Virtual machine halt

Abstract

DETIboot is an over-the-air, file distribution system that allows a teacher to gain control over students' personal laptops during exams, by distributing a properly hardened Linux operating system image. In this scenario, a student could boot the hardened image over a Virtual Machine, being able to explore the hosting system while doing the exam on the hosted one. In this paper we present Virtual Machine Halt (VMHalt), a solution conceived for the detection of unknown, uncooperative x86_64 Virtual Machines and system emulators. For that purpose, VMHalt uses several strategies to classify an underlying layer as virtual. Our results shows that: although individual strategies have their own weaknesses, leading to a wrong decision, by excluding the ones that could classify a physical system incorrectly as a virtual one, a weighted decision from all strategies correctly detects an underlying virtualization engine with increased probability, while true hardware is always recognised as such.

DOI: 10.1145/2851613.2851948

Extracted Key Phrases

3 Figures and Tables

Cite this paper

@inproceedings{Reis2016VirtualMH, title={Virtual machine halt}, author={Sim{\~a}o Reis and Andr{\'e} Z{\'u}quete and Jos{\'e} M. N. Vieira}, booktitle={SAC}, year={2016} }