
Detecting Hardware-Assisted Virtualization

  • Conference paper
Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2016)

Abstract

Virtualization has become an indispensable technique for scaling up the analysis of malicious code, such as in malware analysis or shellcode detection systems. Frameworks like Ether, ShellOS and an ever-increasing number of commercially-operated malware sandboxes rely on hardware-assisted virtualization. A core technology is Intel’s VT-x, which — compared to software-emulated virtualization — is believed to be stealthier, especially against evasive attackers that aim to detect virtualized systems to hide the malicious behavior of their code.

We propose and evaluate low-level timing-based mechanisms to detect hardware-virtualized systems. We build upon the observation that an adversary can invoke hypervisors and trigger context switches that are noticeable both in timing and in their side effects on caching. We have locally trained and then tested our detection methodology on a wide variety of systems, including 240 PlanetLab nodes, showing a high detection accuracy. As a real-world evaluation, we detected the virtualization technology of more than 30 malware sandboxes. Finally, we demonstrate how an adversary may even use these detections to evade multi-path exploration systems that aim to explore the full behavior of a program. Our results show that VT-x is not sufficiently stealthy for reliable analysis of malicious code.
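The abstract's core observation is that some instructions force a transition into the hypervisor (a VM exit under VT-x), and that the round trip is visible in timing. The program below is an added illustration written for this page, not code from the paper or its authors: it times the CPUID instruction with the time-stamp counter, takes the median over many samples to suppress interrupt and scheduler noise, and compares it against a threshold. The threshold value and the sample count are constructed assumptions for the example; a sandbox operator checking how distinguishable their own analysis host is would calibrate them against known bare-metal and known virtualized machines.

```c
/* Added example (not from the paper): how large is the latency signal of an
 * instruction that forces a hypervisor round trip? CPUID unconditionally
 * causes a VM exit under Intel VT-x, so a hypervisor adds a consistent cost
 * on top of the instruction's bare-metal latency. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#include <x86intrin.h>
#define HAVE_X86 1
#else
#define HAVE_X86 0
#endif

#define SAMPLES 1000

/* Illustrative threshold in TSC cycles (assumption for this example, not a
 * value from the paper); calibrate it per host before relying on it. */
#define CPUID_CYCLES_THRESHOLD 500

/* One measurement: TSC cycles elapsed around a single CPUID (leaf 0). */
static uint64_t time_cpuid_once(void)
{
#if HAVE_X86
    unsigned eax, ebx, ecx, edx, aux;
    uint64_t start = __rdtscp(&aux);     /* rdtscp waits for earlier instructions */
    __cpuid(0, eax, ebx, ecx, edx);      /* forces a VM exit if a hypervisor is present */
    uint64_t end = __rdtscp(&aux);
    (void)eax; (void)ebx; (void)ecx; (void)edx;
    return end - start;
#else
    return 0;   /* non-x86 fallback so the example still compiles: no CPUID, no signal */
#endif
}

static int cmp_u64(const void *a, const void *b)
{
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

/* Median of n samples (sorts a copy). The median is robust against the
 * minority of measurements inflated by interrupts or context switches. */
uint64_t median_u64(const uint64_t *samples, size_t n)
{
    if (n == 0) return 0;
    uint64_t *copy = malloc(n * sizeof *copy);
    if (!copy) return 0;
    memcpy(copy, samples, n * sizeof *copy);
    qsort(copy, n, sizeof *copy, cmp_u64);
    uint64_t m = (n % 2) ? copy[n / 2] : (copy[n / 2 - 1] + copy[n / 2]) / 2;
    free(copy);
    return m;
}

/* Decision rule: the median latency exceeds the calibrated threshold. */
int looks_virtualized(uint64_t median_cycles, uint64_t threshold)
{
    return median_cycles > threshold;
}

/* Collect SAMPLES measurements and return their median (0 when unsupported). */
uint64_t measure_cpuid_median(void)
{
    if (!HAVE_X86) return 0;
    static uint64_t samples[SAMPLES];
    for (size_t i = 0; i < SAMPLES; i++) samples[i] = time_cpuid_once();
    return median_u64(samples, SAMPLES);
}

int main(void)
{
    if (!HAVE_X86) { puts("CPUID timing requires an x86 CPU"); return 0; }
    uint64_t med = measure_cpuid_median();
    printf("median CPUID latency: %llu cycles -> %s\n", (unsigned long long)med,
           looks_virtualized(med, CPUID_CYCLES_THRESHOLD) ? "hypervisor likely present"
                                                          : "consistent with bare metal");
    return 0;
}
```

The decision is deliberately separated from the measurement so that the statistics can be checked on constructed samples. The absolute cycle counts vary with CPU model and TSC frequency, which is why the abstract describes training the detector locally before testing it across many systems; a single fixed threshold is only meaningful after that calibration.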


Corresponding author

Correspondence to Michael Brengel.


Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Brengel, M., Backes, M., Rossow, C. (2016). Detecting Hardware-Assisted Virtualization. In: Caballero, J., Zurutuza, U., Rodríguez, R. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2016. Lecture Notes in Computer Science(), vol 9721. Springer, Cham. https://doi.org/10.1007/978-3-319-40667-1_11


  • DOI: https://doi.org/10.1007/978-3-319-40667-1_11


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-40666-4

  • Online ISBN: 978-3-319-40667-1

  • eBook Packages: Computer Science (R0)
