Please use this identifier to cite or link to this item: https://dl.ucsc.cmb.ac.lk/jspui/handle/123456789/4943
Title: Investigating Linux Random Number Generator for Virtualization Detection from the Non Privileged User Space
Authors: Harshani, A. A. D.
Issue Date: 26-Jun-2025
Abstract: The detection of virtualization presence is a critical problem in malware analysis, where malicious software may attempt to identify if it is being tested within a virtual environment. Existing methods often require special privileges, creating a gap for non privileged approaches. This study investigates the feasibility of detecting virtualization presence from the non privileged user space by analyzing the behaviour of the Linux Random Number Generator (LRNG), a component not previously used for this purpose. A series of experiments was conducted across bare metal and virtual environments under varying impact levels to assess differences in random number generation rates and quality. The evaluation included both single and multiple VM setups, across desktop, private, and public cloud infrastructures. Results revealed measurable distinctions in LRNG behaviour between bare metal and virtual environments through distinct timing distributions, where early peaks were observed. These early peaks refer to instances where random number generation took significantly longer at the beginning in virtual environments than on bare metal systems. Additionally, differences in dispersion patterns across bare metal and virtual environments were identified, which were collectively used for the detection of virtualization environments through derived thresholds, achieving a detection accuracy of up to 94.44%. The study also examined the role of entropy enhancing tools, designed to improve the randomness of generated data, in obscuring virtualization presence. The results showed that this approach is ineffective, suggesting the need for further research into obscuring such detection. The influence of the operating system on LRNG behaviour was identified as a significant factor, with notable differences observed between Debian and Red Hat based Linux systems.
These findings demonstrate the potential of LRNG characteristics as a novel direction for non privileged virtualization detection. Unlike traditional detection methods that rely on privileged access, this approach operates entirely from the user space, demonstrating the feasibility of using user space behaviours to address virtualization detection challenges and opening possibilities for further research in this domain. Future work should focus on extending the scope of these findings, addressing the limitations identified, and exploring additional methods to enhance the robustness of detection and obfuscation techniques.
URI: https://dl.ucsc.cmb.ac.lk/jspui/handle/123456789/4943
Appears in Collections: 2025

Files in This Item:
File: 20000723 - A.A.D. Harshani - AAD Harshani Dharmarathna.pdf
Size: 7.22 MB
Format: Adobe PDF

