SlideShare a Scribd company logo
Pitfalls and Limits
of Dynamic Malware
Analysis
Dr. Tamas K Lengyel
tamas@tklengyel.com
# whoami
Senior Security Researcher @ Intel
Chief Research Officer @ Honeynet.org
Maintainer of
- Xen
- LibVMI
- DRAKVUF
Disclaimer
I don’t speak for my employer. All opinions and
information here are my personal views.
Agenda
1. Why Dynamic Analysis
2. Assorted Problems and Pitfalls
3. Food for Thought
The Problem
New malware binaries are easy to create
- Same malware, different binary = can’t be fingerprinted
- Unpacked code itself is heavily obfuscated
- Writing “unpackers” is cumbersome and very fragile
- Polymorphic & metamorphic malware
- Not all packed binaries are malware
For more details read “SoK: Deep Packer Inspection: A Longitudinal Study of the Complexity of Run-Time Packers”
Dynamic Analysis v1
Observation: malware must run
- Code that doesn’t execute is not malicious
- Let’s execute the packed binary
- Dump its unpacked version from memory
- Fingerprint
- ...
- Profit!
Dynamic Analysis v2
Observation: malware must run
- Code that doesn’t execute is not malicious
- Let’s execute the packed binary
- Observe it’s execution
- Fingerprint it’s behavior
- ...
- Profit!
Desired abilities
Scalability
Isolation
Stealth
Interposition
Fidelity
Interpretation
How to “observe”?
Debuggers
- strace/gdb/windbg/valgrind/etc..
- Not designed to be stealthy
- NO security boundary
- Very easy to detect
- Observer effect
How to “observe”?
Emulators
- QEMU/TEMU/PANDA/Binee/Qiling Framework
- Very high (instruction level) visibility
- NO security boundary
- Easy to detect
- Observer effect
A Better way to Observe?
Use kernel-mode code to observe
- Hardware protected execution mode
- Most modern kernels require signed kernel modules
- You can disable enforcement but that’s detectable
- The OS will limit what you can observe
- Windows doesn’t like it if you just randomly hook stuff
- Tedious to clean-up after each analysis
A Better way to Observe?
Windows Sandbox
- Built-in feature since Windows 10 18305
- Easy to deploy
- Light-weight copy-on-write clone of the main OS
- Strong hypervisor-based isolation (as long as you don’t
enable GPU passthrough and writable shared folders)
- No API yet to monitor through the kernel/hypervisor
https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Windows-Sandbox/ba-p/301849
Hypervisor Introspection
- Easy to detect virtualization
- Hard to detect introspection
- Strong isolation
- Good visibility
- Easy to cleanup after analysis
- Hard to develop
- Harder to develop it correctly
Pitfalls of introspection
What part of the VM do you trust?
- In-guest kernel data-structures can be unreliable
- Race-condition on multi-vCPU guests
- Stale data
- Tricky and unusual code-sequences
LibVMI pitfall: PID
The PID is an OS construct!
Can be recycled
Associated PT can change
Can be missing (DKOM)!
LibVMI pitfall: PID
Don’t use the PID, use the pagetable
address directly
Introspection pitfall: pagetables
It’s under the control of the guest
- Guest may change it at any time
- Hardware caches translations in the TLB
- TLB invalidation is also the guest’s responsibility
- The pagetable may not be authoritative if TLB is split
- PCID and VPID keeps entries in the TLB longer
- No instruction to translate in context of VM (on x86)
- Can cause serious issues for both hw* and sw**
*See XSA-304/CVE-2018-12207 “x86: Machine Check Error on Page Size Change DoS”
**Read “DKSM: Subverting Virtual Machine Introspection for Fun and Profit”
LibVMI pitfall: software TLB
Virtual-to-physical translation is costly
- LibVMI has a software TLB
- Two level-hashtable lookup: dtb vaddr
- LibVMI doesn’t perform TLB flushes automatically
- Cached translations can become stale
- Up to the user to implement flush policy
Introspection pitfalls: breakpoints
0xCC can be trapped to VMM
- Hypervisor-level debugging!
- External agent can patch-in the breakpoint
- Guest itself may be using them
- Can we make it stealthy?
Check out “Building a {Flexible} Hypervisor-Level Debugger” by Mathieu Tarral
