How hard is it to distinguish if I am given remote access to a virtual machine vs a piece of hardware?Protection of Keys/Passwords on Virtual Hardware (XEN, KVM, VMWare, etc.)How can I protect content distributed on a linux virtual machine?How isolated are files on a VirtualBox virtual machine from the host filesystem?How does a root kit work inside a virtual machine?How long to re-seed /dev/urandom in a virtual machine?how to access freenet on a remote machine from androidHow to get IP address of a virtual box machine from hostmachine?How can I connect a USB device to a virtual machine while bypassing the host?What kind of access on the guest is required to break out of a virtual machine?How does testing on a Virtual Machine prevent the security tester from breaching the misuse act?

What are the pros and cons for the two possible "gear directions" when parking the car on a hill?

What is the meaning of "понаехать"?

Should I include an appendix for inessential, yet related worldbuilding to my story?

Why isn't my calculation that we should be able to see the sun well beyond the observable universe valid?

Has a life raft ever been successfully deployed on a modern commercial flight?

Explicit song lyrics checker

What triggered jesuits' ban on infinitesimals in 1632?

Boss wants someone else to lead a project based on the idea I presented to him

macOS: How to take a picture from camera after 1 minute

Are there any individual aliens that have gained superpowers in the Marvel universe?

Why does Linux list NVMe drives as /dev/nvme0 instead of /dev/sda?

Non-misogynistic way to say “asshole”?

Designing a magic-compatible polearm

Print one file per line using echo

Is there a name for the trope when there is a moments dialogue when someone pauses just before they leave the room?

Why is it easier to balance a non-moving bike standing up than sitting down?

How does join() produce different results depending on the arguments?

Is declining an undergraduate award which causes me discomfort appropriate?

How does DC work with natural 20?

Can Hunter's Mark be moved after Silence has been cast on a character?

Can the pre-order traversal of two different trees be the same even though they are different?

What are the current battlegrounds for people’s “rights” in the UK?

Is the specular reflection on a polished gold sphere white or gold in colour?

Is the continuity test limit resistance of a multimeter standard?



How hard is it to distinguish if I am given remote access to a virtual machine vs a piece of hardware?


Protection of Keys/Passwords on Virtual Hardware (XEN, KVM, VMWare, etc.)How can I protect content distributed on a linux virtual machine?How isolated are files on a VirtualBox virtual machine from the host filesystem?How does a root kit work inside a virtual machine?How long to re-seed /dev/urandom in a virtual machine?how to access freenet on a remote machine from androidHow to get IP address of a virtual box machine from hostmachine?How can I connect a USB device to a virtual machine while bypassing the host?What kind of access on the guest is required to break out of a virtual machine?How does testing on a Virtual Machine prevent the security tester from breaching the misuse act?






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;








3















Let's say I have full access to a remote machine (root on a Linux for definiteness). What is the best method to check if this is a real piece of hardware versus a virtual machine?



Most of the methods that I have seen rely on looking at various hardware-related identifiers using tools such as lshw. It seems to me that these methods are prone to some sort of man-in-the-middle attacks.



Thanks in advance for references or any other information.










share|improve this question







New contributor



ffc is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.














  • 3





    I am not in a position to answer, but how about turning the question around: why does it matter to you? If there's some specific function or impact to your intended use of the machine, that is probably a good place to start in terms of making this determination.

    – dwizum
    8 hours ago











  • @dwizum thanks for the constructive comment. I wanted to keep the question narrow and could not come up with a way of writing up the context in more detail without distracting from this point.

    – ffc
    7 hours ago











  • @ffc consider adding this info, or people might start "this is an XY-problem"-ing your question. Also, how do you know that you have access to a remote machine you have access to?

    – aaaaaa
    5 mins ago


















3















Let's say I have full access to a remote machine (root on a Linux for definiteness). What is the best method to check if this is a real piece of hardware versus a virtual machine?



Most of the methods that I have seen rely on looking at various hardware-related identifiers using tools such as lshw. It seems to me that these methods are prone to some sort of man-in-the-middle attacks.



Thanks in advance for references or any other information.










share|improve this question







New contributor



ffc is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.














  • 3





    I am not in a position to answer, but how about turning the question around: why does it matter to you? If there's some specific function or impact to your intended use of the machine, that is probably a good place to start in terms of making this determination.

    – dwizum
    8 hours ago











  • @dwizum thanks for the constructive comment. I wanted to keep the question narrow and could not come up with a way of writing up the context in more detail without distracting from this point.

