
In-Band Detection of Virtual Machines


Presentation Transcript


  1. In-Band Detection of Virtual Machines Estefan Ortiz & Cory Hayes CSE 60641 November 3, 2011

  2. Introduction
  • Malware programs need to know if they are in a virtual environment so they can modify their behavior and avoid detection
  • Related work
    • Red Pill Tests: Examine the byte-level behavior of instructions on physical and emulated CPUs. Where the outputs disagree, those instructions become one or more “red pills” that malware can use to recognize the emulator and avoid detection
    • SubVirt: Virtual machine-based rootkit installed underneath the host OS; the original OS is then run as a guest, so the rootkit remains nearly undetectable

  3. Our Approach
  • Similar to Red Pill and SubVirt, but client-server based
  • Idea: Instead of monitoring system call discrepancies, analyze network data sent to/from physical and virtual machines
  • Question: Can we detect if a client/server is being run in a virtual machine through network traffic?

  4. General Setup

  5. Goal (diagram): the bytes of a Client <-> Native TCP/IP packet are laid alongside the bytes of a Client <-> Virtual Machine TCP/IP packet, from Byte 0 to Byte n, and the positions (Byte k1, Byte k2) where a difference is found are marked

  6. Current Setup (diagram): Host Server (Apache) and Client each connected to a port on a Switch; a “Man-in-the-Middle” capture point on a third port produces the Wireshark Output

  7. Experiment
  • Using Wireshark, capture and compare the raw contents of TCP/IP packets sent back and forth between a client and a physical/virtual server running Apache
  • Virtual machine OS matches the OS of the host (Ubuntu-Ubuntu)
  • Use a small set of Matlab commands to send regular and malformed packets

  8. Sample Captured Wireshark Output (two captures, labelled VM / Host / Client): the 8th packet sent between Client & VM running Apache, and the 8th packet sent between Client & Host running Apache

  9. Sample Wireshark Output (cont.)

  10. Results

  11. Remaining Tasks
  • Understand what the differences in the packet information represent (checksums, acknowledgment differences, etc.)
  • Vary the malformed packets sent
  • Try a more low-level approach to sniffing or script Wireshark
  • Vary the host and VM operating systems (already have Vista-Vista set up)
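An added example (not part of the slides or the authors' code) of the byte-by-byte comparison the Experiment slide performs, extended with the header-field labelling that the first Remaining Task asks for: each differing offset is mapped to the IPv4/TCP field it falls in. The two packets are constructed inline, not real captures, and the field names and `build_packet` parameters are this example's own.

```python
# Added example: byte-wise diff of two IPv4/TCP packets, labelling each
# differing offset with the header field it belongs to. Packets are
# constructed below (not captured); field names are this example's own.
import struct

IPV4_FIELDS = [  # (start, end, name) offsets within an IPv4 header without options
    (0, 1, "ip.version/ihl"), (1, 2, "ip.dscp/ecn"), (2, 4, "ip.total_length"),
    (4, 6, "ip.id"), (6, 8, "ip.flags/frag_offset"), (8, 9, "ip.ttl"),
    (9, 10, "ip.protocol"), (10, 12, "ip.checksum"), (12, 16, "ip.src"),
    (16, 20, "ip.dst"),
]
TCP_FIELDS = [  # offsets relative to the start of the TCP header
    (0, 2, "tcp.srcport"), (2, 4, "tcp.dstport"), (4, 8, "tcp.seq"),
    (8, 12, "tcp.ack"), (12, 13, "tcp.data_offset"), (13, 14, "tcp.flags"),
    (14, 16, "tcp.window"), (16, 18, "tcp.checksum"), (18, 20, "tcp.urgent"),
]

def field_at(packet: bytes, offset: int) -> str:
    """Name the IPv4/TCP header field (or 'payload'/'options') covering offset."""
    ihl = (packet[0] & 0x0F) * 4                         # IPv4 header length
    if offset < ihl:
        table, base = IPV4_FIELDS, 0
    else:
        data_off = ((packet[ihl + 12] >> 4) & 0x0F) * 4  # TCP header length
        if offset >= ihl + data_off:
            return "payload"
        table, base = TCP_FIELDS, ihl
    rel = offset - base
    for start, end, name in table:
        if start <= rel < end:
            return name
    return "options"

def diff_packets(native: bytes, vm: bytes) -> list:
    """Return (offset, native_byte, vm_byte, field) for every differing byte."""
    diffs = []
    for k in range(max(len(native), len(vm))):
        a = native[k] if k < len(native) else None
        b = vm[k] if k < len(vm) else None
        if a != b:
            diffs.append((k, a, b, field_at(native, k)))
    return diffs

def build_packet(ip_id: int, ttl: int, window: int) -> bytes:
    """Constructed IPv4 + TCP SYN/ACK header pair, 10.0.0.1:80 -> 10.0.0.2:40000."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ip_id, 0x4000, ttl, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp = struct.pack("!HHIIBBHHH", 80, 40000, 1000, 2000, 0x50, 0x12, window, 0, 0)
    return ip + tcp

if __name__ == "__main__":
    # Native server vs. VM server differing in IP ID, TTL and TCP window
    for k, a, b, f in diff_packets(build_packet(0x1234, 64, 5840),
                                   build_packet(0xBEEF, 128, 65535)):
        print(f"byte {k:2d}: native={a:#04x} vm={b:#04x} ({f})")
```

On a real capture, feed the raw IP-layer bytes of the corresponding packet from each trace into `diff_packets`; offsets that land in `ip.id`, `ip.ttl` or `tcp.window` point at stack defaults, while `ip.checksum`/`tcp.checksum` differences usually just follow from those.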
