Pitfalls and limits of dynamic malware analysis

Tamas K Lengyel
Tamas K LengyelSenior Security Researcher at Intel Corporation
Pitfalls and Limits of Dynamic Malware Analysis Dr. Tamas K Lengyel tamas@tklengyel.com
# whoami Senior Security Researcher @ Intel Chief Research Officer @ Honeynet.org Maintainer of - Xen - LibVMI - DRAKVUF
Disclaimer I don’t speak for my employer. All opinions and information here are my personal views.
Agenda 1. Why Dynamic Analysis 2. Assorted Problems and Pitfalls 3. Food for Thought
The Problem New malware binaries are easy to create - Same malware, different binary = can’t be fingerprinted - Unpacked code itself is heavily obfuscated - Writing “unpackers” is cumbersome and very fragile - Polymorphic & metamorphic malware - Not all packed binaries are malware For more details read “SoK: Deep Packer Inspection: A Longitudinal Study of the Complexity of Run-Time Packers”
Dynamic Analysis v1 Observation: malware must run - Code that doesn’t execute is not malicious - Let’s execute the packed binary - Dump its unpacked version from memory - Fingerprint - ... - Profit!
Dynamic Analysis v2 Observation: malware must run - Code that doesn’t execute is not malicious - Let’s execute the packed binary - Observe it’s execution - Fingerprint it’s behavior - ... - Profit!
Desired abilities Scalability Isolation Stealth Interposition Fidelity Interpretation
How to “observe”? Debuggers - strace/gdb/windbg/valgrind/etc.. - Not designed to be stealthy - NO security boundary - Very easy to detect - Observer effect
How to “observe”? Emulators - QEMU/TEMU/PANDA/Binee/Qiling Framework - Very high (instruction level) visibility - NO security boundary - Easy to detect - Observer effect
A Better way to Observe? Use kernel-mode code to observe - Hardware protected execution mode - Most modern kernels require signed kernel modules - You can disable enforcement but that’s detectable - The OS will limit what you can observe - Windows doesn’t like it if you just randomly hook stuff - Tedious to clean-up after each analysis
A Better way to Observe? Windows Sandbox - Built-in feature since Windows 10 18305 - Easy to deploy - Light-weight copy-on-write clone of the main OS - Strong hypervisor-based isolation (as long as you don’t enable GPU passthrough and writable shared folders) - No API yet to monitor through the kernel/hypervisor https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Windows-Sandbox/ba-p/301849
Hypervisor Introspection - Easy to detect virtualization - Hard to detect introspection - Strong isolation - Good visibility - Easy to cleanup after analysis - Hard to develop - Harder to develop it correctly
Pitfalls of introspection What part of the VM do you trust? - In-guest kernel data-structures can be unreliable - Race-condition on multi-vCPU guests - Stale data - Tricky and unusual code-sequences
LibVMI pitfall: PID The PID is an OS construct! Can be recycled Associated PT can change Can be missing (DKOM)!
LibVMI pitfall: PID Don’t use the PID, use the pagetable address directly
Introspection pitfall: pagetables It’s under the control of the guest - Guest may change it at any time - Hardware caches translations in the TLB - TLB invalidation is also the guest’s responsibility - The pagetable may not be authoritative if TLB is split - PCID and VPID keeps entries in the TLB longer - No instruction to translate in context of VM (on x86) - Can cause serious issues for both hw* and sw** *See XSA-304/CVE-2018-12207 “x86: Machine Check Error on Page Size Change DoS” **Read “DKSM: Subverting Virtual Machine Introspection for Fun and Profit”
LibVMI pitfall: software TLB Virtual-to-physical translation is costly - LibVMI has a software TLB - Two level-hashtable lookup: dtb vaddr - LibVMI doesn’t perform TLB flushes automatically - Cached translations can become stale - Up to the user to implement flush policy
Introspection pitfalls: breakpoints 0xCC can be trapped to VMM - Hypervisor-level debugging! - External agent can patch-in the breakpoint - Guest itself may be using them - Can we make it stealthy? Check out “Building a {Flexible} Hypervisor-Level Debugger” by Mathieu Tarral
Introspection pitfalls: breakpoints Hiding 0xCC - Make page execute-only in EPT, lie about memory contents when something tries to read it - Remove 0xCC singlestep replace 0xCC - Racy on multi-vCPU systems - Can emulate faulting instruction and lie about memory contents - Shadow memory using EPT remapping!* *More details: https://xenproject.org/2016/04/13/stealthy-monitoring-with-xen-altp2m
Introspection pitfalls: breakpoints Read-modify-write instructions... https://xenbits.xen.org/gitweb/?p=xen.git;a=blob;f=xen/arch/x86/hvm/vmx/vmx.c;h=535e0384fe170450fe82442a500fab3b088e31cf;hb=HEAD
Introspection pitfalls: breakpoints What is the 0xCC instruction’s length? - … (including any instruction prefixes) ...
Introspection pitfalls: breakpoints Redundant prefixes
Introspection pitfalls: breakpoints Length was assumed to be always 1 - The CPU reports the correct length to Xen - Xen just didn’t send it to introspection apps - Malicious code could use it to detect introspection - Breakpoint would execute 15x within VM when incorrect length is used for reinjection - Fixed starting in Xen 4.8 - Found with the awesome Xen Test Framework Check out XTF at http://xenbits.xenproject.org/docs/xtf/
Introspection pitfalls: breakpoints MOV instructions.. - Can read execute only memory! - Copy “constant” to register - Can leak stealth breakpoints!
DRAKVUF pitfall: shadow pages Hiding shadow pages with a sink page - Shadow pages are at the very end of the VM physmap - DRAKVUF read-protects and remaps them to sink page - The sink page was just a page filled with 0’s - That turned out to be a wrong guess - Xen actually returns 1’s when accessing unmapped memory - Trivia: What happens if you access high physical memory addresses that are not physically present?
Introspection pitfall: hardware limits 100% stealth not feasible - Overhead of the monitoring is observable - Yes, you can manipulate RDTSC but that’s not enough - Thread-racing, network time, etc. - Accessing guest memory introduces CPU cache side-effects that are observable! See more details in “Who Watches The Watcher? Detecting Hypervisor Introspection from Unprivileged Guests”
Sandbox pitfall: is it realistic? We don’t know what malware checks for - We can guess - We can observe empirically and deploy counter-measures - “Malware can determine that a system is an artificial environment and not a real user device with an accuracy of 92.86%”* *Recommended read: “Spotless Sandboxes: Evading Malware Analysis Systems using Wear-and-Tear Artifacts”
Sandbox pitfall: timeouts Our assumption was that malware will run - Well, it doesn’t have to run right away - sleep(3 days) - OK, we hook sleep and return in 1s - There are infinite ways you can make your malware “sleep” - Thread racing, API hammering, CPU cache profiling*.. *See “ExSpectre: Hiding Malware in Speculative Execution”
Sandbox pitfall: false negatives Positive detections are great - But no detection doesn’t mean no malware - You just trust that the sandbox author is smarter then the malware author - Is that really the best we can do?
Sandbox pitfall: Turing machines Halting problem & Rice’s theorem - Non-trivial properties of programs are undecidable - “There isn’t (and never will be) a general test to decide whether a piece of software contains malicious code”. IEEE Security & Privacy magazine, 2005 - Do we really have Turing machines? Highly recommended read “Detecting Traditional Packers, Decisively”
No end in sight Cat-and-mouse game to continue - As long as we have a diverse detection ecosystem malware can’t hide from everything or risk getting extremely bloated - There are also some new angles being proposed - Requiring all code to be signed - Micro Execution based testing* - Fuzzing** *https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/microx.pdf **https://www.youtube.com/watch?v=bzc44WPxoxE
Thanks! Questions? Dr. Tamas K Lengyel tamas@tklengyel.com https://tklengyel.com @tklengyel Shout out to - Polish CERT: Michał Leszczyński, Krzysztof Stopczański - Sebastian Poeplau, Mathieu Tarral, Sergej Proskurin
1 of 33

