Hypervisors are the building blocks of cloud computing. They host the virtualized operating systems and applications which provide highly-scalable, pervasive services on a continuous basis. These thin-layer, bare-metal operating systems create a prime target for attack. A compromised hypervisor grants access to hosted virtual machines and data stores. Its computing resources can be used for malicious purposes, including mounting additional attacks. To avoid detection, rooted hypervisors must not only avoid tripping internal alarms, but also convince external monitors that they are operating normally. To conceal illicit activities, they may underreport performance metrics. Although rootkits can hide unauthorized activity by understating system load, they cannot tamper with external measures of power usage. This research develops a new method for identifying compromised hypervisors which integrates energy usage statistics. This method correlates independent measures of server energy usage with hypervisor reports of system state to create models of power consumption. The detection process focuses on hypervisors which appear to use more power than expected, given reported performance metrics. Three out-of-band tests for detecting compromise are undergoing testing and refinement. The results of this research will indicate the effectiveness of energy correlation-approaches at identifying rooted hypervisors. If successful, this project will provide a platform-neutral method for cloud management monitors to identify compromised hypervisors. It reduces adoption risks for organizations and individual users of cloud services. In addition, it will provide opportunities for graduate and undergraduate students to developed advanced skills in cloud and data center security.
