moinmoin
Diamond Member
- Jun 1, 2017
From the article:
“In this particular case, once we had identified the issue with the incorrect emulation of the trap flag, our hypervisor team was able to test and deploy a fix.”
Researchers have since been able to fix this evasion problem for any malware sample by deploying this technique.
So it's not a vulnerability in the CPU but a behavior that hypervisors didn't replicate before, thus allowing applications to use this to detect whether they are in a VM or not. The question now is whether that "Trap Flag" behavior is completely undocumented. If so, all the blame still goes to Intel. (No mention of AMD, unfortunately. If AMD CPUs don't show that behavior, it's indeed completely undocumented.)