Comments on: VMM Detection Myths and Realities from a Simics and Embedded Perspective http://jakob.engbloms.se/archives/97?&owa_medium=feed&owa_sid= Computer Technology: Simulation, Virtualization, Virtual Platforms, Embedded, Multicore and Multiprocessing (by Jakob Engblom) Thu, 12 Jan 2012 21:54:16 -0800 hourly 1 http://wordpress.org/?v=3.3.1 By: Observations from Uppsala » Reverse History Part Three – Products http://jakob.engbloms.se/archives/97/comment-page-1#comment-3336 Observations from Uppsala » Reverse History Part Three – Products Sun, 08 Jan 2012 19:53:44 +0000 http://jakob.engbloms.se/?p=97#comment-3336 [...] an intrusion effect from running on a simulator rather than on a physical machine. This affects the timing of events, even with a software stack that is not modified. Still, the fact that you can run a complete real [...] [...] an intrusion effect from running on a simulator rather than on a physical machine. This affects the timing of events, even with a software stack that is not modified. Still, the fact that you can run a complete real [...]

]]> By: Jakob http://jakob.engbloms.se/archives/97/comment-page-1#comment-2099 Jakob Sat, 17 Jan 2009 20:51:27 +0000 http://jakob.engbloms.se/?p=97#comment-2099 The Biondi presentation was quite interesting. Skype goes to a very long length to protect itself, but from what I could see it would be pretty well defeated by an enclosed virtual machine. Since Skype cannot reasonably crash itself when lacking a network connection, it cannot defend itself against being stepped by a system that does not change its code and that has complete control over timing. The debugger detection that Skype contains is limited to a debugger running within the same OS as Skype, it will not stop a virtual machine used as a debugger. The Biondi presentation was quite interesting. Skype goes to a very long length to protect itself, but from what I could see it would be pretty well defeated by an enclosed virtual machine. Since Skype cannot reasonably crash itself when lacking a network connection, it cannot defend itself against being stepped by a system that does not change its code and that has complete control over timing. The debugger detection that Skype contains is limited to a debugger running within the same OS as Skype, it will not stop a virtual machine used as a debugger.

]]> By: JoachimS http://jakob.engbloms.se/archives/97/comment-page-1#comment-2093 JoachimS Thu, 15 Jan 2009 20:46:40 +0000 http://jakob.engbloms.se/?p=97#comment-2093 Aloha! Very interesting, and a good example of how hard it is to create a virtual environment that can't be distiguished from the real system. It might be worth mentioning that Skype (the application) does a very good job at figuring out if it is running in a virtual machine (actually under a debugger). For some scary code-hiding and env-detection, see: http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-biondi/bh-eu-06-biondi-up.pdf Also in a discussion like this I would like to point at Rutkowskas Blue Pill, which is trying to sneak a trojan *under* the system by introducing a hypervisor and placing the target system in it. http://theinvisiblethings.blogspot.com/2006/06/introducing-blue-pill.html Old but still very good. Aloha!

Very interesting, and a good example of how hard it is to create a virtual environment that can’t be distiguished from the real system.

It might be worth mentioning that Skype (the application) does a very good job at figuring out if it is running in a virtual machine (actually under a debugger). For some scary code-hiding and env-detection, see:

http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-biondi/bh-eu-06-biondi-up.pdf

Also in a discussion like this I would like to point at Rutkowskas Blue Pill, which is trying to sneak a trojan *under* the system by introducing a hypervisor and placing the target system in it.

http://theinvisiblethings.blogspot.com/2006/06/introducing-blue-pill.html

Old but still very good.

]]>