[Qemu-devel] Making Qemu/KVM more undetectable to malwares

[Qemu-devel] Making Qemu/KVM more undetectable to malwares

[Yang Luo]

[-- Attachment #1: Type: text/plain, Size: 771 bytes --]

Hi list,

I'm a phd student, majoring in System Security. I'm looking for a research
idea about Qemu/KVM security. What do think are the most important security
problems for Qemu/KVM needed to be addressed or studied?

And how about this idea. I found out that lots of malware will detect the
presence of hypervisors and refuse to refuse to execute their real code in
a VM. The malwares do this to prevent security engineers from analyzing
their code under a VM. Lots of detection methods have been proposed for
many years. But hypervisors seem to not care about this issue.

So what do you think about making Qemu/KVM more undetectable to malwares?
Is this idea viable?

Also any other thoughts about Qemu/KVM security you are interested in are
welcome:)


Cheers,
Yang

[-- Attachment #2: Type: text/html, Size: 945 bytes --]

Re: [Qemu-devel] Making Qemu/KVM more undetectable to malwares

[Paolo Bonzini]

On 02/03/2016 04:07, Yang Luo wrote:
> And how about this idea. I found out that lots of malware will detect
> the presence of hypervisors and refuse to refuse to execute their real
> code in a VM. The malwares do this to prevent security engineers from
> analyzing their code under a VM. Lots of detection methods have been
> proposed for many years. But hypervisors seem to not care about this issue.
> 
> So what do you think about making Qemu/KVM more undetectable to
> malwares? Is this idea viable?

KVM already allows you to disable CPUID leaves specific to hypervisors.
 As you said, other detection methods for hypervisors exist, and patches
are welcome to thwart them. :)

However, while it is definitely a nice project and we would appreciate
it, it doesn't sound like the kind of research that you would publish in
academic venues.

Paolo