

Who Watches the Watcher? Detecting Hypervisor Introspection From Unprivileged Guests


AIS employees present research on the limitations of detecting atypical activity by a hypervisor from the perspective of a guest domain.

Individual instructions capable of causing a virtual machine exit were evaluated, using wall timing and kernel thread racing as metrics. Cache-based memory access timing is performed with the Flush + Reload technique. Potential methods for detecting non-temporal memory accesses are also discussed. It is found that a guest domain can use these techniques to reliably determine whether instructions or memory regions are being accessed in a manner that deviates from normal hypervisor behavior.

Key Insights:

  • In-depth overview of the effects of virtualization on shared hardware resources from a micro-architectural perspective
  • Evaluation of the efficacy of several timing techniques to supply a robust baseline to build detection systems
  • Extensive experiments on the capability and limitations of detecting a variety of introspection techniques, including hypervisor accesses to particular in-guest memory ranges, instruction trapping and memory access tracing