Introspection pitfalls: breakpoints
Hiding 0xCC
- Make page execute-only in EPT, lie about memory
contents when something tries to read it
- Remove 0xCC singlestep replace 0xCC
- Racy on multi-vCPU systems
- Can emulate faulting instruction and lie about memory
contents
- Shadow memory using EPT remapping!*
*More details: https://xenproject.org/2016/04/13/stealthy-monitoring-with-xen-altp2m
Introspection pitfalls: breakpoints
Read-modify-write instructions...
https://xenbits.xen.org/gitweb/?p=xen.git;a=blob;f=xen/arch/x86/hvm/vmx/vmx.c;h=535e0384fe170450fe82442a500fab3b088e31cf;hb=HEAD
Introspection pitfalls: breakpoints
What is the 0xCC instruction’s length?
- … (including any instruction prefixes) ...
Introspection pitfalls: breakpoints
Redundant prefixes
Introspection pitfalls: breakpoints
Length was assumed to be always 1
- The CPU reports the correct length to Xen
- Xen just didn’t send it to introspection apps
- Malicious code could use it to detect introspection
- Breakpoint would execute 15x within VM when incorrect
length is used for reinjection
- Fixed starting in Xen 4.8
- Found with the awesome Xen Test Framework
Check out XTF at http://xenbits.xenproject.org/docs/xtf/
Introspection pitfalls: breakpoints
MOV instructions..
- Can read execute only memory!
- Copy “constant” to register
- Can leak stealth breakpoints!
DRAKVUF pitfall: shadow pages
Hiding shadow pages with a sink page
- Shadow pages are at the very end of the VM physmap
- DRAKVUF read-protects and remaps them to sink page
- The sink page was just a page filled with 0’s
- That turned out to be a wrong guess
- Xen actually returns 1’s when accessing unmapped
memory
- Trivia: What happens if you access high physical
memory addresses that are not physically present?
Introspection pitfall: hardware limits
100% stealth not feasible
- Overhead of the monitoring is observable
- Yes, you can manipulate RDTSC but that’s not enough
- Thread-racing, network time, etc.
- Accessing guest memory introduces CPU cache
side-effects that are observable!
See more details in “Who Watches The Watcher? Detecting Hypervisor Introspection from Unprivileged Guests”
Sandbox pitfall: is it realistic?
We don’t know what malware checks for
- We can guess
- We can observe empirically and deploy
counter-measures
- “Malware can determine that a system is an artificial
environment and not a real user device with an
accuracy of 92.86%”*
*Recommended read: “Spotless Sandboxes: Evading Malware Analysis Systems using Wear-and-Tear Artifacts”
Sandbox pitfall: timeouts
Our assumption was that malware will run
- Well, it doesn’t have to run right away
- sleep(3 days)
- OK, we hook sleep and return in 1s
- There are infinite ways you can make your malware
“sleep”
- Thread racing, API hammering, CPU cache profiling*..
*See “ExSpectre: Hiding Malware in Speculative Execution”
Sandbox pitfall: false negatives
Positive detections are great
- But no detection doesn’t mean no malware
- You just trust that the sandbox author is smarter then
the malware author
- Is that really the best we can do?
Sandbox pitfall: Turing machines
Halting problem & Rice’s theorem
- Non-trivial properties of programs are undecidable
- “There isn’t (and never will be) a general test to decide
whether a piece of software contains malicious code”.
IEEE Security & Privacy magazine, 2005
- Do we really have Turing machines?
Highly recommended read “Detecting Traditional Packers, Decisively”
No end in sight
Cat-and-mouse game to continue
- As long as we have a diverse detection ecosystem
malware can’t hide from everything or risk getting
extremely bloated
- There are also some new angles being proposed
- Requiring all code to be signed
- Micro Execution based testing*
- Fuzzing**
*https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/microx.pdf
**https://www.youtube.com/watch?v=bzc44WPxoxE
Thanks! Questions?
Dr. Tamas K Lengyel
tamas@tklengyel.com
https://tklengyel.com
@tklengyel
Shout out to
- Polish CERT: Michał Leszczyński, Krzysztof
Stopczański
- Sebastian Poeplau, Mathieu Tarral, Sergej Proskurin

