Detecting Hardware-Assisted Virtualization With Inconspicuous Features

Zhi Zhang; Yueqiang Cheng; Yansong Gao; Surya Nepal; Dongxi Liu; Yi Zou

Recent years have witnessed the widespread deployment of virtualization techniques. Virtualization is designed to be transparent, that is, unprivileged users should not be able to detect whether a system is virtualized. Such detection can result in serious security threats such as evading virtual machine (VM)-based dynamic malware analysis and exploiting vulnerabilities for cross-VM attacks. Traditional software-based virtualization leaves numerous artifacts/fingerprints, which can be exploited without much effort to detect the virtualization. In contrast, current mainstream hardware-assisted virtualization significantly enhances transparency, making virtualization more difficult to detect. Nonetheless, we showcase three newly identified low-level inconspicuous features, which can be leveraged by an unprivileged adversary to effectively and stealthily detect hardware-assisted virtualization. All three features come from chipset fingerprints, rather than the traces of software-based virtualization implementations (e.g., Xen or KVM). The identified features are: i) the Translation-Lookaside Buffer (TLB) stores an extra layer of address translations; ii) the Last-Level Cache (LLC) caches one more layer of page-table entries; and iii) the Level-1 Data (L1D) Cache is unstable. Based on these features, we develop three corresponding virtualization detection techniques, which are then comprehensively evaluated on three native environments and three popular cloud providers: i) Amazon Elastic Compute Cloud, ii) Google Compute Engine and iii) Microsoft Azure. Experimental results validate that these three adversarial detection techniques are effective (with no false positives) and stealthy (without triggering suspicious system events, e.g., VM-exit) in detecting the above commodity virtualized environments.
