“Undetectable” rootkits
The Popek and Goldberg properties for a VMM are:
Efficiency
Resource control
Equivalence
Equivalence “implies that any program executing on a virtual machine must behave in a manner identical to the way it would have behaved when running directly on the native hardware”
SVM/VT-x rootkits are only theoretically ‘undetectable’ because the equivalence principle is not fully respected in the hardware virtualization extensions
There are computer resources over which the hypervisor does not have full control:
TLB (partially)
Branch prediction
SMP processing
Where it is necessary, others will certainly add detection for SVM/VT-x