More Related Content

What's hot

Malware Collection and Analysis via Hardware Virtualization
Malware Collection and Analysis via Hardware VirtualizationMalware Collection and Analysis via Hardware Virtualization
Malware Collection and Analysis via Hardware Virtualization
Tamas K Lengyel
 
OffensiveCon2022: Case Studies of Fuzzing with Xen
OffensiveCon2022: Case Studies of Fuzzing with XenOffensiveCon2022: Case Studies of Fuzzing with Xen
OffensiveCon2022: Case Studies of Fuzzing with Xen
Tamas K Lengyel
 
31c3 Presentation - Virtual Machine Introspection
31c3 Presentation - Virtual Machine Introspection31c3 Presentation - Virtual Machine Introspection
31c3 Presentation - Virtual Machine Introspection
Tamas K Lengyel
 
Troopers15 Lightning talk: VMI & DRAKVUF
Troopers15 Lightning talk: VMI & DRAKVUFTroopers15 Lightning talk: VMI & DRAKVUF
Troopers15 Lightning talk: VMI & DRAKVUF
Tamas K Lengyel
 
Virtual Machine Introspection in a Hyberid Honeypot Architecture
Virtual Machine Introspection in a Hyberid Honeypot ArchitectureVirtual Machine Introspection in a Hyberid Honeypot Architecture
Virtual Machine Introspection in a Hyberid Honeypot Architecture
Tamas K Lengyel
 
VM Forking and Hypervisor-based Fuzzing with Xen
VM Forking and Hypervisor-based Fuzzing with XenVM Forking and Hypervisor-based Fuzzing with Xen
VM Forking and Hypervisor-based Fuzzing with Xen
Tamas K Lengyel
 
VM Forking and Hypervisor-based fuzzing
VM Forking and Hypervisor-based fuzzingVM Forking and Hypervisor-based fuzzing
VM Forking and Hypervisor-based fuzzing
Tamas K Lengyel
 
Virtual Machine Introspection with Xen on ARM
Virtual Machine Introspection with Xen on ARMVirtual Machine Introspection with Xen on ARM
Virtual Machine Introspection with Xen on ARM
Tamas K Lengyel
 
Масштабируемый и эффективный фаззинг Google Chrome
Масштабируемый и эффективный фаззинг Google ChromeМасштабируемый и эффективный фаззинг Google Chrome
Масштабируемый и эффективный фаззинг Google Chrome
Positive Hack Days
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Peter Hlavaty
 
Practical Windows Kernel Exploitation
Practical Windows Kernel ExploitationPractical Windows Kernel Exploitation
Practical Windows Kernel Exploitation
zeroSteiner
 
Guardians of your CODE
Guardians of your CODEGuardians of your CODE
Guardians of your CODE
Peter Hlavaty
 
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Shota Shinogi
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
Peter Hlavaty
 
Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon china
Peter Hlavaty
 
Is That A Penguin In My Windows?
Is That A Penguin In My Windows?Is That A Penguin In My Windows?
Is That A Penguin In My Windows?
zeroSteiner
 
ShinoBOT Suite
ShinoBOT SuiteShinoBOT Suite
ShinoBOT Suite
Shota Shinogi
 
Применение виртуализации для динамического анализа
Применение виртуализации для динамического анализаПрименение виртуализации для динамического анализа
Применение виртуализации для динамического анализа
Positive Hack Days
 
How to Root 10 Million Phones with One Exploit
How to Root 10 Million Phones with One ExploitHow to Root 10 Million Phones with One Exploit
How to Root 10 Million Phones with One Exploit
Jiahong Fang
 
Fun With Dr Brown
Fun With Dr BrownFun With Dr Brown
Fun With Dr Brown
zeroSteiner
 

What's hot (20)

Malware Collection and Analysis via Hardware Virtualization
Malware Collection and Analysis via Hardware VirtualizationMalware Collection and Analysis via Hardware Virtualization
Malware Collection and Analysis via Hardware Virtualization
 
OffensiveCon2022: Case Studies of Fuzzing with Xen
OffensiveCon2022: Case Studies of Fuzzing with XenOffensiveCon2022: Case Studies of Fuzzing with Xen
OffensiveCon2022: Case Studies of Fuzzing with Xen
 
31c3 Presentation - Virtual Machine Introspection
31c3 Presentation - Virtual Machine Introspection31c3 Presentation - Virtual Machine Introspection
31c3 Presentation - Virtual Machine Introspection
 
Troopers15 Lightning talk: VMI & DRAKVUF
Troopers15 Lightning talk: VMI & DRAKVUFTroopers15 Lightning talk: VMI & DRAKVUF
Troopers15 Lightning talk: VMI & DRAKVUF
 
Virtual Machine Introspection in a Hyberid Honeypot Architecture
Virtual Machine Introspection in a Hyberid Honeypot ArchitectureVirtual Machine Introspection in a Hyberid Honeypot Architecture
Virtual Machine Introspection in a Hyberid Honeypot Architecture
 
VM Forking and Hypervisor-based Fuzzing with Xen
VM Forking and Hypervisor-based Fuzzing with XenVM Forking and Hypervisor-based Fuzzing with Xen
VM Forking and Hypervisor-based Fuzzing with Xen
 
VM Forking and Hypervisor-based fuzzing
VM Forking and Hypervisor-based fuzzingVM Forking and Hypervisor-based fuzzing
VM Forking and Hypervisor-based fuzzing
 
Virtual Machine Introspection with Xen on ARM
Virtual Machine Introspection with Xen on ARMVirtual Machine Introspection with Xen on ARM
Virtual Machine Introspection with Xen on ARM
 
Масштабируемый и эффективный фаззинг Google Chrome
Масштабируемый и эффективный фаззинг Google ChromeМасштабируемый и эффективный фаззинг Google Chrome
Масштабируемый и эффективный фаззинг Google Chrome
 
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
 
Practical Windows Kernel Exploitation
Practical Windows Kernel ExploitationPractical Windows Kernel Exploitation
Practical Windows Kernel Exploitation
 
Guardians of your CODE
Guardians of your CODEGuardians of your CODE
Guardians of your CODE
 
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
 
Security research over Windows #defcon china
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon china
 
Is That A Penguin In My Windows?
Is That A Penguin In My Windows?Is That A Penguin In My Windows?
Is That A Penguin In My Windows?
 
