Hypervisor detection is a pillar of sandbox evasion techniques. While hardware-assisted virtualization solutions are indispensable for scalable dynamic malware analysis, compared to bare-metal machines they all introduce timing discrepancies that expert malware writers can reveal using low-level measurement sequences. Today, the most advanced sandboxes fight such attempts by massaging the values malware can read from classic time sources. In this talk we show that this battle is far from over: by taking advantage of recent developments in microarchitectural research, we build and exercise two novel hypervisor detection primitives that current anti-evasion approaches seem incapable of handling. The first idea is to build a high-resolution covert time source from a dedicated counter thread, which ticks as accurately as an unpatched TSC and often with an even better resolution. We revisit well-known detections from evasive malware and academic works using this new source. The second idea is a prime+probe attack on the last-level cache to detect the cache pollution caused by the hypervisor's own execution of its virtual machine monitor code. An investigation of real-world sandboxes showed that while several classic time evasions are no longer effective, counter threads can immediately bring them back to life without raising alerts related to time query attempts. Also, microarchitectural attacks do not seem to be on their radar, and may thus be a promising addition to the malware realm.
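As an added illustration of the first primitive (example code written for this page, not material from the talk or its author): a minimal counter-thread time source in C, used to re-run the classic CPUID VM-exit timing probe without issuing a single RDTSC or time-related system call. The function and type names, the warm-up loop and the trial counts are this example's own choices. It assumes an x86 CPU (CPUID is what forces the VM exit) and at least two CPUs, since the counter thread needs a core of its own to tick at a useful rate. No bare-metal-versus-hypervisor threshold is hard-coded: the slowdown ratio that separates the two is platform-specific and has to be calibrated, and the talk abstract does not publish one.

```c
/* Added example (not from the talk): a counter-thread covert timer used to
 * re-run the classic CPUID VM-exit timing probe without touching RDTSC.
 * Assumes x86 (CPUID) and at least two CPUs so the counter thread gets
 * its own core. Build: cc -O2 -pthread counter_timer.c */
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* The covert time source: a counter bumped as fast as one core can manage. */
static atomic_uint_fast64_t g_ticks;
static atomic_bool g_run;

static void *counter_thread(void *arg) {
    (void)arg;
    while (atomic_load_explicit(&g_run, memory_order_relaxed))
        atomic_fetch_add_explicit(&g_ticks, 1, memory_order_relaxed);
    return NULL;
}

/* Read the covert clock: no RDTSC, no syscall, nothing for a sandbox to hook. */
static inline uint64_t covert_now(void) {
    return atomic_load_explicit(&g_ticks, memory_order_relaxed);
}

/* CPUID unconditionally causes a VM exit under VT-x/AMD-V, so its cost
 * under a hypervisor is far higher than on bare metal. */
static void trapping_op(void) {
#if defined(__x86_64__) || defined(__i386__)
    unsigned a, b, c, d;
    __cpuid(0, a, b, c, d);
    __asm__ volatile("" : : "r"(a), "r"(b), "r"(c), "r"(d)); /* keep results alive */
#endif
}

/* Reference operation that never leaves the guest. */
static void baseline_op(void) {
    __asm__ volatile("nop");
}

/* Minimum over many trials filters out scheduler and interrupt noise. */
static uint64_t measure_min_ticks(void (*op)(void), int trials) {
    uint64_t best = UINT64_MAX;
    for (int i = 0; i < trials; i++) {
        uint64_t t0 = covert_now();
        op();
        uint64_t t1 = covert_now();
        if (t1 - t0 < best) best = t1 - t0;
    }
    return best;
}

typedef struct {
    uint64_t baseline_ticks;  /* covert ticks spent around a NOP */
    uint64_t cpuid_ticks;     /* covert ticks spent around CPUID */
} cpuid_timing_t;

/* Spawn the clock, wait until it is visibly ticking, then time both ops. */
cpuid_timing_t run_cpuid_probe(int trials) {
    cpuid_timing_t r = { UINT64_MAX, UINT64_MAX };
    pthread_t tid;
    atomic_store(&g_run, true);
    if (pthread_create(&tid, NULL, counter_thread, NULL) != 0)
        return r;
    uint64_t start = covert_now();
    while (covert_now() - start < 1000)   /* warm-up: the clock must be running */
        ;
    r.baseline_ticks = measure_min_ticks(baseline_op, trials);
    r.cpuid_ticks = measure_min_ticks(trapping_op, trials);
    atomic_store(&g_run, false);
    pthread_join(tid, NULL);
    return r;
}

/* How much slower CPUID is than the baseline. The threshold separating
 * bare metal from a hypervisor is platform-specific and must be calibrated
 * (assumption of this example: the caller supplies it); none is hard-coded. */
double cpuid_slowdown(cpuid_timing_t t) {
    uint64_t base = t.baseline_ticks ? t.baseline_ticks : 1;
    return (double)t.cpuid_ticks / (double)base;
}

int main(void) {
    cpuid_timing_t t = run_cpuid_probe(10000);
    printf("baseline: %llu ticks, cpuid: %llu ticks, slowdown: %.1fx\n",
           (unsigned long long)t.baseline_ticks,
           (unsigned long long)t.cpuid_ticks, cpuid_slowdown(t));
    return 0;
}
```

The point of the construction is that every value the probe reads comes from ordinary memory, so a sandbox that rewrites RDTSC results, traps RDTSC or intercepts time queries sees nothing unusual; the counter thread is also why a sandbox that pins the sample to a single vCPU degrades the timer, which is worth checking for before trusting the ratio. Running the same harness on bare metal and inside a VM and comparing the printed slowdown is the calibration step the example leaves to the reader.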

My Ticks Don't Lie: New Timing Attacks for Hypervisor Detection / D'Elia, DANIELE CONO. - (2020). (Talk presented at the Black Hat Europe conference, held in London (virtual)).

My Ticks Don't Lie: New Timing Attacks for Hypervisor Detection

Daniele Cono D'Elia
First author
2020

Files attached to this product
No files are associated with this product.

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise stated.

Use this identifier to cite or link to this document: https://hdl.handle.net/11573/1499636
Warning: the data displayed here have not been validated by the university.
