论文信息 - Virtualization Detection : New Strategies and Their Effectiveness

Virtualization Detection : New Strategies and Their Effectiveness

Previous methods for detecting execution within a virtual machine monitor have typically focused on specific anomalies of the implementation [4][14], have required running in kernel mode [5], or have been mitigated by newer versions of processor virtualization extensions [16]. We analyze a a basic non-privileged loop benchmarking test against MAVMM, a VMM designed for transparency [11]. We also implement and analyze the “counter-based timing” method discussed in [6][16], and a low-level cache interaction test using the sensitive unprivileged instruction CPUID. All of our implementations focus on detection from within the VMM, and without privileged instructions. Our results show that even virtual machine monitors specially designed to maximize their transparency and to prevent detection are susceptible to simple timing benchmarks. Additionally, we find that counter-based timing methods and low-level cache effects methods can distinguish execution in a virtual machine monitor from native execution. We also discuss how cache-flushing based methods are more complicated than previous work has suggested.

Christopher Thompson | Maria Huntley

[1] Samuel T. King,et al. MAVMM: Lightweight and Purpose Built VMM for Malware Analysis , 2009, 2009 Annual Computer Security Applications Conference.

[2] Helen J. Wang,et al. SubVirt: implementing malware with virtual machines , 2006, 2006 IEEE Symposium on Security and Privacy (S&P'06).

[3] Gerald J. Popek,et al. Formal requirements for virtualizable third generation architectures , 1974, SOSP '73.

[4] Ole Agesen,et al. A comparison of software and hardware techniques for x86 virtualization , 2006, ASPLOS XII.

[5] Min Gyung Kang,et al. Emulating emulation-resistant malware , 2009, VMSec '09.

[6] Cynthia E. Irvine,et al. Analysis of the Intel Pentium's Ability to Support a Secure Virtual Machine Monitor , 2000, USENIX Security Symposium.

[7] Ulrich Drepper,et al. What Every Programmer Should Know About Memory , 2007 .

[8] Adrian Perrig,et al. Towards Sound Detection of Virtual Machines , 2008, Botnet Detection.

[9] Tal Garfinkel,et al. Compatibility Is Not Transparency: VMM Detection Myths and Realities , 2007, HotOS.

[10] Peter Ferrie. Attacks on More Virtual Machine Emulators , 2007 .