9

Let's say I have full access to a remote machine (specifically, root on a Linux). What is the best method to check whether this is a real piece of hardware or a virtual machine?

Most of the methods that I have seen rely on looking at various hardware-related identifiers using tools such as lshw. It seems to me that these methods are prone to some sort of man-in-the-middle attacks.

Thanks in advance for references or any other information.

RonJohn
  • 105
  • 3
jarm
  • 186
  • 4
  • 6
    I am not in a position to answer, but how about turning the question around: why does it matter to you? If there's some specific function or impact to your intended use of the machine, that is probably a good place to start in terms of making this determination. – dwizum Jun 17 '19 at 15:21
  • @dwizum thanks for the constructive comment. I wanted to keep the question narrow and could not come up with a way of writing up the context in more detail without distracting from this point. – jarm Jun 17 '19 at 15:56
  • 2
    @ffc consider adding this info, or people might start "this is an XY-problem"-ing your question. Also, how do you know that you have access to a remote machine you have access to? – aaaaa says reinstate Monica Jun 17 '19 at 23:41
  • 2
    Often asked in the context of vm rootkits and breakout: red pill blue pill detect vm. Be sure to read the first one, which is Joanna Rutkowska blog. –  Jun 18 '19 at 00:24
  • If it was a Windows guest, you could just look for VMWare tools. Presumably other VM technologies have similar tools that run within the guest OS for similar reasons. – YetAnotherRandomUser Jun 18 '19 at 01:23
  • 1
    I do think you need to add more context to the question. If you just want to not be fooled by scammy hosting companies that claim to sell you a dedi but really give you a crappy VM, it's pretty damn easy. If you're given a VM that's using a large number of state-of-the-art techniques to hide its existence, complete with custom hardware drivers that mimic all sorts of (possibly undefined) behavior unique to genuine hardware, then the answer will be quite different. It will still be possible, but now it takes advanced or novel attacks. – forest Jun 18 '19 at 03:18
  • The case in question is kind of in-between the two scenarios that @forest has suggested. It is about doing some due dilligence before deploying a piece of software that contains sensitive IP in a datacenter controlled by a client. – jarm Jun 18 '19 at 06:29
  • @jww thanks for the comment, I have looked at the J.R.'s blog https://blog.invisiblethings.org and also found the following paper to contain a bunch of useful references https://link.springer.com/chapter/10.1007/978-3-319-99828-2_19 . From what I understand, cardinal pills is the most advanced stuff in the pill land, and there is an implementation of that available, https://github.com/moyix/cardinal (disclaimer: I do not fully understand that pill stuff so not sure if this is legit or not). – jarm Jun 18 '19 at 06:35

1 Answers1

11

It depends. If it attempts to hide that it's an VM, it can be hard. This can be the case with for instance VM's used for analyzing malware.

This paper from Symantec goes into some detail. In short, it's usually possible to detect, even if the VM, is trying to hide it, by running instructions to put the CPU in a specific state, and then run some instruction that forces the hypervizor to execute, and check the state of the CPU afterwards.

Timing attacks can also detect a hypervizor, but may be difficult if you have no baseline.

A stock VM from for instance Azure will not attempt to hide that it's an VM, and it will be obvious that it is a VM, from descriptors as you say.

vidarlo
  • 16,078
  • 2
  • 46
  • 59
  • 1
    Turn off kptl and try the kaiser vulnerability path. If it works it's not a VM. – Joshua Jun 18 '19 at 02:55
  • 2
    Timing attacks can be very effective if you're using more than just the TSC (e.g. perf counters). It's easy enough to spoof the cycle counter (VM Exit on RDTSC/RDTSCP), but not all performance metrics. Also, if you can load kernel drivers, you can interact directly with hardware which makes detection trivial. It's close to impossible to have cycle-accurate emulation of all the components of a modern x86 system. – forest Jun 18 '19 at 03:15
  • @forest excellent comment, thank you very much! Are you aware of any implementations of the said stuff? Are they available off-the-shelf, or do I have to write my own assembler code? Thanks again. – jarm Jun 18 '19 at 06:27
  • 1
    @ffc You'd have to write it yourself. Maybe there's a limited PoC or two around... – forest Jun 18 '19 at 07:14