LAS VEGAS—There's a lot of chest-thumping at Black Hat.

A week after, there's a lot of this kind of tourniquet application: "What I really meant by "10 F*cking Days" (scribbled on a card by Mike Shaver, Mozilla director of ecosystem development, in regards to patch turnaround time and why that makes what Mozilla considers irresponsible vulnerability disclosure by the likes of Robert "RSnake" Hansen unjustified), and my personal favorite, since I was in the middle of it, the drama over whether a virtualized rootkit (a la Joanna Rutkowska's Blue Pill) leaves tracks that can be detected in any practical manner whatsoever.

The challengers' response to Rutkowska's newly architected Blue Pill virtualized rootkit and its new Blue Chicken feature of running away when it detects timing determination attacks trying to track it down: "We agree, good strategy," said Matasano Principal Tom Ptacek after reading a story I did along the lines of saying that Rutkowska had, well, gotten the last laugh. "Get out of the virtualization space [because] we will find you. And once you're out, stay out, stay in the kernel."

The trash-talking went into a Ptacek-Nate Lawson-Rutkowska debate at Caesar's food court, the purpose of which was to come to some conclusions regarding what, exactly, had been established during the researchers' Black Hat presentations (to wit: "Don't Tell Joanna: The Virtualized Rootkit is Dead," presented by independent security researcher Nate Lawson and Ptacek, and "IsGameOver, anyone?" presented by Rutkowska and her colleague at Invisible Things Lab, Alexander Tereshkin).

Whether this argument matters to anybody outside of this elite level of kernel researchers is debatable—or as security researcher Halvar Flake put it, "Enough high-level blah blah." One thing everyone agrees about regarding virtualized rootkits: There are none in the wild, and we don't have to worry about them right now.

Of course, we should be glad that there are researchers out there who are worrying about them now, given that a successful attack could mean a system takeover without the victim even being aware and with scant evidence of exploit... more or less... but that really does get to the heart of the debate.

Here are the CliffsNotes to what went down:

Me: Here, let's write the headline for this article. How's this: "Challengers Say 'We Can Detect the New Blue Pill.'"

Rutkowska: [Dictating] "Oh no, you can't. All you can do is detect virtualization."

Dino Dai Zovi: OK, you're right, make that "We Can Detect Virtualization but if the User Isn't Using it on Purpose it Might Indicate a Rootkit."

Rutkowska has two points she wants people to take away from the Black Hat goings-on: first, that detecting virtualization, which her challengers said they can inevitably do, is not the same as detecting virtualization-based malware.

"As hardware virtualization technology gets more and more widespread, many machines will be running with virtualization mode enabled, no matter whether blue pilled or not," she wrote in her blog. "In that case blue pill-like malware doesn't need to cheat that virtualization is not enabled, as it's actually expected that virtualization is being used for some legitimate purposes. In that case using a 'blue pill detector,' that in fact is just a generic virtualization detector is completely pointless."

To translate: Just because you can detect that virtualization is being run on a machine doesn't mean you can detect that it's a virtualized rootkit you're detecting. Virtualization is becoming too common for us to assume that when we find it running we've found evidence of somebody who's up to no good.

Her second point: The methods described as a means to detect virtualization aren't even very good. "We took a closer look e.g. at the TLB [translation look-aside buffer] profiling methods that were suggested by several researchers as a reliable method for virtualization detection. However all the papers that were describing this method missed the fact that some of the caches are not fully associative and one needs to use special effort (which means additional complexity) to make sure to e.g. fill the whole TLB L2 buffer. Obviously we provided all the necessary details of how to write those detectors properly (we even posted one such detector)."

In other words, Rutkowska says, she believes that "it will always be possible to detect virtualization mode using various tricks and hacks, but that: 1) those hacks could be forced to be very complex and 2) in case virtualization is being used on the target computer for some legitimate purposes all those methods fail anyway (see point 1)."

The basis of one of Rutkowska's rebuttals is that she has tested detection schemes—if not the exact ones used by Ptacek et al. then ones at least based on research papers—and found that they just plain don't work.

That's the problem, Ptacek said. The challenging researchers didn't give Rutkowska their detection tools—which, incidentally, they're racing to release "sometime between yesterday and tomorrow" as a tool called Samsara, according to Ptacek and Lawson.

"What seems to have happened," Ptacek said, "is she looked at blog posts" to find the detection code. "She went and looked at everyone's blog posts about how to do detection stuff," Ptacek said. "[But] if you're writing code in a blog post you're not expecting people to run it and test it" as if it were the final working version of a tool, he said.

