Detecting Hardware-Assisted Virtualization

  • Michael BrengelEmail author
  • Michael Backes
  • Christian Rossow
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9721)


Virtualization has become an indispensable technique for scaling up the analysis of malicious code, such as for malware analysis or shellcode detection systems. Frameworks like Ether, ShellOS and an ever-increasing number of commercially-operated malware sandboxes rely on hardware-assisted virtualization. A core technology is Intel’s VT-x, which — compared to software-emulated virtulization — is believed to be stealthier, especially against evasive attackers that aim to detect virtualized systems to hide the malicious behavior of their code.

We propose and evaluate low-level timing-based mechanisms to detect hardware-virtualized systems. We build upon the observation that an adversary can invoke hypervisors and trigger context switches that are noticeable both in timing and in their side effects on caching. We have locally trained and then tested our detection methodology on a wide variety of systems, including 240 PlanetLab nodes, showing a high detection accuracy. As a real-world evaluation, we detected the virtualization technology of more than 30 malware sandboxes. Finally, we demonstrate how an adversary may even use these detections to evade multi-path exploration systems that aim to explore the full behavior of a program. Our results show that VT-x is not sufficiently stealthy for reliable analysis of malicious code.


  1. 1.
    Balzarotti, D., Cova, M., Karlberger, C., Kruegel, C., Kirda, E., Vigna, G.: Efficient detection of split personalities in malware. In: Proceedings of NDSS (2010)Google Scholar
  2. 2.
    Chen, X., Andersen, J., Morley, M.Z., Bailey, M., Nazario, J.: Towards an understanding of anti-virtualization and anti-debugging behavior in modern malware. In: DSN (2008)Google Scholar
  3. 3.
    Chun, B., Culler, D., Roscoe, T., Bavier, A., Peterson, L., Wawrzoniak, M., Bowman, M.: PlanetLab: an overlay testbed for broad-coverage services. SIGCOMM Comput. Commun. Rev. 33(3), 3–12 (2003)CrossRefGoogle Scholar
  4. 4.
    Coogan, K., Lu, G., Debray, S.: Deobfuscation of virtualization-obfuscated software: a semantics-based approach. In: Proceedings of the CCS (2011)Google Scholar
  5. 5.
    Dinaburg, A., Royal, P., Sharif, M., Lee, W.: Ether: malware analysis via hardware virtualization extensions. In: CCS (2008)Google Scholar
  6. 6.
    Egele, M., Scholte, T., Kirda, E., Kruegel, C.: A survey on automated dynamic malware-analysis techniques and tools. ACM Comput. Surv. 44(2), 6:1–6:42 (2012)CrossRefGoogle Scholar
  7. 7.
    Egele, M., Woo, M., Chapman, P., Brumley, D.: Blanket execution: dynamic similarity testing for program binaries and components. In: USENIX Security (2014)Google Scholar
  8. 8.
    Ferrie, P.: Attacks on Virtual Machine Emulators. Technical report, Symantec (2006)Google Scholar
  9. 9.
    Franklin, J., Luk, M., McCune, J.M., Seshadri, A., Perrig, A., van Doorn, L.: Towards sound detection of virtual machines. In: Lee, W., Wang, C., Dagon, D. (eds.) Botnet Detection: Countering the Largest Security Threat, pp. 89–116. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  10. 10.
    Garfinkel, T., Adams, K., Warfield, A., Franklin, J.: Compatibility is not transparency: VMM detection myths and realities. In: Proceedings of USENIX HotOS (2007)Google Scholar
  11. 11.
    Kang, M.G., Poosankam, P., Yin, H.: Renovo: a hidden code extractor for packed executables. In: Proceedings of the 2007 ACM Workshop on Recurring Malcode (2007)Google Scholar
  12. 12.
