From: Anthony Liguori
Date: Thu, 06 Jul 2006 19:06:31 -0500
Subject: [Qemu-devel] Re: Have any ideas about how to detect whether a program is running inside QEMU?
To: qemu-devel@nongnu.org
References: <1152168950.6324.302.camel@aragorn> <20060706204640.GA28903@aplik.cl>

On Thu, 06 Jul 2006 16:46:40 -0400, Daniel Serpell wrote:
> Hi!
>
> On Thu, Jul 06, 2006 at 03:18:14PM +0800, James Lau wrote:
>> My program is a utility for internet payment. It takes an important role
>> in the payment process to ensure security. One of the key functions is
>> that the program should detect which machine is paying. So while a virtual
>> machine (like QEMU) is present, it can cheat the program. Checking the
>> hard disk model, CPU type, and other hardware information makes little
>> sense, because the users or the hackers can easily modify this
>> information. So I need a QEMU-internal checking method that hackers
>> can't easily bypass.
>>
>
> Well, as others have argued, this is probably worthless.
>
> But there is a way to detect virtual machines under x86, see
> http://invisiblethings.org/papers/redpill.html

This is an utterly silly way of doing this. For starters, it depends on
your OS and where the monitor hides itself. There is no reason the
monitor couldn't choose a lower address (assuming user-mode emulation).
Also, it's totally useless when QEMU is doing full emulation (or if
hardware virtualization is present).

The only general way of doing this is to exploit timing differences
between the host and guest. Pioneer[1] is a good example of this,
although it only works on non-VT/SVM systems. If you were exhaustive
about timing all possible exits, you could extend this to a VT/SVM
system.

If hardware is available, static or dynamic attestation also addresses
this problem.

[1] http://portal.acm.org/affiliated/citation.cfm?id=1095810.1095812&coll=ACM&dl=ACM&type=series&idx=1095810&part=Proceedings&WantType=Proceedings&title=ACM%20Symposium%20on%20Operating%20Systems%20Principles&CFID=15151515&CFTOKEN=6184618

Regards,

Anthony Liguori

> But if you run qemu without direct instruction copying, it won't work (and
> qemu will run slower), because qemu will correctly emulate the
> unprivileged instructions.
>
> Daniel.