Message-ID: <E345C809C68668438936E25DB7EBF7FF014CD6BA@seaex01.180solutions.com>
Date: Mon, 20 Mar 2006 11:44:02 -0800
From: "Thomas Guyot-Sionnest" <Thomas@...go.com>
To: "Jeff Epler" <jepler@...ythonic.net>
Cc: <bugtraq@...urityfocus.com>
Subject: RE: Generically Determining the Prescence of Virtual Machines

I suggest you make sure you're using the accelerator mode, which should put
qemu in "Virtualization" mode.

If you're doing full CPU emulation then the result you get was correct: you
weren't doing any virtualization inside qemu.

Thomas

> -----Original Message-----
> From: Jeff Epler [mailto:jepler@...ythonic.net] 
> Sent: March 18, 2006 12:01
> To: valsmith@...asploit.com
> Cc: bugtraq@...urityfocus.com
> Subject: Re: Generically Determining the Prescence of Virtual Machines
> 
> I ran the code at the end of 'vm.pdf' inside qemu 0.8.0 running a debian
> linux system.  The host system was a single core amd64 machine running
> fedora linux.  I believe that 'kqemu' acceleration may be in use, but
> I'm not sure.
> 
> I modified the source code to use gcc-style inline assembly, e.g.,
>     asm("sidt %0" : "=m" (m));
> 
> Over 1000 runs, it consistently reported a native system, even though it
> is running under emulation.
> 
> I don't feel that I was able to follow the paper, but I don't understand
> why this is claimed to detect (any) virtualization, as opposed to
> detecting some detail of vmware and virtual pc's emulation software.
> The results I got with qemu reinforce this impression.
> 
> Jeff
> PS here's the output from the last run of the detection program:
> (transcribed, so there may be errors)
> (none):/mnt# ./a.out
> IDTR: ff 07 00 c0 44 c0
> GDTR: ff 00 80 d9 48 c0
> LDTR: 88 00 80 d9 48 c0
> Native machine detected.
> 
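
Added example (not part of either message, and not the code from 'vm.pdf'): a small C decoder for the three register lines in the transcribed output above, assuming the 6-byte layout that SIDT and SGDT store in 32-bit mode (2-byte limit, then 4-byte base, both little-endian). The names parse_dtr and dtr_entries are made up for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Pseudo-descriptor as SIDT/SGDT store it in 32-bit mode:
   bytes 0-1 = limit, bytes 2-5 = linear base, both little-endian. */
struct dtr { int ok; uint16_t limit; uint32_t base; };

/* Parse a line such as "IDTR: ff 07 00 c0 44 c0" (a leading "> " is fine).
   ok is 1 on success, 0 if six hex bytes were not found after the colon. */
struct dtr parse_dtr(const char *line)
{
    struct dtr d = {0, 0, 0};
    unsigned b[6];
    const char *p = strchr(line, ':');
    if (!p || sscanf(p + 1, "%2x %2x %2x %2x %2x %2x",
                     &b[0], &b[1], &b[2], &b[3], &b[4], &b[5]) != 6)
        return d;
    d.limit = (uint16_t)(b[0] | (b[1] << 8));
    d.base  = (uint32_t)b[2] | ((uint32_t)b[3] << 8) |
              ((uint32_t)b[4] << 16) | ((uint32_t)b[5] << 24);
    d.ok = 1;
    return d;
}

/* Number of 8-byte descriptors a table with this limit can hold. */
unsigned dtr_entries(struct dtr d) { return (d.limit + 1u) / 8u; }

int main(void)
{
    /* The three lines from the transcribed output in the quoted message. */
    struct dtr i = parse_dtr("IDTR: ff 07 00 c0 44 c0");
    struct dtr g = parse_dtr("GDTR: ff 00 80 d9 48 c0");
    struct dtr l = parse_dtr("LDTR: 88 00 80 d9 48 c0");
    if (!i.ok || !g.ok || !l.ok)
        return 1;
    printf("IDT base=0x%08x limit=0x%04x (%u gates)\n",
           (unsigned)i.base, (unsigned)i.limit, dtr_entries(i));
    printf("GDT base=0x%08x limit=0x%04x (%u descriptors)\n",
           (unsigned)g.base, (unsigned)g.limit, dtr_entries(g));
    /* SLDT stores only a 16-bit selector, so only the first two bytes of
       the LDTR line are the register value. The remaining four bytes are
       identical to the GDTR line's, which is consistent with the same
       buffer having been reused (an inference, not stated in the message). */
    printf("LDT selector=0x%04x (GDT index %u); trailing bytes %s GDTR's\n",
           (unsigned)l.limit, (unsigned)(l.limit >> 3),
           l.base == g.base ? "match" : "differ from");
    return 0;
}
```

Decoded this way, the dump shows a 256-gate IDT at 0xc044c000, a 32-descriptor GDT at 0xc048d980 and an LDT selector of 0x0088.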