ShinoBOT Suite
ShinoBOT SuiteShinoBOT Suite
ShinoBOT Suite
 
Применение виртуализации для динамического анализа
Применение виртуализации для динамического анализаПрименение виртуализации для динамического анализа
Применение виртуализации для динамического анализа
 
How to Root 10 Million Phones with One Exploit
How to Root 10 Million Phones with One ExploitHow to Root 10 Million Phones with One Exploit
How to Root 10 Million Phones with One Exploit
 
Fun With Dr Brown
Fun With Dr BrownFun With Dr Brown
Fun With Dr Brown
 

Similar to Pitfalls and limits of dynamic malware analysis

Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Chong-Kuan Chen
 
EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22
MichaelM85042
 
Buffer overflows
Buffer overflowsBuffer overflows
Buffer overflows
Sandun Perera
 
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniquesLarson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
Scott K. Larson
 
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NoSuchCon
 
Joanna Rutkowska Subverting Vista Kernel
Joanna Rutkowska   Subverting Vista KernelJoanna Rutkowska   Subverting Vista Kernel
Joanna Rutkowska Subverting Vista Kernel
guestf1a032
 
Malware 101 by saurabh chaudhary
Malware 101 by saurabh chaudharyMalware 101 by saurabh chaudhary
Malware 101 by saurabh chaudhary
Saurav Chaudhary
 
Security & ethical hacking
Security & ethical hackingSecurity & ethical hacking
Security & ethical hacking
Amanpreet Singh
 
LXC, Docker, security: is it safe to run applications in Linux Containers?
LXC, Docker, security: is it safe to run applications in Linux Containers?LXC, Docker, security: is it safe to run applications in Linux Containers?
LXC, Docker, security: is it safe to run applications in Linux Containers?
Jérôme Petazzoni
 
Messing around avs
Messing around avsMessing around avs
Messing around avs
Shubham Mittal
 
How to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ DisobeyHow to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ Disobey
Zoltan Balazs
 
How to hide your browser 0-days
How to hide your browser 0-daysHow to hide your browser 0-days
How to hide your browser 0-days
Zoltan Balazs
 
Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?
Jérôme Petazzoni
 
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliDefcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Priyanka Aash
 
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsHacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
Shakacon
 
Security & ethical hacking p2
Security & ethical hacking p2Security & ethical hacking p2
Security & ethical hacking p2
ratnalajaggu
 
Docker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and securityDocker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and security
Jérôme Petazzoni
 
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
Zoltan Balazs
 
AV Evasion with the Veil Framework
AV Evasion with the Veil FrameworkAV Evasion with the Veil Framework
AV Evasion with the Veil Framework
VeilFramework
 
IoT exploitation: from memory corruption to code execution by Marco Romano
IoT exploitation: from memory corruption to code execution by Marco RomanoIoT exploitation: from memory corruption to code execution by Marco Romano
IoT exploitation: from memory corruption to code execution by Marco Romano
Codemotion
 

Similar to Pitfalls and limits of dynamic malware analysis (20)

Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
 
EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22
 
Buffer overflows
Buffer overflowsBuffer overflows
Buffer overflows
 
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniquesLarson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
 
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
 
Joanna Rutkowska Subverting Vista Kernel
Joanna Rutkowska   Subverting Vista KernelJoanna Rutkowska   Subverting Vista Kernel
Joanna Rutkowska Subverting Vista Kernel
 
Malware 101 by saurabh chaudhary
Malware 101 by saurabh chaudharyMalware 101 by saurabh chaudhary
Malware 101 by saurabh chaudhary
 
Security & ethical hacking
Security & ethical hackingSecurity & ethical hacking
Security & ethical hacking
 
LXC, Docker, security: is it safe to run applications in Linux Containers?
LXC, Docker, security: is it safe to run applications in Linux Containers?LXC, Docker, security: is it safe to run applications in Linux Containers?
LXC, Docker, security: is it safe to run applications in Linux Containers?
 
Messing around avs
Messing around avsMessing around avs
Messing around avs
 
How to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ DisobeyHow to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ Disobey
 
How to hide your browser 0-days
How to hide your browser 0-daysHow to hide your browser 0-days
How to hide your browser 0-days
 
Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?
 
