In-Band Detection of Virtual Machines

Estefan Ortiz & Cory Hayes

Computer Science and Engineering

Graduate Operating Systems

December 16, 2011

Introduction

Malicious programs (malware) need to know if they are in a virtual environment so they can modify their behavior and avoid detection

Related work Red Pill Tests: Examine byte-level behavior of instructions

for physical and emulated CPUs. If any disagreements in output, create one or more “red pills” that can avoid detection

SubVirt: Virtual machine-based rootkit installed underneath host OS that runs OS as a guest to remain nearly undetectable

Our Approach

Similar to Red Pill and SubVirt, but client-server based

Idea: Instead of monitoring system call discrepancies, analyze network data sent to/from physical and virtual machines

Goal: Determine if there are sufficient differences in network traffic to detect if a client/server is being run on a virtual machine

Client <-> Native TCP/IP Packet Client <-> Virtual Machine TCP/IP Packet

Byte 0

Byte n

Byte k1

Byte k2

Difference Found

General Setup

Actual Setup

Host Server(Apache)

Wireshark

Client

Switch

Network output saved for analysis

Functions as the “MITM”

Experiment Setup

Using Wireshark, capture and compare the raw info of TCP/IP packets sent back and forth between a client and a physical/virtual server running Apache Bits 1-160: IP Remainder: TCP

Virtual machine OS matches the OS of the host (Ubuntu-Ubuntu, Vista-Vista)

Use a small set of Matlab commands to send regular and malformed packets

Dynex 5-port 10/100/1000 Gigabit Ethernet Switch

Sample Captured Wireshark Output

8th Packet sent between Client & VM running Apache

8th Packet sent between Client & Host running Apache

Client

Metrics

Bit Difference Comparison: Fractional Hamming distance between two packets

Metrics (cont.)

Round trip time: Time from SYN request sent by client to received ACK from server

Metrics (cont.)*

Pairwise Packet Length Comparison: Number of concurrent packet pairs that differ in length

Experiment #1

Client: Windows Vista (4GB RAM, 2.6GHz) Server: Ubuntu 11.04 32-bit w/ Apache Web Server 2.2 Server: Host OS Ubuntu: VirtualBox w/ Ubuntu running

Apache

On isolated switch network (no other traffic)

Exp. #1: Frac. Hamming Distance

Exp. #1: Round-trip Timing

Example: Packet #9

These bits correspond to the header length & flags in the TCP header

Experiment #2

Client: Mac (4GB RAM, 2.4GHz, MacOSX 10.6.8) Server: Windows Vista 32-bit w/ Apache Web Server 2.2 Server: Host OS Windows Vista: VirtualBox w/ Windows

Vista running Apache

On isolated switch network (no other traffic)

Example: Packet #4

Destination Address in IP header

Flags in TCP header

Experiment #3

Apache

Both client and server on CVRL subnet (at ~3:00 am)

Example: Packet #3

Destination Address in IP header

Experiment #4

Internet

Sprint Mobile Hotspot

Host Server(Apache)

ND/CVRL subnet

Client

PortFIREWALL

Experiment #4

Apache

Could not monitor packet information; only ping tests Varied number of bytes sent using ping Performed 100 per fixed byte amount Calculated avg. & std. dev

Executed at ~3:30 am

Exp. #4: Ping Timing

Conclusion

Examined packet information from a high level (packet-length) down to specific bit difference comparisons

Packet length provided no insight

Timing tests didn’t provide conclusive evidence of a connection to a virtual machine

Fractional hamming dist. provided first level of insight

Further analysis of differences at the bit level provided clues where to look for VM traces

Future Direction

Experiments 1-3 were conducted under somewhat “ideal” scenarios

More realistic approach would be packet analysis on multi-hop connections with knowledge of which sections of the TCP/IP packets to monitor

In-Band Detection of Virtual Machines

Documents

Restudy of 5GHz band radar detection requirement and ... · Restudy of 5GHz band radar detection requirement and market outlook - March 5th, 2015- Eiji Takagi . Wing Corporation

Life detection using microwave L band

BEARING FAULT DETECTION BY FOUR-BAND WAVELET PACKET

UNBALANCE DEFECT DETECTION IN ROTATING MACHINES … · UNBALANCE DEFECT DETECTION IN ROTATING MACHINES BY MEANS OF SOUND ANALYSIS Bachelor of Science Thesis in Software Engineering

IOT: Detection of Keys, Controlling Machines and ... · IOT: Detection of Keys, Controlling Machines and Wireless Sensing Via Mesh Networking Through Internet connecting each component

People Detection in Heavy Machines Applications

Bearing Fault Detection of Electrical Machines Used in

Radar Detection Performance in Medium Grazing Angle X-band

Manual Machine Tools & Band Saw Machines Manual Machine Tools & Band Saw Machines MACHINE TOOLS ... KGS-616S MANUAL SERIES ... • Magnetic separator MODELS

Detection and Localization of L-Band Satellites Using an

Machines for Hepatitis Detection

Broken Bar Detection in Induction Machines

VIRTUAL MACHINES DETECTION METHODS USING IP … · Virtual machine, remote detection, security, malware, mobile devices, smartphones. 1. INTRODUCTION Virtual machines (VMs) are underlying

Sequence Detection : Regular Expressions conversion to Finite State Machines

Static Eccentricity Fault Detection in Brushless Doubly Fed Induction Machines … · Static Eccentricity Fault Detection in Brushless Doubly Fed Induction Machines based on Motor

Cavitation Detection in Hydraulic Machines: A · PDF fileCavitation Detection in Hydraulic Machines: A Review ... Nirma University, S G Highway, Opp. SGVP, Ahmedabad-382481 ... Fig

Sealopack Machines Mfg. Co., Mumbai, Maxi Vertical Band Sealer

Rotating Machines Based Islanding Detection Using …article.sciencepublishinggroup.com/pdf/10.11648.j.ijepe...313 Lucas Ongondo Mogaka et al.: Rotating Machines Based Islanding Detection

Tomato leaves diseases detection approach based on support vector machines

Using Machines to Improve Human Saliency Detection