DOI: 10.1145/3642974.3652280
Simulating the Network Environment of Sandboxes to Hide Virtual Machine Introspection Pauses

Published: 22 April 2024

Abstract

Virtual Machine Introspection (VMI) is used by sandbox-based dynamic malware detection and analysis frameworks to observe malware samples while remaining isolated and stealthy. Sandbox detection and evasion techniques based on hypervisor introspection are becoming less of an issue: running server and workstation environments on hypervisors is now standard, and high-end sandboxes manipulate virtual clocks to mask the VM execution pauses caused by VMI. However, the fake network environment around a sandbox VM offers malware evasion opportunities similar to those of hypervisor introspection. Malware can evaluate the discrepancy between the network performance it observes and that of the real network environment it presumes its targets to be in. VMI pauses also cause visible network performance glitches. To solve this issue we propose to extend virtual clock manipulation to synchronize hardware-accelerated virtual machines with a discrete-event network simulator. The experimental evaluation shows that our proposal can counter attempts to infer VMI activity from network timing observations.
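The timing effect the abstract describes, and why virtual clock manipulation alone is not enough, can be made concrete with a small model. The Python below is an added illustration written for this page, not code from the paper or its authors; the link latency, probe schedule and pause positions are constructed values chosen so that an introspection stall lands while a probe is in flight. It compares three regimes: a guest reading the host clock while probing a link that runs on host time (the pause inflates the measured round trip), a guest whose virtual clock stops during pauses while the link keeps running (the round trip now looks shorter than the link allows, a glitch in the other direction), and a guest whose virtual clock is also the time base of a discrete-event network simulator, which is the arrangement the abstract proposes (the network freezes with the guest, so nothing is left to measure).

```python
"""Toy timing model of the leak the abstract describes and of the proposed fix.

Added example for this page, not code from the paper or its authors. The link
latency, probe schedule and pause positions are constructed values chosen so
that a stall lands while a probe is in flight."""
import heapq
from dataclasses import dataclass

LINK_RTT = 0.5       # ms, constructed: round-trip latency of the (emulated) link
PROBE_PERIOD = 10.0  # ms, constructed: the guest sends one probe every 10 ms
N_PROBES = 20


@dataclass(frozen=True)
class Pause:
    """A VMI-induced vCPU stall, expressed on the host wall clock (ms)."""
    start: float
    duration: float

    @property
    def end(self) -> float:
        return self.start + self.duration


# Constructed: two introspection stalls, each overlapping an in-flight reply.
PAUSES = (Pause(start=50.2, duration=3.0), Pause(start=120.4, duration=8.0))


def stalled_between(pauses, t0: float, t1: float) -> float:
    """Host time inside [t0, t1) during which the vCPU was stalled."""
    return sum(max(0.0, min(p.end, t1) - max(p.start, t0)) for p in pauses)


def resume_after(pauses, t: float) -> float:
    """If host time t falls inside a stall, the guest next runs at the stall's end."""
    for p in pauses:
        if p.start <= t < p.end:
            return p.end
    return t


def rtts_real_link(pauses, mask_clock: bool):
    """RTTs a guest measures against a link that keeps running on the host clock.

    mask_clock=False: the guest reads the host clock, so a stall overlapping the
    reply inflates the measured RTT (the pause is directly visible).
    mask_clock=True: the guest's virtual clock stops during stalls but the link
    does not, so the same stall makes the RTT shorter than the link permits,
    the kind of network performance glitch the abstract mentions."""
    samples = []
    for i in range(N_PROBES):
        sent = i * PROBE_PERIOD                            # host time of the send
        handled = resume_after(pauses, sent + LINK_RTT)    # reply processed once running
        elapsed = handled - sent
        if mask_clock:
            elapsed -= stalled_between(pauses, sent, handled)
        samples.append(round(elapsed, 6))
    return samples


def rtts_synchronized_simulator():
    """RTTs when the network is a discrete-event simulator whose clock is the
    guest's virtual clock (the arrangement the abstract proposes, modelled here).

    Host stalls live on the host timeline, which neither the guest nor the
    simulator consults: the network freezes with the guest, so the reply always
    arrives exactly LINK_RTT later in virtual time."""
    events = [(i * PROBE_PERIOD, i, "send") for i in range(N_PROBES)]
    heapq.heapify(events)
    sent_at, samples = {}, []
    while events:
        virtual_now, i, kind = heapq.heappop(events)  # shared virtual time base
        if kind == "send":
            sent_at[i] = virtual_now
            heapq.heappush(events, (virtual_now + LINK_RTT, i, "reply"))
        else:
            samples.append(round(virtual_now - sent_at[i], 6))
    return samples


def max_deviation(samples) -> float:
    """Largest deviation from the nominal link RTT: the observable a guest could
    compare against what a real network would show, and what the fix removes."""
    return round(max(abs(s - LINK_RTT) for s in samples), 6)


if __name__ == "__main__":
    for label, rtts in (
        ("host clock, real link", rtts_real_link(PAUSES, mask_clock=False)),
        ("virtual clock, real link", rtts_real_link(PAUSES, mask_clock=True)),
        ("virtual clock + synchronized simulator", rtts_synchronized_simulator()),
    ):
        print(f"{label:40s} max |RTT - {LINK_RTT}| = {max_deviation(rtts)} ms")
```

With these constructed values the unmasked guest sees round trips of 3.2 ms and 8.4 ms where the link offers 0.5 ms, the clock-masked guest sees 0.2 ms and 0.4 ms, both impossible on that link, and only the synchronized simulator yields a flat 0.5 ms series. The model deliberately ignores scheduling jitter, queueing and clock resolution; its point is the direction of each artefact, not its magnitude.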


      Published In

      EuroSec '24: Proceedings of the 17th European Workshop on Systems Security
      April 2024
      60 pages
      ISBN: 9798400705427
      DOI: 10.1145/3642974
      Publication rights licensed to ACM. ACM acknowledges that this contribution was authored or co-authored by an employee, contractor or affiliate of a national government. As such, the Government retains a nonexclusive, royalty-free right to publish or reproduce this article, or to allow others to do so, for Government purposes only.

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Author Tags

      1. evasive malware
      2. introspection
      3. network simulation
      4. virtualization

      Qualifiers

      • Research-article
      • Research
      • Refereed limited

      Conference

      EuroSys '24
