DeepSec 2016 Talk: Malicious Hypervisor Threat – Phase Two: How to Catch the Hypervisor – Mikhail A. Utin

The blue/red pill analogy has been used a lot when it comes to hypervisor security and virtualisation. While there are reliable ways to determine if your code runs in a hypervisor or not, the underlying problem still persists. How do you know if the platform your code runs on watches every single move, i.e. instruction or data? Given the discussion of backdoors in hardware, this threat is real. Mikhail Utin discussed his findings at DeepSec 2014. He discovered manipulation of the BIOS in certain server systems. The hardware was probably affected, too. Two years later he presents his research covering the detection of malicious hypervisors in parts of your infrastructure where they should not be.

Utilizing the definition of vulnerability as “inability to resist a threat” we want to update our consideration of three vulnerabilities analyzed in our 2014 DeepSec presentation about “technology inflicted vulnerabilities”. These vulnerabilities are caused by missing security components while designing virtualization technology (VT) support and IPMI. We would like to share our experience while discussing the vulnerabilities and combined threats in question.

We believe that at least one Malicious Hypervisor exits and is possibly in use. And what’s more, we cannot control the underground exploitation of software development. An MH attack may happen any time.The first level of addressing the Malicious Hypervisor threat is its discovery. Various ideas we analyzed did not deliver the quality and speed necessary for its identification. Thus we developed our own methods and software and would like to present to the audience some of our findings and results. We hope that it will encourage the security community to continue our joint efforts to address virtualisation and IPMI threats.

Make no mistake, the threat is real. This is not an academic attack. It has been found in the wild, and it is being used as of now. The research around this attack vector is quite new. You are welcome to contribute and discuss Mikhail’s results. DeepSec is also interested in hearing more about compromised infrastructure, hard-to-explain anomalies, and stealthy methods. We recommend this talk to anyone relying on computing infrastructure for any reasons.


Mikhail A. Utin completed his basic engineering education in 1975 in Computer Science and Electrical Engineering. His career in Russia included working for several research and engineering organizations. Doctorate / PhD in Computer Science (1988) from the then called Academy of Science of the USSR. In 1988 he founded and until 1990 leaded an information technology company and successfully worked in the emerging private sector of Russia. Mikhail held several USSR patents and published numerous articles.

He migrated to the US with his family in 1990 to escape from political turmoil, hoping to continue his professional career. In the US he worked for numerous companies and organizations in information technology and information security fields including contract work for the US government DoN and DoT. Together with colleagues Mikhail formed the private company Rubos, Inc. for IT security consulting and research in 1998 and worked as a (ISC)2 certified professional for 9 years. He published articles on the Internet and in professional journals, and is a reviewer of articles submitted to the (ISC)2 Information Security Journal: A Global Perspective.
His current research focuses on information security governance, regulations and management, and the relationship between regulations, technology, business activities and businesses’ security status. Most of his research is pioneering work and an exploration of complex security problems outside of information securitys mainstream or on problems considered impossible to resolve.

Tags: , , , ,

2 Responses to "DeepSec 2016 Talk: Malicious Hypervisor Threat – Phase Two: How to Catch the Hypervisor – Mikhail A. Utin"