Tuesday, June 20, 2017

Level Up: Introducing Hypervisor based Inspection in Joe Sandbox




At Joe Security, innovation is in our genes. We have been working on an awesome new component which takes advantage of hardware virtualization to analyze and detect malware. We call this new product Joe Sandbox Hypervisor.

What is hardware virtualization? What technology do we use for introspection? How do we implement it and what are its benefits? Read this blog post to get answers to these questions.

Hardware Virtualization

Hardware virtualization is a general term for an instruction set, introduced by Intel (VT-x) and AMD (AMD-V) in 2005/2006. The instruction set supports running several operating systems simultaneously on the same CPU. To achieve that, it adds an additional feature for memory separation (e.g. via extended paging tables) as well as a new CPU ring/mode (often referred to as root mode or ring -1). The transition from the normal modes (ring 0-3) to root mode can be visualized like this:


For malware analysis, this transition is very interesting since it intercepts execution of the malware at specific events, extracts additional information and then returns/continues execution. This enables fine grained interception as well as tracking detailed runtime information. Another great benefit of hardware virtualization is stealthiness, making it very difficult for malware to detect. 

Kernel mode Hooking

Since hardware virtualization is relatively new, Joe Sandbox currently uses a pure kernel mode (ring 0) driver which intercepts various system events such as system calls, kernel calls, memory events etc. So is there something to fear of? Not really: Using hooking/function interception in kernel mode works perfectly for 99% of all malware out there. The only problem are rootkits which run  in kernel mode themselves. However, rootkits have all but disappeared during the last years:

AV-Test Statistics


There are multiple reasons for this. First, Microsoft introduced driver signing, so only signed drivers are allowed to be loaded into kernel space. Second, additional features have been introduced to Windows which make abusing and exploiting kernel mode more tricky (PatchGuard is a good example).

Besides rootkits, a much bigger issue for kernel mode introspection is the inability to intercept events from user mode. A good example is the API GetSystemTime. This API does not reach kernel mode and therefore cannot be tracked from the.

Here is where hardware virtualization has its benefit as it can also intercept any user mode function.

Derived and Custom Hypervisor


So how does Joe Sandbox use hardware virtualization and how is it implemented? 
If you implement hardware virtualization there are two options:

Implement introspection in an existing type 1 or 2 hypervisor (KVM and XEN are two good examples). In both cases, you would modify and extend the existing GPL code to get callbacks on the interesting guest to host transitions. The introspection code will be always part of the virtualization solution and therefore the malware is always run inside a VM. Analysis on a bare metal machine is not possible. 


A second option for the Type 1 model is to develop your own custom hypervisor. The custom hypervisor is a full implementation which does not derive from existing hypervisor code and just provides the inspection functionality.  With this architecture, malware can be run directly on physical machines (laptops, PCs, servers etc), and no VM is required. Alternatively, it can also run nested, inside a VM (hypervisor in hypervisor).


It is very important to note that, exactly the same introspection capabilities exist for custom and derived hypervisors. However, one of the biggest differences is the flexibility of the analysis target. With a custom hypervisor, analysis is not bound to the virtualization solutions. Introspection can be done on real as well as virtual hardware. Why is this so important? Analyzing on real devices is king since it is _ the _ target for malware. A virtual machine is very different compared to a real device and those differences are trivial to spot by malware. Thus by detecting those differences malware can easily evade analysis.


Since the custom hypervisor runs on real hardware, there are no dissimilarities for malware to exploit. Thus the custom hypervisor has a big advantage over the derived hypervisor since it is harder to detect. 



Some may argue that in the next five years all our operating systems will run on virtual machines. However, for Joe Security, it is important to protect our customers right now and not eventually in five years.

Joe Sandbox Hypervisor has been implemented as a custom hypervisor to benefit from the outlined advantages.

Deep and stealthy Introspection

Joe Sandbox Hypervisor captures and extracts the following data:

  • System calls
  • Kernel calls
  • User mode calls
  • Access to user mode memory areas (e.g. PEB)
  • Access to performance counters
  • Execution of specific instructions (e.g. CPUID) by kernel and user code
This whole new range of dynamic information will be extremely beneficial for our malware detection and deep malware analysis engine.

Please note that hypervisor-based inspection is just one of many technologies offered by Joe Sandbox. We strongly believe in a multi-technology platform. Besides Hypervisor, Joe Sandbox employs the following techniques:

  • Generic Instrumentation (e.g. Office Macro Code, Android, and Javascript)
  • Simulation (Internet traffic, Cookbook)
  • Hybrid Code Analysis (Analysis of non-executed code branches)
  • Execution Graph Analysis (Analysis of the malware with graph analytics)

      Are you excited about this new feature and curious to see it in action? Come and visit us at Blackhat booth #IC69 in Innovation City area and we will give you a demo of some of the great features of our hypervisor implementation!