DeepSec 2018 Talk: Who Watches the Watcher? Detecting Hypervisor Introspection from Unprivileged Guests – Tomasz Tuzel
Over the last decade we have seen a rapid rise in virtualization-based tools in which a hypervisor is used to gain insight into the runtime execution of a system. With these advances in introspection techniques, it is no longer a question of whether a hypervisor can be used to peek inside or even manipulate the VMs it executes. Thus, how can we trust that a hypervisor deployed by a cloud provider will respect the privacy of their customers?
While there are hardware-based protection mechanisms with the goal of guaranteeing data privacy even in the presence of such an “introspecting” hypervisor, there are currently no tools that can check whether the hypervisor is introspecting when it shouldn’t.
We have developed a software package that analyzes instructions and memory accesses on an unprivileged guest system which has been deployed onto a hypervisor to determine the potential presence (or lack) of introspection. These techniques are developed to examine properties of modern x86 systems, such as cache-based memory access timing and privileged instruction benchmarking to examine the behaviour of the hypervisor. Moreover, we have developed timing methods such as thread racing to determine whether a hypervisor is monitoring regions of memory or hooking instructions.
Tomasz has been a security researcher for over seven years, having spent the first five at the Department of Defense, followed by Assured Information Security, Inc. He has primarily specialized in low-level security research.