In God we trust all others we monitor. In: Proceedings of the 17th ACM Conference on Computer and Communications Security (CCS '10), Chicago, Illinois, USA, 2010.10.04-2010.10.08. ACM Press.
Authors: Stewin, Patrick; Seifert, Jean-Pierre
- Book ID: 121383137
- Publisher: ACM Press
- Year: 2010
- Weight: 542 KB
- Category: Article
- ISBN: 1450302459
Synopsis
Modern x86 platforms offer stealth capabilities that rootkits exploit to hide malicious code, as the evolution of rootkits shows. Recently, security researchers discovered a very powerful execution environment for rootkits that is isolated from the actual x86 host platform. Because of the capabilities of this isolated environment, the researchers called it "ring -3". Security mechanisms such as antivirus software cannot reveal "ring -3" rootkits, since they execute inside the operating system and therefore cannot access "ring -3". Agencies could use "ring -3" to host Remote Forensic Investigation Software that stealthily spies on suspects. This inevitably raises the interesting question of whether provably stealthy government software (GovWare) can exist at all. In this work, we aim to expose the privacy risks that arise from this mass technology. With undetectable GovWare executed on mass technology like the x86 platform, a government could observe most of its citizens, automatically placing them under general suspicion. We developed a proof-of-concept (PoC) keystroke logger with the aim of identifying countermeasures against that threat. Our PoC is able to read the whole host memory from within the "ring -3" environment.