Title: VMM detection using privilege rings and benchmark execution times

Authors: Mohsen Sharifi; Hadi Salimi; Alireza Saberi; Joobin Gharibshah

Addresses: Distributed Systems Laboratory, School of Computer Engineering, Iran University of Science and Technology, University Road, Hengam Street, Resalat Square, Narmak, Tehran, Iran ' Distributed Systems Laboratory, School of Computer Engineering, Iran University of Science and Technology, University Road, Hengam Street, Resalat Square, Narmak, Tehran, Iran ' Distributed Systems Laboratory, School of Computer Engineering, Iran University of Science and Technology, University Road, Hengam Street, Resalat Square, Narmak, Tehran, Iran ' Distributed Systems Laboratory, School of Computer Engineering, Iran University of Science and Technology, University Road, Hengam Street, Resalat Square, Narmak, Tehran, Iran

Abstract: This paper proposes two complementary virtual machine monitor (VMM) detection methods. These methods can be used to detect any VMM that is designed for ×86 architecture. The first method works by finding probable discrepancies in hardware privilege levels of the guest operating system's kernel on which user applications run. The second method works by measuring the execution times of a set of benchmark programs and comparing them with the stored execution times of the same programmes previously ran on a trusted physical machine. Unlike other methods, our proportional execution time technique could not be easily thwarted by VMMs. In addition, using proportional execution times, there is no need for a trusted external source of time during detection. It is shown experimentally that the deployment of both methods together can detect the existence of four renowned VMMs, namely, Xen, VirtualBox, VMware, and Parallels, on both types of processors that support virtualisation technology (VT-enabled) or do not support it (VT-disabled).

Keywords: VMM detection; virtual machine monitor; virtualisation technology; security; malware detection; cloud computing; distributed systems; operating systems; kernel; hardware privilege levels; execution times; benchmark programs.

DOI: 10.1504/IJCNDS.2013.056226

International Journal of Communication Networks and Distributed Systems, 2013 Vol.11 No.3, pp.310 - 326

Published online: 28 Feb 2014 *

Full-text access for editors Full-text access for subscribers Purchase this article Comment on this article