硬件虚拟化rootkit检测方法研究综述

随着虚拟化技术的发展及其在云计算中的广泛应用, 传统的rootkit也开始利用硬件虚拟化技术来隐藏自己。为了对抗这一新型rootkit的攻击, 研究了传统rootkit检测方法在检测硬件虚拟化rootkit（HVMR）上的不足, 分析了现有的HVMR检测方法, 包括基于指令执行时间差异的检测方法、基于内存资源视图差异的检测方法、基于CPU异常和错误的检测方法, 以及基于指令计数的监测方法等。总结了这些检测方法的优缺点, 并在此基础上提出了两种通过扫描内存代码来检测HVMR恶意性的方法, 分别是基于hypervisor的恶意性检测方法和基于硬件的恶意性检测方法, 同时也预测了未来虚拟化检测技术的发展方向。

Summarize of detection methods on hardware-based virtualization machine rootkit

The development of virtualization technology and its widely application in cloud computing promotes the traditional rootkit making use of hardware virtualization to hide itself. To confront this new threat, this paper studied the deficiency of traditional rootkit detection ways in detecting hardware-based virtualization machine rootkit (HVMR), analyzed the merits and demerits of existing methods in detecting HVMR, and concluded in incapable of judging the malicious of HVMR. Based on this, it presented two methods to detect the malicious of HVMR, namely hypervisor-based malicious detection and hardware-based malicious detection. Finally, it predicted the future developments of virtualization detection technology.