
Who watches the watcher? Detecting hypervisor introspection from unprivileged guests

Published: 01 July 2018

Abstract

We present research on the limitations of detecting atypical activity by a hypervisor from the perspective of a guest domain. Individual instructions that can cause a virtual machine exit were evaluated, using wall timing and kernel thread racing as metrics. Cache-based memory access timing is performed with the Flush+Reload technique. Potential methods for detecting non-temporal memory accesses are also analyzed. It is found that a guest domain can use these techniques to reliably determine whether instructions or memory regions are being accessed in a manner that deviates from normal hypervisor behavior.



Published In

Digital Investigation: The International Journal of Digital Forensics & Incident Response, Volume 26, Issue S, July 2018, 141 pages

Publisher

Elsevier Science Publishers B. V., Netherlands

Author Tags

  1. Virtualization
  2. Hypervisors
  3. Virtual machine monitors
  4. Cloud computing
  5. Wall timing
  6. Caches
  7. Side-channel attacks
  8. Non-temporal instructions

Qualifiers

  • Research-article

Cited By

  • (2024) Simulating the Network Environment of Sandboxes to Hide Virtual Machine Introspection Pauses. Proceedings of the 17th European Workshop on Systems Security, pp. 1–7. doi:10.1145/3642974.3652280. Online publication date: 22 Apr 2024.
  • (2023) RandCompile: Removing Forensic Gadgets from the Linux Kernel to Combat its Analysis. Proceedings of the 39th Annual Computer Security Applications Conference, pp. 677–690. doi:10.1145/3627106.3627197. Online publication date: 4 Dec 2023.
  • (2023) Retrofitting AMD x86 Processors with Active Virtual Machine Introspection Capabilities. Architecture of Computing Systems, pp. 168–182. doi:10.1007/978-3-031-42785-5_12. Online publication date: 13 Jun 2023.
  • (2021) RapidVMI: Fast and multi-core aware active virtual machine introspection. Proceedings of the 16th International Conference on Availability, Reliability and Security, pp. 1–10. doi:10.1145/3465481.3465752. Online publication date: 17 Aug 2021.
