Honeypots mailing list archives
Re: VirtualPC detection?
From: Frédéric Raynal <pappy-ml () security-labs org>
Date: Wed, 9 Feb 2005 08:16:10 +0100
On Tue, Feb 08, 2005 at 06:48:48PM -0800, Dragos Ruiu wrote:
> On February 8, 2005 01:02 pm, Maximillian Dornseif wrote:
> > last fall the list had some fun with vmware detection: how to do it and what it means to malware analysis / honeypots. Now I wonder if anybody is aware of specialized code for detecting full scale processor emulations like VirtualPC for Mac, bochs and qemu. Any pointers?
>
> Timing... There was a French paper published last year by Gael Delalleau: "Mesure locale des temps d'execution: application au controle d'integrite et au fingerprinting". It had a much broader focus on timing effects and applications in all sorts of nifty ways, but section 5 of his paper dealt with general virtual machine detection.
>
> Synopsis: Under the emulators some system calls can be telltales by taking multiple orders of magnitude more time under virtual machines. E.g. linux/vmware illegal instructions with signal handlers take 8978ms under vmware vs 776ms on a real reference machine. Other pathological corner cases like special x86 instructions are so slow under emulation that the variation far exceeds what could be naturally occurring on real machines because of differences in hardware. I would be surprised if the same method was not portable across all the emulators.
>
> As far as detection goes... there are many other vectors available - each usually dependent on the specific emulator. The timing one however seemed difficult to mask and/or countermeasure, unlike some of the others like BIOS and emulated hardware detection.
>
> Obligatory editorial: Just like hardware reliability... putting too much faith in virtual machines staying virtual is folly. If you do use virtual honeypots, assume that at some point some clever attacker will cross that barrier, and have integrity checks and countermeasures for the host machine. The virtual machine that can't be broken out of has yet to be invented :). Everything can fail.... and if its failing leaves very important things vulnerable, then maybe a little effort to mitigate that is justified :-).
>
> Caveat Lector...

Gael's slides are available online (in French): http://actes.sstic.org/SSTIC04/Fingerprinting_integrite_par_timing/

Fred Raynal
Current thread:
- VirtualPC detection? Maximillian Dornseif (Feb 08)
- Re: VirtualPC detection? Dragos Ruiu (Feb 08)
- Re: VirtualPC detection? Frédéric Raynal (Feb 09)
- Re: VirtualPC detection? Dragos Ruiu (Feb 09)
- Re: VirtualPC detection? Frédéric Raynal (Feb 09)
- Re: VirtualPC detection? Maximillian Dornseif (Feb 19)
- Re: VirtualPC detection? Dragos Ruiu (Feb 08)