DKSM: Subverting Virtual Machine Introspection for Fun and Profit

Virtual Machine (VM) introspection is a powerful technique for determining the specific aspects of guest VM execution from outside the VM. Unfortunately, existing introspection solutions share a common questionable assumption. This assumption is embodied in the expectation that original kernel data structures are respected by the untrusted guest and thus can be directly used to bridge the well-known semantic gap. In this paper, the authors assume the perspective of the attacker, and exploit this questionable assumption to subvert VM introspection. In particular, they present an attack called DKSM (Direct Kernel Structure Manipulation), and show that it can effectively foil existing VM introspection solutions into providing false information.