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliDefcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
 
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsHacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
 
Security & ethical hacking p2
Security & ethical hacking p2Security & ethical hacking p2
Security & ethical hacking p2
 
Docker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and securityDocker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and security
 
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
 
AV Evasion with the Veil Framework
AV Evasion with the Veil FrameworkAV Evasion with the Veil Framework
AV Evasion with the Veil Framework
 
IoT exploitation: from memory corruption to code execution by Marco Romano
IoT exploitation: from memory corruption to code execution by Marco RomanoIoT exploitation: from memory corruption to code execution by Marco Romano
IoT exploitation: from memory corruption to code execution by Marco Romano
 

More from Tamas K Lengyel

Estimating Security Risk Through Repository Mining
Estimating Security Risk Through Repository MiningEstimating Security Risk Through Repository Mining
Estimating Security Risk Through Repository Mining
Tamas K Lengyel
 
Anti-evil maid with UEFI and Xen
Anti-evil maid with UEFI and XenAnti-evil maid with UEFI and Xen
Anti-evil maid with UEFI and Xen
Tamas K Lengyel
 
Stealthy, Hypervisor-based Malware Analysis
Stealthy, Hypervisor-based Malware AnalysisStealthy, Hypervisor-based Malware Analysis
Stealthy, Hypervisor-based Malware Analysis
Tamas K Lengyel
 
CyberSEED: Virtual Machine Introspection to Detect and Protect
CyberSEED: Virtual Machine Introspection to Detect and ProtectCyberSEED: Virtual Machine Introspection to Detect and Protect
CyberSEED: Virtual Machine Introspection to Detect and Protect
Tamas K Lengyel
 
NSS 2013: Towards Hybrid Honeynets via Virtual Machine Introspection and Cloning
NSS 2013: Towards Hybrid Honeynets via Virtual Machine Introspection and CloningNSS 2013: Towards Hybrid Honeynets via Virtual Machine Introspection and Cloning
NSS 2013: Towards Hybrid Honeynets via Virtual Machine Introspection and Cloning
Tamas K Lengyel
 
Dfrws eu 2014 rekall workshop
Dfrws eu 2014 rekall workshopDfrws eu 2014 rekall workshop
Dfrws eu 2014 rekall workshop
Tamas K Lengyel
 

More from Tamas K Lengyel (6)

Estimating Security Risk Through Repository Mining
Estimating Security Risk Through Repository MiningEstimating Security Risk Through Repository Mining
Estimating Security Risk Through Repository Mining
 
Anti-evil maid with UEFI and Xen
Anti-evil maid with UEFI and XenAnti-evil maid with UEFI and Xen
Anti-evil maid with UEFI and Xen
 
Stealthy, Hypervisor-based Malware Analysis
Stealthy, Hypervisor-based Malware AnalysisStealthy, Hypervisor-based Malware Analysis
Stealthy, Hypervisor-based Malware Analysis
 
CyberSEED: Virtual Machine Introspection to Detect and Protect
CyberSEED: Virtual Machine Introspection to Detect and ProtectCyberSEED: Virtual Machine Introspection to Detect and Protect
CyberSEED: Virtual Machine Introspection to Detect and Protect
 
NSS 2013: Towards Hybrid Honeynets via Virtual Machine Introspection and Cloning
NSS 2013: Towards Hybrid Honeynets via Virtual Machine Introspection and CloningNSS 2013: Towards Hybrid Honeynets via Virtual Machine Introspection and Cloning
NSS 2013: Towards Hybrid Honeynets via Virtual Machine Introspection and Cloning
 
Dfrws eu 2014 rekall workshop
Dfrws eu 2014 rekall workshopDfrws eu 2014 rekall workshop
Dfrws eu 2014 rekall workshop
 

Recently uploaded

Evolution of iPaaS - simplify IT workloads to provide a unified view of data...
Evolution of iPaaS - simplify IT workloads to provide a unified view of  data...Evolution of iPaaS - simplify IT workloads to provide a unified view of  data...
Evolution of iPaaS - simplify IT workloads to provide a unified view of data...
Torry Harris
 
Mastering OnlyFans Clone App Development: Key Strategies for Success
Mastering OnlyFans Clone App Development: Key Strategies for SuccessMastering OnlyFans Clone App Development: Key Strategies for Success
Mastering OnlyFans Clone App Development: Key Strategies for Success
David Wilson
 
Google I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged SlidesGoogle I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged Slides
Google Developer Group - Harare
 
Tailored CRM Software Development for Enhanced Customer Insights
Tailored CRM Software Development for Enhanced Customer InsightsTailored CRM Software Development for Enhanced Customer Insights
Tailored CRM Software Development for Enhanced Customer Insights
SynapseIndia
 
Mule Experience Hub and Release Channel with Java 17
Mule Experience Hub and Release Channel with Java 17Mule Experience Hub and Release Channel with Java 17
Mule Experience Hub and Release Channel with Java 17
Bhajan Mehta
 
