Hardware virtualization technologies play a significant role in cyber security. On the one hand these technologies enhance security levels, by designing a trusted operating system. On the other hand these technologies can be taken up into modern malware which is rather hard to detect. None of the existing methods is able to efficiently detect a hypervisor in the face of countermeasures such as time cheating, temporary self uninstalling, memory hiding etc. New hypervisor detection methods which will be described in this paper can detect a hypervisor under these countermeasures and even count several nested ones. These novel approaches rely on the new statistical analysis of time discrepancies by examination of a set of instructions, which are unconditionally intercepted by a hypervisor. Reliability was achieved through the comprehensive analysis of the collected data despite its fluctuation. These offered methods were comprehensively assessed in both Intel and AMD CPUs.

1. TWO CHALLENGES OF STEALTHY
HYPERVISORS DETECTION:
TIME CHEATING & DATA
FLUCTUATIONS
Igor Korkin
CDFSL 2015

2. Agenda
● Hypervisor (or HYP) as a security threat
● Ways of HYPs detection & their drawbacks
● Time-based detection methods
improvements & its challenges

3. Any PC can be compared with a big ship
*The Russian Nuclear Icebreaker "Yamal“ in the Arctic

4. Any PC can be compared with a big ship
User & kernel modes
Hypervisor
SMM
AMT
Firmware level
*The Russian Nuclear Icebreaker "Yamal“ in the Arctic

5. Plugged device
with infected chip
The existing places to plant the backdoor
User & kernel modes
(VMX non root mode)
Hypervisor
(VMX root mode)
System Management
Mode (SMM)
Active Management
Technology (AMT)
Firmware level
e.g. BADUSB, 2014
Own chip on the
motherboard
ADFSL
2014
ADFSL
2015
AMT keylogger
by Stewin &
Seifert, 2011
SMM keylogger
by Wecherowski,
2009
GPU-based
Keylogger by
Koromilas, 2013

6. What & where is a hypervisor?
Image source: http://pngimg.com/download/5932

7. What & where is a hypervisor?
AV
Image source: http://pngimg.com/download/5932

8. What & where is a hypervisor?
OPERATING
SYSTEM
COMPUTER
HARDWARE
AV
Image source: http://pngimg.com/download/5932

9. 2005-now1990-2005
What & where is a hypervisor?
OPERATING
SYSTEM
COMPUTER
HARDWARE
OPERATING
SYSTEM
HYPERVISOR*
• VT-x
• AMD-V
COMPUTER
HARDWARE
AV
Image source: http://pngimg.com/download/5932

10. 2005-now1990-2005
What & where is a hypervisor?
OPERATING
SYSTEM
COMPUTER
HARDWARE
OPERATING
SYSTEM
HYPERVISOR*
• VT-x
• AMD-V
*Hypervisor (or HYP) is a code run by
CPU in a more privileged mode than OS
COMPUTER
HARDWARE
AV
Image source: http://pngimg.com/download/5932

11. CPU without VT-x
low performance computers
CPU with VT-x
high performance computers
Does your CPU support Hardware Virtualization?
Check on ark.intel.com or use CPU-Z
What computers support hardware virtualization?
Server
Workstation
LaptopNetbook &
Ultrabook
mini PC
tablet PC
VT-x
VT-x
VT-x
no
no
no

12. Five features of HYP &
the area of its application
Features
1. HYP can control access to memory, HDD etc
2. Impossible to block or delete HYP by OS
3. There is no built-in tool for HYP detection
4. HYP can prevent its detection = stealthy HYP
e.g. by using time cheating
5. HYP installs invisibly for both users & AVs
Areas

13. Five features of HYP &
the area of its application
Features
1. HYP can control access to memory, HDD etc
2. Impossible to block or delete HYP by OS
3. There is no built-in tool for HYP detection
4. HYP can prevent its detection = stealthy HYP
e.g. by using time cheating
5. HYP installs invisibly for both users & AVs
Areas
1 + 2 = for security
1 + 2 + 3 + 4 + 5 = for backdoor

14. Backdoor HYP can Ways to plant a HYP
Overview of a backdoor HYP facilities
● using OS
vulnerabilities to load
a driver-based HYP
● using BIOS-based
approach to infect a
motherboard
● record keystrokes
● steal all data
● block PC

