DETECTING EMULATED ENVIRONMENTS

Abstract

One of the most powerful tools in the hacker's reverse engineering arsenal is the virtual machine. These systems provide a simple mechanism for executing code in an environment in which the program can be carefully monitored and controlled, allowing attackers to subvert copy protection and access trade secrets. One of the challenges for anti-reverse engineering tools is how to protect software within such an untrustworthy environment. From the perspective of a running program, detecting an emulated environment is not trivial: the attacker can emulate the result of different operations with arbitrarily high fidelity. This paper demonstrates a mechanism that is able to detect even carefully constructed virtual environments by focusing on the stochastic variation of system call timings. A statistical technique for detecting emulated environments is presented, which uses a model of normal system call behavior to successfully identify two commonly used virtual environments under realistic conditions.
