Security has been touted as one of the benign by-products of virtualisation – but according to a recent study that’s no longer the case.
This is because technological developments mean that malware can detect that it's running inside a VM and so alter its approach. Hiding the existence of a VM is "fundamentally infeasible", says the report, in response to the mooting by some virtualisation and security developers of the desirability of developing undetectable VMs.
The white paper, called Compatibility is Not Transparency: Virtual Machine Management Detection Myths and Realities, is published by virtualisation vendors VMware and XenSource, as well as academics from Stanford and Carnegie Mellon Universities. It discusses the ability to use virtual machines (VMs) as a way of trapping rootkit attacks – a technique known as honeypotting – as well as worm detectors. This has relied on malware’s general inability to recognise that it’s not attacking a real, physical machine.
The paper reckons that "anti-virus vendors are eager to cloak their use of VMs in identifying newly released exploits for similar reasons. Others have proposed offensive uses of virtualisation in the form of VM-based rootkits hoping to leverage the transparency of VMMs to cloak their presence and provide an ideal attack platform."
However, continues the report: "We believe the transparency these proposals desire is not achievable today and will remain so."
The problem, according to the report, is that those developing security solutions start with the premise that, if the performance profile matches that of a real machine, its containment within a virtual environment is undetectable.
But there are big differences that betray the presence of a VM. The paper reports that "virtual implementations of this architecture differ substantially from physical implementations... Logical discrepancies are semantic differences in the interfaces of real and virtual hardware. Most current VMM detection methods exploit differences in the virtual CPU interface of VMMs such as VMware Player or Microsoft VirtualPC that violate x86 architecture."
It continues: "These and other discrepancies are unimportant to the vast majority of software, soVMMs make no effort to hide them." But software can detect discrepancies in the CPU, in storage devices and in device drivers, according to the report, largely because VMM developers are more concerned about compatibility and performance than about detectability – or about overall security.
As a result, the authors conclude: "the ease of imagining new detection methods suggests that VMM transparency is difficult to the point of impracticality."