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Muhammad Ali
 
Introduction-to-the-IAM-Platform-Implementation-Plan.pptx
Introduction-to-the-IAM-Platform-Implementation-Plan.pptxIntroduction-to-the-IAM-Platform-Implementation-Plan.pptx
Introduction-to-the-IAM-Platform-Implementation-Plan.pptx
313mohammedarshad
 
How UiPath Discovery Suite supports identification of Agentic Process Automat...
How UiPath Discovery Suite supports identification of Agentic Process Automat...How UiPath Discovery Suite supports identification of Agentic Process Automat...
How UiPath Discovery Suite supports identification of Agentic Process Automat...
DianaGray10
 
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
maigasapphire
 
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
shanihomely
 
(CISOPlatform Summit & SACON 2024) Workshop _ Most Dangerous Attack Technique...
(CISOPlatform Summit & SACON 2024) Workshop _ Most Dangerous Attack Technique...(CISOPlatform Summit & SACON 2024) Workshop _ Most Dangerous Attack Technique...
(CISOPlatform Summit & SACON 2024) Workshop _ Most Dangerous Attack Technique...
Priyanka Aash
 
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and DisadvantagesBLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
SAI KAILASH R
 
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision MakingConnector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
DianaGray10
 
Acumatica vs. Sage Intacct _Construction_July (1).pptx
Acumatica vs. Sage Intacct _Construction_July (1).pptxAcumatica vs. Sage Intacct _Construction_July (1).pptx
Acumatica vs. Sage Intacct _Construction_July (1).pptx
BrainSell Technologies
 
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
aslasdfmkhan4750
 
Vertex AI Agent Builder - GDG Alicante - Julio 2024
Vertex AI Agent Builder - GDG Alicante - Julio 2024Vertex AI Agent Builder - GDG Alicante - Julio 2024
Vertex AI Agent Builder - GDG Alicante - Julio 2024
Nicolás Lopéz
 
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptxMAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
janagijoythi
 
Patch Tuesday de julio
Patch Tuesday de julioPatch Tuesday de julio
Patch Tuesday de julio
Ivanti
 
(CISOPlatform Summit & SACON 2024) Gen AI & Deepfake In Overall Security.pdf
(CISOPlatform Summit & SACON 2024) Gen AI & Deepfake In Overall Security.pdf(CISOPlatform Summit & SACON 2024) Gen AI & Deepfake In Overall Security.pdf
(CISOPlatform Summit & SACON 2024) Gen AI & Deepfake In Overall Security.pdf
Priyanka Aash
 
Opencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of MünsterOpencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of Münster
Matthias Neugebauer
 

Recently uploaded (20)

Evolution of iPaaS - simplify IT workloads to provide a unified view of data...
Evolution of iPaaS - simplify IT workloads to provide a unified view of  data...Evolution of iPaaS - simplify IT workloads to provide a unified view of  data...
Evolution of iPaaS - simplify IT workloads to provide a unified view of data...
 
Mastering OnlyFans Clone App Development: Key Strategies for Success
Mastering OnlyFans Clone App Development: Key Strategies for SuccessMastering OnlyFans Clone App Development: Key Strategies for Success
Mastering OnlyFans Clone App Development: Key Strategies for Success
 
Google I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged SlidesGoogle I/O Extended Harare Merged Slides
Google I/O Extended Harare Merged Slides
 
Tailored CRM Software Development for Enhanced Customer Insights
Tailored CRM Software Development for Enhanced Customer InsightsTailored CRM Software Development for Enhanced Customer Insights
Tailored CRM Software Development for Enhanced Customer Insights
 
Mule Experience Hub and Release Channel with Java 17
Mule Experience Hub and Release Channel with Java 17Mule Experience Hub and Release Channel with Java 17
Mule Experience Hub and Release Channel with Java 17
 
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
 
Introduction-to-the-IAM-Platform-Implementation-Plan.pptx
Introduction-to-the-IAM-Platform-Implementation-Plan.pptxIntroduction-to-the-IAM-Platform-Implementation-Plan.pptx
Introduction-to-the-IAM-Platform-Implementation-Plan.pptx
 
How UiPath Discovery Suite supports identification of Agentic Process Automat...
How UiPath Discovery Suite supports identification of Agentic Process Automat...How UiPath Discovery Suite supports identification of Agentic Process Automat...
How UiPath Discovery Suite supports identification of Agentic Process Automat...
 
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
Girls Call Churchgate 9910780858 Provide Best And Top Girl Service And No1 in...
 
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
Premium Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Service ...
 
(CISOPlatform Summit & SACON 2024) Workshop _ Most Dangerous Attack Technique...
(CISOPlatform Summit & SACON 2024) Workshop _ Most Dangerous Attack Technique...(CISOPlatform Summit & SACON 2024) Workshop _ Most Dangerous Attack Technique...
(CISOPlatform Summit & SACON 2024) Workshop _ Most Dangerous Attack Technique...
 
