Обнаружение песочницы с использованием аппаратных побочных каналов

[salsa20]

Анализирую док. Вот накидал poc
Го проверим?

Аппаратные составляющие (аппаратные боковые каналы) — это механизмы, которые обеспечивают несанкционированную передачу информации между различными компонентами аппаратного обеспечения компьютера. Эти причины могут возникать из-за совместного использования ресурсов, таких как кэш-память, буферы заполнения, буферы хранения и другие, между различными потоками выполнения или компонентами систем.

для англосаксов выжимка из pdf

Introduction:

• The paper begins by highlighting the increasing number of malware attacks and the need for automated methods to detect and analyze them.
• Sandboxing is a common technique used to analyze malware in a controlled environment, but malware developers often employ techniques to detect when their software is running in a sandbox.
• The authors propose side-channel-based techniques for detecting sandboxes, particularly by exploiting side-channel leakage between sibling logical cores.

Related Work:

• The paper discusses various existing sandbox detection techniques, including virtualized environment artifacts detection, timing attacks, and CPU instructions behavior measurements.
• It mentions previous research on sandbox detection and evasion techniques.

Background:

• The paper provides background information on Simultaneous Multithreading (SMT), a technology that allows different threads to share physical resources.
• It also discusses shared-resources-based side-channel attacks, which take advantage of shared hardware resources to leak information between sibling hardware threads.

Threat Model:

• The authors describe the conditions required for a successful attack, including the need for virtualization technology (e.g., VT-x or AMD-v) and SMT to be enabled.

Attacks Overview:

• The paper presents three novel attacks for sandbox detection:
  - Multicore Leakage: Exploiting the virtual core scheduling mechanism to detect leakage between non-sibling cores.
  - Distinguishable Leakage Rate: Identifying sandbox environments based on differences in the leakage rate over time.
  - VMM Misconfiguration: Detecting sandboxes by analyzing information returned by the hypervisor VMM, particularly focusing on discrepancies in the reported number of logical cores.

Experiments and Results:

• The authors conducted experiments to test their attacks against popular hypervisors, including VMware Workstation, VirtualBox, Microsoft Hyper-V, and MAVMM.
• The results showed that the proposed attacks successfully detected sandboxes in all tested hypervisors, except for the VMM misconfiguration attack against Microsoft Hyper-V.

Discussion:

• The paper discusses the implications of the experiments and emphasizes that the vulnerabilities for sandbox detection are not limited to specific hypervisor vendors or processor types.
• It suggests two practical mitigations: disabling SMT (which impacts performance) or implementing a strict virtual core scheduling policy in the hypervisor.

Conclusion:

• The paper concludes by highlighting the significance of the research in detecting sandboxes using hardware side channels.
• It suggests that the findings open new avenues for innovative research in sandbox detection techniques based on side-channel leakage.

Overall, the paper presents a novel approach to sandbox detection and highlights potential vulnerabilities in existing hypervisors, calling for increased attention to security and mitigation measures in virtualized environments used for malware analysis.

#include <iostream>
#include <thread>
#include <atomic>

// Глобальная переменная для отслеживания утечек данных
std::atomic<bool> data_leakage_detected(false);
// Глобальная разделяемая переменная
std::atomic<int> shared_data(0);

void thread_function() {
    int expected_value = 0;
    int consecutive_mismatches = 0;

    for (int i = 0; i < 10000000; ++i) {
        shared_data.fetch_add(1, std::memory_order_relaxed); // Atomic increment
        int value = shared_data.load(std::memory_order_relaxed); // Atomic read

        if (value != i + 1) {
            consecutive_mismatches++;
        }
        else {
            consecutive_mismatches = 0;
        }

        if (consecutive_mismatches > 100) {
            data_leakage_detected.store(true, std::memory_order_relaxed);
            break;
        }

        expected_value = i + 1;
    }
}


bool check_smt() {
    // Здесь можно реализовать код для определения наличия SMT и
    // соотношения физических и логических ядер
    // Эта функция может быть пустой для простоты

       // Get the number of available hardware threads
    const int num_threads = std::thread::hardware_concurrency();

    // Calculate the number of physical cores
    const int num_physical_cores = num_threads / 2;

    std::cout << "Number of logical cores: " << num_threads << std::endl;
    std::cout << "Number of physical cores: " << num_physical_cores << std::endl;

    if (num_physical_cores < num_threads) {
        std::cout << "SMT (Hyper-Threading) is enabled." << std::endl;
        return true;
    }
    else {
        std::cout << "SMT (Hyper-Threading) is not enabled." << std::endl;
        return false;
    }

    return false;
}

bool check_leakage() {
    // Запуск потоков на разных логических ядрах
    std::thread t1(thread_function);
    std::thread t2(thread_function);

    // Ожидание завершения потоков
    t1.join();
    t2.join();

    // Измерение времени, затраченного на утечку данных
    auto start_time = std::chrono::high_resolution_clock::now();

    for (int i = 0; i < 1000; ++i) {
        t1 = std::thread(thread_function);
        t2 = std::thread(thread_function);
        t1.join();
        t2.join();
    }

    auto end_time = std::chrono::high_resolution_clock::now();
    std::chrono::duration<double> elapsed_seconds = end_time - start_time;

    // Анализ скорости утечки данных
    if (elapsed_seconds.count() < 1.0) {
        // Если утечка данных произошла очень быстро, это может указывать на виртуализацию
        data_leakage_detected.store(true, std::memory_order_relaxed);
    }

    // Анализ флага утечки данных
    return data_leakage_detected.load(std::memory_order_relaxed);
}


int main() {
    bool is_vm = false;

    if (check_smt()) {
        is_vm = true;
    }

    if (check_leakage()) {
        is_vm = true;
    }

    if (is_vm) {
        std::cout << "Observed signs of virtualized environment" << std::endl;
    }
    else {
        std::cout << "Signs of native environment" << std::endl;
    }

    return 0;
}