Abstract
With the rapid development of cloud computing, virtual machines are attracting more and more attention. Virtual machines used with malicious intent pose enormous threats to the security of computer systems. Virtual machine detection is crucial for honeypot systems and for software that provides free trials. Various strategies based on local register values affected by virtualization have been proposed. However, these strategies have a limited scope of application since they can only run natively. What's more, the values they depend on can be modified with ease. In this paper, we propose a new remote virtual machine detection strategy, based on time differences in thread scheduling, that applies to different types of virtual machines and different operating systems. Our main contribution is a probability-based thread scheduling analysis model that describes the time difference between physical machines and virtual machines. This paper shows that the probability distribution of the execution time of a piece of CPU-bound code in virtual machines has higher variance along with lower kurtosis and skewness, which make up our index system for detection. Results of numerical simulation and real tests show good agreement and provide a clear criterion for detection. In the real test, all the virtual machines and 97.2% of the physical machines were identified correctly.
Copyright information
© 2021 Springer Nature Switzerland AG
About this paper
Cite this paper
Lin, Z., Song, Y., Wang, J. (2021). Detection of Virtual Machines Based on Thread Scheduling. In: Sun, X., Zhang, X., Xia, Z., Bertino, E. (eds) Artificial Intelligence and Security. ICAIS 2021. Lecture Notes in Computer Science, vol 12737. Springer, Cham. https://doi.org/10.1007/978-3-030-78612-0_15
DOI: https://doi.org/10.1007/978-3-030-78612-0_15
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-78611-3
Online ISBN: 978-3-030-78612-0
eBook Packages: Computer Science, Computer Science (R0)