Mfcttrf

What are the pros and cons for the two possible "gear directions" when parking the car on a hill?

What is the meaning of "понаехать"?

Should I include an appendix for inessential, yet related worldbuilding to my story?

Why isn't my calculation that we should be able to see the sun well beyond the observable universe valid?

Has a life raft ever been successfully deployed on a modern commercial flight?

Explicit song lyrics checker

What triggered jesuits' ban on infinitesimals in 1632?

Boss wants someone else to lead a project based on the idea I presented to him

macOS: How to take a picture from camera after 1 minute

Are there any individual aliens that have gained superpowers in the Marvel universe?

Why does Linux list NVMe drives as /dev/nvme0 instead of /dev/sda?

Non-misogynistic way to say “asshole”?

Designing a magic-compatible polearm

Print one file per line using echo

Is there a name for the trope when there is a moments dialogue when someone pauses just before they leave the room?

Why is it easier to balance a non-moving bike standing up than sitting down?

How does join() produce different results depending on the arguments?

Is declining an undergraduate award which causes me discomfort appropriate?

How does DC work with natural 20?

Can Hunter's Mark be moved after Silence has been cast on a character?

Can the pre-order traversal of two different trees be the same even though they are different?

What are the current battlegrounds for people’s “rights” in the UK?

Is the specular reflection on a polished gold sphere white or gold in colour?

Is the continuity test limit resistance of a multimeter standard?

How hard is it to distinguish if I am given remote access to a virtual machine vs a piece of hardware?

Protection of Keys/Passwords on Virtual Hardware (XEN, KVM, VMWare, etc.)How can I protect content distributed on a linux virtual machine?How isolated are files on a VirtualBox virtual machine from the host filesystem?How does a root kit work inside a virtual machine?How long to re-seed /dev/urandom in a virtual machine?how to access freenet on a remote machine from androidHow to get IP address of a virtual box machine from hostmachine?How can I connect a USB device to a virtual machine while bypassing the host?What kind of access on the guest is required to break out of a virtual machine?How does testing on a Virtual Machine prevent the security tester from breaching the misuse act?

.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;

3

Let's say I have full access to a remote machine (root on a Linux for definiteness). What is the best method to check if this is a real piece of hardware versus a virtual machine?

Most of the methods that I have seen rely on looking at various hardware-related identifiers using tools such as lshw. It seems to me that these methods are prone to some sort of man-in-the-middle attacks.

Thanks in advance for references or any other information.

virtualization

share|improve this question

asked 8 hours ago

ffcffc

1163

New contributor

ffc is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

• 
  
  
  

  
  3
  

  
  
  
  
  
  

  
  
  I am not in a position to answer, but how about turning the question around: why does it matter to you? If there's some specific function or impact to your intended use of the machine, that is probably a good place to start in terms of making this determination.
  
  – dwizum
  8 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  @dwizum thanks for the constructive comment. I wanted to keep the question narrow and could not come up with a way of writing up the context in more detail without distracting from this point.
  
  – ffc
  7 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  @ffc consider adding this info, or people might start "this is an XY-problem"-ing your question. Also, how do you know that you have access to a remote machine you have access to?
  
  – aaaaaa
  5 mins ago
  
  

  
  
  
  

add a comment | 

3

Let's say I have full access to a remote machine (root on a Linux for definiteness). What is the best method to check if this is a real piece of hardware versus a virtual machine?

Most of the methods that I have seen rely on looking at various hardware-related identifiers using tools such as lshw. It seems to me that these methods are prone to some sort of man-in-the-middle attacks.

Thanks in advance for references or any other information.

virtualization

share|improve this question

asked 8 hours ago

ffcffc

1163

New contributor

ffc is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

• 
  
  
  

  
  3
  

  
  
  
  
  
  

  
  
  I am not in a position to answer, but how about turning the question around: why does it matter to you? If there's some specific function or impact to your intended use of the machine, that is probably a good place to start in terms of making this determination.
  
  – dwizum
  8 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  @dwizum thanks for the constructive comment. I wanted to keep the question narrow and could not come up with a way of writing up the context in more detail without distracting from this point.
  
