Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluctuations
Igor Korkin

TL;DR
This paper introduces new statistical methods for detecting stealthy hypervisors that evade existing detection techniques through time cheating and data fluctuations, effective on Intel and AMD CPUs.
Contribution
The paper proposes novel detection techniques based on statistical analysis of instruction timing discrepancies that can identify hypervisors under various countermeasures and nested levels.
Findings
Effective detection of hypervisors under time cheating countermeasures
Ability to detect multiple nested hypervisors
Validated methods on Intel and AMD CPUs
Abstract
Hardware virtualization technologies play a significant role in cyber security. On the one hand, these technologies enhance security levels by making it possible to design a trusted operating system. On the other hand, these technologies can be taken up by modern malware, which is then rather hard to detect. None of the existing methods is able to efficiently detect a hypervisor in the face of countermeasures such as time cheating, temporary self-uninstalling, memory hiding, etc. The new hypervisor detection methods described in this paper can detect a hypervisor under these countermeasures and even count several nested ones. These novel approaches rely on a new statistical analysis of the time discrepancies observed when executing a set of instructions that are unconditionally intercepted by a hypervisor. Reliability was achieved through the comprehensive analysis of the collected data despite its…
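The abstract describes the measurement at a high level: time an instruction that every hypervisor must intercept, then analyse the collected samples statistically rather than trusting any single reading. The following is an added C example, not code from the paper or its author, that times CPUID (an unconditional VM-exit cause on both Intel VT-x and AMD-V) with RDTSC and summarises the samples with a median and a median absolute deviation, which are robust to the interrupt- and SMI-induced outliers that distort a plain mean. The sample count, the decision rule in `looks_virtualized` and its thresholds are illustrative assumptions, not values from the paper; on non-x86 builds the timing routine returns 0 so the statistics still compile.

```c
// Added example: CPUID round-trip timing plus robust statistics.
// Assumptions (not from the paper): 2000 samples, median/MAD summary,
// and the illustrative thresholds used in main().
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>   /* __rdtsc */
#include <cpuid.h>       /* __cpuid */
#define HAVE_X86 1
#else
#define HAVE_X86 0
#endif

#define SAMPLES 2000

/* Cycle cost of one CPUID (leaf 0). CPUID is serializing, so no extra
   fences are needed around it. Returns 0 on non-x86 builds. */
static uint64_t time_cpuid_once(void) {
#if HAVE_X86
    unsigned a, b, c, d;
    uint64_t t0 = __rdtsc();
    __cpuid(0, a, b, c, d);
    uint64_t t1 = __rdtsc();
    return t1 - t0;
#else
    return 0;
#endif
}

static int cmp_u64(const void *x, const void *y) {
    uint64_t a = *(const uint64_t *)x, b = *(const uint64_t *)y;
    return (a > b) - (a < b);
}

/* Median of n samples; works on a sorted copy so the caller's order survives. */
uint64_t median_u64(const uint64_t *v, size_t n) {
    uint64_t *tmp = malloc(n * sizeof *tmp);
    memcpy(tmp, v, n * sizeof *tmp);
    qsort(tmp, n, sizeof *tmp, cmp_u64);
    uint64_t m = (n % 2) ? tmp[n / 2] : (tmp[n / 2 - 1] + tmp[n / 2]) / 2;
    free(tmp);
    return m;
}

/* Median absolute deviation: a spread estimate that a handful of huge
   outliers (interrupts, SMIs, context switches) cannot inflate. */
uint64_t mad_u64(const uint64_t *v, size_t n) {
    uint64_t m = median_u64(v, n);
    uint64_t *dev = malloc(n * sizeof *dev);
    for (size_t i = 0; i < n; i++)
        dev[i] = v[i] > m ? v[i] - m : m - v[i];
    uint64_t r = median_u64(dev, n);
    free(dev);
    return r;
}

/* Illustrative decision rule (assumption): flag when the typical CPUID cost
   is far above bare-metal levels, or when the spread is abnormally wide.
   Looking at spread as well as level is one way to keep a signal when a
   hypervisor rewrites the TSC to hide the exit latency. */
int looks_virtualized(uint64_t median_cycles, uint64_t mad_cycles,
                      uint64_t median_threshold, uint64_t mad_threshold) {
    return median_cycles > median_threshold || mad_cycles > mad_threshold;
}

int main(void) {
    static uint64_t samples[SAMPLES];
    for (size_t i = 0; i < SAMPLES; i++)
        samples[i] = time_cpuid_once();

    uint64_t med = median_u64(samples, SAMPLES);
    uint64_t mad = mad_u64(samples, SAMPLES);
    /* Thresholds below are placeholders for calibration on known bare metal. */
    int flagged = looks_virtualized(med, mad, 1000, 200);

    printf("CPUID cycles: median=%llu mad=%llu -> %s\n",
           (unsigned long long)med, (unsigned long long)mad,
           flagged ? "hypervisor suspected" : "no hypervisor signal");
    return 0;
}
```

Calibrate the thresholds against a known bare-metal host before trusting the verdict: the paper's point is that a single reading is unreliable, so the statistics over a large sample set, not the raw cycle count, carry the decision.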
Taxonomy
Topics: Physical Unclonable Functions (PUFs) and Hardware Security · Security and Verification in Computing · Advanced Malware Detection Techniques
