
VM-Based Information Warfare-De-Virtualization

Posted on: 2010-07-13
Degree: Master
Type: Thesis
Country: China
Candidate: N X Xu
Full Text: PDF
GTID: 2178360275470386
Subject: Computer application technology

Abstract/Summary:
Virtualization technology has been widely used in the information security domain. To monitor and analyze malware, researchers often use virtual machines to build monitoring environments that confine collected malware inside virtual worlds. Consequently, the confined malware has little chance to attack physical machines, and compromised virtual systems can easily be restored to their initial healthy states. Recognizing this, however, malware authors are adding VM detection techniques so that their code avoids being trapped in an opponent's virtual monitoring environment. In addition, VM-based rootkits have also emerged.

In order to understand how malware's VM detection techniques work, and to detect VM-based rootkits, this thesis proposes three techniques for detecting a VM environment (de-virtualization). These techniques exploit the VM's fingerprints in instruction execution, memory management and I/O operation. The instruction-based detection constructs detection instruction sequences that expose VM performance fingerprints, using the fact that virtual machine monitors incur performance degradation when executing special instructions. The TLB-based detection checks the consistency between data and the time required to access that data, in order to discover TLB flushes in virtual machines. The TCP timestamp-based detection works by examining the abnormal relationship between TCP timestamps and real time on a remote system.

Experiments targeting VMware and Xen show that these detection methods are able to identify virtual environments by exposing clear differences between virtual and non-virtual systems. Some countermeasures against these VM detection methods are also presented in this thesis.
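As an added illustration of the TCP timestamp consistency check the abstract describes (example code written for this page, not the thesis author's implementation), the following script fits the TCP timestamp values observed from a remote host against the observer's wall clock and flags hosts whose timestamp clock is either far from a standard tick rate or drifts irregularly around the fitted line. The sample pairs are constructed, and the set of "standard" rates and the tolerance thresholds are assumptions chosen for the demonstration; a practitioner would calibrate them against known-native hosts.

```python
from typing import List, Tuple

# Constructed samples: (observer wall-clock seconds, TCP timestamp value)
# as recorded from a remote host's segments. Hypothetical values, not
# measurements from the thesis.
NATIVE_SAMPLES: List[Tuple[float, int]] = [
    (0.0, 1000), (1.0, 1250), (2.0, 1500), (3.0, 1750), (4.0, 2000),
]
# Same nominal 250 Hz clock, but the guest clock lags and catches up
# irregularly, so the timestamps no longer advance linearly with real time.
VM_SAMPLES: List[Tuple[float, int]] = [
    (0.0, 1000), (1.0, 1240), (2.0, 1510), (3.0, 1705), (4.0, 2030),
]

# Assumed common TCP timestamp clock rates (ticks per second).
STANDARD_RATES_HZ = (100.0, 250.0, 1000.0)


def _relative_ticks(samples: List[Tuple[float, int]]) -> List[Tuple[float, int]]:
    """Express every timestamp relative to the first one, modulo 2**32,
    so a wrap of the 32-bit TCP timestamp counter does not break the fit."""
    base = samples[0][1]
    return [(t, (ts - base) & 0xFFFFFFFF) for t, ts in samples]


def fit_clock(samples: List[Tuple[float, int]]) -> Tuple[float, float, float]:
    """Least-squares fit of ticks = rate * t + offset.

    Returns (rate_hz, offset_ticks, max_abs_residual_ticks). The residual is
    the largest deviation of an observed timestamp from the fitted line; a
    host whose clock advances uniformly with real time has a small residual.
    """
    rel = _relative_ticks(samples)
    n = len(rel)
    mean_t = sum(t for t, _ in rel) / n
    mean_ts = sum(ts for _, ts in rel) / n
    sxx = sum((t - mean_t) ** 2 for t, _ in rel)
    sxy = sum((t - mean_t) * (ts - mean_ts) for t, ts in rel)
    rate = sxy / sxx
    offset = mean_ts - rate * mean_t
    max_resid = max(abs(ts - (rate * t + offset)) for t, ts in rel)
    return rate, offset, max_resid


def looks_virtual(samples: List[Tuple[float, int]],
                  rate_tolerance: float = 0.02,
                  residual_ticks: float = 5.0) -> bool:
    """Flag an abnormal timestamp/real-time relationship.

    Thresholds are assumptions for this example: the fitted rate must sit
    within rate_tolerance of a standard rate, and no sample may deviate more
    than residual_ticks from the fitted line.
    """
    rate, _, max_resid = fit_clock(samples)
    near_standard = any(abs(rate - r) / r <= rate_tolerance
                        for r in STANDARD_RATES_HZ)
    return (not near_standard) or max_resid > residual_ticks


if __name__ == "__main__":
    for name, s in (("native", NATIVE_SAMPLES), ("vm", VM_SAMPLES)):
        rate, _, resid = fit_clock(s)
        print(f"{name}: rate={rate:.1f} Hz max_residual={resid:.1f} ticks "
              f"virtual={looks_virtual(s)}")
```

The native samples fit a 250 Hz line exactly, while the constructed VM samples keep a plausible average rate yet wander tens of ticks off the line, which is the kind of inconsistency the abstract's third technique looks for. Five samples are used here only to keep the arithmetic visible; in practice more observations over a longer window are needed to separate genuine clock irregularity from network jitter.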
Keywords/Search Tags:virtual machine, de-virtualization, detection, instruction, TLB, TCP timestamp