Non-interactive OS fingerprinting through memory de-duplication technique in virtual machines

OS fingerprinting tries to identify the type and version of the operating system on a target host from information gathered about it. It is an essential first step for many subsequent penetration attempts and attacks. Traditional OS fingerprinting relies on banner grabbing or on analysis of network traffic. These interactive procedures can be detected by intrusion detection systems (IDS) or fooled by forged network packets. In this paper, we propose a new OS fingerprinting mechanism for virtual machine hypervisors that use memory de-duplication. Specifically, when multiple memory pages with identical contents are backed by a single physical page, read and write accesses to them show characteristic delays. We use the accumulated access delay to memory pages that are unique to a specific OS image to determine whether our VM instance and the target VM are running the same OS. Experimental results on the VMware ESXi hypervisor with both Windows and Ubuntu Linux OS images show that the attack is practical. We also discuss mechanisms by which hypervisors and VMs can defend against such attacks.
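The guest-side probe the abstract sketches, as an added example written for this page (it is not the paper's code and does not reproduce its exact measurement). It assumes a 4 KiB guest page size, a hypervisor that merges identical pages and breaks the sharing on the next write (copy-on-write), and it measures only the write side of the delay. The "OS-specific" page contents are a constructed placeholder generated from a seed; a real probe would fill them with pages copied from the candidate OS image. The decision rule (median write delay of candidate pages at least `ratio` times that of random control pages, with 3.0 as an arbitrary threshold) is this example's own simplification of the paper's accumulated-delay test.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

#define PAGE_SIZE 4096   /* assumed guest page size */

/* Monotonic nanosecond clock for all delay measurements. */
static uint64_t now_ns(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ULL + (uint64_t)ts.tv_nsec;
}

/* n page-aligned pages, so each probe write lands in its own guest page. */
static unsigned char *alloc_pages(size_t n) {
    void *p = NULL;
    if (posix_memalign(&p, PAGE_SIZE, n * PAGE_SIZE) != 0) return NULL;
    return (unsigned char *)p;
}

/* Candidate pages: in the real attack these hold page contents copied from
 * the OS image being tested for. Here they are a constructed, reproducible
 * placeholder derived from (seed, page index). */
static void fill_candidate_pages(unsigned char *buf, size_t n, uint32_t seed) {
    for (size_t i = 0; i < n; i++) {
        uint32_t x = seed ^ (uint32_t)(i * 2654435761u);
        for (size_t j = 0; j < PAGE_SIZE; j += sizeof x) {
            x = x * 1103515245u + 12345u;          /* LCG: deterministic bytes */
            memcpy(buf + i * PAGE_SIZE + j, &x, sizeof x);
        }
    }
}

/* Control pages: random content no other VM holds, so they cannot be merged.
 * Their write delay is the private-page baseline. */
static void fill_control_pages(unsigned char *buf, size_t n) {
    srand((unsigned)time(NULL) ^ (unsigned)getpid());
    for (size_t i = 0; i < n * PAGE_SIZE; i++)
        buf[i] = (unsigned char)rand();
}

/* Time one write per page after the merge window. A write to a page the
 * hypervisor has merged forces a copy-on-write break, which is much slower
 * than a write to a page the VM already owns privately. */
static void time_writes(unsigned char *buf, size_t n, uint64_t *out_ns) {
    for (size_t i = 0; i < n; i++) {
        volatile unsigned char *p = buf + i * PAGE_SIZE;
        uint64_t t0 = now_ns();
        *p ^= 0xff;
        out_ns[i] = now_ns() - t0;
    }
}

static int cmp_u64(const void *a, const void *b) {
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

/* Upper median of n samples: robust against the occasional huge sample from
 * an interrupt or an unrelated VM exit. */
uint64_t median_ns(const uint64_t *v, size_t n) {
    uint64_t *tmp = malloc(n * sizeof *tmp);
    memcpy(tmp, v, n * sizeof *tmp);
    qsort(tmp, n, sizeof *tmp, cmp_u64);
    uint64_t m = tmp[n / 2];
    free(tmp);
    return m;
}

/* Decision rule (this example's assumption, not the paper's exact statistic):
 * report "same OS" when the candidate pages' median write delay is at least
 * `ratio` times the control baseline. Returns 1 or 0. */
int same_os_detected(const uint64_t *candidate_ns, const uint64_t *control_ns,
                     size_t n, double ratio) {
    uint64_t mc = median_ns(candidate_ns, n);
    uint64_t mr = median_ns(control_ns, n);
    if (mr == 0) mr = 1;
    return (double)mc / (double)mr >= ratio;
}

int main(int argc, char **argv) {
    size_t n = 256;                                  /* pages per set */
    unsigned wait_s = argc > 1 ? (unsigned)atoi(argv[1]) : 0;
    unsigned char *cand = alloc_pages(n), *ctrl = alloc_pages(n);
    uint64_t *tc = calloc(n, sizeof *tc), *tr = calloc(n, sizeof *tr);
    if (!cand || !ctrl || !tc || !tr) { perror("alloc"); return 1; }
    fill_candidate_pages(cand, n, 0x5a17u);
    fill_control_pages(ctrl, n);
    sleep(wait_s);              /* give the hypervisor's scanner time to merge */
    time_writes(cand, n, tc);
    time_writes(ctrl, n, tr);
    printf("median write delay: candidate %llu ns, control %llu ns -> %s\n",
           (unsigned long long)median_ns(tc, n), (unsigned long long)median_ns(tr, n),
           same_os_detected(tc, tr, n, 3.0) ? "likely merged (same OS)" : "no sharing seen");
    free(cand); free(ctrl); free(tc); free(tr);
    return 0;
}
```

Run it inside a guest with a wait long enough for the hypervisor's page-sharing scanner to pass over the candidate pages (minutes rather than seconds on ESXi-style scanning), e.g. `./probe 600`. The verdict is only meaningful when the candidate set is large enough that interrupts and unrelated VM exits cannot move the median; the control set gives the baseline the decision is measured against. On a hypervisor that does not share pages across VMs, which is one of the defences the paper discusses, both medians stay close together and the probe reports no sharing.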
