BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//pretalx//cfp.vates.tech//xen-meetup-2025//talk//YJG3DV
BEGIN:VTIMEZONE
TZID:CET
BEGIN:STANDARD
DTSTART:20001029T040000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10
TZNAME:CET
TZOFFSETFROM:+0200
TZOFFSETTO:+0100
END:STANDARD
BEGIN:DAYLIGHT
DTSTART:20000326T030000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=3
TZNAME:CEST
TZOFFSETFROM:+0100
TZOFFSETTO:+0200
END:DAYLIGHT
END:VTIMEZONE
BEGIN:VEVENT
UID:pretalx-xen-meetup-2025-YJG3DV@cfp.vates.tech
DTSTART;TZID=CET:20250131T100000
DTEND;TZID=CET:20250131T103000
DESCRIPTION:Malware analysis sandboxes use virtual machine introspection 
 (VMI) to analyze malware samples. VMI is a set of techniques to monitor 
 the execution of a virtual machine (VM) while remaining isolated from it. 
 Some so-called evasive malware detects the VM execution pauses caused by 
 VMI and refrains from exhibiting its malicious behavior. This problem 
 tends to disappear since sandbox designers manipulate the VM clock to 
 hide these pauses. On the other hand\, the fake network created by a 
 sandbox offers new opportunities to evasive malware: VMI pauses have a 
 measurable impact on network timings\, so malware can detect differences 
 between the performance of the observed network and that of the target 
 system's network.\n\nTo solve this problem\, the TANSIV approach consists 
 of building the sandbox network on top of a discrete-event network 
 simulator. The simulator defines the time reference and TANSIV 
 coordinates the flow of time by synchronizing the virtual clocks with the 
 simulator clock. Packets emitted by the VMs are intercepted and delivered 
 to the destination VM at the virtual time computed by the simulator. The 
 VMs are regularly interrupted to resynchronize them with the network 
 simulator. In the case of hardware virtualization\, in addition to 
 manipulating the virtual clocks to hide VMI pauses\, TANSIV also hides 
 the synchronization pauses with the network simulator.\n\nTANSIV is 
 portable between hypervisors and has been ported to the Xen hypervisor. 
 Moreover\, TANSIV has been integrated with DRAKVUF\, an open-source 
 Xen-based dynamic malware analysis system that leverages VMI to analyze 
 Xen guests. Our results show that TANSIV is able to hide the impact of 
 VMI pauses on both local and network timings.
DTSTAMP:20260518T182715Z
LOCATION:Salles de séminaire 1
SUMMARY:Hiding VMI Pauses on a networked Xen-Based Sandbox with TANSIV - L
 éo Cosseron
URL:https://cfp.vates.tech/xen-meetup-2025/talk/YJG3DV/
END:VEVENT
END:VCALENDAR
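The abstract above describes the mechanism in prose only. The following is an added example, not code from the talk, from TANSIV or from DRAKVUF: a toy discrete-event coordinator in Python that contrasts the two designs the abstract compares. In the first (hide_pauses=False) the sandbox link runs on the host wall clock and a VMI pause is only subtracted from the stalled guest's own clock; in the second (hide_pauses=True) the link runs on the simulator's virtual clock and that clock is what every guest reads, so wall time spent in introspection never becomes visible. The guest names, the 5 ms link latency, the pause lengths and the "monitored syscall right after the send" pause model are all assumptions made for the illustration, and where TANSIV interrupts the VMs in regular quanta to resynchronize them, this toy simply steps the virtual clock straight to the next delivery instant.

```python
import heapq
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

LINK_LATENCY_MS = 5.0  # one-way latency of the simulated link (assumed value)


@dataclass(order=True)
class Packet:
    deliver_at: float  # delivery instant on the network's clock
    seq: int           # tie-breaker so the event order is deterministic
    dst: str = field(compare=False)
    payload: str = field(compare=False)


class Sandbox:
    """hide_pauses=False: the link runs on the host wall clock and a guest's VMI
    pauses are merely subtracted from that guest's own clock (local hiding).
    hide_pauses=True: the link runs on the simulator's virtual clock, which is
    also what the guests read, so host time spent in VMI never reaches them."""

    def __init__(self, hide_pauses: bool) -> None:
        self.hide_pauses = hide_pauses
        self.net_clock = 0.0                      # wall or virtual time, in ms
        self.host_vmi_ms = 0.0                    # wall time burnt in VMI hooks
        self.skew: Dict[str, float] = {}          # per-guest clock compensation
        self.paused_until: Dict[str, float] = {}  # wall instant a guest resumes
        self.handlers: Dict[str, Callable[["Sandbox", str, str], None]] = {}
        self.queue: List[Packet] = []
        self.seq = 0

    def add_guest(self, name: str, handler) -> None:
        self.handlers[name] = handler
        self.skew[name] = 0.0
        self.paused_until[name] = 0.0

    def clock(self, guest: str) -> float:
        """Timestamp the guest reads from its (virtualised) clock."""
        return self.net_clock - self.skew[guest]

    def send(self, dst: str, payload: str, delay: float = LINK_LATENCY_MS) -> None:
        """Intercept a packet and schedule its delivery at net_clock + delay."""
        self.seq += 1
        heapq.heappush(self.queue, Packet(self.net_clock + delay, self.seq, dst, payload))

    def vmi_pause(self, guest: str, pause_ms: float) -> None:
        """A VMI hook stalls `guest` for pause_ms of host wall-clock time."""
        self.host_vmi_ms += pause_ms
        if not self.hide_pauses:
            # Real-time network: the wall clock keeps running while the guest
            # is stalled, and only the guest's own clock is rewound afterwards.
            self.paused_until[guest] = self.net_clock + pause_ms
            self.skew[guest] += pause_ms
        # Simulated-time network: nothing to do, virtual time did not advance.

    def run(self) -> None:
        while self.queue:
            pkt = heapq.heappop(self.queue)
            # Resume the destination at the delivery instant: on a real-time
            # network a stalled guest only sees the packet once it resumes; on
            # simulated time it is stepped to exactly this instant.
            self.net_clock = max(self.net_clock, pkt.deliver_at,
                                 self.paused_until[pkt.dst])
            self.handlers[pkt.dst](self, pkt.dst, pkt.payload)


def probe_rtt(hide_pauses: bool, vmi_pause_ms: float) -> Tuple[float, float]:
    """Evasive sample pings a fake-network peer and times the reply.
    Returns (RTT as read on the sample's clock, host wall time spent in VMI)."""
    box = Sandbox(hide_pauses)
    seen: Dict[str, float] = {}

    def malware(sb: Sandbox, me: str, payload: str) -> None:
        if payload == "start":
            seen["t0"] = sb.clock(me)
            sb.send("service", "ping")
            # The next instruction trips a monitored syscall: the VMI engine
            # stalls this guest while the host inspects it (assumed pause).
            sb.vmi_pause(me, vmi_pause_ms)
        elif payload == "pong":
            seen["rtt"] = sb.clock(me) - seen["t0"]

    def service(sb: Sandbox, me: str, payload: str) -> None:
        if payload == "ping":
            sb.send("malware", "pong")  # fake peer answers immediately

    box.add_guest("malware", malware)
    box.add_guest("service", service)
    box.send("malware", "start", delay=0.0)  # kick-off, not a network packet
    box.run()
    return seen["rtt"], box.host_vmi_ms


def looks_instrumented(rtt_ms: float) -> bool:
    """Evasion check: a reply cannot come back faster than the link's RTT."""
    return rtt_ms < 2 * LINK_LATENCY_MS
```

With local clock hiding only, probe_rtt(False, 8.0) returns an observed RTT of 2 ms and probe_rtt(False, 20.0) returns 0 ms on a link whose physical RTT is 10 ms: the reply was queued on the host while the guest was stalled, the guest's clock was rewound afterwards, so the reply appears to arrive faster than the link allows and looks_instrumented trips. With the simulator as the time reference, probe_rtt(True, p) returns 10 ms for any pause p, even though host_vmi_ms shows the host really did spend that time in VMI.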
