Detecting Hardware-Assisted Virtualization With Inconspicuous Features
IEEE Transactions on Information Forensics and Security (IF 6.3), Pub Date: 6-22-2020, DOI: 10.1109/tifs.2020.3004264
Zhi Zhang, Yueqiang Cheng, Yansong Gao, Surya Nepal, Dongxi Liu, Yi Zou

Recent years have witnessed a proliferation in the deployment of virtualization techniques. Virtualization is designed to be transparent, that is, unprivileged users should not be able to detect whether a system is virtualized. Such detection can result in serious security threats such as evading virtual machine (VM)-based malware dynamic analysis and exploiting vulnerabilities for cross-VM attacks. Traditional software-based virtualization leaves numerous artifacts/fingerprints, which can be exploited without much effort to detect the virtualization. In contrast, current mainstream hardware-assisted virtualization significantly enhances virtualization transparency, making it more transparent and difficult to detect. Nonetheless, we showcase three newly identified low-level inconspicuous features, which can be leveraged by an unprivileged adversary to effectively and stealthily detect hardware-assisted virtualization. All three features come from chipset fingerprints, rather than from the traces of software-based virtualization implementations (e.g., Xen or KVM). The identified features are: i) the Translation-Lookaside Buffer (TLB) stores an extra layer of address translations; ii) the Last-Level Cache (LLC) caches one more layer of page-table entries; and iii) the Level-1 Data (L1D) Cache is unstable. Based on the above features, we develop three corresponding virtualization detection techniques, which are then comprehensively evaluated on three native environments and three popular cloud providers: i) Amazon Elastic Compute Cloud, ii) Google Compute Engine and iii) Microsoft Azure. Experimental results validate that these three adversarial detection techniques are effective (with no false positives) and stealthy (without triggering suspicious system events, e.g., VM-exit) in detecting the above commodity virtualized environments.

Updated: 2024-08-22