{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,2,21]],"date-time":"2025-02-21T13:26:24Z","timestamp":1740144384814,"version":"3.37.3"},"reference-count":52,"publisher":"Institute of Electrical and Electronics Engineers (IEEE)","license":[{"start":{"date-parts":[[2021,1,1]],"date-time":"2021-01-01T00:00:00Z","timestamp":1609459200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/ieeexplore.ieee.org\/Xplorehelp\/downloads\/license-information\/IEEE.html"},{"start":{"date-parts":[[2021,1,1]],"date-time":"2021-01-01T00:00:00Z","timestamp":1609459200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2021,1,1]],"date-time":"2021-01-01T00:00:00Z","timestamp":1609459200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-037"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IEEE Trans.Inform.Forensic Secur."],"published-print":{"date-parts":[[2021]]},"DOI":"10.1109\/tifs.2020.3004264","type":"journal-article","created":{"date-parts":[[2020,6,22]],"date-time":"2020-06-22T21:36:26Z","timestamp":1592861786000},"page":"16-27","source":"Crossref","is-referenced-by-count":12,"title":["Detecting Hardware-Assisted Virtualization With Inconspicuous Features"],"prefix":"10.1109","volume":"16","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-3604-5369","authenticated-orcid":false,"given":"Zhi","family":"Zhang","sequence":"first","affiliation":[]},{"given":"Yueqiang","family":"Cheng","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0001-5783-2172","authenticated-orcid":false,"given":"Yansong","family":"Gao","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0002-3289-6599","authenticated-orcid":false,"given":"Surya","family":"Nepal","sequence":"additional","affiliation":[]},{"given":"Dongxi","family":"Liu","sequence":"additional","affiliation":[]},{"given":"Yi","family":"Zou","sequence":"additional","affiliation":[]}],"member":"263","reference":[{"journal-title":"Qemu","year":"2010","author":"bellard","key":"ref39"},{"key":"ref38","first-page":"1196","article-title":"MASCAT: Stopping microarchitectural attacks before execution","volume":"2016","author":"irazoqui","year":"2016","journal-title":"IACR Cryptology ePrint"},{"key":"ref33","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2019.00002"},{"journal-title":"Taskset-Retrieve or Set a Process&#x2019;s Cpu Affinity","year":"2019","key":"ref32"},{"journal-title":"Microsoft Azure Cloud Computing Platform & Services","year":"2010","key":"ref31"},{"journal-title":"Google Cloud Cloud Computing Services","year":"2008","key":"ref30"},{"key":"ref37","doi-asserted-by":"publisher","DOI":"10.1109\/HPCA.2016.7446102"},{"journal-title":"Intel 64 and IA-32 Architectures Optimization Reference Manual","year":"2014","key":"ref36"},{"key":"ref35","article-title":"These are not your grand Daddys cpu performance counters&#x2013;CPU hardware performance counters for security","author":"herath","year":"2015","journal-title":"Proc Black Hat"},{"key":"ref34","doi-asserted-by":"publisher","DOI":"10.1016\/j.asoc.2016.09.014"},{"key":"ref28","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813708"},{"key":"ref27","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.42"},{"journal-title":"Amazon Elastic Compute Cloud","year":"2006","key":"ref29"},{"key":"ref2","first-page":"225","article-title":"KVM: The Linux virtual machine monitor","volume":"1","author":"qumranet","year":"2007","journal-title":"Proc Linux Symp"},{"key":"ref1","doi-asserted-by":"publisher","DOI":"10.1145\/1165389.945462"},{"key":"ref20","first-page":"955","article-title":"Translation leak-aside buffer: Defeating cache side-channel protections with TLB attacks","author":"gras","year":"2018","journal-title":"Proc Usenix Secur Symp"},{"key":"ref22","doi-asserted-by":"publisher","DOI":"10.1145\/2954679.2872390"},{"key":"ref21","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2015.43"},{"key":"ref24","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2016.63"},{"key":"ref23","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-40667-1_15"},{"key":"ref26","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2018.00022"},{"key":"ref25","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2017.23294"},{"key":"ref50","first-page":"3","article-title":"NEther: