Int. J. of Communication Networks and Distributed Systems, 2013, Vol 11 Issue 3, pp 310 - 326
This paper proposes two complementary virtual machine monitor (VMM) detection methods. These methods can be used to detect any VMM that is designed for ×86 architecture. The first method works by finding probable discrepancies in hardware privilege levels of the guest operating system's kernel on which user applications run. The second method works by measuring the execution times of a set of benchmark programs and comparing them with the stored execution times of the same programmes previously ran on a trusted physical machine. Unlike other methods, our proportional execution time technique could not be easily thwarted by VMMs. In addition, using proportional execution times, there is no need for a trusted external source of time during detection. It is shown experimentally that the deployment of both methods together can detect the existence of four renowned VMMs, namely, Xen, VirtualBox, VMware, and Parallels, on both types of processors that support virtualisation technology (VT-enabled) or do not support it (VT-disabled).
VMM detection; virtual machine monitor; virtualisation technology; security; malware detection; cloud computing; distributed systems; operating systems; kernel; hardware privilege levels; execution times; benchmark programs.
View record in Inderscience