Xen Winter Meetup 2025

Léo Cosseron

Léo Cosseron is a 3rd year PhD student in the MAGELLAN team at IRISA (Rennes), and holds an M2 in Computer Science from ENS Rennes (2022). His research interests include hardware virtualization, network simulation and system security. For his thesis, Léo is working on precisely synchronizing a network simulator with a malware analysis sandbox, with the aim of creating a dummy network environment that is indistinguishable from a real network, in order to counter evasive malware that fingerprints network performance.


Session

01-31
10:00
30min
Hiding VMI Pauses on a networked Xen-Based Sandbox with TANSIV
Léo Cosseron

Malware analysis sandboxes use virtual machine introspection (VMI) to analyze
malware samples. VMI is a set of techniques to monitor the execution of a
virtual machine (VM) from outside the VM, while remaining isolated from it.
Some so-called evasive malware detects the VM execution pauses caused by VMI
and then refrains from exhibiting its malicious behavior. This problem tends to
disappear, since sandbox designers now manipulate the VM clock to hide these
pauses from the guest. On the other hand, the fake network created by a sandbox
offers new opportunities to evasive malware: VMI pauses have a measurable impact
on network performance, so a sample can compare the timing of the network it
observes with the timing it expects from the network of its intended target and
detect the difference.

To solve this problem, the TANSIV approach consists of building the sandbox
network on top of a discrete-event network simulator. The simulator defines the
time reference, and TANSIV coordinates the flow of time by synchronizing the
virtual clocks of the VMs with the simulator clock. Packets emitted by the VMs
are intercepted and delivered to the destination VM at the virtual time computed
by the simulator. The VMs are regularly interrupted to resynchronize them with
the network simulator. In the case of hardware virtualization, in addition to
manipulating the virtual clocks to hide VMI pauses, TANSIV also hides the pauses
caused by this synchronization with the network simulator.
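The following toy model, added here as an illustration and not TANSIV's, DRAKVUF's or Xen's code, shows the mechanism described above: a discrete-event simulator owns the time reference, guests advance their clocks only in lockstep with it, packets are delivered at simulator-computed virtual times, and wall-clock time lost to VMI at the synchronization barrier never reaches a guest clock. The link latency, the resync quantum, the guest names and the `Guest`/`NetworkSimulator` classes are all assumptions made for the example; for contrast, a second function models a sandbox that corrects guest clocks but still carries packets over the host network, where a VMI pause on the peer shows up in full in the measured round-trip time.

```python
"""Lockstep clock coordination between VMs and a discrete-event network
simulator, as a toy model of the TANSIV idea. Constructed for this page;
it is not TANSIV's or DRAKVUF's code."""
import heapq

LINK_LATENCY_US = 500   # assumed one-way delay of the simulated link (microseconds)
QUANTUM_US = 250        # assumed period at which guests are stopped and resynced


class NetworkSimulator:
    """Discrete-event simulator that owns the time reference."""

    def __init__(self):
        self.now = 0
        self._queue = []   # (delivery vtime, seq, src, dst, payload)
        self._seq = 0

    def send(self, t_send, src, dst, payload):
        # Delivery time is computed in virtual time; host wall clock plays no part.
        self._seq += 1
        heapq.heappush(self._queue, (t_send + LINK_LATENCY_US, self._seq, src, dst, payload))

    def advance(self, until):
        """Advance the simulator clock and return every packet due by `until`."""
        due = []
        while self._queue and self._queue[0][0] <= until:
            t, _, src, dst, payload = heapq.heappop(self._queue)
            due.append((t, src, dst, payload))
        self.now = until
        return due


class Guest:
    """A VM whose guest-visible clock is advanced only by the coordinator."""

    def __init__(self, name, vmi_pause_us=0):
        self.name = name
        self.vclock = 0
        self.inbox = []                    # (delivery vtime, src, payload)
        self.sent_at = {}                  # peer -> vclock when a ping was sent
        self.rtts = []                     # round-trip times measured by this guest
        self.vmi_pause_us = vmi_pause_us   # wall time VMI steals when this guest handles a packet
        self.stall_us = 0                  # pause owed to VMI at the next barrier

    def handle(self, sim, src, payload):
        self.stall_us += self.vmi_pause_us   # introspection hooks fire on packet handling
        if payload == "ping":
            sim.send(self.vclock, self.name, src, "pong")
        elif payload == "pong":
            self.rtts.append(self.vclock - self.sent_at.pop(src))


def run_lockstep(guests, sim, quanta):
    """Run guests in lockstep with the simulator; return host wall time consumed."""
    by_name = {g.name: g for g in guests}
    wall = 0
    for _ in range(quanta):
        for g in guests:
            for _t, src, payload in g.inbox:   # packets the simulator delivered
                g.handle(sim, src, payload)
            g.inbox.clear()
            g.vclock += QUANTUM_US             # guest runs one quantum of virtual time
            wall += QUANTUM_US                 # and real time passes at the same rate
        # Barrier: every guest is stopped. VMI work (and the barrier itself) costs
        # wall time here, but no guest clock moves, so the pause is invisible inside.
        for g in guests:
            wall += g.stall_us
            g.stall_us = 0
        for t, src, dst, payload in sim.advance(sim.now + QUANTUM_US):
            by_name[dst].inbox.append((t, src, payload))
    return wall


def rtt_with_simulated_network(vmi_pause_us):
    """(RTT seen by A, wall time spent) when B is introspected while replying."""
    sim = NetworkSimulator()
    a, b = Guest("A"), Guest("B", vmi_pause_us)
    a.sent_at["B"] = a.vclock
    sim.send(a.vclock, "A", "B", "ping")
    wall = run_lockstep([a, b], sim, quanta=8)
    return a.rtts[0], wall


def rtt_on_host_network(vmi_pause_us):
    """Same exchange in a sandbox that corrects A's local clock but keeps a real network.

    A's clock is wall time minus what VMI stole from A (nothing here), so the
    pause suffered by B shows up in full as extra round-trip time.
    """
    wall = 0
    t_ping = wall                # A sends the ping
    wall += LINK_LATENCY_US      # ping crosses the host network to B
    wall += vmi_pause_us         # B is frozen by introspection before it replies
    wall += LINK_LATENCY_US      # pong crosses back
    return wall - t_ping


if __name__ == "__main__":
    for pause in (0, 20_000):
        rtt, wall = rtt_with_simulated_network(pause)
        print(f"VMI pause {pause:>6} us: simulated net RTT {rtt} us (wall {wall} us), "
              f"host net RTT {rtt_on_host_network(pause)} us")
```

With a 20 ms introspection pause on B, the host-network sandbox reports a 21 ms round trip while the lockstep model still reports exactly two link latencies; the pause is paid in wall time at the barrier and nowhere else. The model processes a delivered packet at the start of the guest's next quantum, so an RTT that is not a multiple of the quantum would be rounded up by at most one quantum, which is a property of the quantization, not of the pause.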

TANSIV is portable between hypervisors and has been ported to the Xen
hypervisor. Moreover, TANSIV has been integrated with DRAKVUF, an open-source
Xen-based malware analysis framework that leverages VMI to analyze Xen guests.
Our results show that TANSIV is able to hide the impact of VMI pauses on both
local and network timings.

Session Presentations
Seminar room 1