Who Watches the Watcher? Detecting Hypervisor Introspection from Unprivileged Guests

DerbyCon 8.0 - Evolution

Presented by: Tomasz Tuzel
Date: Sunday October 07, 2018
Time: 12:00 - 12:50
Location: Kentucky F & G
Track: Track 4

Over the last decade we have seen a rapid rise in virtualization-based tools in which a hypervisor is used to gain insight into the runtime execution of a system. In earlier days, using virtualization for such "introspection" was thought of only as a technique for developing stealthy rootkits. Today, there is a wide variety of security products using these techniques for services that include, for example, intrusion detection or malware analysis. With such rapid advances in introspection techniques, it is no longer a question of whether a hypervisor can be used to peek inside or even manipulate the VMs it executes. These advances thus beg the question: how can we trust that a hypervisor deployed by a cloud provider will respect the privacy of its customers? While there are hardware-based protection mechanisms guaranteeing data privacy even in the presence of such an introspecting hypervisor, there are no tools that can check whether the hypervisor is introspecting when it shouldn't - until now!

We have developed Environmental Characterization and Response (ECR), a software package that analyzes instructions and memory accesses on an unprivileged guest system which has been deployed onto a hypervisor. The package leverages a variety of metrics to determine the potential presence (or lack) of introspection. These techniques are developed to look at micro-architectural properties of modern x86 systems, such as cache-based memory access timing and privileged instruction benchmarking, to examine the behavior of the hypervisor. As hypervisors are notorious for manipulating the time-stamps of virtualized clock sources when standard instructions are used, we have developed timing methods that are difficult for the hypervisor to manipulate. ECR requires no special software, as the package is built to require the minimum possible number of dependencies and relies only on standard administrator rights in the VM it runs in.

Tomasz Tuzel

Tomasz has been a security researcher for over six years, having spent the first five at the Department of Defense, followed by Assured Information Security, Inc. He has primarily specialized in low-level security research.

