Towards Sound Detection of Virtual Machines

  • Jason Franklin
  • Mark Luk
  • Jonathan M. McCune
  • Arvind Seshadri
  • Adrian Perrig
  • Leendert van Doorn
Part of the Advances in Information Security book series (ADIS, volume 36)

Summary

We design, implement, and evaluate a practical timing-based approach to detect virtual machine monitors (VMMs) without relying on VMM implementation details. The algorithms developed in this paper are based on fundamental properties of virtual machine monitors rather than easily modified software artifacts. We evaluate our approach against two common VMM implementations on machines with and without hardware support for virtualization in a number of remote and local experiments. We successfully distinguish between virtual and real machines in all cases even with incomplete information regarding the VMM implementation and hardware configuration of the targeted machine.

Keywords

Virtual Machine, Virtual Machine Monitor, Real Machine, Target Machine, Sound Detection

Copyright information

© Springer Science+Business Media, LLC 2008

Authors and Affiliations

  • Jason Franklin (1)
  • Mark Luk (1)
  • Jonathan M. McCune (1)
  • Arvind Seshadri (1)
  • Adrian Perrig (1)
  • Leendert van Doorn (2)

  1. Carnegie Mellon University, Pittsburgh
  2. Advanced Micro Devices