The Association of Digital Forensics, Security and Law (ADFSL)
Hardware virtualization technologies play a significant role in cyber security. On the one hand these technologies enhance security levels, by designing a trusted operating system. On the other hand these technologies can be taken up into modern malware which is rather hard to detect. None of the existing methods is able to efficiently detect a hypervisor in the face of countermeasures such as time cheating, temporary self uninstalling, memory hiding etc. New hypervisor detection methods which will be described in this paper can detect a hypervisor under these countermeasures and even count several nested ones. These novel approaches rely on the new statistical analysis of time discrepancies by examination of a set of instructions, which are unconditionally intercepted by a hypervisor. Reliability was achieved through the comprehensive analysis of the collected data despite its fluctuation. These offered methods were comprehensively assessed in both Intel and AMD CPUs.
Absolute Software (2014). Theft Recovery Software for Laptops, Mac, Smartphones and Tablets–Absolute Lojack. Retrieved on October 12, 2014, from http://lojack.absolute.com/en/products/ab solute-lojack
Accord. (2010). Trusted Startup Hardware Module. Retrieved on October 12, 2014, from http://www.okbsapr.ru/akk_amdz_en.ht ml
AMD. (2011). Revision Guide for AMD NPT Family 0Fh Processors. Technical Report, Publication Number 33610, Revision 3.48.
AMD. (2013). AMD64 Architecture Programmer’s Manual Volume 2: System Programming. Technical Report, Publication Number 24593, Revision 3.23.
Athreya, B. (2010, August). Subverting Linux On-The-Fly Using Hardware Virtualization Technology (Master’s thesis). Georgia Institute of Technology. Atlanta, GA, USA. Retrieved on October 12, 2014, from https://smartech.gatech.edu/handle/1853/ 34844
Barbosa, E. (2007). Detecting of Hardware Virtualization Rootkits. Paper presented at the Symposium on Security for Asia Network (SyScan), Singapore.
Barrett, D., & Kipper, G. (2010). Virtualization and Forensics: A Digital Forensic Investigator’s Guide to Virtual Environments. Amsterdam, Netherlands: Syngress/Elsevier.
Berger, S., Caceres, R., Goldman, K., Perez, R., Sailer, R., & Doorn, L. (2006, July 31 - August 4). vTPM: Virtualizing the Trusted Platform Module. Proceedings of the 15th conference on USENIX Security Symposium (USENIX-SS), 305- 320, Vancouver, BC, Canada.
Ben-Yehuda, M., Day, M., Dubitzky, Z., Factor, M., HarEl, N., Gordon, A., Liguori, A., Wasserman, O., & Yassour, B. (2010, October 4-6). The Turtles Project: Design and Implementation of Nested Virtualization. Proceedings of the 9th USENIX conference on Operating Systems Design and Implementation (OSDI), 423- 436, Vancouver, BC, Canada.
Ben-Yehuda, M. (2013). Machine Virtualization: Efficient Hypervisors, Stealthy Malware. Muli Ben-Yehuda Homepage. Retrieved on October 12, 2014, from http://www.mulix.org/lectures/vmsecurity /vmsec-cyberday13.pdf
Blunden, B. (2012). The Rootkit arsenal: Escape and evasion in the dark corners of the system. (2nd ed.). Burlington, MA: Jones & Bartlett Publishers.
BluePillStudy. (2010). Learn the Open Source of Blue Pill Project. Project Hosting on Google Code. Retrieved on October 12, 2014, from https://code.google.com/p/bluepillstudy
Brossard, J., & Demetrescu, F. (2012, April). Hardware Backdooring is Practical, Proceedings of the Hackito Ergo Sum (HES), Paris, France.
Bulygin, Y. (2008, April). CPU Side-channels vs. Virtualization Malware: The Good, the Bad, or the Ugly. Proceedings of the ToorCon. Seattle, WA, USA.
Bulygin, Y., & Samyde, D. (2008, August). Chipset Based Approach to Detect Virtualization Malware a.k.a. DeepWatch. Proceedings of the Black Hat Security Conference, Las Vegas, NV, USA.
Bulygin, Y., Loucaides, J., Furtak, A., Bazhaniuk, O., & Matrosov, A. (2014, August). Summary of Attacks against BIOS and Secure Boot. Proceedings of the DefCon, Las Vegas, NV, USA.
