Detection of Hardware Virtualization Based Rootkits by Performance Benchmarking

This paper describes an enhanced side-channel analysis method to detect hardware virtualization based rootkits, by detecting performance degradation caused by the hardware virtualization itself. The method proposed is, (like a network intrusion detection system), both passive and remote, so it is not easily detected by the rookit. The method does not rely on an internal and therefore untrustable timing source, and does not rely on the rootkit's potentially imperfect representation of the actual physical characteristics of the computing platform. For these reasons, it is believed that this method is not subject to criticisms normally levelled against the currently proposed methods of detecting hardware virtualization or hardware virtualization rootkits . Measuring performance degradation requires a baseline, and compared with that baseline, the degradation must be sufficiently great to be judged anomalous with reasonable confidence. That degradation must also be accurately measurable by a trusted and therefore external timing source. Accordingly the benchmarking experiment that has been devised was performed using commodity hardware and freely available software, to determine which resources virtualization seems to degrade performance most significantly, and of these resources, which are most accurately timed externally. Although the results are preliminary, and strictly speaking, apply only to the actual hardware used in the experiment, they nonetheless show that there is potential to use passive network analysis to detect hardware based virtualization rootkits and associated malware. It is possible that the experimental method itself is of considerable value in guiding readers to develop baselines for their own computer systems, and therefore assist them to detect the performance degradation expected after the installation of a hardware virtualization based rootkit.