15. Hardware
Hypervisor with secure
system monitor functions
Backdoor
hypervisor
Backdoor HYP & well-known examples
Loaded #2
Loaded #1

16. HYP example Author HYP is loaded by CPU
Blue Pill Invisible Things Lab Windows driver
Vitriol Matasano Security MAC OS driver
Russian Ghost M.Utin by DeepSec14 BIOS
Backdoor HYP & well-known examples
Loaded #2
Loaded #1
Hardware
Hypervisor with secure
system monitor functions
Backdoor
hypervisor

17. Analysis of hypervisor detection tools
Tool
Detection
method
Resi-
lient?
Easy to
distribute?
Hardware
Copilot 2004
Signature based + ―
Deep Watch 2008
Software
Symantec EndPoint
Protection 2012 Based on the
trusted HYP
― +
McAfee Deep
Defender 2012
Actaeon 2013 Signature based
Proof of Concepts
2008 - 2015
Behavior based
& Time based
New proposal tool Time based + +

18. Tool
Detection
method
Resi-
lient?
Easy to
distribute?
Hardware
Copilot 2004
Signature based + ―
Deep Watch 2008
Software
Symantec EndPoint
Protection 2012 Based on the
trusted HYP
― +
McAfee Deep
Defender 2012
Actaeon 2013 Signature based
Proof of Concepts
2008 - 2015
Behavior based
& Time based
New proposal tool Time based + +
Analysis of hypervisor detection tools

19. Tool
Detection
method
Resi-
lient?
Easy to
distribute?
Hardware
Copilot 2004
Signature based + ―
Deep Watch 2008
Software
Symantec EndPoint
Protection 2012 Based on the
trusted HYP
― +
McAfee Deep
Defender 2012
Actaeon 2013 Signature based
Proof of Concepts
2008 - 2015
Behavior based
& Time based
New proposal tool Time based + +
Analysis of hypervisor detection tools

20. Tool
Detection
method
Resi-
lient?
Easy to
distribute?
Hardware
Copilot 2004
Signature based + ―
Deep Watch 2008
Software
Symantec EndPoint
Protection 2012 Based on the
trusted HYP
― +
McAfee Deep
Defender 2012
Actaeon 2013 Signature based
Proof of Concepts
2008 - 2015
Behavior based
& Time based
New proposal tool Time based + +
Analysis of hypervisor detection tools

21. What are the principles of
these software detection
tools?

22. Hypervisor detection methods
Signature based
Behavior based
Based on the
trusted HYP
Time based

23. Without HYP Non-stealthy HYP Stealthy HYP
Signature based detection
HYP
code
Physical
memor y
Physical
memor y
HYP
code
• HYP is loaded to memory
• We can detect a HYP using
a search in the mem dump
• HYP hides memory areas
• HYP prevents acquiring a
real memory dump from OS
Physical
memor y

24. Detection based on the trusted HYP
*McAfee Deep Defender Technical Evaluation and Best Practices Guide
The boot process with McAfee Deep Defender

25. Detection based on the trusted HYP
*McAfee Deep Defender Technical Evaluation and Best Practices Guide
The boot process with McAfee Deep DefenderWORM HYP
WORM HYP
Vulnerability:
• If worm HYP
is loaded first
it blocks Deep
Defender
• Exp. BIOS-
based HYP

26. Old CPU & HYP
2007-2011
New CPU & HYP
nowadays
Behavior based detection
Is OS
Freezed?
VMSAVE 0x67
Yes
No
HYP is present
No HYP ? ? ?
? ? ?
Yes
No
VMSAVE 0x67 is a “bug” instruction
presented by Barbosa in the 2007
There is no such “bug”
instruction for new CPU

27. Time based detection
Operating System
event 1
event 2
∆𝑡
𝑡2
timer
𝑡1
∆𝑡 is small

28. Time based detection
Operating System Hypervisor
event 1
event 2
∆𝑡
𝑡2
timer
𝑡1
Dispatcher
∆𝑡 is significant

29. Time based detection
Operating System Hypervisor
event 1
event 2
Dispatcher
Time cheating
function
VM Entry
𝑡2
timer
𝑡1
∆𝑡 is small
∆𝑡

30. Drawbacks of HYP detection methods
Based on the trusted HYP
Behavior based
Signature based
Time based
Is good only for
old CPU & HYPS
Vulnerable to
hidden pages
Susceptible to
MITM attack*
Vulnerable to
time cheating
*MITM attack - man in the middle attack

31. Time based detection. Yesterday.
Time based
HYP
detection
Using
average
values (2007)

32. Time based detection. Today.
Time
cheating
(2008)
Time based
#1 How to detect a HYP
that applies time cheating?
Using
average
values (2007)

33. Time based detection. Today & tomorrow
Time
cheating
(2008)
Using
average
values (2007)
Using
statistics
(CDFSL 2015)
HYP
detection
Time based
#1 How to detect a HYP
that applies time cheating?

