0309, 2018

DeepSec 2018 Talk: Who Watches the Watcher? Detecting Hypervisor Introspection from Unprivileged Guests – Tomasz Tuzel

Sanna/ September 3, 2018/ Conference, Development, Security

Over the last decade we have seen a rapid rise in virtualization-based tools in which a hypervisor is used to gain insight into the runtime execution of a system. With these advances in introspection techniques, it is no longer a question of whether a hypervisor can be used to peek inside or even manipulate the VMs it executes. Thus, how can we trust that a hypervisor deployed by a cloud provider will respect the privacy of their customers? While there are hardware-based protection mechanisms with the goal of guaranteeing data privacy even in the presence of such an “introspecting” hypervisor, there are currently no tools that can check whether the hypervisor is introspecting when it shouldn’t. We have developed a software package that analyzes instructions and memory accesses on an unprivileged guest system which

Read More

2209, 2016

DeepSec 2016 Talk: Malicious Hypervisor Threat – Phase Two: How to Catch the Hypervisor – Mikhail A. Utin

Sanna/ September 22, 2016/ Conference, Security

The blue/red pill analogy has been used a lot when it comes to hypervisor security and virtualisation. While there are reliable ways to determine if your code runs in a hypervisor or not, the underlying problem still persists. How do you know if the platform your code runs on watches every single move, i.e. instruction or data? Given the discussion of backdoors in hardware, this threat is real. Mikhail Utin discussed his findings at DeepSec 2014. He discovered manipulation of the BIOS in certain server systems. The hardware was probably affected, too. Two years later he presents his research covering the detection of malicious hypervisors in parts of your infrastructure where they should not be. Utilizing the definition of vulnerability as “inability to resist a threat” we want to update our consideration of three

Read More