A Technique for Remote Detection of Certain Virtual Machine Monitors

Christopher Jämthagen; Martin Hell; Ben Smeets

doi:10.1007/978-3-642-32298-3_9

A Technique for Remote Detection of Certain Virtual Machine Monitors

Christopher Jämthagen, Martin Hell, Ben Smeets

Research output: Chapter in Book/Report/Conference proceeding › Book chapter › Research › peer-review

Abstract

The ability to detect a virtualized environment has both malicious and non-malicious uses. This paper reveals a new exploit and technique that can be used to remotely detect VMware Workstation, VMware Player and VirtualBox. The detection based on this technique can be done completely passively in that there is no need to have access to the remote machine and no network connections are initiated by the verifier. Using only information in the IP packet together with information sent in the user-agent string in an HTTP request, it is shown how to detect that the traffic originates from a guest in VMware Workstation, VMware Player or VirtualBox client. The limitation is that NAT has to be turned on and that the host and guest need to run different operating system families, e.g., Windows/Linux.

Original language	English
Title of host publication	Trusted Systems
Subtitle of host publication	Third International Conference, INTRUST 2011, Beijing, China, November 27-29, 2011, Revised Selected Papers
Publisher	Springer
Pages	129-137
Volume	7222
ISBN (Electronic)	978-3-642-32298-3
ISBN (Print)	978-3-642-32297-6
DOIs	https://doi.org/10.1007/978-3-642-32298-3_9
Publication status	Published - 2011
Event	The Third International Conference on Trusted Systems, INTRUST 2011 - Beijing Duration: 2011 Nov 27 → 2011 Nov 29

Publication series

Name	Lecture Notes in Computer Science
Publisher	Springer
Volume	7222
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	The Third International Conference on Trusted Systems, INTRUST 2011
Period	2011/11/27 → 2011/11/29

Subject classification (UKÄ)

Electrical Engineering, Electronic Engineering, Information Engineering

Access to Document

10.1007/978-3-642-32298-3_9

Cite this

Jämthagen, C., Hell, M., & Smeets, B. (2011). A Technique for Remote Detection of Certain Virtual Machine Monitors. In Trusted Systems : Third International Conference, INTRUST 2011, Beijing, China, November 27-29, 2011, Revised Selected Papers (Vol. 7222, pp. 129-137). (Lecture Notes in Computer Science; Vol. 7222). Springer. https://doi.org/10.1007/978-3-642-32298-3_9

@inbook{8d8571b4bbd6473685301fa8d603746c,

title = "A Technique for Remote Detection of Certain Virtual Machine Monitors",

abstract = "The ability to detect a virtualized environment has both malicious and non-malicious uses. This paper reveals a new exploit and technique that can be used to remotely detect VMware Workstation, VMware Player and VirtualBox. The detection based on this technique can be done completely passively in that there is no need to have access to the remote machine and no network connections are initiated by the verifier. Using only information in the IP packet together with information sent in the user-agent string in an HTTP request, it is shown how to detect that the traffic originates from a guest in VMware Workstation, VMware Player or VirtualBox client. The limitation is that NAT has to be turned on and that the host and guest need to run different operating system families, e.g., Windows/Linux.",

author = "Christopher J{\"a}mthagen and Martin Hell and Ben Smeets",

year = "2011",

doi = "10.1007/978-3-642-32298-3_9",

language = "English",

isbn = "978-3-642-32297-6",

volume = "7222",

series = "Lecture Notes in Computer Science",

publisher = "Springer",

pages = "129--137",

booktitle = "Trusted Systems",

address = "Germany",

note = "The Third International Conference on Trusted Systems, INTRUST 2011 ; Conference date: 27-11-2011 Through 29-11-2011",

}

Jämthagen, C, Hell, M & Smeets, B 2011, A Technique for Remote Detection of Certain Virtual Machine Monitors. in Trusted Systems : Third International Conference, INTRUST 2011, Beijing, China, November 27-29, 2011, Revised Selected Papers. vol. 7222, Lecture Notes in Computer Science, vol. 7222, Springer, pp. 129-137, The Third International Conference on Trusted Systems, INTRUST 2011, 2011/11/27. https://doi.org/10.1007/978-3-642-32298-3_9

A Technique for Remote Detection of Certain Virtual Machine Monitors. / Jämthagen, Christopher; Hell, Martin ; Smeets, Ben.

Trusted Systems : Third International Conference, INTRUST 2011, Beijing, China, November 27-29, 2011, Revised Selected Papers. Vol. 7222 Springer, 2011. p. 129-137 (Lecture Notes in Computer Science; Vol. 7222).

Research output: Chapter in Book/Report/Conference proceeding › Book chapter › Research › peer-review

TY - CHAP

T1 - A Technique for Remote Detection of Certain Virtual Machine Monitors

AU - Jämthagen, Christopher

AU - Hell, Martin

AU - Smeets, Ben

PY - 2011

Y1 - 2011

N2 - The ability to detect a virtualized environment has both malicious and non-malicious uses. This paper reveals a new exploit and technique that can be used to remotely detect VMware Workstation, VMware Player and VirtualBox. The detection based on this technique can be done completely passively in that there is no need to have access to the remote machine and no network connections are initiated by the verifier. Using only information in the IP packet together with information sent in the user-agent string in an HTTP request, it is shown how to detect that the traffic originates from a guest in VMware Workstation, VMware Player or VirtualBox client. The limitation is that NAT has to be turned on and that the host and guest need to run different operating system families, e.g., Windows/Linux.

AB - The ability to detect a virtualized environment has both malicious and non-malicious uses. This paper reveals a new exploit and technique that can be used to remotely detect VMware Workstation, VMware Player and VirtualBox. The detection based on this technique can be done completely passively in that there is no need to have access to the remote machine and no network connections are initiated by the verifier. Using only information in the IP packet together with information sent in the user-agent string in an HTTP request, it is shown how to detect that the traffic originates from a guest in VMware Workstation, VMware Player or VirtualBox client. The limitation is that NAT has to be turned on and that the host and guest need to run different operating system families, e.g., Windows/Linux.

U2 - 10.1007/978-3-642-32298-3_9

DO - 10.1007/978-3-642-32298-3_9

M3 - Book chapter

SN - 978-3-642-32297-6

VL - 7222

T3 - Lecture Notes in Computer Science

SP - 129

EP - 137

BT - Trusted Systems

PB - Springer

T2 - The Third International Conference on Trusted Systems, INTRUST 2011

Y2 - 27 November 2011 through 29 November 2011

ER -

A Technique for Remote Detection of Certain Virtual Machine Monitors

Abstract

Publication series

Conference

Subject classification (UKÄ)

Access to Document

Fingerprint

Cite this