My Ticks Don't Lie: New Timing Attacks for Hypervisor Detection

The presentation discusses new methods for hypervisor detection in sandboxes using microarchitectural research. The speaker introduces two novel hypervisor detection primitives that current anti-evasion approaches seem incapable of handling.

• Hypervisors are important for scalability and transparency in malware analysis, but they introduce discrepancies due to virtualization.
• The speaker presents two new methods for hypervisor detection: a high-resolution covert time source using a dedicated counter thread and a prime+probe attack on the last-level cache.
• These methods can detect hypervisors that are hiding discrepancies from classic time sources and current anti-evasion approaches.
• The speaker suggests that sandbox architects should explore code analysis and performance counters to detect counter threads and microarchitectural attacks.
• There is potential for further research in the intersection between microarchitectural research and malware analysis.

The speaker explains that hypervisors are important for scalability in malware analysis, but they introduce discrepancies that can be exploited by expert malware writers. The presentation introduces two new methods for hypervisor detection that can detect hypervisors that are hiding discrepancies from classic time sources and current anti-evasion approaches. The speaker suggests that sandbox architects should explore code analysis and performance counters to detect counter threads and microarchitectural attacks. There is potential for further research in this area.

Hypervisor detection is a pillar of sandbox evasion techniques. While hardware-assisted virtualization solutions are indispensable for scalable dynamic malware analysis, compared to bare-metal machines they all introduce timing discrepancies that expert malware writers may reveal using low-level measurement sequences. Today, the most advanced sandboxes fight such attempts by massaging the values malware can read from classic time sources.In this talk, we will see how this battle is far from over: by taking advantage of recent developments in microarchitectural research, we will build and exercise two novel hypervisor detection primitives that current anti-evasion approaches seem incapable of handling. The first idea is to build a high-resolution covert time source using a dedicated counter thread that can tick just as accurately as an unpatched TSC counter, often with an even better resolution. We revisit well-known detections from evasive malware and academic works using this new source. The second idea is a prime+probe attack on the last-level cache to detect pollution caused by the execution of the virtual machine monitor from the hypervisor.An investigation conducted over real-world sandboxes showed that while several classic time evasions seem no longer effective, counter threads can immediately bring them back to life without raising alerts related to time query attempts. Also, microarchitectural attacks do not seem to be on their radars, and may thus be a promising addition to the malware realm.