AIS employees present research on the limitations of detecting atypical activity by a hypervisor from the perspective of a guest domain.
Individual instructions which have virtual machine exiting capability were evaluated, using wall timing and kernel thread racing as metrics. Cache-based memory access timing is performed with the Flush + Reload technique. Analysis of the potential methods for detecting non-temporal memory accesses are also discussed. It is found that a guest domain can use these techniques to reliably determine whether instructions or memory regions are being accessed in manner that deviates from normal hypervisor behavior.
Reach out to talk to one of our experts and learn more about our research initiatives.