34. Operating System
Unconditionally
Intercepted
Instructions
event
Let's focus on the time-based detection
by unconditionally intercepted
instructions
Our detection
program is execute
these instructions

35. Time based detection by
Unconditionally Intercepted Instructions
Their execution is always trapped by HYP
e.g. CPUID instruction
How to detect
a HYP using
them?
Average
IET values
What are these?

36. 1. T1 = get_time()
Instructions Execution
Time (IET) = T2 - T1
2. execute CPUIDs
3. T2 = get_time()
Time based detection by
Unconditionally Intercepted Instructions
Their execution is always trapped by HYP
e.g. CPUID instruction
How to detect
a HYP using
them?
Average
IET values
What are these?

37. 1. T1 = get_time()
Instructions Execution
Time (IET) = T2 - T1
2. execute CPUIDs
3. T2 = get_time()
Time based detection by
Unconditionally Intercepted Instructions
Their execution is always trapped by HYP
e.g. CPUID instruction
How to detect
a HYP using
them?
Average
IET values
What are these?
* Lifebook E752 Core i5, Windows Live CD XP DDD
Non Stealthy
Without HYP ~2,000
With HYP ~20,000

38. 1. T1 = get_time()
Instructions Execution
Time (IET) = T2 - T1
2. execute CPUIDs
3. T2 = get_time()
Time based detection by
Unconditionally Intercepted Instructions
Non Stealthy Stealthy HYP
Without HYP ~2,000 ~2,000
With HYP ~20,000 ~2,000
Their execution is always trapped by HYP
e.g. CPUID instruction
!
How to detect
a HYP using
them?
What are these?
* Lifebook E752 Core i5, Windows Live CD XP DDD
Average
IET values

39. How do we want to detect a HYP?
What steps can be used
to detect a stealthy
hypervisor?

40. PreliminarystageDetectionstage
𝐼𝑓 ∗STAT∗ ∈ 𝑁𝑜𝐻𝑌𝑃 ∴ 𝑃𝐶 𝑖𝑠 𝑐𝑙𝑒𝑎𝑟
𝐼𝑓 ∗STAT∗ ∈ 𝐻𝑌𝑃 𝑝𝑟𝑒𝑠𝑒𝑛𝑡 ∴ 𝐻𝑌𝑃 𝑖𝑠 𝑝𝑟𝑒𝑠𝑒𝑛𝑡
What are the steps for time-based detection?
1. Load a clear PC without any HYP
2. Measure time for no HYP and for HYP present
3. Calculate *STAT* value (now it is average)
4. Achieve intervals for each of two cases:
5. Measure time & calculate *STAT* value
6. Check if *STAT* value is belongs to the intervals:
No HYP tiny HYP present *STAT*
*STAT* = ?

41. How to find the appropriate statistics?
What is happening to
the PC during time
measurements?

42. What is happening to the computer
during time measurements?
Without HYP: OS SMM*
With HYP:
OS HYP
SMM*
SMM ― System Management Mode, works lower than HYP & OS
SMM interrupts ― occur randomly & suspend PC for a short time
VMX transitions ― catch execution of every CPUID instruction
SMM interrupts
VMX transitions

43. SMM
OS HYP
SMM
Switching between CPU modes during
time measurements of CPUID execution
1. Without HYP:
2. With HYP:
OS SMM
Process of execution
CPUID instructions

44. ● CPU works as a
stochastic system
● SMM interrupts
both OS & HYP
● IET indexes are increased after HYP is loaded:
Theoretic analysis of switches between
modes
IET has a layered structure
Average
Number of layers
Variance & 4th order moment
IET is a random variable

