Title :
Enhanced side-channel analysis method to detect hardware virtualization based rootkits
Author :
Kyte, Iain ; Zavarsky, Pavol ; Lindskog, Dale ; Ruhl, Ron
Author_Institution :
Wurldtech Canada, Vancouver, BC, Canada
Abstract :
This paper describes a method of detecting hardware virtualization based rootkits by performance benchmarking, that is, by detecting the performance degradation caused by the hardware virtualization itself. The method proposed is both passive and remote, so it is not easily detected by the rootkit. The method does not rely on an internal and therefore untrustworthy timing source, and does not rely on the rootkit's potentially imperfect representation of the actual physical characteristics of the computing platform. For these reasons, it is believed that this method is not subject to the criticisms normally leveled against the currently proposed methods of detecting hardware virtualization or hardware virtualization rootkits. Measuring performance degradation requires a baseline, and compared with that baseline, the degradation must be sufficiently great to be judged anomalous with reasonable confidence. That degradation must also be accurately measurable by a trusted, and therefore external, timing source. Accordingly, the benchmarking experiment that was devised was performed using commodity hardware and freely available software, to determine which resources virtualization seems to degrade most significantly, and, of these resources, which are most accurately timed externally. Although the results are preliminary and, strictly speaking, apply only to the actual hardware used in the experiment, they nonetheless show that there is potential to use passive network analysis to detect hardware virtualization based rootkits and associated malware.
Keywords :
benchmark testing; invasive software; virtualisation; commodity hardware; freely available software; hardware virtualization; malware; performance benchmarking; performance degradation; rootkits; side-channel analysis method; computers; hardware; timing; virtual machine monitors; enhanced side-channel analysis; rootkit detection
Conference_Title :
Internet Security (WorldCIS), 2012 World Congress on
Conference_Location :
Guelph, ON
Print_ISBN :
978-1-4673-1108-3