  – ffc
  7 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  @ffc consider adding this info, or people might start "this is an XY-problem"-ing your question. Also, how do you know that you have access to a remote machine you have access to?
  
  – aaaaaa
  5 mins ago
  
  

  
  
  
  

add a comment | 

Let's say I have full access to a remote machine (root on a Linux for definiteness). What is the best method to check if this is a real piece of hardware versus a virtual machine?

Most of the methods that I have seen rely on looking at various hardware-related identifiers using tools such as lshw. It seems to me that these methods are prone to some sort of man-in-the-middle attacks.

Thanks in advance for references or any other information.

virtualization

share|improve this question

asked 8 hours ago

ffcffc

1163

New contributor

ffc is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

share|improve this question

asked 8 hours ago

ffcffc

1163

New contributor

ffc is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

share|improve this question

asked 8 hours ago

ffcffc

1163

New contributor

ffc is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

asked 8 hours ago

ffcffc

1163

New contributor

ffc is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

asked 8 hours ago

ffcffc

1163

1 Answer
1

active

oldest

votes

5

It depends. If it attempts to hide that it's an VM, it can be hard. This can be the case with for instance VM's used for analyzing malware.

This paper from Symantec goes into some detail. In short, it's usually possible to detect, even if the VM, is trying to hide it, by running instructions to put the CPU in a specific state, and then run some instruction that forces the hypervizor to execute, and check the state of the CPU afterwards.

Timing attacks can also detect a hypervizor, but may be difficult if you have no baseline.

A stock VM from for instance Azure will not attempt to hide that it's an VM, and it will be obvious that it is a VM, from descriptors as you say.

share|improve this answer

answered 7 hours ago

vidarlovidarlo

5,0631327

add a comment | 

Your Answer

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "162"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

ffc is a new contributor. Be nice, and check out our Code of Conduct.

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f211991%2fhow-hard-is-it-to-distinguish-if-i-am-given-remote-access-to-a-virtual-machine-v%23new-answer', 'question_page');

);

Post as a guest

Name

Email

Required, but never shown

5

It depends. If it attempts to hide that it's an VM, it can be hard. This can be the case with for instance VM's used for analyzing malware.

This paper from Symantec goes into some detail. In short, it's usually possible to detect, even if the VM, is trying to hide it, by running instructions to put the CPU in a specific state, and then run some instruction that forces the hypervizor to execute, and check the state of the CPU afterwards.

Timing attacks can also detect a hypervizor, but may be difficult if you have no baseline.

A stock VM from for instance Azure will not attempt to hide that it's an VM, and it will be obvious that it is a VM, from descriptors as you say.

share|improve this answer

answered 7 hours ago

vidarlovidarlo

5,0631327

add a comment | 

5

It depends. If it attempts to hide that it's an VM, it can be hard. This can be the case with for instance VM's used for analyzing malware.

This paper from Symantec goes into some detail. In short, it's usually possible to detect, even if the VM, is trying to hide it, by running instructions to put the CPU in a specific state, and then run some instruction that forces the hypervizor to execute, and check the state of the CPU afterwards.

Timing attacks can also detect a hypervizor, but may be difficult if you have no baseline.

A stock VM from for instance Azure will not attempt to hide that it's an VM, and it will be obvious that it is a VM, from descriptors as you say.

share|improve this answer

answered 7 hours ago

vidarlovidarlo

5,0631327

add a comment | 

It depends. If it attempts to hide that it's an VM, it can be hard. This can be the case with for instance VM's used for analyzing malware.

This paper from Symantec goes into some detail. In short, it's usually possible to detect, even if the VM, is trying to hide it, by running instructions to put the CPU in a specific state, and then run some instruction that forces the hypervizor to execute, and check the state of the CPU afterwards.

Timing attacks can also detect a hypervizor, but may be difficult if you have no baseline.

A stock VM from for instance Azure will not attempt to hide that it's an VM, and it will be obvious that it is a VM, from descriptors as you say.

share|improve this answer

answered 7 hours ago

vidarlovidarlo

5,0631327

share|improve this answer

answered 7 hours ago

vidarlovidarlo

5,0631327

answered 7 hours ago

vidarlovidarlo

5,0631327

answered 7 hours ago

vidarlovidarlo

5,0631327