Malware vs Virtualization: The endless cat and mouse play

aurelien.wail.ly/publications/hip-2013-slides.html

Plan

Malwares today
Research environment
Detection
Reaction
Roadmap

Virtualization

Easy provisionning
Rollback
Consolidation
Resource control
Rarely used
Often the sign of an analysis

Virtualization usages

Bright side

Easy sandbox VMWare player
No traces
Debug kernels
Try other OSes

Dark Side

Intercept BluePilling see after
Ultimate obfuscation

Mainly for testing purposes!

Malware

Largely dissected Anubis, malwr, GFI
Adaptable behavior
Alex recommends VM Detection

On the bright side

Malwares may detect virtualized environments

Adopt clean behavior
Targeted attacks

On the bright side

Malwares may detect virtualized environments

Adopt clean behavior
Targeted attacks

On the dark side

Games may detect virtualized environments

Cheat detection
Protect against fake hardware

On the dark side

Games may detect virtualized environments

Cheat detection
Protect against fake hardware

Who is leading ?

How to detect Virtualized environments ?

Is it easier to hide or to detect ?

Targeted escape

Sandbox environments have to

Extract executable actions
Communicate results

Demo Cuckoo

Dark wizard

Going deeper

Virtualization
- CPU → vCPU
- Memory → Another MMU layer

CPU overview

Information tables
- Interrupt Descriptor Table IDT
- Local/Global Descriptor Table LDT/GDT

Each processor have its own IDT

Redpill

Where to put vCPU’s IDT ?

Table 1. Location differences
Physical	Virtual
0x80000000	0xc0000000

[2004, J.Rutkowska]

Processor features

CPU Informations

Processor brand string 0x80000002
IsHypervisorPresent!

Virtualization overhead

VM Entry example

VM Entry / VM Exit cost
Measurements

Translation Lookaside Buffer

TLB Illustrated
- Page Walking is expensive

Translation Lookaside Buffer

Virtual memory has pecularities
- Flush TLB while VMEXIT
How to test VMM presence ?
- Fill TLB ⇒ VM Exit
- Modification of at least one TLB entry
- Compare access times

TLB detection

How to benchmark

Processor facilities

Integrated instructions

Time Stamp Counter: RDTSC, RDTSCP
Real-Time Clock: ioctl(/dev/rtc0)
Periodic Interrupt Timer (PIT)

Not very accurate

[http://download.intel.com/embedded/software/IA/324264.pdf]

High precision Timers

Higher frequecy
64b resolution

Poor compatibility

External Timers

Rely on external protocol

NTP/SNTP: Not precise

No reference

Ratio

Compare counters

Discrepancies

Processors does not produce expected behavior

Wrong emulation f00f bug, smsw
Specific hypercalls, accelerated graphic/drag and drop Peter Ferrie
Typical attack: Oversized instruction more than 15B

Integrated facilities

Démo

WIN

Baremetal

dad@gambas ~/Projets/DetectHypervisor % ./detect2
000000: 50 65 6e 74                                      Pent
000000: 69 75 6d 28                                      ium(
000000: 52 29 20 44                                      R) D
000000: 75 61 6c 2d                                      ual-
[+] IDT base: 819da000
[+] SIDT[5] : 0x81
[+] SIDT[5] : 0x81
cpuid 1 ecx: 0c00e3bd bit:0
MSW: 8005003b
Ratio: 207.865799

VWare Player

dad@debian:~$ ./detect2
000000: 50 65 6e 74                                      Pent
000000: 69 75 6d 28                                      ium(
000000: 52 29 20 44                                      R) D
000000: 75 61 6c 2d                                      ual-
[+] IDT base: 8172d000
[+] SIDT[5] : 0x81
[+] SIDT[5] : 0x81
cpuid 1 ecx: 8c202201 bit:1
MSW: 8005003b
Ratio: 1588.099243

ESXi

ubuntu@ubuntu:~$ ./detect2
000000: 49 6e 74 65                                      Inte
000000: 6c 28 52 29                                      l(R)
000000: 20 58 65 6f                                       Xeo
000000: 6e 28 52 29                                      n(R)
[+] IDT base: 81dd9000
[+] SIDT[5] : 0x81
[+] SIDT[5] : 0x81
cpuid 1 ecx: 82982203 bit:1
MSW: 8005003b
Ratio: 615.849609

Thanks Pascal!

