MEDA: A Machine Emulation Detection Algorithm

Valerio Selis, Alan Marshall


Security in the Internet of Things (IoT) is now considered a priority, and trust in machine-to-machine (M2M) communications is expected to play a key role. This paper presents a mechanism to detect an emerging threat in M2M systems whereby an attacker may create multiple fake embedded machines using virtualized or emulated systems, in order to compromise either a targeted IoT device, or the M2M network. A new trust method is presented that is based on a characterisation of the behaviours of real embedded machines, and operates independently of their architectures and operating systems, in order to detect virtual and emulated systems. A range of tests designed to characterise embedded and virtual devices are presented, and the results underline the efficiency of the proposed solution for detecting these systems easily and quickly.


  1. 8devices (2012). Carambola. [Online] Available from: [Accessed: 24 February 2015].
  2. Android Developers (2014). SDK Tools - Android Emulator. [Online] Available from: http://developer. [Accessed: 24 February 2015].
  3. Arduino (2013). Arduino Board Y ún. [Online] Available from: [Accessed: 24 February 2015].
  4. Atzori, L., Iera, A., and Morabito, G. (2010). The internet of things: A survey. Computer Networks, 54(15):2787 - 2805.
  5. Bao, F. and Chen, I.-R. (2012). Dynamic trust management for Internet of Things applications. In Proceedings of the 2012 international workshop on Self-aware internet of things, pages 1-6. ACM.
  6. Bellard, F. (2005). Qemu, a fast and portable dynamic translator. In USENIX Annual Technical Conference, FREENIX Track, pages 41-46.
  7. Celeda, P., Krejci, R., Vykopal, J., and Drasar, M. (2010). Embedded malware-an analysis of the Chuck Norris botnet. In Computer Network Defense (EC2ND), 2010 European Conference on, pages 3-10. IEEE.
  8. Chen, M., Wan, J., and Li, F. (2012). Machine-to-machine communications. KSII Transactions on Internet and Information Systems (TIIS), 6(2):480-497.
  9. Chen, X., Andersen, J., Mao, Z. M., Bailey, M., and Nazario, J. (2008). Towards an understanding of antivirtualization and anti-debugging behavior in modern malware. In Dependable Systems and Networks With FTCS and DCC, 2008. DSN 2008. IEEE International Conference on, pages 177-186. IEEE.
  10. Gavare, A. (2014). GXemul. [Online] Available from: [Accessed: 24 February 2015].
  11. Genymobile (2014). Genymotion. [Online] Available from: [Accessed: 24 February 2015].
  12. Google and Asus (2012). Nexus 7 (2012) Tech Specs (32GB + Mobile Data). [Online] Available from: 2841846?hl=en. [Accessed: 24 February 2015].
  13. Google and LG Electronics (2013). Nexus 5 Tech Specs. [Online] Available from: https://support. [Accessed: 24 February 2015].
  14. Jacobson, V., Braden, R., and Borman, D. (1992). TCP extensions for high performance. RFC 1323.
  15. Jia-Bin, W., Yi-Feng, L., and Kai, C. (2012). Virtualization detection based on data fusion. In Computer Science and Information Processing (CSIP), 2012 International Conference on, pages 393-396. IEEE.
  16. Jing, Y., Zhao, Z., Ahn, G.-J., and Hu, H. (2014). Morpheus: automatically generating heuristics to detect android emulators. In Proceedings of the 30th Annual Computer Security Applications Conference, pages 216-225. ACM.
  17. Kohno, T., Broido, A., and Claffy, K. C. (2005). Remote physical device fingerprinting. Dependable and Secure Computing, IEEE Transactions on, 2(2):93-108.
  18. Lee, G. M., Crespi, N., Choi, J. K., and Boussard, M. (2013). Internet of Things. In Evolution of Telecommunication Services, pages 257-282. Springer.
  19. Martignoni, L., Paleari, R., Roglia, G. F., and Bruschi, D. (2009). Testing CPU emulators. In Proceedings of the eighteenth international symposium on Software testing and analysis, pages 261-272. ACM.
  20. Milliken, J., Selis, V., and Marshall, A. (2013). Detection and analysis of the Chameleon WiFi access point virus. EURASIP Journal on Information Security, 2013(1):1-14.
  21. Nitti, M., Girau, R., and Atzori, L. (2014). Trustworthiness management in the social Internet of Things. Knowledge and Data Engineering, IEEE Transactions on, 26(5):1253-1266.
  22. Open Virtual Platform (2014). OVPsim. [Online] Available from: technology ovpsim.php. [Accessed: 24 February 2015].
  23. Oracle Corporation (2014). VirtualBox. [Online] Available from: [Accessed: 24 February 2015].
  24. Ortega, A. L. (2013). MAC Changer. [Online] Available from: [Accessed: 24 February 2015].
  25. PC Engines GmbH (2007). ALIX 6F2 System Board. [Online] Available from: alix6f2.htm. [Accessed: 24 February 2015].
  26. Polcák, L. and Franková, B. (2014). On reliability of clockskew-based remote computer identification. In International Conference on Security and Cryptography. SciTePress-Science and Technology Publications.
  27. Polcák, L., Jirásek, J., and Matousek, P. (2014). Comment on remote physical device fingerprinting. IEEE Transactions on Dependable and Secure Computing, (5):494-496.
  28. Quist, D. and Smith, V. (2006). Further down the VM spiral-detection of full and partial emulation for IA32 virtual machines. Proceedings of the Defcon, 14.
  29. Raffetseder, T., Kruegel, C., and Kirda, E. (2007). Detecting system emulators. In Information Security, pages 1- 18. Springer.
  30. Raspberry Pi Foundation (2012). Early versions of the Raspberry Pi Model B. [Online] Available from: raspberrypi/models/ [Accessed: 24 February 2015].
  31. Rutkowska, J. (2004). Red pill: Detect VMM using (almost) one CPU instruction. [Online] Available from: [Accessed: 24 February 2015].
  32. Saied, Y. B., Olivereau, A., Zeghlache, D., and Laurent, M. (2013). Trust management system design for the Internet of Things: A context-aware and multi-service approach. Computers & Security, 39:351-365.
  33. Shi, H., Alwabel, A., and Mirkovic, J. (2014). Cardinal pill testing of system virtual machines. In Proceedings of the 23rd USENIX conference on Security Symposium (SEC'14). USENIX Association, Berkeley, CA, USA, pages 271-285.
  34. Vidas, T. and Christin, N. (2014). Evading android runtime analysis via sandbox detection. In Proceedings of the 9th ACM symposium on Information, computer and communications security, pages 447-458. ACM.
  35. VMware Inc (2015). VMware Player. [Online] Available from: [Accessed: 24 February 2015].

Paper Citation

in Harvard Style

Selis V. and Marshall A. (2015). MEDA: A Machine Emulation Detection Algorithm . In Proceedings of the 12th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2015) ISBN 978-989-758-117-5, pages 228-235. DOI: 10.5220/0005535202280235

in Bibtex Style

author={Valerio Selis and Alan Marshall},
title={MEDA: A Machine Emulation Detection Algorithm},
booktitle={Proceedings of the 12th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2015)},

in EndNote Style

JO - Proceedings of the 12th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2015)
TI - MEDA: A Machine Emulation Detection Algorithm
SN - 978-989-758-117-5
AU - Selis V.
AU - Marshall A.
PY - 2015
SP - 228
EP - 235
DO - 10.5220/0005535202280235