DocumentCode :
3698675
Title :
Malicious hypervisor and hidden virtualization of operation systems
Author :
Anton Sergeev;Victor Minchenkov;Vladimir Bashun
Author_Institution :
Information Systems Security Dept., Saint-Petersburg State University of Aerospace Instrumentation, Russian Federation
fYear :
2015
Firstpage :
178
Lastpage :
182
Abstract :
Today virtualization technology is the focus of many new potential threats and introduces new security challenges that we must meet. The key problem is that malware can utilize the virtualization techniques of modern CPUs for “hidden virtualization” (invisible to the user): to execute as a hypervisor and transform the running operating system (OS) into a “guest” state. In this work we analyzed and compared the functionality of several research virtual machine monitors (VMMs: BluePill, SubVirt, BitVisor) which can be used for a hidden virtualization attack. A typical life cycle of the hardware-accelerated VMM and the mechanisms of hidden virtualization were also described. We also implemented a proof-of-concept prototype of a research VMM and used it for tests with hidden virtualization of Linux operating systems. Our measurements demonstrated that malicious VMMs could efficiently hide their presence using hardware acceleration technologies.
Keywords :
"Virtualization","Hardware","Acceleration","Lead","Software","Registers","Cryptography"
Publisher :
IEEE
Conference_Titel :
Application of Information and Communication Technologies (AICT), 2015 9th International Conference on
Print_ISBN :
978-1-4673-6855-1
Type :
conf
DOI :
10.1109/ICAICT.2015.7338541
Filename :
7338541