* [Qemu-devel] Making Qemu/KVM more undetectable to malwares
From: Yang Luo @ 2016-03-02 3:07 UTC
To: qemu-devel
Hi list,
I'm a PhD student, majoring in System Security. I'm looking for a research
idea about Qemu/KVM security. What do you think are the most important security
problems for Qemu/KVM that need to be addressed or studied?
And how about this idea. I found out that lots of malware will detect the
presence of hypervisors and refuse to execute their real code in
a VM. The malwares do this to prevent security engineers from analyzing
their code under a VM. Lots of detection methods have been proposed for
many years. But hypervisors seem to not care about this issue.
So what do you think about making Qemu/KVM more undetectable to malwares?
Is this idea viable?
Also, any other thoughts about Qemu/KVM security you are interested in are
welcome :)
Cheers,
Yang
* Re: [Qemu-devel] Making Qemu/KVM more undetectable to malwares
From: Paolo Bonzini @ 2016-03-02 9:22 UTC
To: Yang Luo, qemu-devel
On 02/03/2016 04:07, Yang Luo wrote:
> And how about this idea. I found out that lots of malware will detect
> the presence of hypervisors and refuse to execute their real
> code in a VM. The malwares do this to prevent security engineers from
> analyzing their code under a VM. Lots of detection methods have been
> proposed for many years. But hypervisors seem to not care about this issue.
>
> So what do you think about making Qemu/KVM more undetectable to
> malwares? Is this idea viable?
KVM already allows you to disable CPUID leaves specific to hypervisors.
As you said, other detection methods for hypervisors exist, and patches
are welcome to thwart them. :)
However, while it is definitely a nice project and we would appreciate
it, it doesn't sound like the kind of research that you would publish in
academic venues.
Paolo
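
A guest-side check that the hypervisor-specific CPUID values mentioned in the reply above are really hidden from an analysis VM, as an added example that is not part of the original thread or of QEMU/KVM code. The names hv_findings, hv_audit and hv_audit_live are hypothetical; the values checked are CPUID.1:ECX bit 31 and the KVM signature at leaf 0x40000000.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

struct hv_findings {
    int hypervisor_bit;  /* CPUID.1:ECX bit 31 ("hypervisor present") */
    int kvm_signature;   /* leaf 0x40000000 returns "KVMKVMKVM\0\0\0" */
    char sig[13];        /* EBX, ECX, EDX of that leaf as bytes, NUL-terminated */
};

/* Decode raw register values; separate from the CPUID instruction so the
 * logic can be checked with constructed inputs on any machine. */
static struct hv_findings hv_audit(uint32_t leaf1_ecx, uint32_t ebx,
                                   uint32_t ecx, uint32_t edx)
{
    struct hv_findings f;
    uint32_t regs[3] = { ebx, ecx, edx };
    memset(&f, 0, sizeof f);
    f.hypervisor_bit = (int)((leaf1_ecx >> 31) & 1u);
    for (int i = 0; i < 12; i++)  /* registers hold the text little-endian */
        f.sig[i] = (char)((regs[i / 4] >> (8 * (i % 4))) & 0xffu);
    /* Checked separately from the bit: two distinct guest-visible values. */
    f.kvm_signature = memcmp(f.sig, "KVMKVMKVM\0\0\0", 12) == 0;
    return f;
}

/* Read the live values; returns -1 where CPUID is unavailable (non-x86). */
static int hv_audit_live(struct hv_findings *out)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned int a, b, c, d, leaf1_ecx;
    if (!__get_cpuid(1, &a, &b, &leaf1_ecx, &d)) return -1;
    __cpuid(0x40000000, a, b, c, d);
    *out = hv_audit(leaf1_ecx, b, c, d);
    return 0;
#else
    (void)out; return -1;
#endif
}

int main(void)
{
    struct hv_findings f;
    if (hv_audit_live(&f) != 0) { puts("CPUID not available"); return 2; }
    printf("hypervisor bit: %d, KVM signature: %d\n", f.hypervisor_bit, f.kvm_signature);
    return f.hypervisor_bit || f.kvm_signature;  /* 0 = neither value exposed */
}
```

Run inside the guest, an exit status of 0 means neither value is exposed; in QEMU the two are controlled by the `kvm=off` and `-hypervisor` options of `-cpu`.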