Coreboot. (2014). Retrieved on October 12, 2014, from www.coreboot.org
Dai Zovi, D. (2006). Hardware Virtualization- Based Rootkits. Proceedings of the Black Hat Security Conference, Las Vegas, NV, USA.
Derock, A. (2009, October 28-30). HVM Virtual Machine Monitor, a Powerful Concept for Forensic and Anti-Forensic. Paper presented at the Hack.lu conference, Luxembourg.
Desnos, A., Filiol, E., & Lefou, I. (2011). Detecting (and creating !) a HVM rootkit (aka BluePill-like). Journal in Computer Virology, 7(1), 23-50. http://dx.doi.org/10.1007/s11416-009-0130- 8
Duflot, L., Etiemble, D., & Grumelard, O. (2006, April). Using CPU System Management Mode to Circumvent Operating System Security Functions. Proceedings of the CanSecWest Applied Security Conference, Paris, France.
Embleton, S. (2007). The VMM framework. Hacker Tools. Retrieved on October 12, 2014, from http://www.mobile- download.net/tools/software/vmxcpu.rar
Embleton, S., Sparks, S., & Zou, C. (2008, September 22-25). SMM Rootkits: A New Breed of OS Independent Malware. Proceedings of the 4th International Conference on Security and Privacy in Communication Networks (SecureComm). Istanbul, Turkey.
Fannon, C. (2014, June). An Analysis of Hardware-assisted Virtual Machine based Rootkits. (Master’s thesis) Naval Postgraduate School. Monterey, CA, USA. Retrieved on October 12, 2014, from http://hdl.handle.net/10945/42621
Fisher-Ogden, J. (2006). Hardware Support for Efficient Virtualization. Technical report, University of California. San Diego, CA, USA. Retrieved on October 12, 2014, from http://cseweb.ucsd.edu/~jfisherogden/hard wareVirt.pdf
Fog, A. (2014). Lists of Instruction Latencies, Throughputs and Micro Operation Breakdowns for Intel, AMD and VIA CPUs. Agner Fog Homepage. Retrieved on October 12, 2014, from http://www.agner.org/optimize/instruction _tables.pdf
Fritsch, H. (2008, August). Analysis and Detection of Virtualization-based Rootkits. Master’s thesis, Technical University of Munich, Germany. Retrieved on October 12, 2014, from http://www.nm.ifi.lmu.de/pub/Fopras/frit 08/PDF-Version/frit08.pdf
Gabris, F. (2009, August 22). Turning off Hypervisor and Resuming OS in 100 Instructions, Paper presented at the Fasm Conference (Fasm Con). Myjava, Slovak Republic.
Garfinkel, T., Adams, K., Warfield, A., & Franklin, J. (2007). Compatibility is Not Transparency: VMM Detection Myths and Realities. Paper presented at the 11th USENIX Workshop on Hot Topics in Operating Systems (HotOS). Berkeley, CA, USA.
Graziano, M., Lanzi, A., & Balzarotti, D. (2013, October 23-25). Hypervisor Memory Forensics, Proceedings of the 16th International Symposium Research in Attacks, Intrusions, and Defenses (RAID), 21-40, Rodney Bay, Saint Lucia. http://dx.doi.org/10.1007/978-3-642-41284- 4_2
Intel. (1998). Using the RDTSC Instruction for Performance Monitoring. Carleton Computer Security Lab (CCSL). Retrieved on October 12, 2014, from http://www.ccsl.carleton.ca/~jamuir/rdtsc pm1.pdf
Intel. (2014, September). Intel 64 and IA-32 Architectures Software Developer’s Manual Volume 3C: System Programming Guide, Part 3, Order Number: 326019-052US.
ISO 5725 (2004). Accuracy (Trueness and Precision) of Measurement Methods and Results, Parts 1-6.
Jian, N., Huaimin, W., Shize, G., & Bo, L. (2010). CBD: A Counter-Based Detection Method for VMM in Hardware Virtualization Technology. Proceedings of the First International Conference on Pervasive Computing, Signal Processing and Applications (PCSPA). Harbin, China. http://dx.doi.org/10.1109/pcspa.2010.92
Kovah, X., Kallenberg, C., Butterworth, J., & Cornwell, S. (2014, September 24). Into the Unknown: How to Detect BIOS-level Attackers. Paper presented at the 24th Virus Bulletin International Conference (VB2014), Seattle, WA, USA.
