VMM detection using privilege rings and benchmark execution times

Authors:
Mohsen Sharifi;Hadi Salimi;Alireza Saberi;Joobin Gharibshah
Affiliations:
Distributed Systems Laboratory, School of Computer Engineering, Iran University of Science and Technology, University Road, Hengam Street, Resalat Square, Narmak, Tehran, Iran;Distributed Systems Laboratory, School of Computer Engineering, Iran University of Science and Technology, University Road, Hengam Street, Resalat Square, Narmak, Tehran, Iran;Distributed Systems Laboratory, School of Computer Engineering, Iran University of Science and Technology, University Road, Hengam Street, Resalat Square, Narmak, Tehran, Iran;Distributed Systems Laboratory, School of Computer Engineering, Iran University of Science and Technology, University Road, Hengam Street, Resalat Square, Narmak, Tehran, Iran
Venue:
International Journal of Communication Networks and Distributed Systems
Year:
2013

Citing 12
Cited 0

Formal requirements for virtualizable third generation architectures

Communications of the ACM
Xen and the art of virtualization

SOSP '03 Proceedings of the nineteenth ACM symposium on Operating systems principles
Defeating Internet Attacks Using Risk Awareness and Active Honeypots

IWIA '04 Proceedings of the Second IEEE International Information Assurance Workshop (IWIA'04)
SubVirt: Implementing malware with virtual machines

SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
Virtual Machines: Versatile Platforms for Systems and Processes (The Morgan Kaufmann Series in Computer Architecture and Design)

Virtual Machines: Versatile Platforms for Systems and Processes (The Morgan Kaufmann Series in Computer Architecture and Design)
Analysis of the Intel Pentium's ability to support a secure virtual machine monitor

SSYM'00 Proceedings of the 9th conference on USENIX Security Symposium - Volume 9
Virtual Clusters on the Fly - Fast, Scalable, and Flexible Installation

CCGRID '07 Proceedings of the Seventh IEEE International Symposium on Cluster Computing and the Grid
Hiding Virtualization from Attackers and Malware

IEEE Security and Privacy
SecVisor: a tiny hypervisor to provide lifetime kernel code integrity for commodity OSes

Proceedings of twenty-first ACM SIGOPS symposium on Operating systems principles
Taming Virtualization

IEEE Security and Privacy
Compatibility is not transparency: VMM detection myths and realities

HOTOS'07 Proceedings of the 11th USENIX workshop on Hot topics in operating systems
Remote detection of virtual machine monitors with fuzzy benchmarking

ACM SIGOPS Operating Systems Review

Quantified Score

Hi-index	0.00

Visualization

Abstract

This paper proposes two complementary virtual machine monitor VMM detection methods. These methods can be used to detect any VMM that is designed for ×86 architecture. The first method works by finding probable discrepancies in hardware privilege levels of the guest operating system's kernel on which user applications run. The second method works by measuring the execution times of a set of benchmark programs and comparing them with the stored execution times of the same programmes previously ran on a trusted physical machine. Unlike other methods, our proportional execution time technique could not be easily thwarted by VMMs. In addition, using proportional execution times, there is no need for a trusted external source of time during detection. It is shown experimentally that the deployment of both methods together can detect the existence of four renowned VMMs, namely, Xen, VirtualBox, VMware, and Parallels, on both types of processors that support virtualisation technology VT-enabled or do not support it VT-disabled.