    – ffc
    7 hours ago











  • @ffc consider adding this info, or people might start "this is an XY-problem"-ing your question. Also, how do you know that you have access to a remote machine you have access to?

    – aaaaaa
    5 mins ago














3












3








3








Let's say I have full access to a remote machine (root on a Linux for definiteness). What is the best method to check if this is a real piece of hardware versus a virtual machine?



Most of the methods that I have seen rely on looking at various hardware-related identifiers using tools such as lshw. It seems to me that these methods are prone to some sort of man-in-the-middle attacks.



Thanks in advance for references or any other information.










share|improve this question







New contributor



ffc is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











Let's say I have full access to a remote machine (root on a Linux for definiteness). What is the best method to check if this is a real piece of hardware versus a virtual machine?



Most of the methods that I have seen rely on looking at various hardware-related identifiers using tools such as lshw. It seems to me that these methods are prone to some sort of man-in-the-middle attacks.



Thanks in advance for references or any other information.







virtualization






share|improve this question







New contributor



ffc is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.










share|improve this question







New contributor



ffc is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.








share|improve this question




share|improve this question






New contributor



ffc is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.








asked 8 hours ago









ffcffc

1163




1163




New contributor



ffc is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.




New contributor




ffc is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









  • 3





    I am not in a position to answer, but how about turning the question around: why does it matter to you? If there's some specific function or impact to your intended use of the machine, that is probably a good place to start in terms of making this determination.

    – dwizum
    8 hours ago











  • @dwizum thanks for the constructive comment. I wanted to keep the question narrow and could not come up with a way of writing up the context in more detail without distracting from this point.

    – ffc
    7 hours ago











  • @ffc consider adding this info, or people might start "this is an XY-problem"-ing your question. Also, how do you know that you have access to a remote machine you have access to?

    – aaaaaa
    5 mins ago













  • 3





    I am not in a position to answer, but how about turning the question around: why does it matter to you? If there's some specific function or impact to your intended use of the machine, that is probably a good place to start in terms of making this determination.

    – dwizum
    8 hours ago











  • @dwizum thanks for the constructive comment. I wanted to keep the question narrow and could not come up with a way of writing up the context in more detail without distracting from this point.

    – ffc
    7 hours ago











  • @ffc consider adding this info, or people might start "this is an XY-problem"-ing your question. Also, how do you know that you have access to a remote machine you have access to?

    – aaaaaa
    5 mins ago








3




3





I am not in a position to answer, but how about turning the question around: why does it matter to you? If there's some specific function or impact to your intended use of the machine, that is probably a good place to start in terms of making this determination.

– dwizum
8 hours ago





I am not in a position to answer, but how about turning the question around: why does it matter to you? If there's some specific function or impact to your intended use of the machine, that is probably a good place to start in terms of making this determination.

– dwizum
8 hours ago













@dwizum thanks for the constructive comment. I wanted to keep the question narrow and could not come up with a way of writing up the context in more detail without distracting from this point.

– ffc
7 hours ago





@dwizum thanks for the constructive comment. I wanted to keep the question narrow and could not come up with a way of writing up the context in more detail without distracting from this point.

– ffc
7 hours ago













@ffc consider adding this info, or people might start "this is an XY-problem"-ing your question. Also, how do you know that you have access to a remote machine you have access to?

– aaaaaa
5 mins ago






@ffc consider adding this info, or people might start "this is an XY-problem"-ing your question. Also, how do you know that you have access to a remote machine you have access to?

– aaaaaa
5 mins ago











1 Answer
1






active

oldest

votes


















5














It depends. If it attempts to hide that it's an VM, it can be hard. This can be the case with for instance VM's used for analyzing malware.



This paper from Symantec goes into some detail. In short, it's usually possible to detect, even if the VM, is trying to hide it, by running instructions to put the CPU in a specific state, and then run some instruction that forces the hypervizor to execute, and check the state of the CPU afterwards.



Timing attacks can also detect a hypervizor, but may be difficult if you have no baseline.



A stock VM from for instance Azure will not attempt to hide that it's an VM, and it will be obvious that it is a VM, from descriptors as you say.






share|improve this answer























    Your Answer








    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "162"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    autoActivateHeartbeat: false,
    convertImagesToLinks: false,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    imageUploader:
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    ,
    noCode: true, onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );






    ffc is a new contributor. Be nice, and check out our Code of Conduct.









    draft saved

    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f211991%2fhow-hard-is-it-to-distinguish-if-i-am-given-remote-access-to-a-virtual-machine-v%23new-answer', 'question_page');

    );

    Post as a guest















    Required, but never shown

























    1 Answer
    1






    active

    oldest

    votes








    1 Answer
    1






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    5














    It depends. If it attempts to hide that it's an VM, it can be hard. This can be the case with for instance VM's used for analyzing malware.



