Article ID | Journal | Published Year | Pages | File Type |
---|---|---|---|---|
6884387 | Digital Investigation | 2018 | 9 Pages |
Abstract
We present research on the limitations of detecting atypical activity by a hypervisor from the perspective of a guest domain. Individual instructions which have virtual machine exiting capability were evaluated, using wall timing and kernel thread racing as metrics. Cache-based memory access timing is performed with the Flush + Reload technique. Analysis of the potential methods for detecting non-temporal memory accesses is also discussed. It is found that a guest domain can use these techniques to reliably determine whether instructions or memory regions are being accessed in a manner that deviates from normal hypervisor behavior.
Related Topics
Physical Sciences and Engineering
Computer Science
Computer Networks and Communications
Authors
Tomasz Tuzel, Mark Bridgman, Joshua Zepf, Tamas K. Lengyel, K.J. Temkin