AIS RESEARCH

Who Watches the Watcher? Detecting Hypervisor Introspection From Unprivileged Guests

Overview

AIS employees present research on the limitations of detecting atypical activity by a hypervisor from the perspective of a guest domain.

Individual instructions which have virtual machine exiting capability were evaluated, using wall timing and kernel thread racing as metrics. Cache-based memory access timing is performed with the Flush + Reload technique. Analysis of the potential methods for detecting non-temporal memory accesses are also discussed. It is found that a guest domain can use these techniques to reliably determine whether instructions or memory regions are being accessed in manner that deviates from normal hypervisor behavior.

Key Insights:

In-depth overview of the effects of virtualization on shared hardware resources from a micro-architectural perspective
Evaluation of the efficacy of several timing techniques to supply a robust baseline to build detection systems
Extensive experiments on the capability and limitations of detecting a variety of introspection techniques, including hypervisor accesses to particular in-guest memory ranges, instruction trapping and memory access tracing

Read the Published Paper

Ready to Get Started?

Reach out to talk to one of our experts and learn more about our research initiatives.