paleshadows writes "A year and a half has passed since
SubVirt, the first VMM (virtual machine monitor) based rootkit, was introduced.
The idea spawned two lively slashdot discussions:
the first, which followed
the initial report about SubVirt,
the second, which was conducted after
recycled the idea (apparently without giving credit to the initial authors).
Conversely, in this year's HotOS workshop,
researchers from Stanford, CMU, VMware, and XenSource have published a paper titled
Compatibility Is Not Transparency: VMM Detection Myths and Realities"
which shows that VMM-based rootkits are actually easily detectable.
The introduction of the paper explains that
"While commodity VMMs conform to the PC architecture, virtual implementations of this architecture differ substantially from physical implementations. These differences are not incidental: performance demands and practical engineering limitations necessitate divergences (sometimes radical ones) from native hardware, both in semantics and performance. Consequently, we believe the potential for preventing VMM detection under close scrutiny is illusory — and fundamentally in conflict with the technical limitations of virtualized platforms."
The paper concludes by saying that
"Perhaps the most concise argument against the utility of VMBRs (VM-based rootkits) is: "Why bother?" VMBRs change the malware defender's problem from a very difficult one (discovering whether the trusted computing base of a system has been compromised), to the much easier problem of detecting a VMM.""
Link to Original Source