You Can Detect Hypervisor Rootkits Even If You're Virtualized
Thomas Ptacek, Matasano, 2007-08-27

Rich Mogull, reacting to our virtualization work:

[R]eading up on Nate and Tom's work I can't see any techniques for detecting an unapproved hypervisor in an already virtualized environment.

This is a misconception. Defenders will not have a hard time detecting unauthorized hypervisors, even when the defenders are already running VMware or Microsoft Virtual Server.

Here’s why: the defender is embedded in VMware or Microsoft Virtual Server.

Sound crazy? It isn’t. To detect kernel malware, you (typically) already need to be running in-kernel; in other words, you have to be part of the operating system. For the most part, to detect virtualization, you have to be in-kernel as well.

Both Blue Pill and Samsara need access to the hardware. The trick is, Samsara works even when Blue Pill is actively trying to “cheat” it, making it believe it’s talking to the hardware when it’s talking to a Blue Pill facade instead.

Joanna contests this argument. “Microsoft and VMware would never embed detection hacks into their hypervisors!” We agree. Microsoft and VMware are unlikely to ever need to. Hypervisor rootkits are not a major threat. But if they ever become one, hypervisor rootkit authors will find themselves a sitting duck for detectors. Joanna had the right idea, “chickening out” into the OS kernel to hide from Samsara.

The information, views, and opinions contained on this page are those of the author and do not necessarily reflect the views and opinions of SecurityFocus.
Copyright 2007, SecurityFocus