DeepSec 2018 Talk: Who Watches the Watcher? Detecting Hypervisor Introspection from Unprivileged Guests – Tomasz Tuzel
Over the last decade we have seen a rapid rise in virtualization-based tools in which a hypervisor is used to gain insight into the runtime execution of a system. With these advances in introspection techniques, it is no longer a question of whether a hypervisor can be used to peek inside or even manipulate the VMs it executes. Thus, how can we trust that a hypervisor deployed by a cloud provider will respect the privacy of their customers? While there are hardware-based protection mechanisms with the goal of guaranteeing data privacy even in the presence of such an “introspecting” hypervisor, there are currently no tools that can check whether the hypervisor is introspecting when it shouldn’t. We have developed a software package that analyzes instructions and memory accesses on an unprivileged guest system which