Pitfalls and limits of dynamic malware analysis

Download to read offline
Technology

Pitfalls and limits of dynamic malware analysis

Tamas K Lengyel
Tamas K LengyelSenior Security Researcher at Intel Corporation

Recommended

Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System by
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis SystemScalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis SystemTamas K Lengyel
97.7K views15 slides
CrySys guest-lecture: Virtual machine introspection on modern hardware by
CrySys guest-lecture: Virtual machine introspection on modern hardwareCrySys guest-lecture: Virtual machine introspection on modern hardware
CrySys guest-lecture: Virtual machine introspection on modern hardwareTamas K Lengyel
4.4K views36 slides
Virtual Machine Introspection with Xen by
Virtual Machine Introspection with XenVirtual Machine Introspection with Xen
Virtual Machine Introspection with XenTamas K Lengyel
3.3K views26 slides
Hacktivity2014: Virtual Machine Introspection to Detect and Protect by
Hacktivity2014: Virtual Machine Introspection to Detect and ProtectHacktivity2014: Virtual Machine Introspection to Detect and Protect
Hacktivity2014: Virtual Machine Introspection to Detect and ProtectTamas K Lengyel
2.6K views25 slides
BSides Denver: Stealthy, hypervisor-based malware analysis by
BSides Denver: Stealthy, hypervisor-based malware analysisBSides Denver: Stealthy, hypervisor-based malware analysis
BSides Denver: Stealthy, hypervisor-based malware analysisTamas K Lengyel
390 views62 slides
Cloud Security with LibVMI by
Cloud Security with LibVMICloud Security with LibVMI
Cloud Security with LibVMITamas K Lengyel
3.4K views52 slides