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and DisadvantagesBLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
 
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision MakingConnector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
 
Acumatica vs. Sage Intacct _Construction_July (1).pptx
Acumatica vs. Sage Intacct _Construction_July (1).pptxAcumatica vs. Sage Intacct _Construction_July (1).pptx
Acumatica vs. Sage Intacct _Construction_July (1).pptx
 
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
High Profile Girls Call ServiCe Hyderabad 0000000000 Tanisha Best High Class ...
 
Vertex AI Agent Builder - GDG Alicante - Julio 2024
Vertex AI Agent Builder - GDG Alicante - Julio 2024Vertex AI Agent Builder - GDG Alicante - Julio 2024
Vertex AI Agent Builder - GDG Alicante - Julio 2024
 
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptxMAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
 
Patch Tuesday de julio
Patch Tuesday de julioPatch Tuesday de julio
Patch Tuesday de julio
 
(CISOPlatform Summit & SACON 2024) Gen AI & Deepfake In Overall Security.pdf
(CISOPlatform Summit & SACON 2024) Gen AI & Deepfake In Overall Security.pdf(CISOPlatform Summit & SACON 2024) Gen AI & Deepfake In Overall Security.pdf
(CISOPlatform Summit & SACON 2024) Gen AI & Deepfake In Overall Security.pdf
 
Opencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of MünsterOpencast Summit 2024 — Opencast @ University of Münster
Opencast Summit 2024 — Opencast @ University of Münster
 

