Tuesday, August 5, 2008

DeepWatch -- Insane detection of Insane Rootkits -- or not so insane ??

There’s a real good reason to post this first entry here. I will be giving a talk at Black Hat this year. I dedicate this work to my wife, Natalia.. she’s been thru much this year.

If you are interested in what's going on with virtualization security and attending Black Hat then I invite you to my presentation on Wednesday at 1:45 PM in Roman Ballroom:


I will introduce DeepWatch, one of my night-time “research” works and a proof of concept implementation of chipset based detector of virtualization rootkits.

WTF ?? “Chip” what detector ?? Yeah.. that’s right. DeepWatch is a part of firmware running for a little over a year on embedded core in north-bridge on one of my debug platforms.

Well, it's unfair to call it a "detector" of virtualization rootkits.. simply because it can also remove rootkits from the virtualized system.

This screenshot should briefly summarize my talk:

You'll also see a demo where I’ll detect and more importantly remove Intel VT-x based rootkit.

I rewrote my slides since I submitted DVD-ready version. So there again will be 2 different copies of the presentation floating on the web. Please check this link shortly after Black Hat for demo and updated version of the slides:

I’ll be glad to see you at my presentation. You can grab me any time during Black Hat or DEFCON and destroy my brains with this or any other topic and lots of beer.

This stuff kinda relates to presentations by Joanna Rutkowska, Alex Tereshkin and Rafal Wojtczuk from Invisible Things Lab they give on August 7th. I suggest attending their talks as well:

disclaimer: DeepWatch has nothing to do with deepwatch [dot] com unless you consider virtualization rootkits as a p0rn.