More Related Content

What's hot

Malware Collection and Analysis via Hardware Virtualization by
Malware Collection and Analysis via Hardware VirtualizationMalware Collection and Analysis via Hardware Virtualization
Malware Collection and Analysis via Hardware VirtualizationTamas K Lengyel
4.7K views36 slides
OffensiveCon2022: Case Studies of Fuzzing with Xen by
OffensiveCon2022: Case Studies of Fuzzing with XenOffensiveCon2022: Case Studies of Fuzzing with Xen
OffensiveCon2022: Case Studies of Fuzzing with XenTamas K Lengyel
1.6K views39 slides
31c3 Presentation - Virtual Machine Introspection by
31c3 Presentation - Virtual Machine Introspection31c3 Presentation - Virtual Machine Introspection
31c3 Presentation - Virtual Machine IntrospectionTamas K Lengyel
4.1K views39 slides
Troopers15 Lightning talk: VMI & DRAKVUF by
Troopers15 Lightning talk: VMI & DRAKVUFTroopers15 Lightning talk: VMI & DRAKVUF
Troopers15 Lightning talk: VMI & DRAKVUFTamas K Lengyel
1.1K views10 slides
Virtual Machine Introspection in a Hyberid Honeypot Architecture by
Virtual Machine Introspection in a Hyberid Honeypot ArchitectureVirtual Machine Introspection in a Hyberid Honeypot Architecture
Virtual Machine Introspection in a Hyberid Honeypot ArchitectureTamas K Lengyel
3.7K views13 slides
VM Forking and Hypervisor-based Fuzzing with Xen by
VM Forking and Hypervisor-based Fuzzing with XenVM Forking and Hypervisor-based Fuzzing with Xen
VM Forking and Hypervisor-based Fuzzing with XenTamas K Lengyel
1.6K views33 slides

What's hot(20)

Malware Collection and Analysis via Hardware Virtualization by Tamas K Lengyel
Malware Collection and Analysis via Hardware VirtualizationMalware Collection and Analysis via Hardware Virtualization
Malware Collection and Analysis via Hardware Virtualization
Tamas K Lengyel4.7K views
OffensiveCon2022: Case Studies of Fuzzing with Xen by Tamas K Lengyel
OffensiveCon2022: Case Studies of Fuzzing with XenOffensiveCon2022: Case Studies of Fuzzing with Xen
OffensiveCon2022: Case Studies of Fuzzing with Xen
Tamas K Lengyel1.6K views
31c3 Presentation - Virtual Machine Introspection by Tamas K Lengyel
31c3 Presentation - Virtual Machine Introspection31c3 Presentation - Virtual Machine Introspection
31c3 Presentation - Virtual Machine Introspection
Tamas K Lengyel4.1K views
Troopers15 Lightning talk: VMI & DRAKVUF by Tamas K Lengyel
Troopers15 Lightning talk: VMI & DRAKVUFTroopers15 Lightning talk: VMI & DRAKVUF
Troopers15 Lightning talk: VMI & DRAKVUF
Tamas K Lengyel1.1K views
Virtual Machine Introspection in a Hyberid Honeypot Architecture by Tamas K Lengyel
Virtual Machine Introspection in a Hyberid Honeypot ArchitectureVirtual Machine Introspection in a Hyberid Honeypot Architecture
Virtual Machine Introspection in a Hyberid Honeypot Architecture
Tamas K Lengyel3.7K views
VM Forking and Hypervisor-based Fuzzing with Xen by Tamas K Lengyel
VM Forking and Hypervisor-based Fuzzing with XenVM Forking and Hypervisor-based Fuzzing with Xen
VM Forking and Hypervisor-based Fuzzing with Xen
Tamas K Lengyel1.6K views
VM Forking and Hypervisor-based fuzzing by Tamas K Lengyel
VM Forking and Hypervisor-based fuzzingVM Forking and Hypervisor-based fuzzing
VM Forking and Hypervisor-based fuzzing
Tamas K Lengyel132 views
Virtual Machine Introspection with Xen on ARM by Tamas K Lengyel
Virtual Machine Introspection with Xen on ARMVirtual Machine Introspection with Xen on ARM
Virtual Machine Introspection with Xen on ARM
Tamas K Lengyel3.8K views
Масштабируемый и эффективный фаззинг Google Chrome by Positive Hack Days
Масштабируемый и эффективный фаззинг Google ChromeМасштабируемый и эффективный фаззинг Google Chrome
Масштабируемый и эффективный фаззинг Google Chrome
Positive Hack Days4.7K views
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes by Peter Hlavaty
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesWindows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes
Peter Hlavaty31.1K views
Practical Windows Kernel Exploitation by zeroSteiner
Practical Windows Kernel ExploitationPractical Windows Kernel Exploitation
Practical Windows Kernel Exploitation
zeroSteiner2K views
Guardians of your CODE by Peter Hlavaty
Guardians of your CODEGuardians of your CODE
Guardians of your CODE
Peter Hlavaty3.4K views
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal) by Shota Shinogi
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Shota Shinogi2.7K views
You didnt see it’s coming? "Dawn of hardened Windows Kernel" by Peter Hlavaty
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
Peter Hlavaty9.4K views
Security research over Windows #defcon china by Peter Hlavaty
Security research over Windows #defcon chinaSecurity research over Windows #defcon china
Security research over Windows #defcon china
Peter Hlavaty375 views
Is That A Penguin In My Windows? by zeroSteiner
Is That A Penguin In My Windows?Is That A Penguin In My Windows?
Is That A Penguin In My Windows?
zeroSteiner1.4K views
ShinoBOT Suite by Shota Shinogi
ShinoBOT SuiteShinoBOT Suite
ShinoBOT Suite
Shota Shinogi27.4K views
Применение виртуализации для динамического анализа by Positive Hack Days
Применение виртуализации для динамического анализаПрименение виртуализации для динамического анализа
Применение виртуализации для динамического анализа
Positive Hack Days1.5K views
How to Root 10 Million Phones with One Exploit by Jiahong Fang
How to Root 10 Million Phones with One ExploitHow to Root 10 Million Phones with One Exploit
How to Root 10 Million Phones with One Exploit
Jiahong Fang14.6K views
Fun With Dr Brown by zeroSteiner
Fun With Dr BrownFun With Dr Brown
Fun With Dr Brown
zeroSteiner846 views

