Hacker News new | ask | show | jobs
by lights0123 2054 days ago
It's easy to make the core device indistinguishable. It's the additional hardware that becomes a problem: QEMU/libvirt hardcodes its hard drive model to include the word "QEMU" (although there is an unmerged patch to make that configurable), and although I don't know how graphics work in a VM, it's far easier to create a higher-level graphics device than e.g. emulating Intel graphics.
1 comments
ColanR 2054 days ago
I imagine a script could be used with qemu - given that patch you mentioned, which I would love a source for if you have it - to match the names of the virtual devices with names of devices on the physical host. Then there's no way for software to check the device names against a list of VM tools, since it always matches real, physical hardware.

At that point, it seems to me that there isn't much left to distinguish the virtual machine from the physical. Behavioral properties of the CPU? Anyway, that's what I meant when I said it seems like after a certain point, it becomes impossible to tell the difference.

EDIT: based on the link above, it looks like current state-of-the-art doesn't go far beyond making sure names and common virtualbox performance shortcuts aren't present. https://github.com/hfiref0x/VBoxHardenedLoader/blob/master/B...

link
cosmie 2054 days ago
One of the other telltale signs of a VM are "things VMs can do that physical devices can't" - such as weird screen resolutions (when running in windowed mode rather than full screen), weird CPU core counts, physical ram values that aren't cleanly divisible into DIMM slots, etc.
link
ColanR 2054 days ago
Good point. I guess that would be relatively easy to check for programmatically.

What else is there that could possibly indicate virtualization? Available instruction sets? Strange limitations of the given CPU? (e.g., the cpu presents itself as some Intel chip that's known to have 4 cores, but there's only 2 available)

link
WrtCdEvrydy 2054 days ago
This is a classic computer science question of whether the OS should be aware that it's being virtualized.
link
userbinator 2054 days ago
I know of malware long ago that would attempt to time how long CPU instructions take, based on the theory that a VM would be significantly slower, but more recently, especially with hardware-assisted virtualisation, the differences have become close to indistinguishable.
link
lights0123 2054 days ago
patch is https://lists.gnu.org/archive/html/qemu-devel/2012-03/msg021...
link
ColanR 2053 days ago
Thanks!
link