Detecting Hardware-Assisted Virtualization With Inconspicuous Features

Recent years have witnessed the proliferation of the deployment of virtualization techniques. Virtualization is designed to be transparent, that is, unprivileged users should not be able to detect whether a system is virtualized. Such detection can result in serious security threats such as evading...

Full description

Saved in:
Bibliographic Details
Published in:IEEE transactions on information forensics and security 2021, Vol.16, p.16-27
Main Authors: Zhang, Zhi, Cheng, Yueqiang, Gao, Yansong, Nepal, Surya, Liu, Dongxi, Zou, Yi
Format: Article
Language:English
Subjects:
Chips (electronics)
Cloud computing
Feature extraction
Fingerprints
Hardware
Malware
microarchitectural timing
Runtime
Security
Software reliability
Translations
Virtual environments
Virtual machine monitors
virtual machine-based rootkit
Virtualization
virtualization detection
Virtualization-based malware analysis
Citations: Items that this one cites
Items that cite this one
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:Recent years have witnessed the proliferation of the deployment of virtualization techniques. Virtualization is designed to be transparent, that is, unprivileged users should not be able to detect whether a system is virtualized. Such detection can result in serious security threats such as evading virtual machine (VM)-based malware dynamic analysis and exploiting vulnerabilities for cross-VM attacks. The traditional software-based virtualization leaves numerous artifacts/fingerprints, which can be exploited without much effort to detect the virtualization. In contrast, current mainstream hardware-assisted virtualization significantly enhances the virtualization transparency, making itself more transparent and difficult to be detected. Nonetheless, we showcase three new identified low-level inconspicuous features, which can be leveraged by an unprivileged adversary to effectively and stealthily detect the hardware-assisted virtualization. All three features come from the chipset fingerprints, rather than the traces of software-based virtualization implementations (e.g., Xen or KVM). The identified features include i) Translation-Lookaside Buffer (TLB) stores an extra layer of address translations; ii) Last-Level Cache (LLC) caches one more layer of page-table entries; and iii) Level-1 Data (L1D) Cache is unstable. Based on the above features, we develop three corresponding virtualization detection techniques, which are then comprehensively evaluated on three native environments and three popular cloud providers: i) Amazon Elastic Compute Cloud, ii) Google Compute Engine and iii) Microsoft Azure. Experimental results validate that these three adversarial detection techniques are effective (with no false positive) and stealthy (without triggering suspicious system events, e.g., VM-exit) in detecting the above commodity virtualized environments.
ISSN:1556-6013
1556-6021
DOI:10.1109/TIFS.2020.3004264