Article, DOI: 10.5555/1361397.1361403

Compatibility is not transparency: VMM detection myths and realities

Published: 07 May 2007

Abstract

Recent work on applications ranging from realistic honeypots to stealthier rootkits has speculated about building transparent VMMs - VMMs that are indistinguishable from native hardware, even to a dedicated adversary. We survey anomalies between real and virtual hardware and consider methods for detecting such anomalies, as well as possible countermeasures. We conclude that building a transparent VMM is fundamentally infeasible, as well as impractical from a performance and engineering standpoint.

Published In

HOTOS'07: Proceedings of the 11th USENIX workshop on Hot topics in operating systems
May 2007
127 pages

Sponsors

  • USENIX Assoc

Publisher

USENIX Association

United States

Cited By

  • (2021) Towards Transparent and Stealthy Android OS Sandboxing via Customizable Container-Based Virtualization. Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, pp. 2858-2874. DOI: 10.1145/3460120.3484544. Online publication date: 12-Nov-2021
  • (2020) Security Issues and Challenges for Virtualization Technologies. ACM Computing Surveys 53:2, pp. 1-37. DOI: 10.1145/3382190. Online publication date: 19-May-2020
  • (2020) The Ideal Versus the Real. ACM Computing Surveys 53:1, pp. 1-31. DOI: 10.1145/3365199. Online publication date: 6-Feb-2020
  • (2019) SoK. Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security, pp. 15-27. DOI: 10.1145/3321705.3329819. Online publication date: 2-Jul-2019
  • (2019) "Jekyll and Hyde" is Risky. Proceedings of the 17th Annual International Conference on Mobile Systems, Applications, and Services, pp. 222-235. DOI: 10.1145/3307334.3326072. Online publication date: 12-Jun-2019
  • (2019) Design and implementation of emulab-based malware analysis service through EmuLiB. Proceedings of the 34th ACM/SIGAPP Symposium on Applied Computing, pp. 2146-2151. DOI: 10.1145/3297280.3297490. Online publication date: 8-Apr-2019
  • (2019) Detecting indicators of deception in emulated monitoring systems. Service Oriented Computing and Applications 13:1, pp. 17-29. DOI: 10.1007/s11761-018-0252-2. Online publication date: 1-Mar-2019
  • (2018) Hiding in the Shadows. Proceedings of the 34th Annual Computer Security Applications Conference, pp. 407-417. DOI: 10.1145/3274694.3274698. Online publication date: 3-Dec-2018
  • (2018) Who Watches the Watchmen. ACM Computing Surveys 51:4, pp. 1-34. DOI: 10.1145/3199673. Online publication date: 13-Jul-2018
  • (2017) A Survey On Automated Dynamic Malware Analysis Evasion and Counter-Evasion. Proceedings of the 1st Reversing and Offensive-oriented Trends Symposium, pp. 1-21. DOI: 10.1145/3150376.3150378. Online publication date: 16-Nov-2017
