Whitepaper: Compatibility Is Not Transparency: VMM Detection Myths and Realities

Detection of a Virtual Machine Monitor (VMM) has remained a hot topic since the appearance of the Blue Pill prototype.

Despite many authoritative opinions against its feasibility, the security and virtualization communities are still debating the topic.

In a joint effort, VMware, XenSource, and Stanford and Carnegie Mellon universities produced a paper to clarify why achieving VMM invisibility is impossible.

Compatibility Is Not Transparency: VMM Detection Myths and Realities was presented in May 2007 at HotOS 11, a Usenix workshop about hot topics in operating systems:

Recent work on applications ranging from realistic honeypots to stealthier rootkits has speculated about building transparent VMMs – VMMs that are indistinguishable from native hardware, even to a dedicated adversary. We survey anomalies between real and virtual hardware and consider methods for detecting such anomalies, as well as possible countermeasures. We conclude that building a transparent VMM is fundamentally infeasible, as well as impractical from a performance and engineering standpoint.

Read the whole paper at the source.