Qemu

root@debian:~# ./detect2
000000: 51 45 4d 55                                      QEMU
000000: 20 56 69 72                                       Vir
000000: 74 75 61 6c                                      tual
000000: 20 43 50 55                                       CPU
[+] IDT base: 8172d000
[+] SIDT[5] : 0x81
[+] SIDT[5] : 0x81
cpuid 1 ecx: 80802001 bit:1
MSW: cccc003b
Ratio: 3.352355

KVM

root@debby:~# ./detect2
000000: 51 45 4d 55                                      QEMU
000000: 20 56 69 72                                       Vir
000000: 74 75 61 6c                                      tual
000000: 20 43 50 55                                       CPU
[+] IDT base: 81738000
[+] SIDT[5] : 0x81
[+] SIDT[5] : 0x81
cpuid 1 ecx: 80802001 bit:1
MSW: 8005003b
Ratio: 901.177551

Xen

root@Xenny:~# ./detect2
000000: 49 6e 74 65                                      Inte
000000: 6c 28 52 29                                      l(R)
000000: 20 58 65 6f                                       Xeo
000000: 6e 28 52 29                                      n(R)
[+] IDT base: 8172d000
[+] SIDT[5] : 0x81
[+] SIDT[5] : 0x81
cpuid 1 ecx: 81b82221 bit:1
MSW: 8005003b
Ratio: 681.817383

Thanks Alex!

P. Ferrie: status

in progress

Formalization

VM detection categories

Logical discrepancies
- Unexpected CPU behavior
Resources discrepancies
- Qemu hard drive
- "VMware" in windows registry
Timing discrepancies
- VMM overhead

[T.Garfinkel]

How to find discrepancies

Random tests
Learn from won’t fix (think tuesday patch) !

[T.Raffetserder]

What about using network

TCP RTT differs for virtualized environments
Mimic virtualization to evade malware infection
Taxonomy, extended by M. Lindorfer

[X.Chen, and M.Lindorfer]

Automatization

Fistful of redpills
Create similar context and compare results

20 000 in few hours

Are malwares using detection ?

Tool to analyze malware behaviour through differential analysis
Less than 2% tries to detect virtualization
Only used by worsts

Shark avion

Hiding

Anti-detection

Mechanisms formalization
First architecture and implementation (Ether)
Consider unexpected behaviors (f00f)
Setup several counter measures
- Modify CPU registers
- Use shadow page tables
- Prevent timing with TSC_OFFSET

Least virtualization

To hinder virtualization effects, only vital components are virtualized
Mostly passthrough, few VMEXITs but only support 1 VM
Reduce hypervisor footprint

[A.Nguyen and E.Keller]

Going deeper

Physical virtualization

Example: Barebox

Support snapshots
Volatile memory with RAID mirroring
Save machine state (registers and interrupts) when OS boots
Allows quick rollback (reboot on clean machine < 4s)

Patching defects

MAVMM avoid TLB flushing with new VT-d

Awesome part: Free code available! (!Ether)

New architectures

Virtualize without Hypervisors

Physicalization
Ether
NoHype
DeHype

Protection

Slow CPUs

Need 25000 times slower to hide VMEXITs overhead

Behaviors

Calling thousands of VMEXITs is doubious

…Set up a threshold, and hide VMM when hit

Intel Haswell

Less VMEXITs

www.pcworld.fr
Reducing ratio and time-based attack reliance

Roadmap

toward hypervisor into the CPU

Counter counter measure

Nether

Formally correct
Practically: weaknesses

Detect ether!

PDF

Conclusion

Should we need detection ?
New challenges of physical hypervisor

Malware vs Virtualization The endless cat and mouse play

aurelien.wail.ly/publications/hip-2013-slides.html

Plan

Virtualization

Virtualization usages

Mainly for testing purposes!

Malware

On the bright side

On the bright side

On the dark side

On the dark side

Who is leading ?

How to detect Virtualized environments ?

Targeted escape

Demo Cuckoo

Demo Cuckoo

Dark wizard

Going deeper

CPU overview

Redpill

Processor features

Virtualization overhead

Translation Lookaside Buffer

Translation Lookaside Buffer

TLB detection

TLB detection

TLB detection

TLB detection

How to benchmark

Processor facilities

High precision Timers

External Timers

No reference

Discrepancies

Integrated facilities

Baremetal

VWare Player

ESXi

Qemu

KVM

Xen

P. Ferrie: status

Formalization

How to find discrepancies

What about using network

Automatization

Are malwares using detection ?

Shark avion

Hiding

Anti-detection

Least virtualization

Going deeper

Example: Barebox

Patching defects

New architectures

Protection

Behaviors

Intel Haswell

Roadmap

Counter counter measure

Nether

Conclusion

Merci!