Similar to Pitfalls and limits of dynamic malware analysis

Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis by
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisChong-Kuan Chen
1.8K views51 slides
EMBA Firmware analysis - TROOPERS22 by
EMBA Firmware analysis - TROOPERS22EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22MichaelM85042
100 views25 slides
Buffer overflows by
Buffer overflowsBuffer overflows
Buffer overflowsSandun Perera
404 views10 slides
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques by
Larson Macaulay apt_malware_past_present_future_out_of_band_techniquesLarson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniquesScott K. Larson
1.6K views45 slides
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core by
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNoSuchCon
844 views52 slides
Joanna Rutkowska Subverting Vista Kernel by
Joanna Rutkowska Subverting Vista KernelJoanna Rutkowska Subverting Vista Kernel
Joanna Rutkowska Subverting Vista Kernelguestf1a032
1.2K views53 slides

Similar to Pitfalls and limits of dynamic malware analysis(20)

Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis by Chong-Kuan Chen
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Chong-Kuan Chen1.8K views
EMBA Firmware analysis - TROOPERS22 by MichaelM85042
EMBA Firmware analysis - TROOPERS22EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22
MichaelM85042100 views
Buffer overflows by Sandun Perera
Buffer overflowsBuffer overflows
Buffer overflows
Sandun Perera404 views
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques by Scott K. Larson
Larson Macaulay apt_malware_past_present_future_out_of_band_techniquesLarson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
Scott K. Larson1.6K views
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core by NoSuchCon
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NSC #2 - D3 02 - Peter Hlavaty - Attack on the Core
NoSuchCon844 views
Joanna Rutkowska Subverting Vista Kernel by guestf1a032
Joanna Rutkowska Subverting Vista KernelJoanna Rutkowska Subverting Vista Kernel
Joanna Rutkowska Subverting Vista Kernel
guestf1a0321.2K views
Malware 101 by saurabh chaudhary by Saurav Chaudhary
Malware 101 by saurabh chaudharyMalware 101 by saurabh chaudhary
Malware 101 by saurabh chaudhary
Saurav Chaudhary356 views
Security & ethical hacking by Amanpreet Singh
Security & ethical hackingSecurity & ethical hacking
Security & ethical hacking
Amanpreet Singh407 views
LXC, Docker, security: is it safe to run applications in Linux Containers? by Jérôme Petazzoni
LXC, Docker, security: is it safe to run applications in Linux Containers?LXC, Docker, security: is it safe to run applications in Linux Containers?
LXC, Docker, security: is it safe to run applications in Linux Containers?
Jérôme Petazzoni22.7K views
Messing around avs by Shubham Mittal
Messing around avsMessing around avs
Messing around avs
Shubham Mittal839 views
How to hide your browser 0-day @ Disobey by Zoltan Balazs
How to hide your browser 0-day @ DisobeyHow to hide your browser 0-day @ Disobey
How to hide your browser 0-day @ Disobey
Zoltan Balazs465 views
How to hide your browser 0-days by Zoltan Balazs
How to hide your browser 0-daysHow to hide your browser 0-days
How to hide your browser 0-days
Zoltan Balazs2.3K views
Docker, Linux Containers, and Security: Does It Add Up? by Jérôme Petazzoni
Docker, Linux Containers, and Security: Does It Add Up?Docker, Linux Containers, and Security: Does It Add Up?
Docker, Linux Containers, and Security: Does It Add Up?
Jérôme Petazzoni9.3K views
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli by Priyanka Aash
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteliDefcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Defcon 22-zoltan-balazs-bypass-firewalls-application-whiteli
Priyanka Aash3.5K views
Hacking Highly Secured Enterprise Environments by Zoltan Balazs by Shakacon
Hacking Highly Secured Enterprise Environments by Zoltan BalazsHacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
Shakacon1.2K views
Security & ethical hacking p2 by ratnalajaggu
Security & ethical hacking p2Security & ethical hacking p2
Security & ethical hacking p2
ratnalajaggu975 views
Docker, Linux Containers (LXC), and security by Jérôme Petazzoni
Docker, Linux Containers (LXC), and securityDocker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and security
Jérôme Petazzoni51.7K views
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ... by Zoltan Balazs
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
DEFCON 22: Bypass firewalls, application white lists, secure remote desktops ...
Zoltan Balazs10.1K views
AV Evasion with the Veil Framework by VeilFramework
AV Evasion with the Veil FrameworkAV Evasion with the Veil Framework
AV Evasion with the Veil Framework
VeilFramework18.6K views
IoT exploitation: from memory corruption to code execution - Marco Romano - C... by Codemotion
IoT exploitation: from memory corruption to code execution - Marco Romano - C...IoT exploitation: from memory corruption to code execution - Marco Romano - C...
IoT exploitation: from memory corruption to code execution - Marco Romano - C...
Codemotion110 views

