Figure 3 - uploaded by Valerio Selis
Machine emulation detection algorithm 

Source publication
Conference Paper
Security in the Internet of Things (IoT) is now considered a priority, and trust in machine-to-machine (M2M) communications is expected to play a key role. This paper presents a mechanism to detect an emerging threat in M2M systems whereby an attacker may create multiple fake embedded machines using virtualized or emulated systems, in order to comp...

Contexts in source publication

Context 1
... as previously described, are not applicable, considering that embedded systems based on Linux can use NTP to update their date and time. Additionally, we postulate that the fingerprinting detection method can be easily faked, in particular in fully emulated environments; nevertheless, as we describe, during some tests this may be a valid detection method. Finally, we believe that by adopting our method it will be difficult for a virtual or emulated system to fake the behaviour results, because the method uses the network stack in order to perform the characterisation. In this case, the virtual or emulated system needs to check when a socket is created and handle it every time, because it cannot know a priori that it was called by our method. This would lead to an increase in the overall delay time and a decrease in system performance. Additionally, part of the kernel would need to be modified, which is not always possible. In order to perform the characterisation, an algorithm was developed to collect information from real, virtualised and emulated environments. This consists of pinging the localhost (127.0.0.1) in the system under consideration 1000 times and, for every ping, collecting the ping response time (ms), the system timestamp (s) and the CPU/MCU usage (%), as shown in Figure 2. The timestamp information was collected using the “date” command. The CPU/MCU usage was collected from “/proc/stat” or “iostat”, depending on the OS used. We tested virtualized and emulated systems including: Android Emulator (Android Developers, 2014), Genymotion (Genymobile, 2014), GXemul (Gavare, 2014), OVPsim (Open Virtual Platform, 2014), QEMU (Bellard, 2005), VirtualBox (Oracle Corporation, 2014) and VMware Player (VMware Inc, 2015).
All these were used with default configurations, along with a real machine used as reference (termed RM), which had the following characteristics:
• OS: Linux Mint 17 (qiana) with kernel 3.13.0-24-generic
• CPU: Intel(R) Core(TM) i3-4130 CPU @ 3.40GHz (4 cores)
• RAM: 7897 MiB
Next, we used as comparison real embedded devices including: ALIX 6F2 (PC Engines GmbH, 2007), Google Nexus 5 and 7 (Google and LG Electronics, 2013; Google and Asus, 2012), Carambola (8devices, 2012), Arduino Yún (Arduino, 2013) and Raspberry Pi (Raspberry Pi Foundation, 2012). For each device, eight tests comprising the characterisation algorithm were performed by tuning the ping command with different options and stressing the CPU/MCU (whereby the CPU usage level is maintained at 100%), as shown in Table 1. In order to stress the CPU/MCU the “dd” command was used, with input data from urandom, if=/dev/urandom, and writing this data to the null device, of=/dev/null. In some characterisations, multiple instances of this program were executed to overload the CPU/MCU in multi-core devices. In these cases the information collected was analysed using different characterisation metrics for ping response times, timestamps and CPU/MCU usage levels, as shown in Tables 2 and 3. The results obtained show the same behaviours for the real embedded devices in tests 1 to 4; however, it was decided to exclude tests 5 to 8 as they do not give reliable results for identifying virtual or emulated systems. The issues in identifying virtual or emulated systems in tests 5 to 8 were related to the ping packet size, whereby large ping packets consume high computational resources, which can cause problems in embedded devices with low processing power. Table 2 shows the range of behaviours concerning ping response times and timestamps for RM used during the tests.
Information about the CPU/MCU levels is not shown for tests 2 and 4, because the CPU/MCU was under stress and its usage level was always at 100%. Table 3 shows characterisation results for all real embedded devices (termed EM). In the rest of this paper we use the notations listed in Table 4 for the tests, as well as the following notations: ping response time “P.”; timestamp “T.”; CPU/MCU level “C.”; standard deviation “SD”; simulation “Sim.”. The detection method is based on the behaviours of RM and embedded machines as characterised in Tables 2 and 3. These ranges were used as threshold values to detect virtual or emulated systems. Let TMin_X(CM_i) and TMax_X(CM_i) be the minimum and maximum values in the range for the characterisation metric CM_i of X (RM or EM). Let T(CM_i) be the CM_i value obtained from the target system. By considering RM, the virtual or emulated system is considered detected if T(CM_i) < TMin_RM(CM_i). Moreover, it is considered better than RM if T(CM_i) TMin_RM(CM_i); this means that in some cases it is faster than the RM and/or the measurements obtained have a low error, i.e. P.SD close to 0, P.Total reduced by half or C.Mean less than 1% during tests 1 and 3. The machine emulation detection algorithm is based on the detection of illegitimate embedded devices. It uses the characterisation metrics based on EM and is described in Figure 3. Considering EM, an illegitimate embedded device is considered detected if T(CM_i) < TMin_EM(CM_i) or T(CM_i) > TMax_EM(CM_i). Figures 4 and 5 show the results of the behaviour characterisations. These were obtained by combining the information gathered from the tests of the virtual and emulated systems using the RM as reference. Figures 6 and 7 show the same results as Figures 4 and 5, but using the behaviours of embedded machines as reference.
It can clearly be seen that when adopting the EM behaviours, the detection of virtual or emulated systems is significantly higher than when adopting the RM behaviours. It may also be observed that, by considering all tests for the EM, the AE is more detectable than the GX2. From these results it is possible to observe that our solution detects every virtual and emulated system. Furthermore, it is possible to detect them by using only the behaviours obtained from P.Total, P.Mean ± SD and T.Total. These results show that at least six virtual and emulated systems can be detected by considering only RM behaviours, in particular by using P.Mean ± SD. We observed that Genymotion, OVPsim, VirtualBox and VMware behave close to, and in some cases better than, RM. Moreover, Genymotion, VirtualBox and VMware are detectable using the fingerprinting test, as shown in Table 5. This test was applied using detection values such as vbox, virtualbox, virtualized, oracle, innotek, intel, genuineintel, ...
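The characterisation metrics and the two threshold rules described above, written out as an added Python example (not code from the paper): characterise() reduces one run of 1000 localhost pings to P.Total, P.Mean, P.SD, T.Total and C.Mean, meda_detect() applies the EM rule (flag if T(CM_i) < TMin_EM(CM_i) or T(CM_i) > TMax_EM(CM_i)) and rm_detect() applies the RM rule (flag if T(CM_i) < TMin_RM(CM_i)). The threshold ranges and the two sample runs are constructed for illustration and are not the values in the paper's Tables 2 and 3.

```python
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Range:
    """[TMin_X(CM_i), TMax_X(CM_i)] for one characterisation metric CM_i of X (RM or EM)."""
    tmin: float
    tmax: float


def characterise(samples):
    """Reduce one run of the collection algorithm, a list of (ping_ms, timestamp_s, cpu_pct)
    tuples with one entry per localhost ping, to the page's characterisation metrics."""
    pings = [p for p, _, _ in samples]
    stamps = [t for _, t, _ in samples]
    cpu = [c for _, _, c in samples]
    return {
        "P.Total": sum(pings),                 # total ping response time (ms)
        "P.Mean": statistics.fmean(pings),     # mean ping response time (ms)
        "P.SD": statistics.pstdev(pings),      # standard deviation of ping times (ms)
        "T.Total": stamps[-1] - stamps[0],     # wall-clock span of the whole run (s)
        "C.Mean": statistics.fmean(cpu),       # mean CPU/MCU usage (%)
    }


def meda_detect(metrics, em_ranges):
    """MEDA rule: illegitimate embedded device if any T(CM_i) lies outside
    [TMin_EM(CM_i), TMax_EM(CM_i)]. Returns the names of the offending metrics."""
    return [m for m, v in metrics.items()
            if m in em_ranges and not (em_ranges[m].tmin <= v <= em_ranges[m].tmax)]


def rm_detect(metrics, rm_ranges):
    """RM rule: detected if any T(CM_i) < TMin_RM(CM_i). Returns the offending metrics."""
    return [m for m, v in metrics.items() if m in rm_ranges and v < rm_ranges[m].tmin]


# Constructed threshold ranges (illustrative only, not the paper's measured Tables 2 and 3).
EM_RANGES = {"P.Total": Range(150, 2000), "P.Mean": Range(0.15, 2.0), "P.SD": Range(0.01, 0.5),
             "T.Total": Range(5, 120), "C.Mean": Range(2, 100)}
RM_RANGES = {"P.Total": Range(30, 60), "P.Mean": Range(0.03, 0.06), "P.SD": Range(0.005, 0.02)}

# Constructed runs of 1000 pings each (not measured data): a plausible embedded device with
# jittery ~0.44 ms pings, and an emulated one whose pings are implausibly fast and regular.
EMBEDDED_SAMPLES = [(0.40 + 0.02 * (i % 5), 100.0 + 0.05 * i, 20 + i % 3) for i in range(1000)]
EMULATED_SAMPLES = [(0.01, 100.0 + 0.001 * i, 0) for i in range(1000)]

if __name__ == "__main__":
    for name, run in (("embedded", EMBEDDED_SAMPLES), ("emulated", EMULATED_SAMPLES)):
        m = characterise(run)
        print(name, "EM rule:", meda_detect(m, EM_RANGES), "RM rule:", rm_detect(m, RM_RANGES))
```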

Similar publications

Conference Paper
The growing pervasiveness of Internet of Things (IoT) expands the attack surface by connecting more and more attractive attack targets, i.e. embedded devices, to the Internet. One key component in securing these devices is software integrity checking, which is typically attained with Remote Attestation (RA). RA is realized as an interactive protocol,...
Article
Studies have shown that trust plays a crucial role in the consumers’ decision to adopt Internet of Things (IoT) technologies and services since it helps them to overcome perceptions of risk and uncertainty related to it and enhances the customers’ level of acceptance and adoption intention. Nevertheless, the literature of IoT still lacks studies on...
Preprint
The growing pervasiveness of Internet of Things (IoT) expands the attack surface by connecting more and more attractive attack targets, i.e. embedded devices, to the Internet. One key component in securing these devices is software integrity checking, which is typically attained with Remote Attestation (RA). RA is realized as an interactive protocol,...

Citations

... Research work on detecting forged embedded machines in M2M communications and IoT is at an early stage and, as far as we are aware, the work proposed by authors in [19] is the first addressing this specific problem. Related works have focused on the detection of specific virtual and emulated systems, in some cases, by using specific architecture-dependent information from x86/x64 architectures. ...
... A behaviour test has been demonstrated to be efficient for detecting virtual and emulated systems. In the work presented in [19] a machine emulation detection algorithm (MEDA) is presented. This uses behaviours from real, virtual and emulated embedded systems for the detection. ...
Article
In the Internet of Things (IoT), interconnected devices manage essential information related to people’s lives; hence, securing this information is essential. The number of these machines is rapidly growing; these are mostly embedded, and therefore more susceptible to attacks. Recently, thousands of subverted IoT embedded machines, such as surveillance cameras, were used for launching distributed denial of service (DDoS) attacks. In this scenario, attackers, who are not embedded machines, can emulate their behaviors to subvert the machine-to-machine network. In this paper, we present a novel algorithm to detect such forged machines. This allows detection of virtualized and emulated systems by observing their behaviors and can be used by IoT trust agents in embedded machines. With the aim of creating a machine-agnostic system, portable and applicable to future IoT machines, we propose a classification-based algorithm as the detection mechanism. Extensive experiments with different system architectures and operating systems were performed, along with a comparison of several feature selection and classification methods. The results show that our method can quickly reveal illegitimate machines with a high probability of detection, giving the opportunity for its use in power-constrained machines. Our approach is also able to detect unknown embedded systems and can be used to detect fake timing attacks.
... 6.2.2 Fingerprinting Alternative Platforms. Future research may look to fingerprinting and evading alternative analysis platforms, including Flash [180], antivirus [21], IoT [151], BIOS [69], and PDF [178]. Researchers may also develop methods of detecting SMM-based analysis systems, which have been claimed to be highly transparent [191]. ...
Conference Paper
Automated dynamic malware analysis systems are important in combating the proliferation of modern malware. Unfortunately, malware can often easily detect and evade these systems. Competition between malware authors and analysis system developers has pushed each to continually evolve their tactics for countering the other. In this paper we systematically review i) "fingerprint"-based evasion techniques against automated dynamic malware analysis systems for PC, mobile, and web, ii) evasion detection, iii) evasion mitigation, and iv) offensive and defensive evasion case studies. We also discuss difficulties in experimental evaluation, highlight future directions in offensive and defensive research, and briefly survey related topics in anti-analysis.
... Authors in [5]- [10] proposed several trust management frameworks that could be applied in the IoT. However, they do not address an important threat against M2M communications as highlighted by authors in [11]. They show the importance of protecting the network from attackers creating "Machine-to-Fake Machine" (M2FM) communications. ...
... Examples of signatures are registry keys, MAC addresses, hardware IDs, running application names, etc. If there are specific signatures related to known virtual machines, then the system is considered to be virtualised [15], [16], [18]- [21]; • Behavioural tests: timing behaviours from REMs are used for defining threshold values that can be applied for detecting VESs [11]. ...
... Furthermore, fingerprinting tests can be easily attacked by faking the signatures, especially where open source OSs and software are used, e.g. the MAC address can be changed by using an application called MACChanger, applications can be recompiled with different names, etc. The behavioural test proposed in [11] is based on using a range of behaviours obtained from REMs as threshold values for detecting VESs. Behaviours from a target are then compared to these ranges. ...