Web-based virtual machine detection

My research:

DETECTING OPERATION OF A VIRTUAL MACHINE (US patent 9384034 B2 granted July 2016; inventor: Amit Klein; assignee: IBM; filed March 2014; published October 2015 under the designation US2015/0277950A1), text only version here. This patent application discloses a technique to extract the Math.random seed of Adobe Flash (requires the AVM2 machine, i.e. ActionScript 3; tested with Adobe Flash versions 10.x and 11.x) from two consecutive readouts of Math.random(). Using two extracted seeds (from two movies played at two different times), it is possible to extract the Windows Performance Counter frequency. VM detection can then be achieved by looking that frequency up in the Auxiliary data.

Web-based virtual machine detection using the HTML5 Performance object by Amit Klein (2015).

Auxiliary data: a matrix summarizing the Windows Performance Counter Frequency in combinations of VM implementations and Windows operating system versions by Amit Klein (2015).

"Web-based virtual machine detection with HTML5 features" by Amit Klein (2015).

"Detecting virtualization over the web with IE9 (platform preview) and Semi-permanent computer fingerprinting and user tracking in IE9 (platform preview)" by Amit Klein (2010).

NOTE: several of the empirical results regarding various timers' behavior that were undocumented back in 2010 are now officially documented (MSDN article "Acquiring high-resolution time stamps", circa 2014). Moreover, it looks like Hyper-V's counter frequency of 10MHz can be used to detect it.

 

Other people's research:

"Tick Tock: Building Browser Red Pills from Timing Side Channels" by Grant Ho, Dan Boneh, Lucas Ballard and Niels Provos (2014).

"A Technique for Remote Detection of Certain Virtual Machine Monitors" by Christopher Jämthagen, Martin Hell and Ben Smeets (2012). This one, though, is more concerned with IP protocol TTL and ID anomalies (combined with HTTP's User-Agent field).