How hard is it to distinguish if I am given remote access to a virtual machine vs a piece of hardware?


Let's say I have full access to a remote machine (root on a Linux for definiteness). What is the best method to check if this is a real piece of hardware versus a virtual machine?



Most of the methods that I have seen rely on looking at various hardware-related identifiers using tools such as lshw. It seems to me that these methods are prone to some sort of man-in-the-middle attacks.



Thanks in advance for references or any other information.









  • 4
    I am not in a position to answer, but how about turning the question around: why does it matter to you? If there's some specific function or impact to your intended use of the machine, that is probably a good place to start in terms of making this determination.
    – dwizum
    11 hours ago

  • @dwizum thanks for the constructive comment. I wanted to keep the question narrow and could not come up with a way of writing up the context in more detail without distracting from this point.
    – ffc
    10 hours ago

  • @ffc consider adding this info, or people might start "this is an XY-problem"-ing your question. Also, how do you know that you have access to a remote machine you have access to?
    – aaaaaa
    3 hours ago

  • Often asked in the context of vm rootkits and breakout: red pill blue pill detect vm. Be sure to read the first one, which is Joanna Rutkowska's blog.
    – jww
    2 hours ago

  • If it was a Windows guest, you could just look for VMware Tools. Presumably other VM technologies have similar tools that run within the guest OS for similar reasons.
    – YetAnotherRandomUser
    1 hour ago


















asked 11 hours ago

ffc

1 Answer

It depends. If it attempts to hide that it's a VM, it can be hard. This can be the case with, for instance, VMs used for analyzing malware.

This paper from Symantec goes into some detail. In short, it's usually possible to detect, even if the VM is trying to hide it, by running instructions to put the CPU in a specific state, then running some instruction that forces the hypervisor to execute, and checking the state of the CPU afterwards.

Timing attacks can also detect a hypervisor, but may be difficult if you have no baseline.

A stock VM from, for instance, Azure will not attempt to hide that it's a VM, and it will be obvious that it is a VM from descriptors, as you say.






answered 10 hours ago

vidarlo
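
The descriptor check that the question and this answer refer to, as an added example that is not part of the original posts: it reads the two descriptors a stock Linux guest exposes (the `hypervisor` CPU flag and the DMI vendor/product strings) and reports which of them name a hypervisor. The function names, the marker table and the sample inputs are constructed for illustration; because the platform supplies every value, a result of `inconclusive` is not evidence of physical hardware.

```python
"""Descriptor-based VM check for Linux (added example, not from the post)."""
from pathlib import Path

# (vendor substring, product substring, label); both must match, "" matches anything.
# Strings that stock hypervisors commonly report through DMI; not exhaustive.
DMI_MARKERS = [
    ("vmware", "", "VMware"),
    ("innotek", "virtualbox", "VirtualBox"),
    ("qemu", "", "QEMU/KVM"),
    ("xen", "", "Xen"),
    # Vendor alone is not enough: physical Surface devices share it.
    ("microsoft corporation", "virtual machine", "Hyper-V (incl. Azure)"),
    ("amazon ec2", "", "Amazon EC2"),
    ("google", "google compute engine", "Google Compute Engine"),
]


def cpu_reports_hypervisor(cpuinfo_text):
    """True if an x86 'flags' line in /proc/cpuinfo lists the hypervisor bit."""
    for line in cpuinfo_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "flags" and "hypervisor" in value.split():
            return True
    return False


def dmi_hypervisor(sys_vendor, product_name):
    """Return a hypervisor label if the DMI strings name one, else None."""
    vendor, product = sys_vendor.strip().lower(), product_name.strip().lower()
    for v, p, label in DMI_MARKERS:
        if v in vendor and p in product:
            return label
    return None


def classify(cpuinfo_text, sys_vendor, product_name):
    """Return (verdict, evidence). 'inconclusive' is never proof of bare metal:
    every input here is supplied by the platform and can be rewritten by it."""
    evidence = []
    if cpu_reports_hypervisor(cpuinfo_text):
        evidence.append("cpuinfo: hypervisor flag set")
    label = dmi_hypervisor(sys_vendor, product_name)
    if label:
        evidence.append("dmi: " + label)
    return ("vm" if evidence else "inconclusive"), evidence


def _read(path):
    try:
        return path.read_text(errors="replace")
    except OSError:  # missing on non-x86 hosts or inside some containers
        return ""


def classify_host(root="/"):
    """Run the check against the live files under root."""
    base = Path(root)
    dmi = base / "sys/class/dmi/id"
    return classify(_read(base / "proc/cpuinfo"),
                    _read(dmi / "sys_vendor"), _read(dmi / "product_name"))


# Constructed sample inputs (not captured from real machines).
SAMPLE_VM_CPUINFO = "processor\t: 0\nflags\t\t: fpu vme de pse tsc msr hypervisor lahf_lm\n"
SAMPLE_HW_CPUINFO = "processor\t: 0\nflags\t\t: fpu vme de pse tsc msr lahf_lm\n"

if __name__ == "__main__":
    print(classify(SAMPLE_VM_CPUINFO, "Microsoft Corporation", "Virtual Machine"))
    print(classify(SAMPLE_HW_CPUINFO, "Dell Inc.", "PowerEdge R640"))
    print(classify_host())
```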
