This paper was selected as one of the best papers of the 10th ADFSL Conference 2015 conference.adfsl.org and it will be published in the Journal of Digital Forensics, Security and Law (JDFSL)!
Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluctuations from Igor Korkin
Hardware virtualization technologies play a significant role in cyber security. On the one hand these technologies enhance security levels, by designing a trusted operating system. On the other hand these technologies can be taken up into modern malware which is rather hard to detect. None of the existing methods is able to efficiently detect a hypervisor in the face of countermeasures such as time cheating, temporary self-uninstalling, memory hiding etc. New hypervisor detection methods which will be described in this paper can detect a hypervisor under these countermeasures and even count several nested ones. These novel approaches rely on the new statistical analysis of time discrepancies by examination of a set of instructions, which are unconditionally intercepted by a hypervisor. Reliability was achieved through the comprehensive analysis of the collected data despite its fluctuation. These offered methods were comprehensively assessed in both Intel and AMD CPUs.
- Authors version - paper.pdf
- Proceeding version - proceedings.adfsl.org
- Journal version - ojs.jdfsl.org
- slides.pptx with comments
- slides.pdf & speech.pdf
- source code on GitHub
- Demo on YouTube
|Korkin, I. (2015, May 18-21). Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluctuations. Paper presented at the Proceedings of the 10th Annual Conference on Digital Forensics, Security and Law (CDFSL), 33-57, Embry-Riddle Aeronautical University, Daytona Beach, Florida, USA. Retrieved from proceedings.adfsl.org/index.php/CDFSL/article/view/128/125|
|Korkin, I. (2015, September). Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluctuations. Journal of Digital Forensics, Security and Law, Vol 10, No 2, pp 7-38. Retrieved from ojs.jdfsl.org/index.php/jdfsl/article/view/337|