45. ● CPU works as a
stochastic system
● SMM interrupts
both OS & HYP
● IET indexes are increased after HYP is loaded:
Average Time-cheating by HYP
Number of layers Both are possible for
stealth HYP detectionVariance & 4th order moment
Theoretic analysis of switches between
modes
IET has a layered structure
IET is a random variable

46. Let’s check these three ideas by
experiment

47. Scheme of the experiment
1. Run a tiny HYP with time cheating
2. Measure IET by the own driver:
→ matrix 1000 x 10

48. Instruction Execution Time in CPU ticks*
Number of outer loop interactions
1 2 3 … 10
Numberofinnerloop
interactions
1 2004 2008 2048 … 2044
2 2000 2008 2048 … 2048
3 2012 2004 2048 … 2044
4 2008 2000 2048 … 2048
5 2008 2004 2044 … 2040
… … … … … …
1000 2008 2000 2040 … 2036
* without HYP, Lifebook E752 Core i5, Windows Live CD XP DDD

49. Analysis of the experimental results
1985
1995
2005
2015
2025
2035
1 20 39 58 77 96
1985
1995
2005
2015
2025
2035
1 20 39 58 77 96
Comparison of statistical indexes values
Are averages values the same? 
No HYP Stealthy HYP Present

50. Analysis of the experimental results
1985
1995
2005
2015
2025
2035
1 20 39 58 77 96
1985
1995
2005
2015
2025
2035
1 20 39 58 77 96
Comparison of statistical indexes values
Yes, averages values are the same 
Does IET have a layered nature? 
No HYP Stealthy HYP Present

51. Analysis of the experimental results
1985
1995
2005
2015
2025
2035
1 20 39 58 77 96
1985
1995
2005
2015
2025
2035
1 20 39 58 77 96
Comparison of statistical indexes values
Yes, averages values are the same 
Yes, IET has a layered nature 
Is the number of layers increased?
Is the variance increased ?

No HYP Stealthy HYP Present

52. Analysis of the experimental results
1985
1995
2005
2015
2025
2035
1 20 39 58 77 96
1985
1995
2005
2015
2025
2035
1 20 39 58 77 96
Comparison of statistical indexes values
Yes, averages values are the same 
Yes, IET has a layered nature 
The number of layers is increased: 4 < 12
The variance is increased: 14 < 85

No HYP Stealthy HYP Present

53. Yeah! We’ve done it!
We’ve found the following “resilient” statistics:
● number of horizontal layers
● variance
● 4th order moment
𝑉 =
𝑥𝑖 − 𝑋 2
𝑛
𝑀4 =
𝑥𝑖 − 𝑋 4
𝑛
Let’s use statistical tests to complete samples

54. What statistical tests are
appropriate to compare
these samples?
But also IET has the following
anomalies:
● IET samples include noise
● IET samples statistics fluctuate daily
● IET random variable is not normally distributed

55. Possible ways to compare the samples
Classical parametric tests Non-parametric tests
● Student’s t-test
● ANOVA & ANCOVA
Require normal distribution
● Wilcoxon test
Give bad approximation

56. Possible ways to compare the samples
Classical parametric tests Non-parametric tests
● Student’s t-test
● ANOVA & ANCOVA
Require normal distribution
● Wilcoxon test
Give bad approximation
Kornfeld (USSR’65) or Strellen (GER’01) method:
𝑐𝑜𝑛𝑓𝑖𝑑𝑒𝑛𝑐𝑒 𝑖𝑛𝑡𝑒𝑟𝑣𝑎𝑙: 𝑇 𝑀𝐼𝑁, 𝑇 𝑀𝐴𝑋
𝑐𝑜𝑛𝑓𝑖𝑑𝑒𝑛𝑐𝑒 𝑙𝑒𝑣𝑒𝑙: 𝑃 = 1 − 0.5 𝑛−1
𝐿𝑒𝑡 𝑇1, 𝑇2, . . 𝑇𝑛 𝑖𝑠 𝑎 𝑠𝑎𝑚𝑝𝑙𝑒, 𝑡ℎ𝑒𝑟𝑒𝑓𝑜𝑟𝑒

57. 1. Calculate variances for each matrixes of IET values:
V1 V2 .. V10
Calculate statistics & variation intervals
1 2 .. 10
1
…
1000
1 2 .. 10
1
…
1000
V1 V2 .. V10
2. The result:
No HYP HYP present