More from Tamas K Lengyel

Estimating Security Risk Through Repository Mining by
Estimating Security Risk Through Repository MiningEstimating Security Risk Through Repository Mining
Estimating Security Risk Through Repository MiningTamas K Lengyel
49 views34 slides
Anti-evil maid with UEFI and Xen by
Anti-evil maid with UEFI and XenAnti-evil maid with UEFI and Xen
Anti-evil maid with UEFI and XenTamas K Lengyel
202 views41 slides
Stealthy, Hypervisor-based Malware Analysis by
Stealthy, Hypervisor-based Malware AnalysisStealthy, Hypervisor-based Malware Analysis
Stealthy, Hypervisor-based Malware AnalysisTamas K Lengyel
13.1K views58 slides
CyberSEED: Virtual Machine Introspection to Detect and Protect by
CyberSEED: Virtual Machine Introspection to Detect and ProtectCyberSEED: Virtual Machine Introspection to Detect and Protect
CyberSEED: Virtual Machine Introspection to Detect and ProtectTamas K Lengyel
3.8K views19 slides
NSS 2013: Towards Hybrid Honeynets via Virtual Machine Introspection and Cloning by
NSS 2013: Towards Hybrid Honeynets via Virtual Machine Introspection and CloningNSS 2013: Towards Hybrid Honeynets via Virtual Machine Introspection and Cloning
NSS 2013: Towards Hybrid Honeynets via Virtual Machine Introspection and CloningTamas K Lengyel
2.9K views13 slides
Dfrws eu 2014 rekall workshop by
Dfrws eu 2014 rekall workshopDfrws eu 2014 rekall workshop
Dfrws eu 2014 rekall workshopTamas K Lengyel
3.3K views121 slides

More from Tamas K Lengyel(6)

Estimating Security Risk Through Repository Mining by Tamas K Lengyel
Estimating Security Risk Through Repository MiningEstimating Security Risk Through Repository Mining
Estimating Security Risk Through Repository Mining
Tamas K Lengyel49 views
Anti-evil maid with UEFI and Xen by Tamas K Lengyel
Anti-evil maid with UEFI and XenAnti-evil maid with UEFI and Xen
Anti-evil maid with UEFI and Xen
Tamas K Lengyel202 views
Stealthy, Hypervisor-based Malware Analysis by Tamas K Lengyel
Stealthy, Hypervisor-based Malware AnalysisStealthy, Hypervisor-based Malware Analysis
Stealthy, Hypervisor-based Malware Analysis
Tamas K Lengyel13.1K views
CyberSEED: Virtual Machine Introspection to Detect and Protect by Tamas K Lengyel
CyberSEED: Virtual Machine Introspection to Detect and ProtectCyberSEED: Virtual Machine Introspection to Detect and Protect
CyberSEED: Virtual Machine Introspection to Detect and Protect
Tamas K Lengyel3.8K views
NSS 2013: Towards Hybrid Honeynets via Virtual Machine Introspection and Cloning by Tamas K Lengyel
NSS 2013: Towards Hybrid Honeynets via Virtual Machine Introspection and CloningNSS 2013: Towards Hybrid Honeynets via Virtual Machine Introspection and Cloning
NSS 2013: Towards Hybrid Honeynets via Virtual Machine Introspection and Cloning
Tamas K Lengyel2.9K views
Dfrws eu 2014 rekall workshop by Tamas K Lengyel
Dfrws eu 2014 rekall workshopDfrws eu 2014 rekall workshop
Dfrws eu 2014 rekall workshop
Tamas K Lengyel3.3K views

Recently uploaded

MVP and prioritization.pdf by
MVP and prioritization.pdfMVP and prioritization.pdf
MVP and prioritization.pdfrahuldharwal141
39 views8 slides
Keynote Talk: Open Source is Not Dead - Charles Schulz - Vates by
Keynote Talk: Open Source is Not Dead - Charles Schulz - VatesKeynote Talk: Open Source is Not Dead - Charles Schulz - Vates
Keynote Talk: Open Source is Not Dead - Charles Schulz - VatesShapeBlue
178 views15 slides
Backup and Disaster Recovery with CloudStack and StorPool - Workshop - Venko ... by
Backup and Disaster Recovery with CloudStack and StorPool - Workshop - Venko ...Backup and Disaster Recovery with CloudStack and StorPool - Workshop - Venko ...
Backup and Disaster Recovery with CloudStack and StorPool - Workshop - Venko ...ShapeBlue
114 views12 slides
Automating a World-Class Technology Conference; Behind the Scenes of CiscoLive by
Automating a World-Class Technology Conference; Behind the Scenes of CiscoLiveAutomating a World-Class Technology Conference; Behind the Scenes of CiscoLive
Automating a World-Class Technology Conference; Behind the Scenes of CiscoLiveNetwork Automation Forum
49 views35 slides
Igniting Next Level Productivity with AI-Infused Data Integration Workflows by
Igniting Next Level Productivity with AI-Infused Data Integration Workflows Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration Workflows Safe Software
373 views86 slides
Confidence in CloudStack - Aron Wagner, Nathan Gleason - Americ by
Confidence in CloudStack - Aron Wagner, Nathan Gleason - AmericConfidence in CloudStack - Aron Wagner, Nathan Gleason - Americ
Confidence in CloudStack - Aron Wagner, Nathan Gleason - AmericShapeBlue
58 views9 slides

