Igor.Korkin renamed 2.2.2. VMX-root Mode Code.tex to VMX-root Mode Code.tex  over 9 years ago

Commit id: 7e4f87a00ea1b7ea00cb3d62c50dae30a0e8bca4

\subsubsection{VMX-root Mode Code}

Let us focus on low-level approaches to memory dump acquisition. With the help of hardware virtualization technology it becomes possible to execute code (a hypervisor) at a more privileged level (VMX-root mode) than the operating system's level. Hypervisors can therefore be used to acquire a memory dump; this process is described in the following projects [27, 28, 29].

Unlike the previously mentioned approaches, this one is resilient to the most popular malware tricks that prevent memory dump acquisition. At the same time, this method only works on systems that support hardware virtualization, and only in the case when a previously loaded hypervisor supports nested virtualization [30].

One disadvantage of this method is its vulnerability to the “Man-In-The-Middle” attack, because a malicious hypervisor can load itself sooner than a trusted one. With the help of Shadow Page Tables (AMD) and Extended Page Tables (Intel), a malicious hypervisor can hide memory areas [31]. As a result, the trusted hypervisor cannot read certain memory pages [32].

Trusted Execution Technology (TXT) by Intel and Secure Extension Mode (SEM) by AMD provide a mechanism for loading a trusted hypervisor by means of the Trusted Platform Module (TPM) [33, 34]. Unfortunately, these technologies are also vulnerable [35, 36, 37].

This approach can be resilient to the “Man-In-The-Middle” attack if a legitimate hypervisor is loaded from the BIOS. However, this case is only possible in laboratory conditions, because a BIOS hypervisor is highly platform dependent and its adaptation requires additional research that involves difficulties.
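As an added example (not code from the original text or from the cited projects), the following C program decodes the CPUID bits that decide whether the hypervisor-based approach can even be attempted on a given machine: hardware virtualization support (Intel VMX or AMD SVM) and the hypervisor-present bit, which signals that a hypervisor is already loaded and so raises the nested-virtualization requirement and the man-in-the-middle question discussed above. The type and function names are assumptions; the bit positions are CPUID.(EAX=1):ECX[5] for VMX, CPUID.(EAX=80000001h):ECX[2] for SVM, and CPUID.(EAX=1):ECX[31], the bit conventionally set by running hypervisors.

```c
#include <stdbool.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif
/* Decoded CPUID bits relevant to hypervisor-based acquisition (names are ours). */
typedef struct {
    bool vmx;                /* Intel VT-x available:  CPUID.(EAX=1):ECX[5] */
    bool svm;                /* AMD-V available:       CPUID.(EAX=80000001h):ECX[2] */
    bool hypervisor_present; /* CPUID.(EAX=1):ECX[31], set by a running hypervisor */
} virt_caps;

/* Pure decoding, separated from the CPUID instruction so it can run on constructed values. */
virt_caps decode_virt_caps(unsigned int leaf1_ecx, unsigned int ext1_ecx)
{
    virt_caps c;
    c.vmx = (leaf1_ecx >> 5) & 1u;
    c.svm = (ext1_ecx >> 2) & 1u;
    c.hypervisor_present = (leaf1_ecx >> 31) & 1u;
    return c;
}
/* 0: hardware virtualization present, no hypervisor loaded: the dumper can load first.
 * 1: a hypervisor already runs: the dumper must nest under it (needs nested
 *    virtualization) and may be shown a manipulated view of memory.
 * 2: no hardware virtualization: the approach does not apply. */
int acquisition_precondition(unsigned int leaf1_ecx, unsigned int ext1_ecx)
{
    virt_caps c = decode_virt_caps(leaf1_ecx, ext1_ecx);
    if (!c.vmx && !c.svm) return 2;
    return c.hypervisor_present ? 1 : 0;
}

/* Queries the running CPU; on non-x86 builds every bit reads as clear (result 2). */
int query_acquisition_precondition(void)
{
    unsigned int a = 0, b = 0, c = 0, d = 0, ea = 0, eb = 0, ec = 0, ed = 0;
#if defined(__x86_64__) || defined(__i386__)
    __get_cpuid(1, &a, &b, &c, &d);
    __get_cpuid(0x80000001u, &ea, &eb, &ec, &ed); /* leaves ec = 0 if the leaf is absent */
#endif
    return acquisition_precondition(c, ec);
}

int main(void)
{
    static const char *msg[] = { "ready: no hypervisor loaded", "hypervisor present: nested mode needed", "no hardware virtualization" };
    printf("%s\n", msg[query_acquisition_precondition()]);
    return 0;
}
```

Result 1 is the case the text warns about: whatever was loaded first may already be shaping what the acquisition hypervisor sees.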