My Ticks Don't Lie: New Timing Attacks for Hypervisor Detection

Presented at Black Hat Europe 2020 Virtual, Dec. 10, 2020, 11:20 a.m. (40 minutes).

Hypervisor detection is a pillar of sandbox evasion techniques. While hardware-assisted virtualization solutions are indispensable for scalable dynamic malware analysis, compared to bare-metal machines they all introduce timing discrepancies that expert malware writers may reveal using low-level measurement sequences. Today, the most advanced sandboxes fight such attempts by massaging the values malware can read from classic time sources.

In this talk, we will see how this battle is far from over: by taking advantage of recent developments in microarchitectural research, we will build and exercise two novel hypervisor detection primitives that current anti-evasion approaches seem incapable of handling. The first idea is to build a high-resolution covert time source using a dedicated counter thread that can tick just as accurately as an unpatched TSC counter, often with an even better resolution. We revisit well-known detections from evasive malware and academic works using this new source. The second idea is a prime+probe attack on the last-level cache that detects the cache pollution left behind when the hypervisor's virtual machine monitor executes.

An investigation conducted over real-world sandboxes showed that while several classic time evasions seem no longer effective, counter threads can immediately bring them back to life without raising alerts related to time query attempts. Also, microarchitectural attacks do not seem to be on their radars, and may thus be a promising addition to the malware realm.
Presenters:

  • Daniele Cono D'Elia - Postdoctoral researcher, Sapienza University of Rome
    Daniele Cono D'Elia is a postdoctoral researcher at Sapienza University of Rome. His research involves software and systems security. He plays with malware, code reuse attacks, monitoring solutions resistant to adversarial behavior, and program analyses and transformations to make programs more secure. In a past life, he tackled programming language research problems, working on low-overhead profilers, dynamic compilers for managed runtimes, and code transformation techniques.
