On 28 April 2014 14:41, Dmitry Poletaev <poletaev-q...@yandex.ru> wrote:
> Let's imagine we analyse a program (maybe malware) and so
> run it in an emulator. Malware can execute that test and understand
> that it runs in an emulator. After that, malware can make the decision
> that someone is analysing it and alter its behaviour with a view to
> making analysis more complicated.
I understand this theory. I think it's misguided to think that it's
possible to avoid the problem.

> So it makes sense to apply that patch.

I disagree with this, because we can never make QEMU behave exactly
identically to the hardware (timing effects, weird choices of QEMU
devices, etc). We cannot offer this guarantee, so there is no point in
attempting to make changes purely to try to provide the guarantee in
some areas.

(Just to pick a fairly easy way guest malware can detect QEMU TCG, it
can run timing tests that probe for the size of L1 cache by looking for
the point where memory access time falls off a cliff. QEMU will never be
able to emulate caches with the same sort of memory timing profile.)

thanks
-- PMM
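The timing probe Peter describes, as an added example that is not part of the thread and not QEMU code: it walks working sets of 1 KiB to 1 MiB through a randomised pointer chain, times the dependent loads, and reports the first size at which the per-access cost jumps. On bare metal the jump sits just past the L1 data cache size; under a software emulator that models no cache the profile looks different (typically flat, dominated by translation overhead). The 64-byte line size, the power-of-two step series, the 1.5x jump threshold and the two constructed sample profiles are assumptions for illustration, not values from the discussion.

```c
/* Added example (not from the QEMU thread). Detects a cache-size cliff
 * in memory access timing; assumptions are marked in comments. */
#define _POSIX_C_SOURCE 199309L
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define LINE   64    /* assumed cache line size in bytes */
#define STEPS  11    /* working sets of 1, 2, 4, ... 1024 KiB */

/* Constructed sample profiles (ns per access, not measured): one with a
 * hardware-like jump once the working set exceeds 32 KiB, one flat as a
 * cache-less emulator might show. Used to demonstrate find_cliff(). */
static const double sample_cpu[STEPS]  = {1.0, 1.0, 1.0, 1.0, 1.0, 1.1, 3.0, 3.2, 3.3, 9.0, 9.5};
static const double sample_flat[STEPS] = {2.0, 2.1, 2.0, 2.2, 2.1, 2.0, 2.3, 2.2, 2.1, 2.4, 2.2};

static uint64_t now_ns(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
}

/* Link the cache lines of buf[0..bytes) into one random cycle (each line
 * stores the byte offset of the next), then time `iters` dependent loads
 * around it. The data dependency stops loads overlapping and the random
 * order defeats the hardware prefetcher. Returns mean ns per access. */
static double time_working_set(uint8_t *buf, size_t bytes, size_t iters)
{
    size_t lines = bytes / LINE;
    size_t *order = malloc(lines * sizeof *order);
    if (!order)
        return -1.0;
    for (size_t i = 0; i < lines; i++)
        order[i] = i;
    for (size_t i = lines - 1; i > 0; i--) {           /* Fisher-Yates shuffle */
        size_t j = (size_t)rand() % (i + 1);
        size_t t = order[i]; order[i] = order[j]; order[j] = t;
    }
    for (size_t i = 0; i < lines; i++)
        *(size_t *)(buf + order[i] * LINE) = order[(i + 1) % lines] * LINE;
    free(order);

    size_t off = 0;
    uint64_t t0 = now_ns();
    for (size_t i = 0; i < iters; i++)
        off = *(volatile size_t *)(buf + off);         /* volatile: keep the loads */
    uint64_t t1 = now_ns();
    return (double)(t1 - t0) / (double)iters;
}

/* Return the index (into the 1, 2, 4, ... KiB series) of the first working
 * set whose per-access cost exceeds the previous one by `ratio`, or -1 if
 * the profile shows no such cliff. */
static int find_cliff(const double *ns, int n, double ratio)
{
    for (int i = 1; i < n; i++)
        if (ns[i - 1] > 0.0 && ns[i] > ns[i - 1] * ratio)
            return i;
    return -1;
}

/* Measure all STEPS working sets into ns[]. Returns STEPS, or 0 on OOM. */
static int probe_cache(double *ns)
{
    size_t max = (size_t)1024 << (STEPS - 1);
    uint8_t *buf = malloc(max);
    if (!buf)
        return 0;
    memset(buf, 0, max);
    for (int s = 0; s < STEPS; s++)
        ns[s] = time_working_set(buf, (size_t)1024 << s, (size_t)1 << 20);
    free(buf);
    return STEPS;
}

int main(void)
{
    double ns[STEPS];
    int n = probe_cache(ns);
    for (int s = 0; s < n; s++)
        printf("%5d KiB: %.2f ns/access\n", 1 << s, ns[s]);
    int cliff = find_cliff(ns, n, 1.5);    /* 1.5x jump threshold: an assumption */
    if (cliff < 0)
        puts("flat profile, no cache cliff seen");
    else
        printf("cost jumps once the working set passes %d KiB\n", 1 << (cliff - 1));
    printf("sample_cpu cliff index %d, sample_flat cliff index %d\n",
           find_cliff(sample_cpu, STEPS, 1.5), find_cliff(sample_flat, STEPS, 1.5));
    return 0;
}
```

Run it on the host and then inside a TCG guest and compare the two printed profiles; the measured numbers vary with host load and CPU, so a real detector would repeat the probe and vote, and would choose the threshold from the observed noise rather than the fixed 1.5x used here.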