January 12, 2012

Strong approach to hardware-VM rootkits detection

Relying on a Trusted Platform Module (TPM) cannot save the situation, since the VMM can emulate the TPM. The fact that a malicious VMM can be loaded from the BIOS and survive BIOS firmware updates aggravates the situation.
This paper is about a new approach to hardware-assisted virtual machine rootkit detection that can also detect nested VMMs. The method is based on the fact that the execution time of unconditionally intercepted instructions is a random value which depends on the processor model and on whether a VMM is present. If a VMM is present, the mean and the variability of the execution time of unconditionally intercepted instructions are generally larger than without a VMM. Limitations of the method's application are given.
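As an added illustration of the measurement the abstract describes (not code from the dissertation or the article), the following C program times repeated executions of CPUID, an unconditionally intercepted instruction under hardware virtualization, with the time-stamp counter and reports the sample mean and variance. The number of samples is an arbitrary choice, a per-processor-model baseline for comparison is assumed to be established separately, and RDTSC itself can be intercepted by a VMM, which is one of the limitations such a method has to account for.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>   /* __rdtsc() */
#include <cpuid.h>       /* __cpuid() */
#endif

/* Sample statistics of cycle counts: mean and (population) variance.
 * Variance stands in for the "variability" the abstract refers to. */
typedef struct { double mean; double variance; } stats_t;

stats_t timing_stats(const uint64_t *samples, size_t n) {
    stats_t s = {0.0, 0.0};
    if (n == 0) return s;                       /* no samples: empty result */
    double sum = 0.0;
    for (size_t i = 0; i < n; i++) sum += (double)samples[i];
    s.mean = sum / (double)n;
    double sq = 0.0;
    for (size_t i = 0; i < n; i++) {
        double d = (double)samples[i] - s.mean;
        sq += d * d;
    }
    s.variance = sq / (double)n;
    return s;
}

/* Time n executions of CPUID with RDTSC. CPUID always causes a VM exit
 * under VT-x/AMD-V, so each sample includes the round trip through any
 * VMM that is present. Returns the number of samples, 0 on non-x86 builds. */
size_t measure_cpuid_cycles(uint64_t *out, size_t n) {
#if defined(__x86_64__) || defined(__i386__)
    for (size_t i = 0; i < n; i++) {
        unsigned a, b, c, d;
        uint64_t t0 = __rdtsc();
        __cpuid(0, a, b, c, d);                 /* leaf 0: vendor string */
        uint64_t t1 = __rdtsc();
        out[i] = t1 - t0;
    }
    return n;
#else
    (void)out; (void)n;
    return 0;
#endif
}

int main(void) {
    uint64_t buf[1000];                         /* sample count is arbitrary */
    size_t n = measure_cpuid_cycles(buf, sizeof buf / sizeof buf[0]);
    stats_t st = timing_stats(buf, n);
    printf("samples=%zu mean=%.1f variance=%.1f cycles\n", n, st.mean, st.variance);
    return 0;
}
```

Compare the reported mean and variance against a baseline measured on the same processor model with no VMM loaded; a clearly larger mean and variance is the signal the abstract describes.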
This article is a translation of my dissertation abstract into English and it was published in Hakin9 Extra Magazine, English Edition, Issue 6/2011 (6) ISSN 1733-7186, November 2011.