Hypervisor Introspection: A Technique for Evading Passive Virtual Machine Monitoring
Gary Wang, Zachary J. Estrada, Cuong Pham, Zbigniew Kalbarczyk, and Ravishankar K. Iyer, University of Illinois at Urbana-Champaign
Security requirements in the cloud have led to the development of new monitoring techniques that can be broadly categorized as virtual machine introspection (VMI) techniques. VMI monitoring aims to provide high-fidelity monitoring while keeping the monitor secure by leveraging the isolation provided by virtualization. This work shows that not all hypervisor activity is hidden from the guest virtual machine (VM), and the guest VM can detect when the hypervisor performs an action on the guest VM, such as a VMI monitoring check. We call this technique hypervisor introspection and demonstrate how a malicious insider could utilize this technique to evade a passive VMI system.
USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.
BibTeX
@inproceedings {191958,
author = {Gary Wang and Zachary J. Estrada and Cuong Pham and Zbigniew Kalbarczyk and Ravishankar K. Iyer},
title = {Hypervisor Introspection: A Technique for Evading Passive Virtual Machine Monitoring},
booktitle = {9th USENIX Workshop on Offensive Technologies (WOOT 15)},
year = {2015},
address = {Washington, D.C.},
url = {https://www.usenix.org/conference/woot15/workshop-program/presentation/wang},
publisher = {USENIX Association},
month = aug
}