Pitfalls and limits of dynamic malware analysis

  • 1. Pitfalls and Limits of Dynamic Malware Analysis Dr. Tamas K Lengyel tamas@tklengyel.com
  • 2. # whoami Senior Security Researcher @ Intel Chief Research Officer @ Honeynet.org Maintainer of - Xen - LibVMI - DRAKVUF
  • 3. Disclaimer I don’t speak for my employer. All opinions and information here are my personal views.
  • 4. Agenda 1. Why Dynamic Analysis 2. Assorted Problems and Pitfalls 3. Food for Thought
  • 5. The Problem New malware binaries are easy to create - Same malware, different binary = can’t be fingerprinted - Unpacked code itself is heavily obfuscated - Writing “unpackers” is cumbersome and very fragile - Polymorphic & metamorphic malware - Not all packed binaries are malware For more details read “SoK: Deep Packer Inspection: A Longitudinal Study of the Complexity of Run-Time Packers”
  • 6. Dynamic Analysis v1 Observation: malware must run - Code that doesn’t execute is not malicious - Let’s execute the packed binary - Dump its unpacked version from memory - Fingerprint - ... - Profit!
  • 7. Dynamic Analysis v2 Observation: malware must run - Code that doesn’t execute is not malicious - Let’s execute the packed binary - Observe it’s execution - Fingerprint it’s behavior - ... - Profit!
  • 9. How to “observe”? Debuggers - strace/gdb/windbg/valgrind/etc.. - Not designed to be stealthy - NO security boundary - Very easy to detect - Observer effect
  • 10. How to “observe”? Emulators - QEMU/TEMU/PANDA/Binee/Qiling Framework - Very high (instruction level) visibility - NO security boundary - Easy to detect - Observer effect
  • 11. A Better way to Observe? Use kernel-mode code to observe - Hardware protected execution mode - Most modern kernels require signed kernel modules - You can disable enforcement but that’s detectable - The OS will limit what you can observe - Windows doesn’t like it if you just randomly hook stuff - Tedious to clean-up after each analysis
  • 12. A Better way to Observe? Windows Sandbox - Built-in feature since Windows 10 18305 - Easy to deploy - Light-weight copy-on-write clone of the main OS - Strong hypervisor-based isolation (as long as you don’t enable GPU passthrough and writable shared folders) - No API yet to monitor through the kernel/hypervisor https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Windows-Sandbox/ba-p/301849
  • 13. Hypervisor Introspection - Easy to detect virtualization - Hard to detect introspection - Strong isolation - Good visibility - Easy to cleanup after analysis - Hard to develop - Harder to develop it correctly
  • 14. Pitfalls of introspection What part of the VM do you trust? - In-guest kernel data-structures can be unreliable - Race-condition on multi-vCPU guests - Stale data - Tricky and unusual code-sequences
  • 15. LibVMI pitfall: PID The PID is an OS construct! Can be recycled Associated PT can change Can be missing (DKOM)!
  • 16. LibVMI pitfall: PID Don’t use the PID, use the pagetable address directly
  • 17. Introspection pitfall: pagetables It’s under the control of the guest - Guest may change it at any time - Hardware caches translations in the TLB - TLB invalidation is also the guest’s responsibility - The pagetable may not be authoritative if TLB is split - PCID and VPID keeps entries in the TLB longer - No instruction to translate in context of VM (on x86) - Can cause serious issues for both hw* and sw** *See XSA-304/CVE-2018-12207 “x86: Machine Check Error on Page Size Change DoS” **Read “DKSM: Subverting Virtual Machine Introspection for Fun and Profit”
  • 18. LibVMI pitfall: software TLB Virtual-to-physical translation is costly - LibVMI has a software TLB - Two level-hashtable lookup: dtb vaddr - LibVMI doesn’t perform TLB flushes automatically - Cached translations can become stale - Up to the user to implement flush policy
  • 19. Introspection pitfalls: breakpoints 0xCC can be trapped to VMM - Hypervisor-level debugging! - External agent can patch-in the breakpoint - Guest itself may be using them - Can we make it stealthy? Check out “Building a {Flexible} Hypervisor-Level Debugger” by Mathieu Tarral
  • 20. Introspection pitfalls: breakpoints Hiding 0xCC - Make page execute-only in EPT, lie about memory contents when something tries to read it - Remove 0xCC singlestep replace 0xCC - Racy on multi-vCPU systems - Can emulate faulting instruction and lie about memory contents - Shadow memory using EPT remapping!* *More details: https://xenproject.org/2016/04/13/stealthy-monitoring-with-xen-altp2m
  • 21. Introspection pitfalls: breakpoints Read-modify-write instructions... https://xenbits.xen.org/gitweb/?p=xen.git;a=blob;f=xen/arch/x86/hvm/vmx/vmx.c;h=535e0384fe170450fe82442a500fab3b088e31cf;hb=HEAD
  • 22. Introspection pitfalls: breakpoints What is the 0xCC instruction’s length? - … (including any instruction prefixes) ...
  • 24. Introspection pitfalls: breakpoints Length was assumed to be always 1 - The CPU reports the correct length to Xen - Xen just didn’t send it to introspection apps - Malicious code could use it to detect introspection - Breakpoint would execute 15x within VM when incorrect length is used for reinjection - Fixed starting in Xen 4.8 - Found with the awesome Xen Test Framework Check out XTF at http://xenbits.xenproject.org/docs/xtf/
  • 25. Introspection pitfalls: breakpoints MOV instructions.. - Can read execute only memory! - Copy “constant” to register - Can leak stealth breakpoints!
  • 26. DRAKVUF pitfall: shadow pages Hiding shadow pages with a sink page - Shadow pages are at the very end of the VM physmap - DRAKVUF read-protects and remaps them to sink page - The sink page was just a page filled with 0’s - That turned out to be a wrong guess - Xen actually returns 1’s when accessing unmapped memory - Trivia: What happens if you access high physical memory addresses that are not physically present?
  • 27. Introspection pitfall: hardware limits 100% stealth not feasible - Overhead of the monitoring is observable - Yes, you can manipulate RDTSC but that’s not enough - Thread-racing, network time, etc. - Accessing guest memory introduces CPU cache side-effects that are observable! See more details in “Who Watches The Watcher? Detecting Hypervisor Introspection from Unprivileged Guests”
  • 28. Sandbox pitfall: is it realistic? We don’t know what malware checks for - We can guess - We can observe empirically and deploy counter-measures - “Malware can determine that a system is an artificial environment and not a real user device with an accuracy of 92.86%”* *Recommended read: “Spotless Sandboxes: Evading Malware Analysis Systems using Wear-and-Tear Artifacts”
  • 29. Sandbox pitfall: timeouts Our assumption was that malware will run - Well, it doesn’t have to run right away - sleep(3 days) - OK, we hook sleep and return in 1s - There are infinite ways you can make your malware “sleep” - Thread racing, API hammering, CPU cache profiling*.. *See “ExSpectre: Hiding Malware in Speculative Execution”
  • 30. Sandbox pitfall: false negatives Positive detections are great - But no detection doesn’t mean no malware - You just trust that the sandbox author is smarter then the malware author - Is that really the best we can do?
  • 31. Sandbox pitfall: Turing machines Halting problem & Rice’s theorem - Non-trivial properties of programs are undecidable - “There isn’t (and never will be) a general test to decide whether a piece of software contains malicious code”. IEEE Security & Privacy magazine, 2005 - Do we really have Turing machines? Highly recommended read “Detecting Traditional Packers, Decisively”
  • 32. No end in sight Cat-and-mouse game to continue - As long as we have a diverse detection ecosystem malware can’t hide from everything or risk getting extremely bloated - There are also some new angles being proposed - Requiring all code to be signed - Micro Execution based testing* - Fuzzing** *https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/microx.pdf **https://www.youtube.com/watch?v=bzc44WPxoxE
  • 33. Thanks! Questions? Dr. Tamas K Lengyel tamas@tklengyel.com https://tklengyel.com @tklengyel Shout out to - Polish CERT: Michał Leszczyński, Krzysztof Stopczański - Sebastian Poeplau, Mathieu Tarral, Sergej Proskurin