Xen Winter Meetup 2025

Malware analysis sandboxes use virtual machine introspection (VMI) to analyze
malware samples. VMI is a set of techniques to monitor the execution of a
virtual machine (VM) while remaining isolated from the VM. Some so-called
evasive malware detects VM execution pauses caused by VMI to avoid exhibiting
their malicious behavior. This problem tends to disappear since sandbox
designers manipulate the VM clock to hide these pauses. On the other hand, the
fake network created by a sandbox offers new opportunities to evasive malware.
Indeed, VMI pauses have a measurable impact on network performance. In this way,
malware can detect performance differences between the observed network and the
network of the target system.

To solve this problem, the TANSIV approach consists in building the sandbox
network on top of a discrete-event network simulator. The simulator defines the
time reference and TANSIV coordinates the flow of time, by synchronizing the
virtual clocks with the simulator clock. Packets emitted by the VMs are
intercepted and transmitted to the destination VM at the virtual time calculated
by the simulator. The VMs are regularly interrupted to resynchronize them with
the network simulator. In the case of hardware virtualization, in addition to
manipulating the virtual clocks to hide VMI pauses, TANSIV hides the
synchronization pauses with the network simulator.

TANSIV is portable between hypervisors and has been ported on the Xen
hypervisor. Moreover TANSIV has been integrated with DRAKVUF, an open-source
Xen-based hypervisor which leverages VMI to analyze Xen guests. Our results show
that TANSIV is able to hide the impact of VMI pauses both on local and network
timings.