Detecting Hardware-Assisted Virtualization

@inproceedings{Brengel2016DetectingHV,
  title={Detecting Hardware-Assisted Virtualization},
  author={Michael Brengel and M. Backes and C. Rossow},
  booktitle={DIMVA},
  year={2016}
}
Virtualization has become an indispensable technique for scaling up the analysis of malicious code, such as for malware analysis or shellcode detection systems. [...] Key Method: We build upon the observation that an adversary can invoke hypervisors and trigger context switches that are noticeable both in timing and in their side effects on caching. We have locally trained and then tested our detection methodology on a wide variety of systems, including 240 PlanetLab nodes, showing a high detection accuracy. As…
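The timing half of the key method, as an added example that is not the paper's own code: CPUID unconditionally traps to the hypervisor under Intel VT-x and AMD-V, so timing it with the TSC from inside the guest exposes the cost of the VM exit and re-entry. The program below samples that cost, subtracts the median cost of an empty timing window, and applies a fixed cut-off. The 1000-tick threshold, the sample count and the empty-window baseline are assumptions chosen for illustration; the paper trains its decision boundary locally on each system rather than using a constant.

```c
/*
 * Added example (not the paper's code): timing CPUID from inside a guest.
 * CPUID always causes a VM exit under VT-x/AMD-V, so its cost, measured in
 * TSC ticks, jumps from a few hundred natively to well over a thousand when
 * a hypervisor has to handle it. Threshold and sample count are assumptions.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>            /* __cpuid() macro; handles the ebx/PIC issue */
#define HAVE_X86_TSC 1
#else
#define HAVE_X86_TSC 0        /* non-x86 build: measurement is a no-op */
#endif

#define NSAMPLES 200          /* assumed sample count */

static int cmp_u64(const void *a, const void *b)
{
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

/* Median of n TSC deltas. Robust to the few samples inflated by interrupts
 * or SMIs; works on a copy so the caller's buffer is left untouched. */
uint64_t median_u64(const uint64_t *v, size_t n)
{
    if (n == 0) return 0;
    uint64_t *copy = malloc(n * sizeof *copy);
    if (!copy) return 0;
    memcpy(copy, v, n * sizeof *copy);
    qsort(copy, n, sizeof *copy, cmp_u64);
    uint64_t m = (n & 1) ? copy[n / 2] : (copy[n / 2 - 1] + copy[n / 2]) / 2;
    free(copy);
    return m;
}

/* Feature: median CPUID cost minus median cost of an empty timing window.
 * Saturates at 0 so noise can never wrap around into a huge "exit cost". */
uint64_t cpuid_exit_cost(const uint64_t *cpuid_ticks, const uint64_t *empty_ticks, size_t n)
{
    uint64_t mc = median_u64(cpuid_ticks, n), me = median_u64(empty_ticks, n);
    return mc > me ? mc - me : 0;
}

/* Decision rule. threshold_ticks is an assumed, illustrative cut-off (1000
 * in main below); native CPUID is typically 100-300 ticks, a VM exit round
 * trip plus the hypervisor's CPUID handler typically exceeds 1000. */
int looks_virtualized(uint64_t exit_cost_ticks, uint64_t threshold_ticks)
{
    return exit_cost_ticks >= threshold_ticks;
}

#if HAVE_X86_TSC
/* RDTSC bracketed by LFENCE so the measured instruction cannot be reordered
 * out of the timing window. */
static inline uint64_t rdtsc_fenced(void)
{
    unsigned lo, hi;
    __asm__ __volatile__("lfence\n\trdtsc\n\tlfence" : "=a"(lo), "=d"(hi) : : "memory");
    return ((uint64_t)hi << 32) | lo;
}
#endif

/* Collect n raw samples of CPUID leaf 0 (always valid, always exits) and of
 * an empty timing window. On non-x86 builds both buffers are zero-filled. */
void collect_samples(uint64_t *cpuid_ticks, uint64_t *empty_ticks, size_t n)
{
#if HAVE_X86_TSC
    unsigned a, b, c, d;
    for (size_t i = 0; i < n; i++) {
        uint64_t t0 = rdtsc_fenced();
        __cpuid(0, a, b, c, d);
        uint64_t t1 = rdtsc_fenced();
        cpuid_ticks[i] = t1 - t0;
    }
    for (size_t i = 0; i < n; i++) {
        uint64_t t0 = rdtsc_fenced();
        uint64_t t1 = rdtsc_fenced();
        empty_ticks[i] = t1 - t0;
    }
    (void)a; (void)b; (void)c; (void)d;
#else
    memset(cpuid_ticks, 0, n * sizeof *cpuid_ticks);
    memset(empty_ticks, 0, n * sizeof *empty_ticks);
#endif
}

int main(void)
{
    static uint64_t cpuid_ticks[NSAMPLES], empty_ticks[NSAMPLES];
    collect_samples(cpuid_ticks, empty_ticks, NSAMPLES);
    uint64_t cost = cpuid_exit_cost(cpuid_ticks, empty_ticks, NSAMPLES);
    printf("median CPUID cost above empty window: %llu ticks -> %s\n",
           (unsigned long long)cost,
           looks_virtualized(cost, 1000) ? "likely virtualized" : "likely native");
    return 0;
}
```

Build with `cc -O2` and run pinned to one core (for example under `taskset -c 0`). Caveats a practitioner should keep in mind: the values are TSC ticks, not core cycles, so they move with the TSC/core frequency ratio; a hypervisor can trap RDTSC or apply TSC offsetting and scaling to shrink the visible gap, which is one reason the paper looks at caching side effects as well as timing; and the median filters interrupt noise but not a deliberately noisy neighbour on a shared host.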
Detecting Hardware-Assisted Virtualization With Inconspicuous Features
TLDR
Three newly identified low-level inconspicuous features are showcased, which can be leveraged by an unprivileged adversary to effectively and stealthily detect hardware-assisted virtualization.
Sandbox Detection Using Hardware Side Channels
TLDR
It is shown that it is possible to detect even sandboxes that were properly configured and so far considered detection-proof; the first attack that leverages side-channel leakage between sibling logical cores to determine the execution environment is proposed and implemented.
Who Watches the Watchmen
TLDR
A survey on state-of-the-art techniques that detect, mitigate, and analyze malware attacks, as well as approaches based on Hardware Virtual Machine introspection, System Management Mode instrumentation, Hardware Performance Counters, isolated rings, and others based on external hardware.
POW-HOW: An enduring timing side-channel to evade online malware sandboxes
Online malware scanners are one of the best weapons in the arsenal of cybersecurity companies and researchers. A fundamental part of such systems is the sandbox that provides an instrumented and…
“VANILLA” malware: vanishing antiviruses by interleaving layers and layers of attacks
TLDR
A technique for distributing malware functions across several distinct “vanilla” processes shows that AVs can be easily evaded and exposes a real menace: current AVs are not fully able to detect multi-core malware.
Virtualization detection strategies and their outcomes in public clouds
  • B. Asvija, R. Eswari, M. B. Bijoy
  • Computer Science
  • 2017 IEEE Asia Pacific Conference on Postgraduate Research in Microelectronics and Electronics (PrimeAsia)
  • 2017
TLDR
This paper shows how three popular public clouds, namely Amazon EC2, Google Compute Engine and Microsoft Azure, are vulnerable to virtualization detection, and proposes and demonstrates a new approach for detecting virtualization based on the location and size of the descriptor tables.
Analysis of Agent-Based and Agent-Less Sandboxing for Dynamic Malware Analysis
TLDR
Dynamic analysis is performed both agent-based, using the Cuckoo open-source sandbox, and agent-less, using DRAKVUF on a hypervisor with virtualization extensions, to establish which technique is appropriate and reliable for malware analysis.
A Kernel Rootkit Detection Approach Based on Virtualization and Machine Learning
TLDR
VKRD, a kernel rootkit detection system based on hardware-assisted virtualization technology, can provide a transparent and efficient execution environment for the target kernel module to reveal its run-time behavior.
Research in Attacks, Intrusions, and Defenses
TLDR
GRIM is an external memory monitor that is built on commodity, off-the-shelf graphics hardware, and is able to verify OS kernel integrity at a speed that outperforms all so-far published snapshot-based systems.
SoK: Using Dynamic Binary Instrumentation for Security (And How You May Get Caught Red Handed)
TLDR
This work presents the abstraction and inner workings of DBI frameworks, how DBI assisted prominent security research works, and alternative solutions, and makes available to the community a library of detection patterns and stopgap measures that could be of interest to DBI users.

References (showing 10 of 33)
nEther: in-guest detection of out-of-the-guest malware analyzers
TLDR
Novel approaches are introduced that make possible the detection of hardware-assisted virtualization platforms and out-of-the-guest malware analysis frameworks, and an application framework called nEther is implemented that is capable of detecting the out-of-the-guest malware analysis framework Ether.
Ether: malware analysis via hardware virtualization extensions
TLDR
Ether, a transparent and external approach to malware analysis, is proposed, motivated by the intuition that for a malware analyzer to be transparent, it must not induce any side-effects that are unconditionally detectable by malware.
BareBox: efficient malware analysis on bare-metal
TLDR
This paper presents the design, implementation, and evaluation of a malware analysis framework for bare-metal systems that is based on a fast and rebootless system restore technique, which was able to perform a rebootless restore of a live Windows system within four seconds.
SHELLOS: Enabling Fast Detection and Forensic Analysis of Code Injection Attacks
TLDR
It is argued that software-based emulation techniques are not necessary, and instead a new framework that leverages hardware virtualization to better enable the detection of code injection attacks is proposed.
Detecting Environment-Sensitive Malware
TLDR
Novel techniques for detecting malware samples that exhibit semantically different behavior across different analysis sandboxes are proposed, compatible with any monitoring technology that can be used for dynamic analysis, and completely agnostic to the way that malware achieves evasion.
Deobfuscation of virtualization-obfuscated software: a semantics-based approach
TLDR
This paper proposes a different approach to the problem that focuses on identifying instructions that affect the observable behavior of the obfuscated code, and aims to complement existing techniques by broadening the domain of obfuscated programs eligible for automated analysis.
Towards an understanding of anti-virtualization and anti-debugging behavior in modern malware
TLDR
This work has undertaken a robust analysis of current malware and developed a detailed taxonomy of malware defender fingerprinting methods, which is used to characterize the prevalence of these avoidance methods, to generate a novel fingerprinting method that can assist malware propagation, and to create an effective new technique to protect production systems.
Limits of Static Analysis for Malware Detection
TLDR
A binary obfuscation scheme that relies on opaque constants, which are primitives that allow a constant to be loaded into a register such that an analysis tool cannot determine its value, demonstrates that static analysis techniques alone might no longer be sufficient to identify malware.
Detecting System Emulators
TLDR
A number of possibilities to detect system emulators are analyzed, and it is shown that emulation can be successfully detected, mainly because the task of perfectly emulating real hardware is complex.
Efficient Detection of Split Personalities in Malware
TLDR
This paper presents a technique that efficiently detects when a malware program behaves differently in an emulated analysis environment and on an uninstrumented reference host, and demonstrates that one can efficiently detect malware samples that use a variety of techniques to identify emulated analysis environments.