Web-based virtual machine detection using the HTML5 Performance object

amit — Mon, 05 Oct 2015 20:37:33 +0000

Multiple browsers (Microsoft Edge, Microsoft Internet Explorer, Mozilla Firefox) Performance object leaks the Windows performance counter frequency (equivalent to physical CPU clock speed or virtual machine detection)

Advisory

Amit Klein

In three browser families researched (Edge, Internet Explorer and Firefox), it is possible to extract the frequency of the Windows performance counter frequency, using standard HTML and Javascript. In all 3 browsers, window.performance.now() yields a time measurement in milliseconds (not necessarily an integral number), which is actually an integral number of the Windows performance counter ticks (i.e. 1/f where f is the Windows performance counter frequency). With multiple samples of window.performance.now() it is possible to extract this underlying time unit (e.g. using the real number version of the GCD algorithm).

With the Windows performance counter frequency, it is possible to (see details at the author’s “Detecting virtualization over the web with IE9 (platform preview) and Semi-permanent computer fingerprinting and user tracking in IE9 (platform preview)” sections 5 and 6 - http://landing2.trusteer.com/sites/default/files/VM_Detection_and_Temporary_User_Tracking_in_IE9_Platform_Preview.pdf, mirror: http://dl.packetstormsecurity.net/1012-advisories/ie9-tracking.pdf)

Remotely detect some virtual machines – by detecting two specific frequencies typically used in VM implementations, but rarely in physical machines – 10000000 Hz (synthetic HPET-based counter) and 3579545 Hz (ACPI-based counter). Physical machines typically use TSC-based counter, whose frequency is proportional to the nominal clock frequency. This strongly depends on the host OS, guest OS and VM implementation. Results on Windows host OS are summarized here. Results on non-Windows host OS may be drastically different.
Coarse-grain fingerprint the machine – when the performance counter is TSC-based, the CPU frequency is roughly 1024 times the Windows performance counter frequency. But it also seems that different machines with the same CPU clock frequency may exhibit slightly different performance counter frequencies, thus extending the fingerprint beyond simply the CPU clock speed. For example, one machine with Intel i7-3770 CPU (3.40GHz) yielded performance counter values around 3323580Hz, while another machine with Intel i7-2600 CPU (3.40GHz) yielded values around 3312805Hz (over 10000Hz apart, way beyond the measurement fluctuations). Another important feature of this fingerprinting method is that it works across the three browsers (Edge, Internet Explorer and Firefox), i.e. all 3 browsers will produce the same fingerprint for the same machine.

Visit the demo page to see the data extracted from your browser.

The windows.performance object is supported starting Internet Explorer 10 (https://msdn.microsoft.com/en-us/library/ie/hh973355(v=vs.85).aspx) and Firefox 34 (https://developer.mozilla.org/en-US/docs/Web/API/Performance).

Proof of concept code (extracting the performance counter frequency):

<html>

function gcd(a,b)

{

if (a<0.00000001)

{

return b;

}

if (a<b)

{

return gcd(b-Math.floor(b/a)*a,a);

}

else if (a==b)

{

return a;

}

else

{

return gcd(b,a);

}

var x_init=performance.now()/1000;

var g=performance.now()/1000-x_init;

for (var i=0;i<10;i++)

{

g=gcd(g,performance.now()/1000-x_init);

}

alert("Performance Counter Frequency: "+Math.round(1/g)+" Hz");</script>

</body>

</html>

Notes about the code:

The GCD algorithm yields stable results when the initial numbers fed to it are “small”. Therefore, a baseline measurement is taken and subtracted from further measurements before being fed to the GCD algorithm.
The counter frequency seems to be a bit unstable right after restart, and after CPU idleness. A deviation of up to 5ppm (few dozen Hz) was observed.
Affected browsers: Microsfot Edge, Microsoft Internet Explorer 10 - 11, Mozilla Firefox 34.0 (probably) - 40.0.3. The attack code was successfully tested with Edge (v20.10240.16384.0), Internet Explorer 11 (11.0.9600.18036, update version 11.0.23 - latest at the time this advisory is written), Internet Explorer 10, Firefox 40.0.3 (ditto) and Firefox 39.0 and 38.0.x and 34.0, on Windows 10 64 bit, Windows 8.1 64 bit (two machines) and Windows 7 SP1 64 bit (one machine). The attack succeeded for both Desktop and Metro styles of Internet Explorer (11).

Vendor/fix status

Mozilla Firefox – fixed in Firefox version 41.0 (released September 22^nd, 2015). See Mozilla Foundation Security Advisory 2015-114. This is documented as part of Bugtraq BID 76815.
Microsoft Internet Explorer and Edge – MSRC tracks this issue as [21897mp] and informed me that they do not plan to fix this issue.

On Windows Performance Counter Frequency, VMs and guest OSes

amit — Mon, 05 Oct 2015 19:59:23 +0000

The following table summarizes the values of Windows Performance Counter Frequency in various Windows guest OS and VM implementations. In all cases, Windows (8.x/10) was the host OS - do note that very different results may be obtained on non-Windows host OS. Data was gathered in Q3 2015 with current versions at that time.

Guest OS and VM implementation (with Windows 8.x/10 as host OS)
	VMware player 7.0.0 build-2305329	Oracle VirtualBox 4.3.28 r100309	Microsoft Hyper-V 6.3.9600.16384
Win 10 64-bit	3579545 (PMtimer)	Nominal speed / 1024 (TSC)	10000000 (synthetic HPET)
Win 8.1/8.0 Ent. 32-bit	Turbo speed / 1024 (TSC-like)	Nominal speed / 1024 (TSC)	10000000 (synthetic HPET)
Win 7 Ent. SP1 32-bit	10000000 (synthetic HPET)	3579545 (PMtimer)	10000000 (synthetic HPET)

In green - entries (combinations) that are detectable (as VM) using Windows Performance Counter Frequency.

In red - entries (combinations) that are undetectable (as VM) using Windows Performance Counter Frequency.

ADDITION (January 2016): tested with Microsoft Azure hypervisor (host), guest operating system Windows Server 2012 R2 Datacenter, IE11 browser - the performance counter frequenct is close to 10000000 (synthetic HPET) - the observed deviation was few dozen Hz. So Microsoft Azure is detectable. Not a big surprise since Microsoft Azure hypervisor is said to be a customized version of Microsoft Hyper-V.

Amit Klein's security corner - windows performance counter

Web-based virtual machine detection using the HTML5 Performance object

Tags:

On Windows Performance Counter Frequency, VMs and guest OSes

Tags: