Nytro
Posted December 23, 2012

Detection and Subversion of Virtual Machines

Dan Upton
University of Virginia
CS 851 - Virtual Machines

Abstract

Recent virtual machines have been designed to take advantage of run-time information to provide various services including dynamic optimization, instrumentation, and enforcement of security policies. While these systems must run in the same user space as the program running under their control, they must remain as transparent as possible so as to prevent affecting the correctness of the guest program. However, the virtual machine must store its own code and program state as well as information about the guest program. This data, stored in the program's user space, may lead to gaps in transparency that can be used to detect their presence. Additionally, while many virtual machines have a smaller code base than operating systems, they may still contain their own unique errors and security holes. This research shows that it is possible to use different run-time clues to detect the existence of several common virtual machines. Further, information about the existence of these virtual machines can be used to attack the system. As a result, this paper presents countermeasures that should be taken by designers of these systems to prevent detection and attacks.

Download:
www.cs.virginia.edu/~dsu9w/upton06detection.pdf