Korkin, I., & Nesterov I., (2014, May 28-29). Applying Memory Forensics to Rootkit Detection. Paper presented at the Proceedings of the 9th annual Conference on Digital Forensics, Security and Law (CDFSL), 115-141, Richmond, VA, USA.
Korkin, I. (2012, July 12). Hypervisor Detection in Symantec Endpoint Protection. Retrieved on October 12, 2014, from http://igorkorkin.blogspot.ru/2012/07/hyp ervisor-detection-in-symantec.html
Korkin, I. (2014). Hypervisor Detection Platform. Retrieved on October 12, 2014, from http://sites.google.com/site/iykorkin/hdp.z ip
Kornfeld, M. (1965, March). Accuracy and Reliability of a Simple Experiment. (in Russian) 85(3), Number UFN 85 533–542, 533-542, Retrieved on October 12, 2014, from http://ufn.ru/ufn65/ufn65_3/Russian/r65 3e.pdf
Kyte, I., Zavarsky, P., Lindskog, D., & Ruhl, R. (2012, June 10-12). Detection of Hardware Virtualization Based Rootkits by Performance Benchmarking. Concordia University College of Alberta. Retrieved on October 12, 2014, from http://infosec.concordia.ab.ca/files/2012/0 4/2011Kyte.pdf
Kyte, I., Zavarsky, P., Lindskog, D., & Ruhl, R. (2012, January). Enhanced side-channel analysis method to detect hardware virtualization based rootkits. Proceedings of the World Congress on Internet Security (WorldCIS), 192-201, Guelph, ON, Canada.
Lakshminarayanan, K., Patel, K., Robinson, D., & Soulami, T. (2012). U.S. Patent No. 8,205,241 B2. Washington, DC: U.S. Patent and Trademark Office.
Li, H., Zhu, J., Zhou T., & Wang, Q. (2011, May 27-29). A new Mechanism for Preventing HVM-Aware Malware. Proceedings of the 3rd International Conference on Communication Software and Networks (ICCSN), 163-167, Shaanxi, China, http://dx.doi.org/10.1109/ICCSN.2011.601 4696
McAfee. (2012). Root out Rootkits: An Inside Look at McAfee Deep Defender. Intel. Retrieved on October 12, 2014, from http://www.intel.com/content/dam/www/ public/us/en/documents/white- papers/mcafee-deep-defender-deepsafe- rootkit-protection-paper.pdf
Microsoft. (2013, August 8) Hypervisor Top- Level Functional Specification: Windows Server 2012 R2. Released Version 4.0a.
Medley, D. (2007, March). Virtualization Technology Applied to Rootkit Defense. Master’s thesis, AFIT/GCE/ENG/07-08, Wright-Patterson Air Force Base, OH, USA, Accession Number ADA469494.
Morabito, D. (2012, June). Detecting Hardware-Assisted Hypervisor Rootkits within Nested Virtualized Environments. Master’s thesis, AFIT/GCO/ENG/12-20, Wright-Patterson Air Force Base, OH, USA, Accession Number ADA563168.
Muchychka, A. (2013). Lenovo IdeaPad B560: How to Flash KBC BIOS. Hardware Today. Retrieved on October 12, 2014, from http://hardware- today.com/articles/notebooks/lenovo_idea pad_b560_how_to_flash_kbc_bios_reas ons_no_power_led_indicators_don_t_w ork
Myers, M., & Youndt, S. (2007 Aug). An Introduction to Hardware-Assisted Virtual Machine (HVM) Rootkits. Mega Security. Retrieved on October 12, 2014, from http://megasecurity.org/papers/hvmrootki ts.pdf
North Security Labs (2011). Blog. Retrieved on October 12, 2014, from http://northsecuritylabs.blogspot.ru/2011/ 11/greetings-to-all-we-have-great-news.html
Nohl, K., & Lell, J. (2014, August 2-7). BadUSB - On Accessories That Turn Evil, Proceedings of the Black Hat Security Conference, Las Vegas, NV, USA.