58. No HYP HYP present
1. Calculate variances for each matrixes of IET values:
V1 V2 .. V10
Calculate statistics & variation intervals
No HYP HYP present
Overlap too much
V
1 2 .. 10
1
…
1000
1 2 .. 10
1
…
1000
V1 V2 .. V10
2. The result: instability of statistics values

59. Data fluctuation: instability of statistics
What are the reasons for
the instability of statistics?

60. Reasons for the data instability or
data fluctuations are outliers & jumps
2000
4000
6000
8000
10000
1 31 61 91 121 151
jump
outlier
2000
3000
4000
5000
6000
7000
8000
9000
10000
11000
1 11 21 31 41 51 61 71
outliers
2360
2370
2380
2390
2400
2410
2420
2430
1 11 21 31 41 51 61 71 81 91 101 111
low frequency values
𝑉 =
𝑋𝑖 − 𝑋 2
𝑛
Variance is significantly
increased because of
outliers and jumps

61. Type of
noise
Outlier,
low frequency value
Jump
TO DO
Low frequency
filtration with 2-10%
How to overcome the negative influence
of outliers & jumps
2000
3000
4000
5000
6000
7000
8000
9000
10000
1 10 19 28 37 46 55 64 73 82 91 100
VAR = 526,000

62. How to overcome the negative influence
of outliers & jumps
2000
3000
4000
5000
6000
7000
8000
9000
10000
1 10 19 28 37 46 55 64 73 82 91 100
2000
3000
4000
5000
6000
7000
8000
9000
1 10 19 28 37 46 55 64 73 82 91 100
VAR = 526,000 VAR = 93,000
without an outlier
Type of
noise
Outlier,
low frequency value
Jump
TO DO
Low frequency
filtration with 2-10%

63. How to overcome the negative influence
of outliers & jumps
2000
3000
4000
5000
6000
7000
8000
9000
10000
1 10 19 28 37 46 55 64 73 82 91 100
2000
3000
4000
5000
6000
7000
8000
9000
1 10 19 28 37 46 55 64 73 82 91 100
VAR = 526,000 VAR = 93,000
without an outlier
VAR = 123
without a jump
2000
2200
2400
2600
2800
3000
3200
3400
1 10 19 28 37 46 55 64 73 82 91 100
Type of
noise
Outlier,
low frequency value
Jump
TO DO
Low frequency
filtration with 2-10% 𝑉 =
𝑎
𝑎 + 𝑏
∗ 𝑉𝑎 +
𝑏
𝑎 + 𝑏
∗ 𝑉𝑏
𝑎 𝑏
𝑉𝑎
𝑉𝑏

64. I decided to test these ideas &
try to detect a HYP every day

65. day #1
day #2
day #3
Obtain different statistical values on
different days
No HYP
HYP present
V
No HYP HYP present
V
No HYP
HYP present
V

66. Obtain different statistical values on
different days
day #1
day #2
day #3
No HYP
HYP present
V
No HYP HYP present
V
No HYP
HYP present
V
no appropriate threshold

67. Data fluctuation: lack of repeatability
How to overcome this
data fluctuation every day?

68. 1. Two-step way to calculate statistics 𝑉:
2. Repeat measurements within 10 days
1 2 .. 10
1
…
1000
Overcoming the lack of repeatability
𝑉1 𝑉2 .. 𝑉10
𝑉 = 𝑎𝑣𝑒𝑟𝑎𝑔𝑒 𝑉1, . . , 𝑉10
Step #1
Step #2 as new sample
Matrix of IET values:
No HYP tiny HYP presentAs a results: 𝑉

69. What can we do if variation
intervals keep overlapping?
No HYP HYP present
V
- overlapping part𝐴 𝐵 𝛿

70. No HYP HYP present
V
→ repeat data acquisition & stats calculation
- overlapping part
Type errors Decision Reality Probability
I HYP is present no NYP 𝛼 = 𝛿 ⁄ 𝐴
II no NYP HYP is present 𝛽 = 𝛿 ⁄ 𝐵
𝐴 𝐵
What can we do if variation
intervals keep overlapping?
𝛿

71. Threshold values calculation
1.
2. Calculate two-step way statistics after filtration
3. Choose threshold values so that the sum of
probability of type I and II errors comes to its min
Day #1 Day #2 Day #10 Matrices count
no HYP 50
tiny HYP 50
..

