Introduction
Most hypervisors intercept the CPUID instruction so they can present the guest with a feature set that differs from the host's. This is essential for live migration between hosts with different CPU models (the guest must see a stable, lowest-common-denominator feature set) and for hiding features that the emulator does not handle.
This interception has a side effect the guest can measure. Timing is a common virtual machine (VM) detection technique because a VM exit, the transition from guest to hypervisor and back, is expensive relative to ordinary instruction latency. On Intel CPUs with Virtual Machine Extensions (VMX), CPUID executed in VMX non-root operation causes an unconditional VM exit; the hypervisor cannot opt out of intercepting it. Unless the hypervisor deliberately compensates for the transition overhead (for example by adjusting the guest's view of the time-stamp counter), the extra latency of CPUID compared with the same instruction on bare metal is a signal that a hypervisor is present.
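The measurement described above, as an added example that is not code from the original article: time CPUID with RDTSC/RDTSCP, time the bare timer reads as a baseline so the result does not depend on the TSC tick rate of a particular CPU, take the median over many samples to absorb interrupts and warm-up noise, and compare the two. The `VM_RATIO_THRESHOLD` value and the sample count are constructed heuristics, not values from the page; the `median_u64`, `looks_virtualized` and `measure` names are this example's own.

```c
/* Added example: CPUID VM-exit latency probe (not the article's code).
 * Builds with gcc or clang on x86-64; on other targets the TSC path is compiled out. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <inttypes.h>

#if defined(__x86_64__)
#include <cpuid.h>
#include <x86intrin.h>
#define HAVE_X86_TSC 1
#else
#define HAVE_X86_TSC 0
#endif

#define SAMPLES 2000
/* Constructed heuristic: CPUID costing more than 10x the timer reads alone.
 * Bare metal usually lands around 3x-6x; a VM exit pushes it well past 10x. */
#define VM_RATIO_THRESHOLD 10

#if HAVE_X86_TSC
/* Cycles for one CPUID (leaf 0). LFENCE/RDTSCP keep the two timer reads
 * from being reordered around the instruction being measured. */
static uint64_t time_cpuid_once(void) {
    unsigned int a, b, c, d, aux;
    _mm_lfence();
    uint64_t t0 = __rdtsc();
    __cpuid(0, a, b, c, d);        /* unconditional VM exit under VMX */
    uint64_t t1 = __rdtscp(&aux);  /* waits for CPUID to retire before reading TSC */
    _mm_lfence();
    (void)a; (void)b; (void)c; (void)d;
    return t1 - t0;
}

/* Same bracket with nothing inside: the cost of the timer reads themselves. */
static uint64_t time_baseline_once(void) {
    unsigned int aux;
    _mm_lfence();
    uint64_t t0 = __rdtsc();
    uint64_t t1 = __rdtscp(&aux);
    _mm_lfence();
    return t1 - t0;
}
#else
static uint64_t time_cpuid_once(void) { return 0; }
static uint64_t time_baseline_once(void) { return 0; }
#endif

static int cmp_u64(const void *x, const void *y) {
    uint64_t a = *(const uint64_t *)x, b = *(const uint64_t *)y;
    return (a > b) - (a < b);
}

/* Median of n samples (upper median for even n); sorts v in place. */
uint64_t median_u64(uint64_t *v, size_t n) {
    if (n == 0) return 0;
    qsort(v, n, sizeof *v, cmp_u64);
    return v[n / 2];
}

/* Decision rule: CPUID costing far more than the timer reads alone is the
 * guest-to-hypervisor transition overhead the article describes. */
int looks_virtualized(uint64_t cpuid_cycles, uint64_t baseline_cycles) {
    if (baseline_cycles == 0) baseline_cycles = 1;  /* avoid a degenerate ratio */
    return cpuid_cycles > baseline_cycles * VM_RATIO_THRESHOLD;
}

/* Collect SAMPLES of each measurement and reduce to medians.
 * Returns 1 when the TSC path is available, 0 on non-x86-64 builds. */
int measure(uint64_t *cpuid_med, uint64_t *base_med) {
    static uint64_t cs[SAMPLES], bs[SAMPLES];
    if (!HAVE_X86_TSC) return 0;
    for (int i = 0; i < SAMPLES; i++) {
        cs[i] = time_cpuid_once();
        bs[i] = time_baseline_once();
    }
    *cpuid_med = median_u64(cs, SAMPLES);
    *base_med = median_u64(bs, SAMPLES);
    return 1;
}

int main(void) {
    uint64_t c, b;
    if (!measure(&c, &b)) {
        puts("no x86-64 TSC path on this build target");
        return 0;
    }
    printf("median CPUID: %" PRIu64 " cycles, median baseline: %" PRIu64 " cycles\n", c, b);
    puts(looks_virtualized(c, b) ? "CPUID latency suggests a hypervisor"
                                 : "no CPUID exit overhead observed");
    return 0;
}
```

Two caveats a practitioner should keep in mind. First, the ratio is a heuristic: frequency scaling, SMIs and a busy host all add noise, which is why the probe uses a median over thousands of samples rather than a single read. Second, a hypervisor that wants to defeat this check can do so, since VMX lets it offset or scale the guest's TSC and even intercept RDTSC itself; the article's point is only that, absent such deliberate mitigation, the exit overhead is visible.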