This article presents the concept of blue pill, a stealth hypervisor-based rootkit, that was introduced by Joanna Rutkowska in 2006. The blue pill is a malicious thin hypervisor-based rootkit that takes control of the victim machine. Furthermore, as the blue pill does not run under the operating system context, the blue pill is very difficult to detect easily. The red pill is the competing concept (i.e., a forensics software that runs on the inspected machine and detects the existence of malicious hypervisor or blue pill). The concept of attestation of a host ensuring that no hypervisor is running was first introduced by Kennel and Jamieson in 2002. Modern advances in hypervisor technology and hardware-assisted virtualization enables more stealth and detection methods. This article presents all the recent innovation in stealth blue pills and forensics red pills.
This paper describes an efficient system for ensuring code integrity of an OS, including its own-code and applications. We claim that the proposed system can protect from an attacker that has full control over the OS kernel. An evaluation of the system's performance suggests that the induced overhead is negligible.
scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.