Authors: Tomasz Tuzel, Mark Bridgman, Joshua Zepf
DFRWS USA 2018
Abstract
We present research on the limitations of detecting atypical activity by a hypervisor from the perspective of a guest domain. Individual instructions which have virtual machine exiting capability were evaluated, using wall timing and kernel thread racing as metrics. Cache-based memory access timing is performed with the Flush+Reload technique. Analysis of the potential methods for detecting non-temporal memory accesses is also discussed. It is found that a guest domain can use these techniques to reliably determine whether instructions or memory regions are being accessed in a manner that deviates from normal hypervisor behavior.