Module-3 2

Summary:
1) A virus could install a malicious virtual machine monitor (VMM) on a victim's machine, hiding the virus in the VMM and making it invisible to antivirus software running in virtual machines.
2) Microsoft suggested disabling hardware virtualization by default on client systems due to the risk of "blue pill" viruses that install malicious VMMs.
3) However, virtual machine-based malware is easy to defeat, since guest operating systems can detect that they are running on top of a VMM using techniques such as detecting time latency variations, reduced TLB size, and emulated hardware.

Uploaded by Harpreet Singh

Module 3, part 2: VM Subversion

Subverting VM Isolation

SubVirt [King et al. 2006]

Virus idea:
- Once on the victim machine, install a malicious VMM
- The virus hides in the VMM
- Invisible to a virus detector running inside the VM

[Diagram: before infection, the antivirus runs on the OS, which runs on the hardware; after infection, the same antivirus and OS run on top of a VMM that contains the virus, and the VMM sits on the hardware. Caption: "The MATRIX".]

VM-based malware (blue pill virus)

VMBR: a virus that installs a malicious VMM (hypervisor)

Microsoft Security Bulletin (Oct 2006):
- Suggests disabling hardware virtualization features by default for client-side systems

But VMBRs are easy to defeat:
- A guest OS can detect that it is running on top of a VMM
VMM Detection

Can an OS detect that it is running on top of a VMM?

Applications:
- A virus detector can detect a VMBR
- A normal virus (non-VMBR) can detect a VMM and refuse to run, to avoid reverse engineering
- Software that binds to hardware (e.g. MS Windows) can refuse to run on top of a VMM
- DRM systems may refuse to run on top of a VMM
VMM detection (red pill techniques)

- VM platforms often emulate simple hardware: VMware emulates an ancient i440BX chipset but reports 8 GB RAM, dual CPUs, etc.
- A VMM introduces time latency variances: memory cache behavior differs in the presence of a VMM, which results in relative time variations for any two operations
- The VMM shares the TLB with the guest OS: the guest OS can detect the reduced TLB size
- and many more methods [GAWF07]
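As an added example, not part of the slides, the Python probe below shows how a defender-side integrity check (the virus detector that the deck says can detect a VMBR) can turn two of the anomaly classes above into concrete tests: the emulated legacy chipset and the CPUID hypervisor bit on one hand, and latency dispersion on the other. The /proc/cpuinfo and lspci excerpts and the cycle-count samples are constructed; the `hypervisor` CPUID flag and the "440BX" host-bridge string are the only real identifiers; the 0.25 dispersion threshold and the `assess` policy are assumptions of this example.

```python
"""Defender-side VMM presence probe (added example; not from the slides).

Two anomaly classes from the red pill slide, made concrete:
  1. emulated/legacy hardware and the CPUID hypervisor bit, read from text
     in the format of /proc/cpuinfo and lspci output;
  2. latency dispersion: a trapping VMM inflates and scatters the cost of an
     operation that is cheap and stable on bare metal.
All inputs below are constructed samples so the probe runs offline.
"""
import statistics

# Constructed /proc/cpuinfo excerpts. Linux derives the "hypervisor" flag
# from CPUID leaf 1, ECX bit 31, which hypervisors advertise to guests.
CPUINFO_GUEST = (
    "processor\t: 0\n"
    "vendor_id\t: GenuineIntel\n"
    "flags\t\t: fpu vme de pse tsc msr pae sse sse2 ht nx lm hypervisor\n"
)
CPUINFO_BARE = (
    "processor\t: 0\n"
    "vendor_id\t: GenuineIntel\n"
    "flags\t\t: fpu vme de pse tsc msr pae sse sse2 ht nx lm vmx\n"
)

# Constructed lspci-style lines. The deck notes that VMware presents an
# ancient i440BX chipset regardless of the real hardware underneath.
LSPCI_GUEST = [
    "00:00.0 Host bridge: Intel Corporation 440BX/ZX/DX - 82443BX/ZX/DX Host bridge",
    "00:07.1 IDE interface: Intel Corporation 82371AB/EB/MB PIIX4 IDE",
]
LSPCI_BARE = [
    "00:00.0 Host bridge: Intel Corporation 12th Gen Core Processor Host Bridge",
]

# Constructed cycle counts for one fixed operation, repeated eight times.
CYCLES_BARE = [110, 112, 109, 111, 110, 113, 108, 110]
CYCLES_GUEST = [1200, 1800, 900, 2500, 1100, 3000, 950, 2200]

# Assumption: substrings that identify a chipset no modern client ships with.
LEGACY_CHIPSET_MARKERS = ("440BX",)


def has_hypervisor_flag(cpuinfo_text):
    """True if the CPUID hypervisor-present flag appears in the flags line."""
    for line in cpuinfo_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "flags":
            return "hypervisor" in value.split()
    return False


def legacy_chipset_hits(lspci_lines):
    """Return the lspci lines that mention a known emulated legacy chipset."""
    return [l for l in lspci_lines if any(m in l for m in LEGACY_CHIPSET_MARKERS)]


def latency_dispersion(samples):
    """Coefficient of variation (stddev / mean) of the cycle counts."""
    return statistics.pstdev(samples) / statistics.fmean(samples)


def timing_anomaly(samples, threshold=0.25):
    """Flag when dispersion exceeds the (assumed) bare-metal threshold."""
    return latency_dispersion(samples) > threshold


def assess(cpuinfo_text, lspci_lines, cycles, expect_bare_metal=True):
    """Collect anomalies. On a client that is expected to run on bare metal,
    any hit is worth investigating; on a deliberately virtualized host the
    same hits are expected and are not treated as a VMBR indicator."""
    findings = []
    if has_hypervisor_flag(cpuinfo_text):
        findings.append("cpuid: hypervisor flag set")
    for hit in legacy_chipset_hits(lspci_lines):
        findings.append("pci: legacy chipset emulated: " + hit)
    if timing_anomaly(cycles):
        findings.append("timing: dispersion %.2f" % latency_dispersion(cycles))
    return {"vmm_suspected": bool(findings) and expect_bare_metal,
            "findings": findings}


if __name__ == "__main__":
    print(assess(CPUINFO_BARE, LSPCI_BARE, CYCLES_BARE))
    print(assess(CPUINFO_GUEST, LSPCI_GUEST, CYCLES_GUEST))
```

Each probe is a one-way signal: a hypervisor can clear the CPUID bit and present other device models, and real timing samples need per-machine calibration before a threshold means anything. The deck's bottom line still holds, though: a VMM built for compatibility and performance leaks anomalies somewhere, so a detector combines several weak signals rather than trusting one, and ties the verdict to a policy (`expect_bare_metal`) because the same signals cut both ways.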


VMM Detection

Bottom line: the perfect VMM does not exist.

VMMs today (e.g. VMware) focus on:
- Compatibility: ensure off-the-shelf software works
- Performance: minimize virtualization overhead

VMMs do not provide transparency:
- Anomalies reveal the existence of a VMM
