Blue Pill counter argument

December 30, 2006

This is old news, but I wanted to remind you that there is a counter argument to the Blue Pill "100% undetectable malware" prototype that generated a lot of press this year:

http://www.virtualization.info/2006/08/debunking-blue-pill-myth.html

http://x86vmm.blogspot.com/2006/08/blue-pill-is-quasi-illiterate.html

Also, since malware needs an attack vector in the first place: if you don't have extreme performance requirements, consider putting all network-facing services in VMs (my websites are, save one SSH port on a dedicated IP). This should keep a Blue Pill/SubVirt-style attack from taking hold on the host in the first place, unless there is an egregious networking-stack flaw in the VMM itself (and the VMM is not always involved in networking at all).

I hope that network-facing VMs for the desktop become commonplace, which I guess will happen en masse once Microsoft likes the idea (and makes it transparent to the user). Boot from a saved, clean slate every session, perhaps with versioned, non-executable storage shared between host and guest VM for user-data updates.
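One concrete piece of the clean-slate setup above is making sure the storage shared between host and guest really is mounted non-executable, so that user data written from a throwaway browsing session cannot be turned into something that runs. The following script is an added example, not code from the original post: it checks a mount target against `/proc/mounts`-format lines for the `noexec`, `nosuid` and `nodev` options, and the sample mount table (the `hostshare` 9p entries and the `/mnt/userdata` and `/mnt/loose` targets) is constructed here for offline demonstration.

```sh
#!/bin/sh
# Added example (not from the original post): verify that a host<->guest shared
# data mount is non-executable, as suggested for user-data storage.
# Input is /proc/mounts format: "<source> <target> <fstype> <options> <dump> <pass>".

# Options a data-only share should carry (assumption for this example).
REQUIRED_OPTS="noexec nosuid nodev"

# check_mount_line "<mounts line>"
# Prints the required options that are missing; returns 0 if none are missing.
check_mount_line() {
    opts=$(printf '%s\n' "$1" | awk '{print $4}')
    missing=""
    for want in $REQUIRED_OPTS; do
        # Wrap in commas so "noexec" cannot match inside another option name.
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    missing=${missing# }
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# check_shared_mount <target> [mounts-file]
# Looks up <target> in the mounts file (default /proc/mounts) and checks it.
# Returns 0 if hardened, 1 if options are missing, 2 if the target is not mounted.
check_shared_mount() {
    target=$1
    file=${2:-/proc/mounts}
    line=$(awk -v t="$target" '$2 == t {print; exit}' "$file")
    if [ -z "$line" ]; then
        echo "not mounted: $target" >&2
        return 2
    fi
    check_mount_line "$line"
}

# Constructed sample mount table standing in for /proc/mounts inside the guest.
SAMPLE_MOUNTS=$(mktemp)
trap 'rm -f "$SAMPLE_MOUNTS"' EXIT
cat > "$SAMPLE_MOUNTS" <<'EOF'
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
/dev/vda1 / ext4 rw,relatime 0 0
hostshare /mnt/userdata 9p rw,nosuid,nodev,noexec,relatime,trans=virtio 0 0
hostshare2 /mnt/loose 9p rw,relatime,trans=virtio 0 0
EOF

# Demonstration: one share is hardened, the other is not.
for t in /mnt/userdata /mnt/loose; do
    if missing=$(check_shared_mount "$t" "$SAMPLE_MOUNTS"); then
        echo "$t: OK (noexec,nosuid,nodev present)"
    else
        echo "$t: MISSING $missing"
    fi
done
```

Run it against the real guest by calling `check_shared_mount /mnt/userdata` with no second argument, for example from a boot-time check that refuses to start the browser if the share is not hardened. The options are matched as whole comma-separated tokens so that `noexec` is not mistaken for part of a longer option name.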

Here is a ready-to-go web-browsing virtual appliance from VMware and another one from rPath.