Recently uploaded(20)

MVP and prioritization.pdf by rahuldharwal141
MVP and prioritization.pdfMVP and prioritization.pdf
MVP and prioritization.pdf
rahuldharwal14139 views
Keynote Talk: Open Source is Not Dead - Charles Schulz - Vates by ShapeBlue
Keynote Talk: Open Source is Not Dead - Charles Schulz - VatesKeynote Talk: Open Source is Not Dead - Charles Schulz - Vates
Keynote Talk: Open Source is Not Dead - Charles Schulz - Vates
ShapeBlue178 views
Backup and Disaster Recovery with CloudStack and StorPool - Workshop - Venko ... by ShapeBlue
Backup and Disaster Recovery with CloudStack and StorPool - Workshop - Venko ...Backup and Disaster Recovery with CloudStack and StorPool - Workshop - Venko ...
Backup and Disaster Recovery with CloudStack and StorPool - Workshop - Venko ...
ShapeBlue114 views
Automating a World-Class Technology Conference; Behind the Scenes of CiscoLive by Network Automation Forum
Automating a World-Class Technology Conference; Behind the Scenes of CiscoLiveAutomating a World-Class Technology Conference; Behind the Scenes of CiscoLive
Automating a World-Class Technology Conference; Behind the Scenes of CiscoLive
Network Automation Forum49 views
Igniting Next Level Productivity with AI-Infused Data Integration Workflows by Safe Software
Igniting Next Level Productivity with AI-Infused Data Integration Workflows Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Safe Software373 views
Confidence in CloudStack - Aron Wagner, Nathan Gleason - Americ by ShapeBlue
Confidence in CloudStack - Aron Wagner, Nathan Gleason - AmericConfidence in CloudStack - Aron Wagner, Nathan Gleason - Americ
Confidence in CloudStack - Aron Wagner, Nathan Gleason - Americ
ShapeBlue58 views
Extending KVM Host HA for Non-NFS Storage - Alex Ivanov - StorPool by ShapeBlue
Extending KVM Host HA for Non-NFS Storage - Alex Ivanov - StorPoolExtending KVM Host HA for Non-NFS Storage - Alex Ivanov - StorPool
Extending KVM Host HA for Non-NFS Storage - Alex Ivanov - StorPool
ShapeBlue56 views
Hypervisor Agnostic DRS in CloudStack - Brief overview & demo - Vishesh Jinda... by ShapeBlue
Hypervisor Agnostic DRS in CloudStack - Brief overview & demo - Vishesh Jinda...Hypervisor Agnostic DRS in CloudStack - Brief overview & demo - Vishesh Jinda...
Hypervisor Agnostic DRS in CloudStack - Brief overview & demo - Vishesh Jinda...
ShapeBlue93 views
State of the Union - Rohit Yadav - Apache CloudStack by ShapeBlue
State of the Union - Rohit Yadav - Apache CloudStackState of the Union - Rohit Yadav - Apache CloudStack
State of the Union - Rohit Yadav - Apache CloudStack
ShapeBlue218 views
How to Re-use Old Hardware with CloudStack. Saving Money and the Environment ... by ShapeBlue
How to Re-use Old Hardware with CloudStack. Saving Money and the Environment ...How to Re-use Old Hardware with CloudStack. Saving Money and the Environment ...
How to Re-use Old Hardware with CloudStack. Saving Money and the Environment ...
ShapeBlue97 views
Updates on the LINSTOR Driver for CloudStack - Rene Peinthor - LINBIT by ShapeBlue
Updates on the LINSTOR Driver for CloudStack - Rene Peinthor - LINBITUpdates on the LINSTOR Driver for CloudStack - Rene Peinthor - LINBIT
Updates on the LINSTOR Driver for CloudStack - Rene Peinthor - LINBIT
ShapeBlue138 views
KVM Security Groups Under the Hood - Wido den Hollander - Your.Online by ShapeBlue
KVM Security Groups Under the Hood - Wido den Hollander - Your.OnlineKVM Security Groups Under the Hood - Wido den Hollander - Your.Online
KVM Security Groups Under the Hood - Wido den Hollander - Your.Online
ShapeBlue154 views
CloudStack Managed User Data and Demo - Harikrishna Patnala - ShapeBlue by ShapeBlue
CloudStack Managed User Data and Demo - Harikrishna Patnala - ShapeBlueCloudStack Managed User Data and Demo - Harikrishna Patnala - ShapeBlue
CloudStack Managed User Data and Demo - Harikrishna Patnala - ShapeBlue
ShapeBlue68 views
Data Integrity for Banking and Financial Services by Precisely
Data Integrity for Banking and Financial ServicesData Integrity for Banking and Financial Services
Data Integrity for Banking and Financial Services
Precisely76 views
Mitigating Common CloudStack Instance Deployment Failures - Jithin Raju - Sha... by ShapeBlue
Mitigating Common CloudStack Instance Deployment Failures - Jithin Raju - Sha...Mitigating Common CloudStack Instance Deployment Failures - Jithin Raju - Sha...
Mitigating Common CloudStack Instance Deployment Failures - Jithin Raju - Sha...
ShapeBlue113 views
Business Analyst Series 2023 - Week 4 Session 7 by DianaGray10
Business Analyst Series 2023 - Week 4 Session 7Business Analyst Series 2023 - Week 4 Session 7
Business Analyst Series 2023 - Week 4 Session 7
DianaGray10110 views
Import Export Virtual Machine for KVM Hypervisor - Ayush Pandey - University ... by ShapeBlue
Import Export Virtual Machine for KVM Hypervisor - Ayush Pandey - University ...Import Export Virtual Machine for KVM Hypervisor - Ayush Pandey - University ...
Import Export Virtual Machine for KVM Hypervisor - Ayush Pandey - University ...
ShapeBlue48 views
DRBD Deep Dive - Philipp Reisner - LINBIT by ShapeBlue
DRBD Deep Dive - Philipp Reisner - LINBITDRBD Deep Dive - Philipp Reisner - LINBIT
DRBD Deep Dive - Philipp Reisner - LINBIT
ShapeBlue110 views
Microsoft Power Platform.pptx by Uni Systems S.M.S.A.
Microsoft Power Platform.pptxMicrosoft Power Platform.pptx
Microsoft Power Platform.pptx
Uni Systems S.M.S.A.74 views
Migrating VMware Infra to KVM Using CloudStack - Nicolas Vazquez - ShapeBlue by ShapeBlue
Migrating VMware Infra to KVM Using CloudStack - Nicolas Vazquez - ShapeBlueMigrating VMware Infra to KVM Using CloudStack - Nicolas Vazquez - ShapeBlue
Migrating VMware Infra to KVM Using CloudStack - Nicolas Vazquez - ShapeBlue
ShapeBlue147 views

