Cardinal Pill Testing of System Virtual Machines



Malware analysis relies heavily on the use of virtual machines for functionality and for safety. There are subtle differences in operation between virtual machines and physical machines. Contemporary malware checks for these differences to detect that it is being run in a virtual machine, and modifies its behavior to thwart being analyzed by the defenders. Existing approaches to uncover these differences use randomized testing, or malware analysis, and cannot guarantee completeness.

We propose Cardinal Pill Testing - a modification of Red Pill Testing that aims to enumerate the differences between a given VM an a physical machine, through carefully designed tests.

Testing Architecture

Software & Code




This material is based upon work supported by the Department of Homeland Security, and Space and Naval Warfare Systems Center, San Diego, under Contract No. N66001-10-C-2018. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the Department of Homeland Security for the Space and Naval Warfare Systems Center, San Diego.