O'Neill, D. (2010) How to Detect Virtualization. Dave O'Neill Homepage. Retrieved on October 12, 2014, from http://www.dmo.ca/blog/detecting- virtualization-on-linux/
Park, J. (2013, October 30). A Study on Detection of Hacking and Malware Codes in Bare Metal Hypervisor for Virtualized Internal Environment of Cloud Service. International Journal of Computer Science and Network Security (IJCSNS), 13(10), 78-82.
Pek, G, & Buttyan, L. (2014, June 10-14). Towards the Automated Detection of Unknown Malware on Live Systems. Proceedings of the IEEE International Conference on Communications (ICC), 847-852, Sydney, NSW, Australia, http://dx.doi.org/10.1109/ICC.2014.688342 5
Ramos, J. (2009, December). Security Challenges with Virtualization. Master’s thesis, University of Lisbon, Portugal. Retrieved on October 12, 2014, from http://core.kmi.open.ac.uk/download/pdf/ 12424378.pdf
Rutkowska, J. (2006). Subverting Vista Kernel for Fun and Profit. Proceedings of the Symposium on Security for Asia Network (SyScan) & Black Hat Briefings, Singapore & Las Vegas, NV, USA.
Rutkowska, J., & Tereshkin, A. (2007). IsGameOver(), Anyone? Proceedings of the Black Hat Security Conference, Las Vegas, NV, USA.
Rutkowska, J., & Tereshkin, A. (2008, August). Bluepilling the Xen Hypervisor. Proceedings of the Black Hat Security Conference, Las Vegas, NV, USA.
Strelen, J. (2004, December 5-8). The Accuracy of a New Confidence Interval Method. Proceedings of the Winter Simulation Conference. Washington, DC, USA, 654-662, http://dx.doi.org/10.1109/WSC.2004.13713 73
TianoCore. (2014). Retrieved on October 12, 2014, from http://tianocore.github.io/
Tichonov, A., & Avetisyan, A. (2011). Development of Taint-analysis Methods to Solve the Problem of Searching of Undeclared Features. Proceedings of the Institute for System Programming of Russian Academy of Sciences (ISPRAS), 20, 9-24, Moscow, Russia.
The SciPy Community. (2009). Calculate the First Order Difference. SciPy developers. Retrieved on October 12, 2014, from http://docs.scipy.org/doc/numpy/reference /generated/numpy.diff.html
The Xen Project. (2014). Retrieved on October 12, 2014, from http://www.xenproject.org/
Utin, M. (2014, November 20-21). A Myth or Reality – BIOS-based Hypervisor Threat. Proceedings of the In-Depth Security Conference (DeepSec), Vienna, Austria.
Vectorization (mathematics). (2014). In Wikipedia. Retrieved on October 12, 2014, from http://en.wikipedia.org/wiki/Vectorization _(mathematics)
Wailly, A. (2013, June 20). Malware vs Virtualization: The Endless Cat and Mouse Play. Proceedings of the Hack in Paris (HIP) Conference. Paris, France. Retrieved on October 12, 2014, from http://aurelien.wail.ly/publications/hip- 2013-slides.html
Wang, Z., & Jiang, X. (2010, May 16-19). HyperSafe: A Lightweight Approach to Provide Lifetime Hypervisor Control-Flow Integrity. Proceedings of the 31st IEEE Symposium on Security and Privacy (SP). Oakland, CA, USA, 380-395. http://dx.doi.org/10.1109/SP.2010.30
Wojtczuk, R., & Rutkowska, J. (2009, February 18-19). Attacking Intel Trusted Execution Technology. Proceedings of the Black Hat Security Conference, Washington DC, USA.
Wojtczuk, R., Rutkowska, J., & Tereshkin, A. (2009, December). Another Way to Circumvent Intel Trusted Execution Technology. Retrieved on October 12, 2014, from http://invisiblethingslab.com/resources/mi sc09/Another TXT Attack.pdf
Zmudzinski, K. (2009). U.S. Patent No. US20090172229 A1. Washington, DC: U.S. Patent and Trademark Office.
"Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluctuations,"
Journal of Digital Forensics, Security and Law: Vol. 10
, Article 2.
Available at: http://commons.erau.edu/jdfsl/vol10/iss2/2