72. Example of threshold values
Statistics
Filtration
level
Threshold values Type I
error,
%
Type II
error,
%
No
HYP
HYP is
present
Number of layers 0 ≤ 7 ≥ 8 4 0
Variance 0 ≤ 14 ≥ 18 2 0
Moment 0.1 ≤ 679 ≥ 947 2 0
Intel Core 2 Duo E6300 + Windows 7 x32

73. How to detect stealthy hypervisors?
Step by step method:

74. Stages Stage description
Preliminary
(calculate
thresholds)
1. Flash BIOS with a trusted image or firmware
2. Install OS
3. Get threshold values in case where no HYP is
present
Operational
(detect a
hypervisor)
4. Check in a loop if a hypervisor is present
5. Install Office etc
6. Monitor messages about a hypervisor presence
7. Go to step 3 to adapt the tool to new legitimate
HYP
How to detect stealthy hypervisors?

75. Stages Stage description
Preliminary
1. Flash BIOS with a trusted image or firmware
2. Install OS
3. Get threshold values in case where no HYP is
present
Operational
(detection)
4. Check in a loop if a hypervisor is present
5. Install Office etc
6. Monitor messages about a hypervisor presence
7. Go to step 3 to adapt the tool to new legitimate
HYP
How to detect stealthy hypervisors?
Image sources: wikipedia.org/wiki/BIOS batronix.com/versand/programmiergeraete/BX32P/index.html
http://myonsitetech.ca/images/image/SoftwareUpgrade.png

76. Stages Stage description
Preliminary
(calculate
thresholds)
1. Guarantee the absence of a HYP by checking
a scatter plot (coming soon)
2. Get threshold values in case where no HYP is
present
Operational
(detect a
hypervisor)
3. Check in a loop if a hypervisor is present
4. Install Office etc
5. Monitor messages about a hypervisor presence
6. Go to step 3 to adapt the tool to new legitimate
HYP
How to detect stealthy hypervisors?

77. Detection: architecture & source code
Source code components Details
Windows x32 drivers
& their config tools
Visual Studio &
WDK, C++ asm
Matlab
http://github.com/IgorKorkin/HypervisorsDetection
Preliminary
(calculate
thresholds)
Operational
(detect a HYP)
Tiny HYP Measure IET
Calc stats & get
Calc stats &
compare with thresholds
thresholds
Tiny HYP
Measure IET
Calc stats & get thresholds

78. Positive results on different PCs & HYPs
HYP title HYP authors & details CPU
Driver
Only 1 tiny HYP tested on 5 PCs
2 nested HYPs=
ADD* + tiny HYP
ADD is loaded first,
the tiny HYP is above it
BIOS
TRace EXplorer
(TREX)
A.Tichonov &
A.Avetisyan (ISP RAS)
Russian Ghost A.Lutsenko aka R_T_T
ADD ― Acronis Disk Director for Windows x86
Is run by

79. List of challenges
Challenges How to achieve
Stealthy HYP
cheats time
Use variability indexes
of IET
Data fluctuation:
jumps & outliers
Lack of
repeatability
Apply filtration &
two-step way statistics
Repeat measurements
within 10 days
IET is not normally
distributed & no HOV
Use Kornfeld method
And also:

80. Hardware
Hypervisor with secure
system monitor functions
Rootkit
hypervisor
“Statistical ruler” detects stealthy HYPs
- the detection tool is running in the background

81. Next steps
● Collaborate with security research
companies
● Publish 2 papers in the next 2 years
● Apply for an academic research position

82. ADDITIONAL SLIDES

83. Details of type I and II errors
1. Definition of type I and II errors:
2. How to calculate them?
Reality situation
No HYP HYP present
Our
decision
No HYP “true” type II
HYP present type I “true”
No HYP HYP present
- overlapping part
Type I error 𝛼 = ⁄𝛿
𝑛𝑜𝐻𝑌𝑃
Type II error 𝛽 = ⁄𝛿
𝐻𝑌𝑃
𝛿𝑛𝑜𝐻𝑌𝑃 𝐻𝑌𝑃

