(2016) Detecting Hardware-Assisted Virtualization.
Abstract
Virtualization has become an indispensable technique for scaling up the analysis of malicious code, such as for malware analysis or shellcode detection systems. Frameworks like Ether, ShellOS and an ever-increasing number of commercially-operated malware sandboxes rely on hardware-assisted virtualization. A core technology is Intel's VT-x, which --- compared to software-emulated virtulization --- is believed to be stealthier, especially against evasive attackers that aim to detect virtualized systems to hide the malicious behavior of their code. We propose and evaluate low-level timing-based mechanisms to detect hardware-virtualized systems. We build upon the observation that an adversary can invoke hypervisors and trigger context switches that are noticeable both in timing and in their side effects on caching. We have locally trained and then tested our detection methodology on a wide variety of systems, including 240 PlanetLab nodes, showing a high detection accuracy. As a real-world evaluation, we detected the virtualization technology of more than 30 malware sandboxes. Finally, we demonstrate how an adversary may even use these detections to evade multi-path exploration systems that aim to explore the full behavior of a program. Our results show that VT-x is not sufficiently stealthy for reliable analysis of malicious code.
| Item Type: | Conference or Workshop Item (A Paper) (Paper) |
|---|---|
| Additional Information: | pub_id: 894 Bibtex: detecthwvt URL date: None |
| Uncontrolled Keywords: | detection,hardware-assisted,virtualization |
| Divisions: | Christian Rossow (System Security Group, SysSec) Michael Backes (InfSec) |
| Depositing User: | Sebastian Weisgerber |
| Date Deposited: | 26 Jul 2017 10:29 |
| Last Modified: | 18 Jul 2019 12:10 |
| Primary Research Area: | NRA3: Threat Detection and Defenses |
| URI: | https://publications.cispa.saarland/id/eprint/323 |
Actions
Actions (login required)
 |
View Item |