Statistical Approach to Detection of Hardware Virtualization Based Rootkits
There are many methods of detecting this type of malware, and as many ways to defeat them. In this paper I chose a detection method based on the time-stamp counter (TSC) and examined the ways to prevent this detection, such as modification of the TSC and Blue Chicken technology.
To develop ways of detecting a hypervisor, I mined and modeled CPU behaviour. I designed models (two directed multigraphs) of CPU behaviour for the cases where a hypervisor is present and where it is not. With the help of these models I discovered hidden relationships between the variability of the execution time of certain instructions in various CPU states. I suggest that statistical values such as the variance, the fourth moment and others can be used to detect a hypervisor, or several nested ones. Experimental verification of the models using the Kolmogorov criterion showed that at the 5% significance level the model data are consistent with the experimental data.
These statistical values grow when a hypervisor is installed. The hypervisor can modify only the mean values; it cannot change the variation values. I also took into account the lack of repeatability and reproducibility of the experimental results.
This method was implemented as a program and driver for Windows. The tool was successfully tested on various workstations, laptops and hypervisors.
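The measurement the abstract describes, written here as an added example (not the paper's own Windows tool): time CPUID with RDTSC, compute the variance and fourth central moment of the deltas, and check that a constant TSC offset, the kind a hypervisor can apply to hide its overhead, changes only the mean. It assumes an x86 build with the GCC/Clang `__rdtsc` and `__cpuid` intrinsics; the known-clean baseline to compare against and the Kolmogorov test are not included.

```c
#include <stdio.h>
#include <stdint.h>
#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>  /* __rdtsc */
#include <cpuid.h>      /* __cpuid macro */
#endif

typedef struct { double mean, var, m4; } tsc_stats;
/* Mean, variance and fourth central moment of TSC deltas, after subtracting the
 * constant `tsc_offset` a hypervisor might apply to hide its overhead (0 = raw). */
tsc_stats tsc_statistics(const uint64_t *d, size_t n, uint64_t tsc_offset) {
    tsc_stats s = {0.0, 0.0, 0.0};
    for (size_t i = 0; i < n; i++) s.mean += (double)(d[i] - tsc_offset);
    s.mean /= (double)n;
    for (size_t i = 0; i < n; i++) {
        double x = (double)(d[i] - tsc_offset) - s.mean;
        s.var += x * x / (double)n;
        s.m4 += x * x * x * x / (double)n;
    }
    return s;
}
/* Time CPUID, which always traps to a hypervisor, n times. Returns the number of
 * samples taken: 0 when built for a non-x86 target, which has no TSC. */
size_t collect_cpuid_deltas(uint64_t *out, size_t n) {
#if defined(__x86_64__) || defined(__i386__)
    for (size_t i = 0; i < n; i++) {
        unsigned a, b, c, d;
        uint64_t t0 = __rdtsc();
        __cpuid(0, a, b, c, d);
        out[i] = __rdtsc() - t0; (void)(a | b | c | d);  /* outputs not needed */
    }
    return n;
#else
    (void)out; (void)n; return 0;
#endif
}
/* The paper's key claim in code: a constant TSC offset lowers the mean but leaves
 * variance and fourth moment untouched. Returns 1 when both survive the shift. */
int shift_preserves_variation(const uint64_t *d, size_t n, uint64_t offset) {
    tsc_stats a = tsc_statistics(d, n, 0), b = tsc_statistics(d, n, offset);
    double dv = a.var - b.var, dm = a.m4 - b.m4;  /* relative tolerance 1e-6 */
    return dv * dv <= 1e-12 * a.var * a.var && dm * dm <= 1e-12 * a.m4 * a.m4;
}
int main(void) {
    static uint64_t d[2000];
    if (collect_cpuid_deltas(d, 2000) == 0) { puts("no TSC on this build"); return 0; }
    tsc_stats s = tsc_statistics(d, 2000, 0);  /* compare with a known-clean baseline */
    printf("CPUID deltas: mean=%.1f var=%.1f m4=%.3g\n", s.mean, s.var, s.m4);
    return 0;
}
```

The printed variance and fourth moment only mean something next to values recorded on hardware known to run without a hypervisor; the abstract's claim is that they rise once one is installed, whatever offset it applies to the TSC.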