Pitfalls and limits of dynamic malware analysis

  • 1. Pitfalls and Limits of Dynamic Malware Analysis Dr. Tamas K Lengyel tamas@tklengyel.com
  • 2. # whoami Senior Security Researcher @ Intel Chief Research Officer @ Honeynet.org Maintainer of - Xen - LibVMI - DRAKVUF
  • 3. Disclaimer I don’t speak for my employer. All opinions and information here are my personal views.
  • 4. Agenda 1. Why Dynamic Analysis 2. Assorted Problems and Pitfalls 3. Food for Thought
  • 5. The Problem New malware binaries are easy to create - Same malware, different binary = can’t be fingerprinted - Unpacked code itself is heavily obfuscated - Writing “unpackers” is cumbersome and very fragile - Polymorphic & metamorphic malware - Not all packed binaries are malware For more details read “SoK: Deep Packer Inspection: A Longitudinal Study of the Complexity of Run-Time Packers”
  • 6. Dynamic Analysis v1 Observation: malware must run - Code that doesn’t execute is not malicious - Let’s execute the packed binary - Dump its unpacked version from memory - Fingerprint - ... - Profit!
  • 7. Dynamic Analysis v2 Observation: malware must run - Code that doesn’t execute is not malicious - Let’s execute the packed binary - Observe it’s execution - Fingerprint it’s behavior - ... - Profit!
  • 9. How to “observe”? Debuggers - strace/gdb/windbg/valgrind/etc.. - Not designed to be stealthy - NO security boundary - Very easy to detect - Observer effect
  • 10. How to “observe”? Emulators - QEMU/TEMU/PANDA/Binee/Qiling Framework - Very high (instruction level) visibility - NO security boundary - Easy to detect - Observer effect
  • 11. A Better way to Observe? Use kernel-mode code to observe - Hardware protected execution mode - Most modern kernels require signed kernel modules - You can disable enforcement but that’s detectable - The OS will limit what you can observe - Windows doesn’t like it if you just randomly hook stuff - Tedious to clean-up after each analysis
  • 12. A Better way to Observe? Windows Sandbox - Built-in feature since Windows 10 18305 - Easy to deploy - Light-weight copy-on-write clone of the main OS - Strong hypervisor-based isolation (as long as you don’t enable GPU passthrough and writable shared folders) - No API yet to monitor through the kernel/hypervisor https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Windows-Sandbox/ba-p/301849
  • 13. Hypervisor Introspection - Easy to detect virtualization - Hard to detect introspection - Strong isolation - Good visibility - Easy to cleanup after analysis - Hard to develop - Harder to develop it correctly
  • 14. Pitfalls of introspection What part of the VM do you trust? - In-guest kernel data-structures can be unreliable - Race-condition on multi-vCPU guests - Stale data - Tricky and unusual code-sequences
  • 15. LibVMI pitfall: PID The PID is an OS construct! Can be recycled Associated PT can change Can be missing (DKOM)!
  • 16. LibVMI pitfall: PID Don’t use the PID, use the pagetable address directly
  • 17. Introspection pitfall: pagetables It’s under the control of the guest - Guest may change it at any time - Hardware caches translations in the TLB - TLB invalidation is also the guest’s responsibility - The pagetable may not be authoritative if TLB is split - PCID and VPID keeps entries in the TLB longer - No instruction to translate in context of VM (on x86) - Can cause serious issues for both hw* and sw** *See XSA-304/CVE-2018-12207 “x86: Machine Check Error on Page Size Change DoS” **Read “DKSM: Subverting Virtual Machine Introspection for Fun and Profit”
  • 18. LibVMI pitfall: software TLB Virtual-to-physical translation is costly - LibVMI has a software TLB - Two level-hashtable lookup: dtb vaddr - LibVMI doesn’t perform TLB flushes automatically - Cached translations can become stale - Up to the user to implement flush policy
  • 19. Introspection pitfalls: breakpoints 0xCC can be trapped to VMM - Hypervisor-level debugging! - External agent can patch-in the breakpoint - Guest itself may be using them - Can we make it stealthy? Check out “Building a {Flexible} Hypervisor-Level Debugger” by Mathieu Tarral
