Who Watches the Watcher? Detecting Hypervisor Introspection from Unprivileged Guests - Tomasz Tuzel Derbycon 2018 (Hacking Illustrated Series InfoSec Tutorial Videos)

Who Watches the Watcher? Detecting Hypervisor Introspection from Unprivileged Guests
Tomasz Tuzel
Derbycon 2018

Over the last decade we have seen a rapid rise in virtualization-based tools in which a hypervisor is used to gain insight into the runtime execution of a system. In its early days, using virtualization for such "introspection" was thought of only as a technique for developing stealthy rootkits. Today, a wide variety of security products use these techniques for services such as intrusion detection or malware analysis. With such rapid advances in introspection techniques, it is no longer a question of whether a hypervisor can be used to peek inside, or even manipulate, the VMs it executes. These advances raise the question: how can we trust that a hypervisor deployed by a cloud provider will respect the privacy of its customers? While there are hardware-based protection mechanisms that guarantee data privacy even in the presence of an introspecting hypervisor, there are no tools that can check whether the hypervisor is introspecting when it shouldn't - until now! We have developed Environmental Characterization and Response (ECR), a software package that analyzes instructions and memory accesses on an unprivileged guest system deployed onto a hypervisor. The package leverages a variety of metrics to determine the potential presence (or absence) of introspection. These techniques look at micro-architectural properties of modern x86 systems, such as cache-based memory access timing and privileged instruction benchmarking, to examine the behavior of the hypervisor. Since hypervisors are known to manipulate the timestamps of virtualized clock sources when standard instructions are used, we have developed timing methods that are difficult for the hypervisor to manipulate. ECR requires no special software: the package is built to require the minimum possible number of dependencies and relies only on standard administrator rights in the VM it runs in.
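An added example of the "privileged instruction benchmarking" idea above (my own code, not ECR's or the speaker's): on x86-64 it times CPUID, an instruction that VT-x and AMD-V hypervisors must intercept with a VM exit, against the cost of the timer itself, and takes the median over many samples. The function names are mine, the probe builds to a stub returning 0 on non-x86 targets, and the rdtscp-based timer is exactly the kind of virtualized clock source the abstract says a hypervisor can manipulate.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#ifdef __x86_64__
#include <cpuid.h>
#include <x86intrin.h>
#endif

/* TSC ticks around one CPUID (a VM exit under VT-x/AMD-V), or, with do_cpuid == 0,
 * around nothing, which measures the rdtscp pair itself. Returns 0 on non-x86 builds. */
static uint64_t probe(int do_cpuid) {
#ifdef __x86_64__
    unsigned a, b, c, d, aux;
    uint64_t t0 = __rdtscp(&aux);                  /* waits for prior instructions */
    if (do_cpuid) { __cpuid(0, a, b, c, d); }      /* traps to the hypervisor, if any */
    else { __asm__ volatile("" ::: "memory"); }
    uint64_t t1 = __rdtscp(&aux);                  /* CPUID serializes, so t1 is after it */
    return t1 - t0;
#else
    (void)do_cpuid;
    return 0;
#endif
}

static int cmp_u64(const void *x, const void *y) {
    uint64_t a = *(const uint64_t *)x, b = *(const uint64_t *)y;
    return (a > b) - (a < b);
}
/* Median of n samples, sorted in place: robust to the interrupt and scheduling
 * spikes that drag a mean upward. Returns 0 for an empty input. */
uint64_t median_of(uint64_t *s, size_t n) {
    if (n == 0) return 0;
    qsort(s, n, sizeof *s, cmp_u64);
    return s[n / 2];
}

/* Runs the probe n times (capped at 4096) and returns the median tick count. */
uint64_t median_ticks(int do_cpuid, size_t n) {
    static uint64_t buf[4096];
    if (n > 4096) n = 4096;
    for (size_t i = 0; i < n; i++) buf[i] = probe(do_cpuid);
    return median_of(buf, n);
}

int main(void) {
    uint64_t base = median_ticks(0, 2000), cp = median_ticks(1, 2000);
    printf("rdtscp pair: %llu ticks, CPUID: %llu ticks\n", (unsigned long long)base, (unsigned long long)cp);
    /* Caveat from the talk: a hypervisor can offset or scale the guest TSC, so a small CPUID cost alone proves nothing. */
    return 0;
}
```

A CPUID median in the thousands of ticks against a pair cost in the tens is the usual signature of a trapping hypervisor; the talk's point is that this TSC-based clock is itself under the hypervisor's control, which is why ECR builds timers that are harder to tamper with.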

Tomasz has been a security researcher for over six years, having spent the first five at the Department of Defense, followed by Assured Information Security, Inc. He has primarily specialized in low-level security research.



Copyright 2020, IronGeek
Louisville / Kentuckiana Information Security Enthusiast