In-Band Detection of Virtual Machines
Estefan Ortiz & Cory Hayes
Computer Science and Engineering
Graduate Operating Systems
December 16, 2011
Introduction
Malicious programs (malware) want to know whether they are running in a virtual environment (for example an analysis sandbox) so they can change their behavior and avoid detection
Related work
Red Pill tests: examine the byte-level behavior of instructions on physical and emulated CPUs. Any instruction whose output disagrees between the two becomes one or more "red pills": a test the malware can run to recognize the emulator and evade analysis
SubVirt: virtual machine-based rootkit installed underneath the existing OS, which it then runs as a guest, so the rootkit stays nearly undetectable from inside that guest
Our Approach
Similar in goal to Red Pill and SubVirt, but client-server based
Idea: instead of looking for discrepancies in instruction or system-call behavior on the machine itself, analyze the network data sent to and from physical and virtual machines
Goal: determine whether there are sufficient differences in the network traffic to detect, from the other end of a connection, that a client/server is running on a virtual machine
Goal
Diagram: a TCP/IP packet from the Client <-> Native host exchange is laid alongside the corresponding packet from the Client <-> Virtual Machine exchange, byte 0 through byte n; the bytes at positions k1 and k2 where the two disagree are marked "Difference Found"
General Setup
Actual Setup
Diagram: the Host Server (Apache) and the Client each plug into a port on the Switch; a Wireshark machine on the same switch functions as the "MITM" and saves the network output for analysis
Experiment Setup
Using Wireshark, capture and compare the raw bytes of the TCP/IP packets sent back and forth between a client and a physical/virtual server running Apache
Bits 1-160: IP header (20 bytes, i.e. an IPv4 header carrying no options); remainder: TCP header and payload
Virtual machine OS matches the OS of the host (Ubuntu-Ubuntu, Vista-Vista)
Use a small set of Matlab commands to send regular and malformed packets
Dynex 5-port 10/100/1000 Gigabit Ethernet Switch
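The capture-to-raw-bytes step of this setup, as an added example (the authors' Wireshark captures and Matlab scripts are not on the page): a reader for the classic pcap format that Wireshark saves, which strips the Ethernet header and splits each IPv4 packet into the IP and TCP parts the slides compare. The two-frame capture it parses is constructed in memory; the MAC addresses, IP addresses and timestamps in it are made up.

```python
"""Read a Wireshark/tcpdump save file and slice each frame into the IP and TCP parts
the slides compare. Added example; the capture parsed below is constructed in memory."""
import struct
from typing import Iterator, Tuple

LINKTYPE_ETHERNET, LINKTYPE_RAW = 1, 101   # pcap link types: Ethernet frames / bare IP packets
ETHERTYPE_IPV4 = 0x0800

def pcap_records(data: bytes) -> Iterator[Tuple[float, bytes]]:
    """Yield (timestamp_seconds, IPv4 packet) per frame of a classic pcap file. Both byte
    orders and the microsecond/nanosecond magics are handled; non-IPv4 frames are skipped."""
    magic = data[:4]
    if magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        endian = ">"
    elif magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        endian = "<"
    else:
        raise ValueError("not a classic pcap file (pcapng is a different container)")
    nanos = magic in (b"\xa1\xb2\x3c\x4d", b"\x4d\x3c\xb2\xa1")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    off = 24                                   # global header is 24 bytes
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if linktype == LINKTYPE_ETHERNET:
            if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
                continue                       # ARP, IPv6, ... are not compared
            pkt = frame[14:]
        elif linktype == LINKTYPE_RAW:
            pkt = frame
        else:
            raise ValueError(f"unsupported link type {linktype}")
        yield ts_sec + ts_frac / (1e9 if nanos else 1e6), pkt

def split_ip_tcp(pkt: bytes) -> Tuple[bytes, bytes]:
    """The slides' split ('bits 1-160: IP, remainder: TCP'), but using the IHL field so a
    header that carries IP options is not mis-sliced."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[0] >> 4 != 4 or ihl < 20 or len(pkt) < ihl or pkt[9] != 6:
        raise ValueError("not an IPv4/TCP packet")
    return pkt[:ihl], pkt[ihl:]

def build_sample_pcap() -> bytes:
    """Constructed little-endian, microsecond pcap: an ARP frame (to be skipped) and an
    Ethernet-framed IPv4/TCP SYN 192.168.1.20:50000 -> 192.168.1.10:80. MACs are made up."""
    def eth(ethertype: int) -> bytes:
        return bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", ethertype)
    def record(sec: int, usec: int, frame: bytes) -> bytes:
        return struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    arp = eth(0x0806) + bytes(28)
    syn = eth(ETHERTYPE_IPV4) + bytes.fromhex(
        "45000028" "1a2b4000" "40069d36" "c0a80114" "c0a8010a"      # IPv4 header, 20 bytes
        "c3500050" "000003e7" "00000000" "50027210" "00000000")    # TCP header, SYN, 20 bytes
    header = struct.pack("<IHHiIII", 0xa1b2c3d4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return header + record(1323993600, 123, arp) + record(1323993600, 412, syn)

if __name__ == "__main__":
    for ts, pkt in pcap_records(build_sample_pcap()):
        ip, tcp = split_ip_tcp(pkt)
        print(f"{ts:.6f} IP {ip.hex()} | TCP {tcp.hex()}")
```

On a real capture, read the file with open(path, "rb") and hand the bytes to pcap_records. pcapng, which current Wireshark versions save by default, is a different container and is not handled here; save as pcap or convert first.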
Sample Captured Wireshark Output
Screenshot: the 8th packet sent between Client & VM running Apache, alongside the 8th packet sent between Client & Host running Apache (columns labelled VM, Client, Host)
Metrics
Bit Difference Comparison: fractional Hamming distance between two packets, i.e. the number of bit positions at which the corresponding packets of the physical-host and VM captures differ, divided by the number of bits compared. Fields that change from one connection to the next regardless of virtualization (IP ID, ephemeral port, sequence and acknowledgement numbers, checksums) contribute to this distance as well, so the value on its own does not point at the VM; the per-field breakdown on the later "Example: Packet" slides is what localizes a difference
Metrics (cont.)
Round trip time: time from the SYN sent by the client to the SYN-ACK (the server's acknowledgement of it) received from the server
Metrics (cont.)
Pairwise Packet Length Comparison: number of corresponding packet pairs (the n-th packet of the physical-host capture against the n-th packet of the VM capture) that differ in length
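The three metrics above, re-implemented as an added example (not the authors' Matlab code, which is not on the page), together with the per-field attribution that the later "Example: Packet #N" slides do by hand. It assumes packets are raw IPv4+TCP bytes with the link layer already stripped and compares only the common prefix of two packets for the Hamming distance, since the slides do not say how packets of unequal length were handled; a length difference is counted by the pairwise length metric instead. The two three-packet captures, their addresses and their timestamps are constructed for the example, not measured.

```python
"""The slide metrics over two captures (physical host vs VM), as an added example.
Packets are raw IPv4+TCP bytes as Wireshark shows them after the link layer; a capture
is a list of (timestamp_seconds, packet). All sample traffic below is constructed."""
import struct
from collections import Counter
from typing import Dict, List, Tuple

Capture = List[Tuple[float, bytes]]
# (field, bit offset, bit length) of the 20-byte IPv4 header (RFC 791) ...
IP_FIELDS = [
    ("ip.version", 0, 4), ("ip.ihl", 4, 4), ("ip.tos", 8, 8), ("ip.total_len", 16, 16),
    ("ip.id", 32, 16), ("ip.flags", 48, 3), ("ip.frag_off", 51, 13), ("ip.ttl", 64, 8),
    ("ip.proto", 72, 8), ("ip.checksum", 80, 16), ("ip.src", 96, 32), ("ip.dst", 128, 32),
]
# ... and of the 20-byte fixed TCP header (RFC 9293), offsets relative to the TCP start.
TCP_FIELDS = [
    ("tcp.sport", 0, 16), ("tcp.dport", 16, 16), ("tcp.seq", 32, 32), ("tcp.ack", 64, 32),
    ("tcp.hdr_len", 96, 4), ("tcp.reserved", 100, 4), ("tcp.flags", 104, 8),
    ("tcp.window", 112, 16), ("tcp.checksum", 128, 16), ("tcp.urg_ptr", 144, 16),
]

def ip_header_len(pkt: bytes) -> int:
    return (pkt[0] & 0x0F) * 4
def tcp_flags(pkt: bytes) -> int:
    return pkt[ip_header_len(pkt) + 13]

def differing_bits(a: bytes, b: bytes) -> List[int]:
    """Bit positions (bit 0 = MSB of byte 0) where a and b differ, over their common prefix."""
    out = []
    for i, (x, y) in enumerate(zip(a, b)):
        d = x ^ y
        out.extend(i * 8 + k for k in range(8) if d & (0x80 >> k))
    return out

def fractional_hamming(a: bytes, b: bytes) -> float:
    """Differing bits / bits compared. Assumption: only the common prefix is compared; a
    length difference is left to pairwise_length_diffs."""
    n = min(len(a), len(b)) * 8
    return len(differing_bits(a, b)) / n if n else 0.0

def attribute_bits(pkt: bytes, positions: List[int]) -> Dict[str, int]:
    """Differing bits per header field (the 'where to look' step); boundaries read from pkt."""
    ip_bits = ip_header_len(pkt) * 8                      # 160 without IP options
    tcp_bits = (pkt[ip_header_len(pkt) + 12] >> 4) * 32   # data offset, in 32-bit words
    counts: Counter = Counter()
    for pos in positions:
        t = pos - ip_bits
        if pos < 160:
            name = next(n for n, off, ln in IP_FIELDS if off <= pos < off + ln)
        elif pos < ip_bits:
            name = "ip.options"
        elif t < 160:
            name = next(n for n, off, ln in TCP_FIELDS if off <= t < off + ln)
        else:
            name = "tcp.options" if t < tcp_bits else "payload"
        counts[name] += 1
    return dict(counts)

def pairwise_length_diffs(cap_a: Capture, cap_b: Capture) -> int:
    """Number of corresponding packet pairs (n-th of each capture) whose lengths differ."""
    return sum(len(p) != len(q) for (_, p), (_, q) in zip(cap_a, cap_b))

def handshake_rtt(cap: Capture) -> float:
    """Seconds from the client's SYN to the server's SYN-ACK (the slides' round-trip time)."""
    t_syn = next(t for t, p in cap if (tcp_flags(p) & 0x12) == 0x02)
    t_synack = next(t for t, p in cap if t >= t_syn and (tcp_flags(p) & 0x12) == 0x12)
    return t_synack - t_syn

def compare_captures(cap_a: Capture, cap_b: Capture) -> List[Tuple[int, float, Dict[str, int]]]:
    """Per packet pair: (index, fractional Hamming distance, differing bits per field)."""
    return [(i, fractional_hamming(p, q), attribute_bits(p, differing_bits(p, q)))
            for i, ((_, p), (_, q)) in enumerate(zip(cap_a, cap_b), start=1)]

def ip_checksum(hdr: bytes) -> int:
    s = sum(struct.unpack("!10H", hdr[:20]))
    s = (s >> 16) + (s & 0xFFFF)
    return ~(s + (s >> 16)) & 0xFFFF

def build_packet(src: str, dst: str, sport: int, dport: int, seq: int, ack: int,
                 flags: int, options: bytes = b"") -> bytes:
    """Constructed IPv4+TCP packet without payload; TCP checksum left zero (sample data)."""
    tcp_len = 20 + len(options)
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                      ((tcp_len // 4) << 12) | flags, 29200, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234, 0x4000, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:] + tcp

# Constructed traffic: identical SYN and SYN-ACK in both captures; the VM's third packet carries
# PSH|ACK plus a 12-byte timestamp option, so TCP header length and flags differ (and with them
# the IP total length and checksum). Timestamps are made up, not measured.
CLIENT, SERVER = "192.168.1.20", "192.168.1.10"
SYN = build_packet(CLIENT, SERVER, 50000, 80, 999, 0, 0x02)
SYN_ACK = build_packet(SERVER, CLIENT, 80, 50000, 1000, 1000, 0x12)
HOST_P3 = build_packet(SERVER, CLIENT, 80, 50000, 1001, 1000, 0x10)
VM_P3 = build_packet(SERVER, CLIENT, 80, 50000, 1001, 1000, 0x18,
                     options=bytes.fromhex("0101080a0000000100000000"))
HOST_CAPTURE: Capture = [(0.0, SYN), (0.000412, SYN_ACK), (0.000650, HOST_P3)]
VM_CAPTURE: Capture = [(0.0, SYN), (0.000437, SYN_ACK), (0.000702, VM_P3)]

if __name__ == "__main__":
    for i, fhd, fields in compare_captures(HOST_CAPTURE, VM_CAPTURE):
        print(f"packet {i}: fractional Hamming {fhd:.4f} {fields}")
    print("length mismatches:", pairwise_length_diffs(HOST_CAPTURE, VM_CAPTURE),
          "RTT host/VM (s):", handshake_rtt(HOST_CAPTURE), handshake_rtt(VM_CAPTURE))
```

Running it on the constructed pair shows the point of the attribution step: 9 of the 320 compared bits differ, but only the tcp.hdr_len and tcp.flags bits are the behavioral difference; the ip.total_len and ip.checksum bits follow from it, and on real traffic the per-connection fields listed under the metric would add further noise that the raw distance cannot separate.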
Experiment #1
Client: Windows Vista (4GB RAM, 2.6GHz)
Physical server: Ubuntu 11.04 32-bit w/ Apache Web Server 2.2
Virtual server: host OS Ubuntu, VirtualBox w/ Ubuntu guest running Apache
On isolated switch network (no other traffic)
Exp. #1: Frac. Hamming Distance
Exp. #1: Round-trip Timing
Example: Packet #9
These bits correspond to the header length & flags in the TCP header
Experiment #2
Client: Mac (4GB RAM, 2.4GHz, MacOSX 10.6.8)
Physical server: Windows Vista 32-bit w/ Apache Web Server 2.2
Virtual server: host OS Windows Vista, VirtualBox w/ Windows Vista guest running Apache
On isolated switch network (no other traffic)
Exp. #2: Frac. Hamming Distance
Exp. #2: Round-trip Timing
Example: Packet #4
Destination Address in IP header (the physical server and the VM are different endpoints with different addresses, so this field is expected to differ and is not by itself a trace of virtualization)
Flags in TCP header
Experiment #3
Client: Windows Vista (4GB RAM, 2.6GHz)
Physical server: Ubuntu 11.04 32-bit w/ Apache Web Server 2.2
Virtual server: host OS Ubuntu, VirtualBox w/ Ubuntu guest running Apache
Both client and server on CVRL subnet (at ~3:00 am)
Exp. #3: Frac. Hamming Distance
Exp. #3: Round-trip Timing
Example: Packet #3
Destination Address in IP header (again expected, since the physical server and the VM have different addresses; it is the addressing, not the virtualization, that shows here)
Experiment #4
Diagram: the Client reaches the Internet through a Sprint Mobile Hotspot; the Host Server (Apache) sits on the ND/CVRL subnet behind a firewall, so the path between them crosses multiple hops
Experiment #4
Client: Windows Vista (4GB RAM, 2.6GHz)
Physical server: Ubuntu 11.04 32-bit w/ Apache Web Server 2.2
Virtual server: host OS Ubuntu, VirtualBox w/ Ubuntu guest running Apache
Packet contents could not be captured on this path, so only ping tests were run
Varied the number of bytes sent with ping; performed 100 pings per fixed byte amount; calculated the average and standard deviation
Executed at ~3:30 am
Exp. #4: Ping Timing
Conclusion
Examined packet information from a high level (packet-length) down to specific bit difference comparisons
Packet length provided no insight
Timing tests didn’t provide conclusive evidence of a connection to a virtual machine
Fractional Hamming distance provided the first level of insight
Further analysis of differences at the bit level provided clues where to look for VM traces
Future Direction
Experiments 1-3 were conducted under somewhat “ideal” scenarios
More realistic approach would be packet analysis on multi-hop connections with knowledge of which sections of the TCP/IP packets to monitor