Proposal / Submission Type: Peer Reviewed Paper
Location: Daytona Beach, Florida
Start Date: 19-5-2015 10:45 AM
Abstract
Hardware virtualization technologies play a significant role in cyber security. On the one hand, these technologies raise security levels by making it possible to design a trusted operating system. On the other hand, they can be incorporated into modern malware that is hard to detect. None of the existing methods can efficiently detect a hypervisor in the face of countermeasures such as time cheating, temporary self-uninstalling, and memory hiding. The new hypervisor detection methods described in this paper can detect a hypervisor under these countermeasures and can even count several nested ones. These approaches rely on a new statistical analysis of time discrepancies, obtained by examining a set of instructions that are unconditionally intercepted by a hypervisor. Reliability was achieved through comprehensive analysis of the collected data despite its fluctuation. The proposed methods were comprehensively assessed on both Intel and AMD CPUs.
Keywords: hypervisor threat, rootkit hypervisor, nested hypervisors, instruction execution time, statistics and data analysis, Blue Pill.
Scholarly Commons Citation
Korkin, Igor, "Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluctuations" (2015). Annual ADFSL Conference on Digital Forensics, Security and Law. 7.
https://commons.erau.edu/adfsl/2015/tuesday/7
Included in: Aviation Safety and Security Commons, Computer Law Commons, Defense and Security Studies Commons, Forensic Science and Technology Commons, Information Security Commons, National Security Law Commons, OS and Networks Commons, Other Computer Sciences Commons, Social Control, Law, Crime, and Deviance Commons
Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluctuations
Comments: Session Chair: Jigang Liu, Metropolitan State University