    Kinder, J.: Towards static analysis of virtualization-obfuscated binaries. In: WCRE (2012)Google Scholar
  13. 13.
    Kirat, D., Vigna, G., Kruegel, C.: BareBox: efficient malware analysis on bare-metal. In: Proceedings of ACSAC (2011)Google Scholar
  14. 14.
    Kirat, D., Vigna, G., Kruegel, C.: Barecloud: bare-metal analysis-based evasive malware detection. In: Proceedings of the USENIX Security (2014)Google Scholar
  15. 15.
    Kwon, B.J., Mondal, J., Jang, J., Bilge, L., Dumitras, T.: The dropper effect: insights into malware distribution with downloader graph analytics. In: CCS (2015)Google Scholar
  16. 16.
    Lindorfer, M., Kolbitsch, C., Milani Comparetti, P.: Detecting environment-sensitive malware. In: Sommer, R., Balzarotti, D., Maier, G. (eds.) RAID 2011. LNCS, vol. 6961, pp. 338–357. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  17. 17.
    Moser, A., Kruegel, C., Kirda, E.: Exploring multiple execution paths for malware analysis. In: Proceedings of the S&P (2007)Google Scholar
  18. 18.
    Moser, A., Kruegel, C., Kirda, E.: Limits of static analysis for malware detection. In: Proceedings of ACSAC (2007)Google Scholar
  19. 19.
    Oktavianto, D., Muhardianto, I.: Cuckoo Malware Analysis. Packt Publishing, Birmingham (2013)Google Scholar
  20. 20.
    Paleari, R., Martignoni, L., Roglia, G.F., Bruschi, D.: A fistful of Red-pills: how to automatically generate procedures to detect CPU emulators. In: Usenix WOOT (2009)Google Scholar
  21. 21.
    Ugarte Pedrero, X., Balzarotti, D., Santos, I., Bringas, P.G.: SoK: deep packer inspection: a longitudinal study of the complexity of run-time packers. In: S&P (2015)Google Scholar
  22. 22.
    Pék, G., Bencsáth, B., Buttyán, L.: nEther: in-guest detection of out-of-the-guest malware analyzers. In: CCS (2011)Google Scholar
  23. 23.
    Polychronakis, M., Anagnostakis, K.G., Markatos, E.P.: Comprehensive shellcode detection using runtime heuristics. In: Proceedings of ACSAC (2010)Google Scholar
  24. 24.
    Raffetseder, T., Kruegel, C., Kirda, E.: Detecting system emulators. In: ICISC (2007)Google Scholar
  25. 25.
    Rolles, R.: Unpacking virtualization obfuscators. In: Usenix WOOT (2009)Google Scholar
  26. 26.
    Rossow, C., Dietrich, C., Bos, H.: Large-scale analysis of malware downloaders. In: Proceedings of DIMVA (2013)Google Scholar
  27. 27.
    Royal, P., Halpin, M., Dagon, D., Edmonds, R., Lee, W.: PolyUnpack: automating the hidden-code extraction of unpack-executing malware. In: CCS (2006)Google Scholar
  28. 28.
    Sharif, M., Lanzi, A., Giffin, J., Lee, W.: Automatic reverse engineering of malware emulators. In: Proceedings of the 2009 30th IEEE Symposium on Security and Privacy (2009)Google Scholar
  29. 29.
    Snow, K.Z., Krishnan, S., Monrose, F., Provos, N.: ShellOS: enabling fast detection and forensic analysis of code injection attacks. In: Proceedings of USENIX Security (2011)Google Scholar
  30. 30.
    Willems, C., Hund, R., Holz, T.: CXPInspector: Hypervisor-based, hardware-assisted system monitoring. Technical report, Horst Görtz Institute for IT Security (2012)Google Scholar
  31. 31.
    You, I., Yim, K.: Malware obfuscation techniques: a brief survey. In: Proceedings of BWCCA (2010)Google Scholar
  32. 32.
    Zhao, X., Borders, K., Prakash, A.: Virtual machine security systems. In: Advances in Computer Science and Engineering. Springer (2009)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Michael Brengel
    • 1
    Email author
  • Michael Backes
    • 1
  • Christian Rossow
    • 1
  1. 1.CISPA, Saarland UniversitySaarbrückenGermany

Personalised recommendations