84. Analysis of methods to compare samples
Student t-test
(parametric stats)
Kornfeld method
(non parametric stats)
1. Requirements to input samples
Normal distribution
Homogeneity of variances
No requirements
2. Choosing the corresponding confidence level
95% or 99% see t-table 1 − 0,5 𝑛−1
3. Calculating the confidence interval for random variable
𝑥 − 𝑡 ∗ 𝑠, 𝑥 + 𝑡 ∗ 𝑠 ,
𝑠2-sample variance
𝓍 𝑚𝑖𝑛, 𝓍 𝑚𝑎𝑥

85. Min-max confidence interval method by
Strelen’04 or Kornfeld’65
𝓍1, 𝓍2, . . , 𝓍 𝑛 - are result of measuring random variable 𝓍
The confidence interval for 𝓍 is 𝓍 𝑚𝑖𝑛, 𝓍 𝑚𝑎𝑥 ,
where 𝓍 𝑚𝑖𝑛 = min
1<𝑖<𝑛
𝑥𝑖 𝑎𝑛𝑑 𝓍 𝑚𝑎𝑥 = m𝑎𝑥
1<𝑖<𝑛
𝓍𝑖
with the confidence level
𝑃 𝓍 𝑚𝑖𝑛 ≤ 𝓍 ≤ 𝓍 𝑚𝑎𝑥 = 1 − 0,5 𝑛−1
.
In other words this is the probability of 𝑥 ∈ 𝑥 𝑚𝑖𝑛, 𝑥 𝑚𝑎𝑥 .

86. Analysis of sample comparison methods
*J.Ch. Strelen, Median confidence intervals. In E.J.H. Kerckhoffs and M. Snorek, editors, Modelling and Simulation 2001 - Proc. of the ESM2001,
pages 771-775. The SCS Publishing House, Erlangen, 2001 http://web.informatik.uni-bonn.de/IV/strelen/Forschung/Publikationen/ESM2001.pdf
**Kornfeld, M. (1965, March). Accuracy and Reliability of a Simple Experiment. (in Russian) 85 (3), Number UFN 85 533–542, 533-542,
Retrieved on October 12, 2014, from http://ufn.ru/ufn65/ufn65_3/Russian/r653e.pdf
1. Kornfeld method (USSR 1965)
2. Strelen method (Germany 2001)
1. Let’s arrange the set in order of increasing values
2. Therefore the probability P 𝑥 < 𝑥1 = P 𝑥 > 𝑥 𝑛 = ⁄1 2 𝑛
3. Therefore the probability of the complement event: P 𝑥1 < 𝑥 < 𝑥 𝑛 =
1 − P 𝑥 < 𝑥1 − P 𝑥 > 𝑥 𝑛 = 1 − ⁄1 2 𝑛 − ⁄1 2 𝑛 = 1 − ⁄1 2 𝑛−1
4. In other words the probability of the fact that
𝑥 ∈ 𝑥 𝑚𝑖𝑛, 𝑥 𝑚𝑎𝑥 is 1 − ⁄1 2 𝑛−1

87. Details of Time-based detection
__asm
{
RDTSC
MOV hst, EDX
MOV lst, EAX
CPUID // 1
RDTSC
MOV hfin, EDX
MOV lfin, EAX
}
save_time(...)
tRDTSC-1
tRDTSC-2
tCPUID-1
TSC
read_tsc(time)
time = time – Delta
write_tsc(time)
OS Hypervisor
VM exit
time = tVMM
time = (tVMM – Delta ) ≈ tCPUID-1
VM Entry

88. System Management mode:
what are the reasons of SMI?
 Maintenance mode:
– Used for efficient power management.
– Run specific proprietary code.
SMI
SMI
SMI
SMI
RSM instruction
SMM
Back to calling context
Assert a “System Management Interrupt” (SMI) from any other mode:
Thermal Sensor
Century Rollover
RTC Alarm
TCO, USB

89. ● WinDbg and VMWare to debug only a HYP driver
● hardware emulators: Bochs, AMD SimNow etc
● debug output by DbgPrint & DbgView
● COM port:
● debug card
The possible ways to debug a HYP

90. Special thanks to
● Peter Prokoptsev, scientist
● Iwan Nesterov, programmer
● Andrey Chechulin, scientist
● Alexander Nikonov, portfolio manager
● Ben Stein, teacher of English
● Alexey Nesterenko, teacher of English
● Natalia Korkina, teacher of English

91. Igor Korkin, Ph.D.
igor.korkin@gmail.com