How hard is it to distinguish between remote access to a virtual machine vs a piece of hardware?


Let's say I have full access to a remote machine (specifically, root on a Linux). What is the best method to check whether this is a real piece of hardware or a virtual machine?



Most of the methods that I have seen rely on looking at various hardware-related identifiers using tools such as lshw. It seems to me that these methods are prone to some sort of man-in-the-middle attacks.



Thanks in advance for references or any other information.










Tag: virtualization

asked 15 hours ago by ffc (new contributor); edited 3 hours ago by RonJohn

Comments on the question:

  • I am not in a position to answer, but how about turning the question around: why does it matter to you? If there's some specific function or impact to your intended use of the machine, that is probably a good place to start in terms of making this determination.
    – dwizum, 15 hours ago

  • @dwizum thanks for the constructive comment. I wanted to keep the question narrow and could not come up with a way of writing up the context in more detail without distracting from this point.
    – ffc, 14 hours ago

  • @ffc consider adding this info, or people might start "this is an XY-problem"-ing your question. Also, how do you know that you have access to a remote machine you have access to?
    – aaaaaa, 6 hours ago

  • Often asked in the context of VM rootkits and breakout: red pill, blue pill, detect VM. Be sure to read the first one, which is Joanna Rutkowska's blog.
    – jww, 6 hours ago

  • I do think you need to add more context to the question. If you just want to not be fooled by scammy hosting companies that claim to sell you a dedi but really give you a crappy VM, it's pretty damn easy. If you're given a VM that's using a large number of state-of-the-art techniques to hide its existence, complete with custom hardware drivers that mimic all sorts of (possibly undefined) behavior unique to genuine hardware, then the answer will be quite different. It will still be possible, but now it takes advanced or novel attacks.
    – forest, 3 hours ago
1 Answer
It depends. If it attempts to hide that it's a VM, it can be hard. This can be the case with, for instance, VMs used for analyzing malware.

This paper from Symantec goes into some detail. In short, it's usually possible to detect, even if the VM is trying to hide it, by running instructions to put the CPU in a specific state, then running some instruction that forces the hypervisor to execute, and checking the state of the CPU afterwards.

Timing attacks can also detect a hypervisor, but may be difficult if you have no baseline.

A stock VM from, for instance, Azure will not attempt to hide that it's a VM, and it will be obvious that it is a VM from descriptors, as you say.






answered 14 hours ago by vidarlo

Comments on the answer:

  • Turn off KPTI and try the KAISER vulnerability path. If it works it's not a VM.
    – Joshua, 3 hours ago

  • Timing attacks can be very effective if you're using more than just the TSC (e.g. perf counters). It's easy enough to spoof the cycle counter (VM Exit on RDTSC/RDTSCP), but not all performance metrics. Also, if you can load kernel drivers, you can interact directly with hardware which makes detection trivial. It's close to impossible to have cycle-accurate emulation of all the components of a modern x86 system.
    – forest, 3 hours ago
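The descriptor check and the timing check the answer describes, as an added example that is not code from the answer or from the Symantec paper: it reads the CPUID hypervisor-present bit and vendor leaf (the CPU-level version of what lshw reports) and times CPUID against an empty RDTSC pair as the local baseline, for the case forest's comment raises of a "dedicated" server that is really a VM. It assumes x86-64 built with GCC or Clang; the signature table, the 201-sample count and the 1000-tick threshold are assumptions flagged in the comments.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>       /* GCC/Clang __cpuid macro (assumption: not MSVC) */
#include <x86intrin.h>   /* __rdtsc */
#define HAVE_X86_CPUID 1 /* left undefined elsewhere, which #if treats as 0 */
#endif
#define CPUID_HV_PRESENT (1u << 31) /* leaf 1, ECX bit 31: reserved as 0 on bare metal */
volatile unsigned hv_probe_sink;    /* keeps the timed CPUID from being optimised away */
struct hv_probe {
    int supported, hv_bit;    /* 0 on a non-x86 build; leaf-1 hypervisor-present bit */
    char vendor[13];          /* 12-byte signature from leaf 0x40000000, NUL terminated */
    uint64_t cpuid_cycles, baseline_cycles; /* min TSC ticks: one CPUID / empty pair */
};

/* Assemble the signature string from the EBX, ECX, EDX register triple (little-endian). */
void decode_hv_vendor(uint32_t ebx, uint32_t ecx, uint32_t edx, char out[13]) {
    memcpy(out, &ebx, 4); memcpy(out + 4, &ecx, 4); memcpy(out + 8, &edx, 4);
    out[12] = '\0';
}

/* Documented 12-byte signatures, as matched by the Linux kernel and systemd-detect-virt. */
const char *hv_name(const char *sig) {
    static const struct { const char *sig; const char *name; } table[] = {
        {"KVMKVMKVM\0\0\0", "KVM"},     {"VMwareVMware", "VMware"},
        {"Microsoft Hv", "Hyper-V"},    {"XenVMMXenVMM", "Xen"},
        {"VBoxVBoxVBox", "VirtualBox"}, {"TCGTCGTCGTCG", "QEMU (TCG)"},
        {"bhyve bhyve ", "bhyve"},
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (memcmp(sig, table[i].sig, 12) == 0) return table[i].name;
    return "unknown";
}

#if HAVE_X86_CPUID
/* Minimum TSC delta over 201 runs. CPUID is an unconditional VM exit on VT-x/AMD-V, so
   under a hypervisor it costs far more than on bare metal; the empty RDTSC pair is the
   local baseline the answer says timing needs (a hypervisor trapping RDTSC skews both). */
static uint64_t min_cycles(int run_cpuid) {
    uint64_t best = UINT64_MAX; unsigned a, b, c, d;
    for (int i = 0; i < 201; i++) {
        uint64_t t0 = __rdtsc();
        if (run_cpuid) { __cpuid(0, a, b, c, d); hv_probe_sink = a; } /* serializing */
        uint64_t t1 = __rdtsc();
        if (t1 - t0 < best) best = t1 - t0;
    }
    return best;
}
#endif

/* Collect the CPU-level evidence into `p`; returns p->supported. */
int probe_hypervisor(struct hv_probe *p) {
    memset(p, 0, sizeof *p);
#if HAVE_X86_CPUID
    unsigned a, b, c, d;
    p->supported = 1;
    __cpuid(1, a, b, c, d);
    p->hv_bit = (c & CPUID_HV_PRESENT) != 0;
    if (p->hv_bit) { /* leaf 0x40000000 is only meaningful once the bit is set */
        __cpuid(0x40000000, a, b, c, d);
        decode_hv_vendor(b, c, d, p->vendor);
    }
    p->cpuid_cycles = min_cycles(1);
    p->baseline_cycles = min_cycles(0);
#endif
    return p->supported;
}

/* 1000 ticks is an empirical assumption (bare metal: low hundreds, VM exit: thousands). */
const char *verdict(const struct hv_probe *p) {
    if (!p->supported) return "not x86: no CPUID evidence available";
    if (p->hv_bit) return "hypervisor declares itself: this is a VM";
    if (p->cpuid_cycles > 1000) return "CPUID latency looks like a VM exit: hidden hypervisor likely";
    return "no hypervisor evidence from CPUID or timing";
}

int main(void) {
    struct hv_probe p; probe_hypervisor(&p);
    printf("hv bit %d, vendor %s, min CPUID %llu ticks (baseline %llu): %s\n", p.hv_bit,
           p.hv_bit ? hv_name(p.vendor) : "-", (unsigned long long)p.cpuid_cycles,
           (unsigned long long)p.baseline_cycles, verdict(&p));
    return 0;
}
```

On a stock cloud VM the bit and vendor leaf settle it; the timing figure only means something next to a measurement from a known bare-metal box of the same CPU model, which is the baseline problem the answer raises.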