In-guest detection of out-of-the-guest malware analyzers","author":"p\u00e9k","year":"2011","journal-title":"Proceedings of the 4th ACM European Workshop on System Security (EUROSEC)"},{"journal-title":"Introducing Blue Pill","year":"2006","author":"rutkowska","key":"ref51"},{"key":"ref52","first-page":"1","article-title":"Compatibility is not transparency: VMM detection myths and realities","author":"garfinkel","year":"2007","journal-title":"Proc Workshop on Hot Topics in Operating Syst"},{"key":"ref10","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-40667-1_11"},{"key":"ref11","first-page":"369","article-title":"Attacks on more virtual machine emulators","volume":"55","author":"ferrie","year":"2007","journal-title":"Symantec Technology Exchange"},{"journal-title":"HydraWeb","year":"2005","author":"ferrie","key":"ref40"},{"key":"ref12","article-title":"Detecting bluepill","author":"barbosa","year":"2007","journal-title":"Proc Presentation SyScan Conf"},{"journal-title":"Crypto","year":"2014","key":"ref13"},{"journal-title":"Shifu","year":"2015","key":"ref14"},{"journal-title":"KRONOS","year":"2014","key":"ref15"},{"journal-title":"Intel 64 and IA-32 Architectures Software Developer's Manual Combined Volumes 1 2A 2B 2C 3A 3B and 3C","year":"2011","key":"ref16"},{"journal-title":"Secure Virtual Machine Architecture Reference Manual","year":"2005","key":"ref17"},{"key":"ref18","doi-asserted-by":"publisher","DOI":"10.1145\/1455770.1455779"},{"key":"ref19","doi-asserted-by":"publisher","DOI":"10.1145\/1816038.1816010"},{"key":"ref4","first-page":"1","article-title":"Where am I? Operating system and virtualization identification without system calls","author":"wright","year":"2017","journal-title":"Proc Cyber Secur Symp"},{"journal-title":"Defeating Malware&#x2019;s Anti-Vm Techniques (Cpuid-Based Instructions)","year":"2018","key":"ref3"},{"key":"ref6","doi-asserted-by":"publisher","DOI":"10.1109\/PRIMEASIA.2017.8280360"},{"key":"ref5","doi-asserted-by":"publisher","DOI":"10.1016\/j.comnet.2019.01.013"},{"journal-title":"BluePill Detection in Two Easy Steps","year":"2007","author":"adams","key":"ref8"},{"key":"ref7","first-page":"1","article-title":"Don&#x2019;t tell Joanna, the virtualized rootkit is dead","author":"ptacek","year":"2007","journal-title":"Proc Black Hat"},{"key":"ref49","first-page":"1","article-title":"Efficient detection of split personalities in malware","author":"balzarotti","year":"2010","journal-title":"Proc Symp Network and Distributed System Security"},{"key":"ref9","article-title":"Cpu side-channels vs. virtualization malware: The good, the bad, or the ugly","author":"bulygin","year":"2008","journal-title":"Proc ToorCon"},{"journal-title":"Para Virtualization","year":"1999","key":"ref46"},{"journal-title":"Windows Virtual PC","year":"2009","key":"ref45"},{"key":"ref48","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-23644-0_18"},{"journal-title":"Detect VMM using (almost) One CPU Instruction","year":"2004","author":"rutkowska","key":"ref47"},{"key":"ref42","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-75496-1_1"},{"journal-title":"Bochs","year":"1994","author":"lawton","key":"ref41"},{"journal-title":"VMware Virtualization","year":"1998","key":"ref44"},{"key":"ref43","first-page":"86","article-title":"A fistful of red-pills: How to automatically generate procedures to detect cpu emulators","author":"paleari","year":"2009","journal-title":"Proc USENIX Workshop Offensive Technol"}],"container-title":["IEEE Transactions on Information Forensics and Security"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx7\/10206\/9151439\/09122497.pdf?arnumber=9122497","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,5,10]],"date-time":"2022-05-10T14:52:39Z","timestamp":1652194359000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/9122497\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021]]},"references-count":52,"URL":"https:\/\/doi.org\/10.1109\/tifs.2020.3004264","relation":{},"ISSN":["1556-6013","1556-6021"],"issn-type":[{"type":"print","value":"1556-6013"},{"type":"electronic","value":"1556-6021"}],"subject":[],"published":{"date-parts":[[2021]]}}}