No Access

DETECTING EMULATED ENVIRONMENTS

TAUHIDA PARVEEN

Department of Engineering Systems, Florida Institute of Technology, Melbourne, FL, USA

Search for more papers by this author

SCOTT TILLEY

Department of Computer Sciences, Florida Institute of Technology Melbourne, FL, USA

Search for more papers by this author

WILLIAM ALLEN

Department of Computer Sciences, Florida Institute of Technology Melbourne, FL, USA

Search for more papers by this author

GERALD MARIN

Department of Computer Sciences, Florida Institute of Technology Melbourne, FL, USA

Search for more papers by this author

, and

RICHARD FORD

Department of Computer Sciences, Florida Institute of Technology Melbourne, FL, USA

Search for more papers by this author

https://doi.org/10.1142/S0218194012500258Cited by:1 (Source: Crossref)

Abstract

One of the most powerful tools in the hacker's reverse engineering arsenal is the virtual machine. These systems provide a simple mechanism for executing code in an environment in which the program can be carefully monitored and controlled, allowing attackers to subvert copy protection and access trade secrets. One of the challenges for anti-reverse engineering tools is how to protect software within such an untrustworthy environment. From the perspective of a running program, detecting an emulated environment is not trivial: the attacker can emulate the result of different operations with arbitrarily high fidelity. This paper demonstrates a mechanism that is able to detect even carefully constructed virtual environments by focusing on the stochastic variation of system call timings. A statistical technique for detecting emulated environments is presented, which uses a model of normal system call behavior to successfully identify two commonly used virtual environments under realistic conditions.

Keywords:

References

Adobe Systems Inc., URL: www.adobe.com, December 10, 2005 . Google Scholar
A. Arnold , Probability, Statistics and Queuing Theory with Computer Science Applications ( Academic Press , London , 1990 ) . Google Scholar
Atari Games Corp. vs. Nintendo of America, Inc., 975 F.2d 832, 836 (Fed. Cir. 1992), URL: http://digital-law-online.info/cases/24PQ2D1015.htm, July 24, 2005 . Google Scholar
K. Bennet and V. Rajlich, Software Maintenance and Evolution: A Roadmap, Proceedings of the 22nd International Conference on Software Engineering (2000) pp. 73–87. Google Scholar
W. Bullers , S. Burd and A. Seazzu , Virtual Machines — An Idea Whose Time has Returned: Application to Network, Security, and Database Courses , Proceedings of the 37th SIGCSE Technical Symposium on Computer Science Education ( 2006 ) . Google Scholar
C. Collberg and C. Thomborson, IEEE Transactions on Software Engineering 28(8), (2002). Crossref, Web of Science, Google Scholar
E. Chikofsy and J. Cross, IEEE Software 7(1), 13 (1990). Crossref, Web of Science, Google Scholar
Copyright Law of the United States of America and Related Laws Contained in Title 17 of the United States Code, URL: http://www.copyright.gov/title17, August 10, 2005 . Google Scholar
DeCSS, URL: http://web.lemuria.org/DeCSS/decss.html, November 18, 2005 . Google Scholar
Digital Millennium Copyright Act, Pub. L. No. 105-304, 112 Stat. 2860, 2887 (title IV amending §108, §112, §114, chapter 7 and chapter 8, title 17, United States Code), enacted October 28, 1998 . Google Scholar
E. Eilam , Reversing: Secrets of Reverse Engineering ( Wiley , 2005 ) . Google Scholar
ElcomSoft, URL: http://www.elcomsoft.com/, December 12, 2005 . Google Scholar
J. Franklin et al. , Botnet Detection: Countering the Largest Security Threat , eds. Wenke Lee , Cliff Wang and David Dagon ( Springer-Verlag , 2008 ) . Google Scholar
G. N. Griswold, License management system for information products located at user site periodically requesting usage authorization via communication network, Application for International PCT patent, 1992 . Google Scholar
Hyper-Threading Technology, URL: www.intel.com/technology/hyperthread, October 12, 2005 . Google Scholar
J. H. Ryder and S. R. Smith, Self-verifying receipt and acceptance system for electronically delivered data objects, United States Patent 4,953,209; August 28, 1990 . Google Scholar
P. Magnusson, IEEE Computer 38(5), 95 (2005). Crossref, Web of Science, Google Scholar
Microsoft Developer Network (MSDN), online at msdn.microsoft.com . Google Scholar
Microsoft Developer Network (MSDN). How to use queryPerformancecounter to time code. online at support.microsoft.com/kb/q172338 . Google Scholar
Microsoft Hyper-V Server, http://www.microsoft.com/hyper-v-server/en/us/default.aspx . Google Scholar
P. Olofsson , Probability, Statistics, and Stochastic Processes ( Wiley , 2005 ) . Crossref, Google Scholar
Public-Key Cryptography Standards, RSA Data Security, Inc., June 1991 . Google Scholar
S. T. King et al. , SubVirt: Implementing malware with virtual machines , Proceedings of the IEEE Symposium on Security and Privacy ( 2006 ) . Google Scholar
C. Sapuntzakis et al. , Virtual appliances for deploying and maintaining software , Proceedings of the 17th Large Installation Systems Administration Conference ( 2003 ) . Google Scholar
Sony BMG, URL: www.cnn.com/2005/TECH/internet/11/10/sony.hack.reut, November 18, 2005 . Google Scholar
Sony BMG, URL: www.sonybmg.com, November 18, 2005 . Google Scholar
Sony Computer Entertainment Inc. vs. Connectix Corp., U.S. Court of Appeals, Ninth Circuit, February 10, 2000, 203 F.3d 596, URL: http://bulk.resourece.org/courts.gov/c/F3/203/203.F3d.596.99-15852.html . Google Scholar
T. Garfinkel et al. , Compatibility is not transparency: VMM detection myths and realities , Proceedings of the 11th Workshop on Hot Topics in Operating Systems ( 2007 ) . Google Scholar
Technology, Education, and Copyright Harmonization Act of 2002, Division C, Title III, Subtitle C of the 21st Century Department of Justice Appropriations Authorization Act, Pub. L. No. 107-273, 116 Stat. 1758, 1910 . Google Scholar
The Elcomsoft case, URL: www.eff.org/IP/DMCA/US_v_Elcomsoft, December 2, 2005 . Google Scholar
T. Raffetseder , C. Kruegel and E. Kirda , Detecting system emulators , 10th Information Security Conference ( Chile , 2007 ) . Google Scholar
V. H. Shear, Database Usage metering and protection system and method, United States Patent 4,977,594, December 11, 1990 . Google Scholar
Virtual PC 2004. online at www.microsoft.com/windows/virtualpc/ . Google Scholar
VMware Inc. online at www.vmware.com . Google Scholar
VMWARE. Understanding full virtualization, paravirtualization, and hardware assist, URL: http://www.vmware.com/resources/techresources/1008. November 10, 2007 . Google Scholar
G. Heiser, The role of virtualization in embedded systems, Proceedings of the 1st Workshop on Isolation and Integration in Embedded Systems (2008) pp. 11–16. Google Scholar
P. Barhamet al., Xen and the art of virtualization, Proceedings of the Nineteenth ACM Symposium on Operating Systems Principles (2003) pp. 164–177. Google Scholar