  • 20. Introspection pitfalls: breakpoints Hiding 0xCC - Make page execute-only in EPT, lie about memory contents when something tries to read it - Remove 0xCC singlestep replace 0xCC - Racy on multi-vCPU systems - Can emulate faulting instruction and lie about memory contents - Shadow memory using EPT remapping!* *More details: https://xenproject.org/2016/04/13/stealthy-monitoring-with-xen-altp2m
  • 21. Introspection pitfalls: breakpoints Read-modify-write instructions... https://xenbits.xen.org/gitweb/?p=xen.git;a=blob;f=xen/arch/x86/hvm/vmx/vmx.c;h=535e0384fe170450fe82442a500fab3b088e31cf;hb=HEAD
  • 22. Introspection pitfalls: breakpoints What is the 0xCC instruction’s length? - … (including any instruction prefixes) ...
  • 24. Introspection pitfalls: breakpoints Length was assumed to be always 1 - The CPU reports the correct length to Xen - Xen just didn’t send it to introspection apps - Malicious code could use it to detect introspection - Breakpoint would execute 15x within VM when incorrect length is used for reinjection - Fixed starting in Xen 4.8 - Found with the awesome Xen Test Framework Check out XTF at http://xenbits.xenproject.org/docs/xtf/
  • 25. Introspection pitfalls: breakpoints MOV instructions.. - Can read execute only memory! - Copy “constant” to register - Can leak stealth breakpoints!
  • 26. DRAKVUF pitfall: shadow pages Hiding shadow pages with a sink page - Shadow pages are at the very end of the VM physmap - DRAKVUF read-protects and remaps them to sink page - The sink page was just a page filled with 0’s - That turned out to be a wrong guess - Xen actually returns 1’s when accessing unmapped memory - Trivia: What happens if you access high physical memory addresses that are not physically present?
  • 27. Introspection pitfall: hardware limits 100% stealth not feasible - Overhead of the monitoring is observable - Yes, you can manipulate RDTSC but that’s not enough - Thread-racing, network time, etc. - Accessing guest memory introduces CPU cache side-effects that are observable! See more details in “Who Watches The Watcher? Detecting Hypervisor Introspection from Unprivileged Guests”
  • 28. Sandbox pitfall: is it realistic? We don’t know what malware checks for - We can guess - We can observe empirically and deploy counter-measures - “Malware can determine that a system is an artificial environment and not a real user device with an accuracy of 92.86%”* *Recommended read: “Spotless Sandboxes: Evading Malware Analysis Systems using Wear-and-Tear Artifacts”
  • 29. Sandbox pitfall: timeouts Our assumption was that malware will run - Well, it doesn’t have to run right away - sleep(3 days) - OK, we hook sleep and return in 1s - There are infinite ways you can make your malware “sleep” - Thread racing, API hammering, CPU cache profiling*.. *See “ExSpectre: Hiding Malware in Speculative Execution”
  • 30. Sandbox pitfall: false negatives Positive detections are great - But no detection doesn’t mean no malware - You just trust that the sandbox author is smarter then the malware author - Is that really the best we can do?
  • 31. Sandbox pitfall: Turing machines Halting problem & Rice’s theorem - Non-trivial properties of programs are undecidable - “There isn’t (and never will be) a general test to decide whether a piece of software contains malicious code”. IEEE Security & Privacy magazine, 2005 - Do we really have Turing machines? Highly recommended read “Detecting Traditional Packers, Decisively”
  • 32. No end in sight Cat-and-mouse game to continue - As long as we have a diverse detection ecosystem malware can’t hide from everything or risk getting extremely bloated - There are also some new angles being proposed - Requiring all code to be signed - Micro Execution based testing* - Fuzzing** *https://www.microsoft.com/en-us/research/wp-content/uploads/2016/02/microx.pdf **https://www.youtube.com/watch?v=bzc44WPxoxE
  • 33. Thanks! Questions? Dr. Tamas K Lengyel tamas@tklengyel.com https://tklengyel.com @tklengyel Shout out to - Polish CERT: Michał Leszczyński, Krzysztof Stopczański - Sebastian Poeplau, Mathieu Tarral, Sergej Proskurin