    This paper from Symantec goes into some detail. In short, it's usually possible to detect, even if the VM, is trying to hide it, by running instructions to put the CPU in a specific state, and then run some instruction that forces the hypervizor to execute, and check the state of the CPU afterwards.



    Timing attacks can also detect a hypervizor, but may be difficult if you have no baseline.



    A stock VM from for instance Azure will not attempt to hide that it's an VM, and it will be obvious that it is a VM, from descriptors as you say.






    share|improve this answer



























      5














      It depends. If it attempts to hide that it's an VM, it can be hard. This can be the case with for instance VM's used for analyzing malware.



      This paper from Symantec goes into some detail. In short, it's usually possible to detect, even if the VM, is trying to hide it, by running instructions to put the CPU in a specific state, and then run some instruction that forces the hypervizor to execute, and check the state of the CPU afterwards.



      Timing attacks can also detect a hypervizor, but may be difficult if you have no baseline.



      A stock VM from for instance Azure will not attempt to hide that it's an VM, and it will be obvious that it is a VM, from descriptors as you say.






      share|improve this answer

























        5












        5








        5







        It depends. If it attempts to hide that it's an VM, it can be hard. This can be the case with for instance VM's used for analyzing malware.



        This paper from Symantec goes into some detail. In short, it's usually possible to detect, even if the VM, is trying to hide it, by running instructions to put the CPU in a specific state, and then run some instruction that forces the hypervizor to execute, and check the state of the CPU afterwards.



        Timing attacks can also detect a hypervizor, but may be difficult if you have no baseline.



        A stock VM from for instance Azure will not attempt to hide that it's an VM, and it will be obvious that it is a VM, from descriptors as you say.






        share|improve this answer













        It depends. If it attempts to hide that it's an VM, it can be hard. This can be the case with for instance VM's used for analyzing malware.



        This paper from Symantec goes into some detail. In short, it's usually possible to detect, even if the VM, is trying to hide it, by running instructions to put the CPU in a specific state, and then run some instruction that forces the hypervizor to execute, and check the state of the CPU afterwards.



        Timing attacks can also detect a hypervizor, but may be difficult if you have no baseline.



        A stock VM from for instance Azure will not attempt to hide that it's an VM, and it will be obvious that it is a VM, from descriptors as you say.







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered 7 hours ago









        vidarlovidarlo

        5,0631327




        5,0631327




















            ffc is a new contributor. Be nice, and check out our Code of Conduct.









            draft saved

            draft discarded


















            ffc is a new contributor. Be nice, and check out our Code of Conduct.












            ffc is a new contributor. Be nice, and check out our Code of Conduct.











            ffc is a new contributor. Be nice, and check out our Code of Conduct.














            Thanks for contributing an answer to Information Security Stack Exchange!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid


            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.

            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f211991%2fhow-hard-is-it-to-distinguish-if-i-am-given-remote-access-to-a-virtual-machine-v%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown







            Popular posts from this blog

            Canceling a color specificationRandomly assigning color to Graphics3D objects?Default color for Filling in Mathematica 9Coloring specific elements of sets with a prime modified order in an array plotHow to pick a color differing significantly from the colors already in a given color list?Detection of the text colorColor numbers based on their valueCan color schemes for use with ColorData include opacity specification?My dynamic color schemes

            Invision Community Contents History See also References External links Navigation menuProprietaryinvisioncommunity.comIPS Community ForumsIPS Community Forumsthis blog entry"License Changes, IP.Board 3.4, and the Future""Interview -- Matt Mecham of Ibforums""CEO Invision Power Board, Matt Mecham Is a Liar, Thief!"IPB License Explanation 1.3, 1.3.1, 2.0, and 2.1ArchivedSecurity Fixes, Updates And Enhancements For IPB 1.3.1Archived"New Demo Accounts - Invision Power Services"the original"New Default Skin"the original"Invision Power Board 3.0.0 and Applications Released"the original"Archived copy"the original"Perpetual licenses being done away with""Release Notes - Invision Power Services""Introducing: IPS Community Suite 4!"Invision Community Release Notes

            199年 目錄 大件事 到箇年出世嗰人 到箇年死嗰人 節慶、風俗習慣 導覽選單