Virtual Machine Monitors

On this site you can find some of my writings, code, findings, etc. regarding virtual machine monitors (VMMs).

What are VMMs?

A virtual machine monitor (VMM) is a piece of software that allows multiple operating systems to run concurrently in so-called virtual machines (VMs) on a single hardware platform. To do so, the VMM creates efficient, isolated environments. An example of a VMM is VMware. VMMs are widely used today, e.g. for honeypots/honeynets, forensic purposes, server consolidation, etc.

There are several exciting issues regarding VMMs, e.g.:

(1) Can one reliably determine if she/he/it is inside a virtual machine or on a native system?
(2) Is it possible to escape from a VM (to reach the host OS or to manipulate other VMs)?

Can one reliably determine if she/he/it is inside a virtual machine or on a native system?

VMware is often used to provide a controlled environment to study worms, virii and exploits. Now think of exploits, worms and virii that automatically check whether they are running on a native system or inside a VM:

IF inside_VM
THEN behave_this_way_to_cover_our_real_intent
ELSE behave_as_normal

With this in mind, forensics could be a bit harder to perform and would be more time consuming. Furthermore, honeypotting could lose some of its value (at least for the average honeypotter). Another field of application could be some sort of commercial product that wants to ensure that it doesn't run inside a VM.

There are several methods to accomplish this task. If you are interested in how to detect VMware, have a look at ScoopyNG.

Is it possible to escape from a VM (to reach the host OS or to manipulate other VMs)?

Just think of a honeypot/honeynet or server farm based on VMs. Now think of malicious code (virii, exploits, worms) that first checks whether it is running inside a VM and, if so, triggers some special escape code. The damage potential could be enormous ...

My VMware detection tools

ScoopyNG - The VMware detection tool
scoopy doo - A VMware Fingerprint Suite (Outdated! See ScoopyNG)
jerry - A(nother) VMware Fingerprinter (Outdated! See ScoopyNG)

See also my blog for more information.