For the various platforms, there are several vulnerabilities that may cause VM escape. Some of the vulnerabilities we have collected are listed in Table 1.
(i) Generally, after a VM escape has been carried out, a new process or thread is created to execute the illegitimate intent.
(iii) By cross-analyzing the memory content of the host machine and the VMs, VM escape can be detected from the abnormal behavior pattern in the host machine.
When VM escape is detected, the malicious VM can be identified.
Figure 10: Process relationship diagram before VM escape behavior.
Figure 11: Process relationship diagram after VM escape behavior.
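The before/after process comparison that Figures 10 and 11 illustrate can be sketched as follows. This is an added example, not code from the paper: the snapshot format (pid, ppid, name), the rule that VM-backing host processes are recognised by name, and the sample data are all assumptions constructed for illustration.

```python
from typing import Dict, List, NamedTuple, Optional

class Proc(NamedTuple):
    pid: int
    ppid: int
    name: str

# Assumption: host processes that back a guest VM are recognised by name.
VM_PROCESS_NAMES = {"qemu-system-x86_64"}

def vm_ancestor(pid: int, table: Dict[int, Proc]) -> Optional[Proc]:
    """Walk the parent chain; return the first VM-backing process at or above pid."""
    seen = set()
    while pid in table and pid not in seen:  # `seen` guards against ppid loops
        seen.add(pid)
        proc = table[pid]
        if proc.name in VM_PROCESS_NAMES:
            return proc
        pid = proc.ppid
    return None

def detect_escape(before: List[Proc], after: List[Proc]) -> List[dict]:
    """Report processes that are new in `after` and descend from a VM process."""
    known = {(p.pid, p.name) for p in before}
    table = {p.pid: p for p in after}
    findings = []
    for p in after:
        # Skip processes already present and the VM processes themselves.
        if (p.pid, p.name) in known or p.name in VM_PROCESS_NAMES:
            continue
        vm = vm_ancestor(p.ppid, table)
        if vm is not None:
            # vm_pid identifies which VM the new host process came from.
            findings.append({"pid": p.pid, "name": p.name, "vm_pid": vm.pid})
    return findings

# Constructed host snapshots: two VMs (pids 1200 and 1300) plus normal services.
BEFORE = [Proc(1, 0, "systemd"), Proc(900, 1, "libvirtd"),
          Proc(1200, 1, "qemu-system-x86_64"),
          Proc(1300, 1, "qemu-system-x86_64"), Proc(1500, 1, "sshd")]
# Afterwards: a shell and its child appear under VM 1300; an ordinary login under sshd.
AFTER = BEFORE + [Proc(4100, 1300, "sh"), Proc(4101, 4100, "id"),
                  Proc(4200, 1500, "bash")]

if __name__ == "__main__":
    for finding in detect_escape(BEFORE, AFTER):
        print(finding)
```

The `vm_pid` field ties each new host process back to the VM process it descends from, which is how the malicious VM is singled out once the abnormal pattern is seen.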
Table 1: Vulnerabilities that may cause VM escape.

| Vulnerability name | Affected platforms |
|---|---|
| CVE-2007-1744 | VMware |
| CVE-2008-0923 | VMware |
| CVE-2009-1244 | VMware |
| CVE-2012-0217 | Xen |
| CVE-2014-0983 | VirtualBox |
| CVE-2015-5279 | KVM |
| CVE-2015-7504 | Xen/KVM/VirtualBox |
| CVE-2015-7835 | Xen |
| CVE-2015-6815 | Xen/KVM |
| CVE-2015-3247 | Xen/KVM |
| CVE-2016-7092 | Xen |
| CVE-2016-6258 | Xen |
| CVE-2016-4440 | KVM |
| CVE-2017-2615 | Xen/KVM |
| CVE-2017-0109 | Hyper-V |
| CVE-2017-4934 | VMware |
| CVE-2017-0075 | Hyper-V |
| CVE-2017-4903 | VMware |
| CVE-2017-4936 | VMware |
Furthermore, according to the abnormal behavior pattern in the host machine, VM escapes may be detected.