This is the same as the results found more than 2 years ago as published by
Joanna Rutkowska as RedPill
(http://invisiblethings.org/papers/redpill.html) (and before that in a
Usenix paper), and therefore everyone who is interested in
emulated/virtualized security already knows that SIDT is a problem
instruction.
John
On Feb 28, 2007, at 11:36 AM, Arne Vidstrom wrote:
Hi all,
Summary:
The Norman SandBox Analyzer (http://sandbox.norman.no/live.html) runs
malicious code samples in an emulated environment while logging their
actions. In practice it is more or less impossible to make an
emulated environment perfectly similar to the real thing. It is
therefore possible to write malicious code that does not behave
maliciously when run in the Sandbox Analyzer. Here I will give one
example of such a technique.
Full text at:
http://www.ntsecurity.nu/onmymind/2007/2007-02-27.html
I have notified Norman about the problem but have chosen not to wait
for them to patch it, the reason being that this is not a regular
vulnerability, but rather an example of an inherent weakness in
emulated sandboxes in general. I assume they will patch this
particular case shortly though, since it should be very easy to do.
Regards /Arne
http://ntsecurity.nu
http://vidstrom.net