Friday, April 27 • 13:00 - 13:45
Who Watches the Watcher? Detecting Hypervisor Introspection from Unprivileged Guests

Over the last decade we have seen a rapid rise in virtualization-based tools in which a hypervisor is used to gain insight into the runtime execution of a system. With these advances in introspection techniques, it is no longer a question of whether a hypervisor can be used to peek inside, or even manipulate, the VMs it executes. How, then, can we trust that a hypervisor deployed by a cloud provider will respect the privacy of its customers?

While there are hardware-based protection mechanisms with the goal of guaranteeing data privacy even in the presence of such an "introspecting" hypervisor, there are currently no tools that can check whether the hypervisor is introspecting when it shouldn't.

We have developed a software package that analyzes instructions and memory accesses from within an unprivileged guest system deployed on a hypervisor, in order to determine the potential presence (or absence) of introspection. These techniques examine properties of modern x86 systems, such as cache-based memory access timing and privileged instruction benchmarking, to characterize the behavior of the hypervisor. Moreover, we have developed timing methods such as thread racing to determine whether a hypervisor is monitoring regions of memory or hooking instructions.

Tomasz Tuzel

Security Researcher, Assured Information Security Inc.
Tomasz has been a security researcher for over six years, having spent the first five at the Department of Defense, followed by Assured Information Security, Inc. He has primarily specialized in low-level security research.

Friday April 27, 2018 13:00 - 13:45
Track 2 - Room A1