc.description.abstract: The use of virtual machine (VM) technology has expanded rapidly since AMD and Intel implemented hardware-assisted virtualization in their respective x86 architectures. These new capabilities have resulted in a corresponding expansion of security challenges. Hardware-Assisted VM (HVM) rootkits have become a credible threat because of these new virtualization technologies and have provided an added vector with which root access can be exploited by malicious actors. An HVM rootkit covertly subverts an Operating System (OS) running on a general purpose x86 based processor and migrates that OS into a VM under the control of a malicious hypervisor. This results in the hypervisor possessing an effective privilege level of ring -0, a higher privilege level than ring 0, which the target OS possesses in either its non-virtualized or virtualized state. The only known successful HVM rootkits are Blue Pill and Vitriol. This thesis analyzes and compares the source code for both AMD-V and Intel VT-x implementations of Blue Pill to identify commonalities in the respective versions' attack methodologies from both a functional and technical perspective. Findings conclude that their functional implementations are nearly identical; but their technical implementations are very different, primarily because of differences in the AMD-V and Intel VT-x specifications. [en_US]
dc.description.uri: http://archive.org/details/annalysisofhardw1094542621
dc.publisher: Monterey, California: Naval Postgraduate School [en_US]
dc.rights: This publication is a work of the U.S. Government as defined in Title 17, United States Code, Section 101. As such, it is in the public domain, and under the provisions of Title 17, United States Code, Section 105, may not be copyrighted. [en_US]
dc.title: An analysis of hardware-assisted virtual machine based rootkits [en_US]
dc.type: Thesis [en_US]
dc.contributor.secondreader: Eagle, Chris
dc.contributor.department: Computer Science
dc.subject.author: virtual machine [en_US]
dc.subject.author: hypervisor [en_US]
dc.subject.author: virtual machine monitor [en_US]
dc.subject.author: hardware-assisted virtual machine [en_US]
dc.subject.author: virtual machine based rootkit [en_US]
dc.subject.author: rootkit [en_US]
dc.subject.author: AMD-V [en_US]
dc.subject.author: Intel VT-x [en_US]
dc.subject.author: virtual machine control block [en_US]
dc.subject.author: virtual machine control structure [en_US]
dc.subject.author: operating system [en_US]
dc.subject.author: Blue Pill [en_US]
dc.subject.author: Vitriol [en_US]
dc.subject.author: user mode [en_US]
dc.subject.author: kernel mode [en_US]
dc.subject.author: VM [en_US]
dc.subject.author: VMM [en_US]
dc.subject.author: VMBR [en_US]
dc.subject.author: HVM [en_US]
dc.subject.author: VMCB [en_US]
dc.subject.author: VMCS [en_US]
dc.description.service: Commander, United States Navy [en_US]
etd.thesisdegree.name: Master of Science in Computer Science [en_US]
etd.thesisdegree.level: Masters [en_US]
etd.thesisdegree.discipline: Computer Science [en_US]
etd.thesisdegree.grantor: Naval Postgraduate School [en_US]