310 Int. J. Communication Networks and Distributed Systems, Vol. 11, No. 3, 2013
Copyright © 2013 Inderscience Enterprises Ltd.
VMM detection using privilege rings and benchmark execution times
Mohsen Sharifi*, Hadi Salimi,
Alireza Saberi and Joobin Gharibshah
Distributed Systems Laboratory,
School of Computer Engineering,
Iran University of Science and Technology,
University Road, Hengam Street,
Resalat Square, Narmak, Tehran, Iran
Fax: + 98-21-7322-8307
E-mail: msharifi@iust.ac.ir
E-mail: hsalimi@iust.ac.ir
E-mail: a_saberi@iust.ac.ir
E-mail: joobin@comp.iust.ac.ir
*Corresponding author
Abstract: This paper proposes two complementary virtual machine monitor
(VMM) detection methods. These methods can be used to detect any VMM
that is designed for the x86 architecture. The first method works by finding
probable discrepancies in hardware privilege levels of the guest operating
system’s kernel on which user applications run. The second method works by
measuring the execution times of a set of benchmark programmes and
comparing them with the stored execution times of the same programmes
previously run on a trusted physical machine. Unlike other methods, our
proportional execution time technique cannot be easily thwarted by VMMs.
In addition, using proportional execution times, there is no need for a trusted
external source of time during detection. It is shown experimentally that the
deployment of both methods together can detect the existence of four renowned
VMMs, namely, Xen, VirtualBox, VMware, and Parallels, on both types of
processors: those that support virtualisation technology (VT-enabled) and
those that do not (VT-disabled).
Keywords: VMM detection; virtualisation technology; VT; security; malware
detection; cloud; distributed system; operating system; kernel.
Reference to this paper should be made as follows: Sharifi, M., Salimi, H.,
Saberi, A. and Gharibshah, J. (2013) ‘VMM detection using privilege rings and
benchmark execution times’, Int. J. Communication Networks and Distributed
Systems, Vol. 11, No. 3, pp.310–326.
Biographical notes: Mohsen Sharifi is an Associate Professor of Software
Engineering currently in the School of Computer Engineering of Iran
University of Science and Technology. He directs a Distributed System
Software research group and laboratory. His main interest is in the development
of distributed systems, solutions, and applications, particularly for use in
various fields of science. The development of a true distributed operating
system is on top of his wish list. He received his BSc, MSc and PhD in
Computer Science from the University of Manchester in the UK.