* [Qemu-devel] Have any ideas about how to detect whether a program is running inside QEMU?
From: James Lau @ 2006-07-06 5:04 UTC
To: qemu-devel

hi everybody,

For some security issues, I want to detect whether my Windows program is running inside qemu. Have any ideas?

Best Regards,

James Lau
* Re: [Qemu-devel] Have any ideas about how to detect whether a program is running inside QEMU?
From: Natalia Portillo @ 2006-07-06 6:48 UTC
To: qemu-devel

Hard disk model is QEMU.

On 06/07/2006, at 7:04, James Lau wrote:
> hi everybody,
> For some security issues, I want to detect whether my Windows
> program is running inside qemu. Have any ideas?
>
> Best Regards,
>
> James Lau
* Re: [Qemu-devel] Have any ideas about how to detect whether a program is running inside QEMU?
From: John R. Hogerhuis @ 2006-07-06 6:55 UTC
To: qemu-devel

On Thu, 2006-07-06 at 13:04 +0800, James Lau wrote:
> hi everybody,
> For some security issues, I want to detect whether my Windows program
> is running inside qemu. Have any ideas?

Security issues? That's a bit vague.

More information about what you're attempting to do would be helpful.

There are probably lots of ways to do this, but which ones make sense for your situation depends on various factors.

-- John.
* Re: [Qemu-devel] Have any ideas about how to detect whether a program is running inside QEMU?
From: James Lau @ 2006-07-06 7:18 UTC
To: qemu-devel

My program is a utility for internet payment. It takes an important role in the payment process to ensure security. One of the key functions is that the program should detect which machine is paying. So while a virtual machine (like QEMU) is present, it can cheat the program.

Checking the hard disk model, CPU type, and other hardware information makes little sense, because users or hackers can easily modify this information. So I need a QEMU-internal checking method that hackers can't easily bypass.

Thanks

--James

2006/7/6, John R. Hogerhuis <jhoger@pobox.com>:
> On Thu, 2006-07-06 at 13:04 +0800, James Lau wrote:
> > hi everybody,
> > For some security issues, I want to detect whether my Windows program
> > is running inside qemu. Have any ideas?
>
> Security issues? That's a bit vague.
>
> More information about what you're attempting to do would be helpful.
>
> There are probably lots of ways to do this, but which ones make sense
> for your situation depends on various factors.
>
> -- John.
* Re: [Qemu-devel] Have any ideas about how to detect whether a program is running inside QEMU?
From: Kevin F. Quinn @ 2006-07-06 8:20 UTC
To: qemu-devel

On Thu, 6 Jul 2006 15:18:14 +0800 "James Lau" <ljamestk@gmail.com> wrote:
> My program is a utility for internet payment. It takes an important
> role in the payment process to ensure security. One of the key
> functions is that the program should detect which machine is paying.

Why does this matter? Why do you care which machine the user is using when they pay? What about people using internet cafes?

Surely it's the user who is paying, and you need to securely authenticate the user. I don't see that whether they're using a virtual machine or not is relevant.

> So while a virtual machine (like QEMU) is present, it can cheat the
> program. Checking the hard disk model, CPU type, and other hardware
> information makes little sense, because users or hackers
> can easily modify this information. So I need a QEMU-internal
> checking method that hackers can't easily bypass.

I think you're wasting your time. Any "internal checking method" will be easily bypassed anyway.

Kev.

> Thanks
>
> --James
>
> 2006/7/6, John R. Hogerhuis <jhoger@pobox.com>:
> > On Thu, 2006-07-06 at 13:04 +0800, James Lau wrote:
> > > hi everybody,
> > > For some security issues, I want to detect whether my Windows
> > > program is running inside qemu. Have any ideas?
> >
> > Security issues? That's a bit vague.
> >
> > More information about what you're attempting to do would be
> > helpful.
> >
> > There are probably lots of ways to do this, but which ones make
> > sense for your situation depends on various factors.
> >
> > -- John.

--
Kevin F. Quinn
* Re: [Qemu-devel] Have any ideas about how to detect whether a program is running inside QEMU?
From: Jan Marten Simons @ 2006-07-06 10:33 UTC
To: qemu-devel

James Lau wrote:
> My program is a utility for internet payment. It takes an important
> role in the payment process to ensure security. One of the key
> functions is that the program should detect which machine is paying.
> So while a virtual machine (like QEMU) is present, it can cheat the
> program.

Well, to say it bluntly: Your security concept is flawed, as you cannot assume a client to be trusted. Rethink your concept. A Kerberos 5-like model might help you here.

> Checking the hard disk model, CPU type, and other hardware
> information makes little sense, because users or hackers can
> easily modify this information. So I need a QEMU-internal checking
> method that hackers can't easily bypass.

Just for your information: There's a project derived from qemu named 'argos' which tries to set up a high interaction honeypot to fool hackers into revealing their techniques and tools. If they can fool skilled hackers into taking the VM for a real system, then your program can be fooled as well.

With regards,
Jan
* Re: [Qemu-devel] Have any ideas about how to detect whether a program is running inside QEMU?
From: James Lau @ 2006-07-07 2:12 UTC
To: qemu-devel

I know it's flawed. This is a legacy solution, and the new security model is ongoing. But as you know, it costs time. Before this, I must maintain the program.

2006/7/6, Jan Marten Simons <marten@xtal.rwth-aachen.de>:
> James Lau wrote:
> > My program is a utility for internet payment. It takes an important
> > role in the payment process to ensure security. One of the key
> > functions is that the program should detect which machine is paying.
> > So while a virtual machine (like QEMU) is present, it can cheat the
> > program.
> Well, to say it bluntly: Your security concept is flawed, as you cannot
> assume a client to be trusted. Rethink your concept. A Kerberos 5-like
> model might help you here.
> > Checking the hard disk model, CPU type, and other hardware
> > information makes little sense, because users or hackers can
> > easily modify this information. So I need a QEMU-internal checking
> > method that hackers can't easily bypass.
> Just for your information: There's a project derived from qemu named
> 'argos' which tries to set up a high interaction honeypot to fool hackers
> into revealing their techniques and tools. If they can fool skilled
> hackers into taking the VM for a real system, then your program can be
> fooled as well.
>
> With regards,
> Jan
* Re: [Qemu-devel] Have any ideas about how to detect whether a program is running inside QEMU?
From: Jamie Lokier @ 2006-07-06 10:56 UTC
To: qemu-devel

James Lau wrote:
> My program is a utility for internet payment. It takes an important
> role in the payment process to ensure security. One of the key
> functions is that the program should detect which machine is paying.
> So while a virtual machine (like QEMU) is present, it can cheat the
> program.
>
> Checking the hard disk model, CPU type, and other hardware
> information makes little sense, because users or hackers can
> easily modify this information. So I need a QEMU-internal checking
> method that hackers can't easily bypass.

But hackers can easily modify QEMU source. So how can you depend on any feature of QEMU for your security checks?

-- Jamie
* Re: [Qemu-devel] Have any ideas about how to detect whether a program is running inside QEMU?
From: Daniel Serpell @ 2006-07-06 20:46 UTC
To: qemu-devel

Hi!

On Thu, Jul 06, 2006 at 03:18:14PM +0800, James Lau wrote:
> My program is a utility for internet payment. It takes an important role in
> the payment process to ensure security. One of the key functions is that
> the program should detect which machine is paying. So while a virtual machine
> (like QEMU) is present, it can cheat the program.
> Checking the hard disk model, CPU type, and other hardware information
> makes little sense, because users or hackers can easily modify
> this information. So I need a QEMU-internal checking method that hackers
> can't easily bypass.

Well, as others have argued, this is probably worthless.

But there is a way to detect virtual machines under x86, see
http://invisiblethings.org/papers/redpill.html

But if you run qemu without direct instruction copying, it won't work (and qemu will run slower), because qemu will correctly emulate the unprivileged instructions.

Daniel.
* Re: [Qemu-devel] Have any ideas about how to detect whether a program is running inside QEMU?
From: Kevin F. Quinn @ 2006-07-06 23:21 UTC
To: qemu-devel

On Thu, 6 Jul 2006 16:46:40 -0400 Daniel Serpell <daniel_serpell@yahoo.com> wrote:
> But there is a way to detect virtual machines under x86, see
> http://invisiblethings.org/papers/redpill.html
>
> But if you run qemu without direct instruction copying, it won't
> work (and qemu will run slower), because qemu will correctly
> emulate the unprivileged instructions.

Out of interest, sidt returns limit:base 07ff:c0372000 on my host, and 07ff:f0050000 on a linux guest with kqemu, and 07ff:c04b5000 on the same linux guest without kqemu, which illustrates the point.

I used the following code:

    #include <stdio.h>
    int main(int argc, char **argv) {
        unsigned char idtr[6];
        __asm__ ("sidt %0" : "=m" (*&idtr));
        fprintf(stdout,
                "IDTR: limit %2.2x%2.2x base %2.2x%2.2x%2.2x%2.2x\n",
                idtr[1],idtr[0],idtr[5],idtr[4],idtr[3],idtr[2]);
    }

which doesn't need executable heap (my kernel is PaX-enabled), unlike the redpill version, but is gcc-specific.

--
Kevin F. Quinn
* Re: [Qemu-devel] Have any ideas about how to detect whether a program is running inside QEMU?
From: G Portokalidis @ 2006-07-07 8:07 UTC
To: qemu-devel

Actually, I have also noticed this.

It implies that an exploit might not succeed (this is usually the case with most exploits), since the attacker-supplied shellcode will not be at the "expected" location.

My question is, does anybody know why this happens? Why this difference when running qemu with kqemu and without... I wonder if there is a way to override this behaviour.

Cheers,
G.

PS: I'm also responsible for the qemu derivative Argos. We make sure that the attacker will never get to run his code to determine whether he is running within a VM. Of course there are always some types of attacks that we would not be able to detect.

On 07/07/06, Kevin F. Quinn <ml@kevquinn.com> wrote:
> On Thu, 6 Jul 2006 16:46:40 -0400
> Daniel Serpell <daniel_serpell@yahoo.com> wrote:
>
> > But there is a way to detect virtual machines under x86, see
> > http://invisiblethings.org/papers/redpill.html
> >
> > But if you run qemu without direct instruction copying, it won't
> > work (and qemu will run slower), because qemu will correctly
> > emulate the unprivileged instructions.
>
> Out of interest, sidt returns limit:base 07ff:c0372000 on my
> host, and 07ff:f0050000 on a linux guest with kqemu, and 07ff:c04b5000
> on the same linux guest without kqemu, which illustrates the point.
>
> I used the following code:
>
>     #include <stdio.h>
>     int main(int argc, char **argv) {
>         unsigned char idtr[6];
>         __asm__ ("sidt %0" : "=m" (*&idtr));
>         fprintf(stdout,
>                 "IDTR: limit %2.2x%2.2x base %2.2x%2.2x%2.2x%2.2x\n",
>                 idtr[1],idtr[0],idtr[5],idtr[4],idtr[3],idtr[2]);
>     }
>
> which doesn't need executable heap (my kernel is PaX-enabled), unlike
> the redpill version, but is gcc-specific.
>
> --
> Kevin F. Quinn
* [Qemu-devel] Re: Have any ideas about how to detect whether a program is running inside QEMU?
From: Anthony Liguori @ 2006-07-07 20:36 UTC
To: qemu-devel

On Fri, 07 Jul 2006 10:07:47 +0200, G Portokalidis wrote:
> Actually, I have also noticed this.
> It implies that an exploit might not succeed (this is usually the case with
> most exploits), since the attacker-supplied shellcode will not be at the
> "expected" location.
>
> My question is, does anybody know why this happens? Why this difference
> when running qemu with kqemu and without... I wonder if there is a way to
> override this behaviour.

It's because kqemu is shadowing the IDT. kqemu happens to be using high vaddr space to do this. kqemu needs to shadow the IDT so that traps are delivered to it (instead of directly to the guest).

Regards,

Anthony Liguori

> Cheers,
> G.
>
> PS: I'm also responsible for the qemu derivative Argos. We make sure that
> the attacker will never get to run his code to determine whether he is
> running within a VM. Of course there are always some types of attacks that we
> would not be able to detect.
>
> On 07/07/06, Kevin F. Quinn <ml@kevquinn.com> wrote:
>> On Thu, 6 Jul 2006 16:46:40 -0400
>> Daniel Serpell <daniel_serpell@yahoo.com> wrote:
>>
>> > But there is a way to detect virtual machines under x86, see
>> > http://invisiblethings.org/papers/redpill.html
>> >
>> > But if you run qemu without direct instruction copying, it won't work
>> > (and qemu will run slower), because qemu will correctly emulate the
>> > unprivileged instructions.
>>
>> Out of interest, sidt returns limit:base 07ff:c0372000 on my host, and
>> 07ff:f0050000 on a linux guest with kqemu, and 07ff:c04b5000 on the same
>> linux guest without kqemu, which illustrates the point.
>>
>> I used the following code:
>>
>>     #include <stdio.h>
>>     int main(int argc, char **argv) {
>>         unsigned char idtr[6];
>>         __asm__ ("sidt %0" : "=m" (*&idtr));
>>         fprintf(stdout,
>>                 "IDTR: limit %2.2x%2.2x base %2.2x%2.2x%2.2x%2.2x\n",
>>                 idtr[1],idtr[0],idtr[5],idtr[4],idtr[3],idtr[2]);
>>     }
>>
>> which doesn't need executable heap (my kernel is PaX-enabled), unlike
>> the redpill version, but is gcc-specific.
>>
>> --
>> Kevin F. Quinn
* [Qemu-devel] Re: Have any ideas about how to detect whether a program is running inside QEMU?
From: Anthony Liguori @ 2006-07-07 0:06 UTC
To: qemu-devel

On Thu, 06 Jul 2006 16:46:40 -0400, Daniel Serpell wrote:
> Hi!
>
> On Thu, Jul 06, 2006 at 03:18:14PM +0800, James Lau wrote:
>> My program is a utility for internet payment. It takes an important role
>> in the payment process to ensure security. One of the key functions is
>> that the program should detect which machine is paying. So while a virtual
>> machine (like QEMU) is present, it can cheat the program. Checking the
>> hard disk model, CPU type, and other hardware information makes little
>> sense, because users or hackers can easily modify this
>> information. So I need a QEMU-internal checking method that hackers
>> can't easily bypass.
>
> Well, as others have argued, this is probably worthless.
>
> But there is a way to detect virtual machines under x86, see
> http://invisiblethings.org/papers/redpill.html

This is an utterly silly way of doing this. For starters, it depends on your OS and where the monitor hides itself. There is no reason the monitor couldn't choose a lower address (assuming user-mode emulation). Also, it's totally useless when QEMU is doing full emulation (or if hardware virtualization is present).

The only general way of doing this is to exploit timing differences between the host and guest. Pioneer[1] is a good example of this although it only works on non-VT/SVM systems. If you were exhaustive about timing all possible exits, you could extend this to a VT/SVM system.

If hardware is available, static or dynamic attestation also addresses this problem.

[1] http://portal.acm.org/affiliated/citation.cfm?id=1095810.1095812&coll=ACM&dl=ACM&type=series&idx=1095810&part=Proceedings&WantType=Proceedings&title=ACM%20Symposium%20on%20Operating%20Systems%20Principles&CFID=15151515&CFTOKEN=6184618

Regards,

Anthony Liguori

> But if you run qemu without direct instruction copying, it won't work (and
> qemu will run slower), because qemu will correctly emulate the
> unprivileged instructions.
>
> Daniel.
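An added example, not code from the thread: it decodes the limit:base values Kevin posted, applies the redpill paper's cut-off (top byte of a 32-bit IDT base above 0xd0) to them, and reads the live IDTR with a buffer sized for 64-bit mode, where sidt stores 10 bytes rather than the 6 Kevin's array holds. The decode and parse helpers and the 32-bit-only treatment of the cut-off are this example's own choices; the live read is guarded and returns 0 when not built for x86.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct idtr {
    uint16_t limit;
    uint64_t base;
};

/* Decode the little-endian image sidt stores: 2 bytes of limit, then a
 * 4-byte base in 32-bit mode or an 8-byte base in 64-bit mode. */
struct idtr decode_idtr(const unsigned char *raw, size_t raw_len) {
    struct idtr r = {0, 0};
    r.limit = (uint16_t)(raw[0] | (raw[1] << 8));
    for (size_t i = 0; i + 2 < raw_len; i++)
        r.base |= (uint64_t)raw[2 + i] << (8 * i);
    return r;
}

/* Parse the "limit:base" text Kevin quotes, e.g. "07ff:f0050000"; 0 on bad input. */
int parse_idtr_text(const char *text, struct idtr *out) {
    unsigned int limit;
    unsigned long long base;
    if (sscanf(text, "%x:%llx", &limit, &base) != 2 || limit > 0xffff)
        return 0;
    out->limit = (uint16_t)limit;
    out->base = base;
    return 1;
}

/* Redpill's test on a 32-bit base: top byte above 0xd0 is read as a
 * monitor's relocated IDT. Kevin's kqemu value 0xf0050000 trips it; his
 * native and non-kqemu values (0xc0372000, 0xc04b5000) do not. Anthony's
 * objection applies: the cut-off depends on the OS layout and on where the
 * monitor chooses to live, and says nothing under full emulation. */
int idt_base_looks_relocated(const struct idtr *r) {
    if (r->base > 0xffffffffULL)
        return 0;  /* 64-bit layout: the 32-bit rule of thumb does not apply */
    return ((r->base >> 24) & 0xff) > 0xd0;
}

/* Read the live IDTR. Sized for 64-bit mode (10 bytes): Kevin's 6-byte
 * array is right for i386 but overflows on x86-64. Returns bytes stored,
 * or 0 when not built for x86 (this example's convention). */
size_t read_live_idtr(unsigned char out[10]) {
#if defined(__i386__) || defined(__x86_64__)
    struct __attribute__((packed)) { uint16_t limit; uintptr_t base; } mem;
    __asm__ volatile ("sidt %0" : "=m" (mem));
    memcpy(out, &mem, sizeof mem);
    return sizeof mem;
#else
    (void)out;
    return 0;
#endif
}

int main(void) {
    unsigned char raw[10];
    size_t n = read_live_idtr(raw);
    if (n == 0) return 1;
    struct idtr r = decode_idtr(raw, n);
    printf("IDTR: limit %04x base %llx (%s)\n", r.limit, (unsigned long long)r.base,
           idt_base_looks_relocated(&r) ? "redpill trips" : "redpill quiet");
    return 0;
}
```

On a current Linux kernel with UMIP enabled, a user-mode sidt is trapped and emulated with a fixed dummy base, which is one more reason the live value carries no weight as evidence.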