Saturday, October 20, 2012

Cyberspace and Cybersecurity: Archive Post 9

As of the start of this blog, I am in my second course for my Masters of Science in Cybersecurity. This is an archived posting from the first course.

Topic - Virtual Machine Security
Discuss one significant issue associated with virtual machine technology and identify appropriate countermeasures.
From March 23, 2012.

Virtual machines are useful to security researchers because they support malware analysis in several ways: easy reverting to a known (ideally known-good) state via snapshots, the ability to run malicious code (usually) without putting a physical system at risk, and easy kernel debugging. Unfortunately, malware authors have recognized these advantages and have begun performing virtualization detection and executing alternative code paths when virtualized, or even attempting to "escape the context of the virtual machine and attack the host system or at least glean information from it" (Vacca, 2009, pg 699).

Liston and Skoudis state that the leading method of VMware detection is to look for the communication channel used between the guest and host operating systems. Because this is, they claim, the "most widely deployed means of detecting virtual machines," they researched ways of thwarting it (Liston & Skoudis, 2006). As of their 2006 paper, their work had yielded "essentially a high speed search-and-replace tool that is designed to find the fixed “VMXh” magic value used to access the VMware communication channel and change it to a user-specified alternate value" (Liston & Skoudis, 2006). Unfortunately, VMware disk images are huge and a DWORD is only four bytes, so the magic value also occurs by chance in unrelated data; replacing those false positives is disastrous to successful execution. At the time of writing, "the best [they]’ve been able to do is to coax a VM into booting ... but with severely limited functionality (i.e. no keyboard, no mouse)" (Liston & Skoudis, 2006).
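To make the false-positive problem concrete, here is a small scanner I put together for this post; it is an added example, not the Liston & Skoudis tool, and the sample bytes it ships with are constructed. It only locates and counts occurrences of the "VMXh" DWORD (in both the ASCII and little-endian immediate encodings, which I assume are the two a patcher would have to consider) and estimates how many chance matches a file of a given size would produce, rather than rewriting anything:

```python
"""Locate every occurrence of the VMware "VMXh" magic DWORD in a file.

Added example, not the Liston & Skoudis tool: it shows why a blind
search-and-replace of a four-byte value in a large image is risky.
The value 0x564D5868 is the ASCII string "VMXh"; embedded as a 32-bit
little-endian immediate in x86 code it is stored as 68 58 4D 56.
A scanner has to look for both encodings, and any four bytes of a big
file can match by chance, so this tool only counts and reports hits.
"""
import struct
import sys

VMX_MAGIC = 0x564D5868  # the "VMXh" magic value quoted in the post

# The two byte orders in which the magic can appear on disk (assumed to be
# the ones a patcher would need to consider).
PATTERNS = {
    "ascii": b"VMXh",                          # 56 4D 58 68
    "le-imm32": struct.pack("<I", VMX_MAGIC),  # 68 58 4D 56
}


def find_magic(data):
    """Return {pattern_name: [byte offsets]} for every hit in `data`."""
    hits = {}
    for name, pat in PATTERNS.items():
        offsets = []
        pos = data.find(pat)
        while pos >= 0:
            offsets.append(pos)
            pos = data.find(pat, pos + 1)
        hits[name] = offsets
    return hits


def expected_chance_hits(size, width=4):
    """Expected number of chance matches of one fixed `width`-byte pattern
    in `size` bytes, modelling the file as uniformly random bytes (a rough
    approximation; real images are not random, but it gives the scale)."""
    return size / float(256 ** width)


def scan_file(path):
    """Scan a file on disk and return the hit dictionary."""
    with open(path, "rb") as fh:
        return find_magic(fh.read())


# Constructed sample: 16 bytes of padding, then `mov eax, 0x564D5868`
# (opcode B8 + little-endian imm32), 7 more bytes of padding, then the
# magic inside an ordinary ASCII string.
SAMPLE = (
    b"\x90" * 16
    + b"\xb8" + struct.pack("<I", VMX_MAGIC)
    + b"\x90" * 7
    + b"vmware: VMXh channel\x00"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = SAMPLE
    for name, offsets in find_magic(data).items():
        print(f"{name}: {len(offsets)} hit(s) at offsets "
              f"{[hex(o) for o in offsets]}")
    print(f"expected chance hits per pattern in {len(data)} random bytes: "
          f"{expected_chance_hits(len(data)):.3g}")
```

Run it with a path to scan a real file, or with no arguments to scan the built-in sample. The chance-hit estimate is the point: for a 2 GiB image the random-data model already predicts about half a spurious four-byte match per encoding, which is why an analyst would want to review every reported offset rather than patch them all.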

Overall, VM detection is easy and thwarting it reliably is hard. According to Vacca, some administrators have instead begun planting VM indicators on real systems to convince malware that the machine is a VM, so that samples which hide their behavior under virtualization do not attack (Vacca, 2009, pg 699).


Liston, T., & Skoudis, E. (2006). On the Cutting Edge: Thwarting Virtual Machine Detection. Retrieved from http://handlers.sans.org/tliston/ThwartingVMDetection_Liston_Skoudis.pdf

Vacca, J. R. (2009). Computer and Information Security Handbook. Burlington, MA: Morgan Kaufmann.
