Towards Sound Detection of Virtual Machines

Chapter in: Botnet Detection

Part of the book series: Advances in Information Security ((ADIS,volume 36))

Summary

We design, implement, and evaluate a practical timing-based approach to detect virtual machine monitors (VMMs) without relying on VMM implementation details. The algorithms developed in this paper are based on fundamental properties of virtual machine monitors rather than easily modified software artifacts. We evaluate our approach against two common VMM implementations on machines with and without hardware support for virtualization in a number of remote and local experiments. We successfully distinguish between virtual and real machines in all cases even with incomplete information regarding the VMM implementation and hardware configuration of the targeted machine.

Copyright information

© 2008 Springer Science+Business Media, LLC

About this chapter

Cite this chapter

Franklin, J., Luk, M., McCune, J.M., Seshadri, A., Perrig, A., Doorn, L.v. (2008). Towards Sound Detection of Virtual Machines. In: Lee, W., Wang, C., Dagon, D. (eds) Botnet Detection. Advances in Information Security, vol 36. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-68768-1_5

  • DOI: https://doi.org/10.1007/978-0-387-68768-1_5

  • Publisher Name: Springer, Boston, MA

  • Print ISBN: 978-0-387-68766-7

  • Online ISBN: 978-0-387-68768-1

  • eBook Packages: Computer Science (R0)