"We looked at the [detection code Rutkowska said she tested] this morning. We compared it to our test code, which we're releasing, [called] Samsara, sometime between yesterday and tomorrow we're releasing, we cross-referenced the two [code sets], and every check will work against Blue Pill," Lawson said.

While on stage, Rutkowska got a laugh out of the audience by putting up some TLB sizing code and saying she tested it and it didn't work. TLB sizing code refers to an aspect of the CPU: basically, it's a cache that makes your CPU run fast.

"The audience laughed, ah ha ha, those silly researchers," Lawson said. "But the code she found was pseudo code. She had no access to our code before her talk. She had access only to blog posts."

Thing is, Lawson said, security researcher Peter Ferrie—he's with Symantec—cooked the code she had on screen. "It's a devastating attack against Blue Pill," he said. "[It has to do with a] fundamental problem with undetectable hypervisors. [They're] not in some special processor somewhere else in the machine. They're using normal x86 instructions, and it leaves trails to all the caches on a machine; [it leaves] footprints. One cache is TLB. There's no way to hide the footprints. You change state of caches.

"As she takes over control [of a system] and yields control back [when disengaging via Blue Chicken], her code changes the state of the machine. On stage she acknowledged there's no answer to beat that. She said 'I'm thinking about it.'"

More to the point, Rutkowska has published Blue Pill. The challengers have checked it out. The challengers say their detection methods will take it down.

"We've looked at her code," Ptacek said. "She published it as it exists today. If we did the [undetectable rootkit challenge the challengers proposed on June 27] as we [initially proposed it] she said we would have won."

OK. But then, Rutkowska never claimed Blue Pill was 100 percent undetectable. What she claimed is that the technology could be used as a basis for a pretty undetectable rootkit, at some point, by nefarious people.

And the challengers certainly can roast Blue Chicken, Ptacek said. Blue Chicken is a defensive technique Rutkowska has included in the latest iteration of Blue Pill. It involves running away when timing determination occurs. Because the hypervisor sits in the middle, emulating a system, it has the ability to determine if somebody's trying to do a timing attack to try to ferret out the rootkit. In that case, she removes the hypervisor.

Rutkowska conceded that even though she can determine when a timing attack against the rootkit is happening, it's not always possible to tell when the timing attack has stopped. But she can always just wait it out, she said during her presentation. After all, timing attacks have one fatal flaw: They suck up CPU like mad—up to 50 percent of CPU time. That means that while you can sometimes run detection, you sure can't run it all the time. It's just too processor-intensive.

Roasted Blue Chicken recipe:

"If we can force her to unload her code we can jump in the hypervisor space ourselves," Ptacek said. "From that vantage we own the entire system, [including] all hardware, and from there can scan and hash true memory. And from there we can do what anti-virus does now: We can detect [Blue Pill] by scanning the kernel for her code."

They can do that, Ptacek said, because their detection mechanisms are in fact not CPU-intensive. "In reality, our detection code runs in microseconds. In non-user-visible time."

At any rate, it's all good. Rutkowska has released her source code, making the challenging researchers happy. "We're actually very happy with the work she's been doing," Ptacek said. "She's excellent, very excellent. ... [We're just] happy [the debate is taking place] between competing research teams instead of the Russian mafia," he said.

Besides, Lawson said, the Blue Pill challengers contend that kernel malware is harder to detect than virtualized malware. Kernel malware is the traditional kind that involves companies like Symantec finding researchers to reverse-engineer what the most recent malware authors have done and then releasing updates to catch the new malware. Attackers then do the same thing from their perspective, using reverse-engineering virus scanners to figure out how to evade them once again.

Ultimately, Lawson said, this virtualized rootkit issue is going to end up like anti-virus today: "Nobody will make claims about [something being] 100 percent undetectable," he predicted. "It's just going to be where the last mover has advantage," he said, with the cat-and-mouse game of anti-virus detection turning into the cat-and-mouse game of virtualized rootkit detection.

Lord, let's hope you're right, Nate.

Anyway, by the end of this conversation the challengers and Rutkowska had agreed, in essence, that nothing is "dead"—really, only the person who chose Ptacek/Lawson/Ferrie's talk was considered partly dead (As in, you are dead to me!) because it was a title that was very readily misinterpreted. The need to research virtualized malware is still quite alive, Lawson said in an e-mail.

And yes, Rutkowska granted, her challengers' work at proving the detectability of unexpected virtualization is indeed interesting, even if it doesn't appear to her, at any rate, to be commercially viable.