DEF CON group 11396 @ Rome, Italy
|=-----------------------------------------=[ May 2021 ]=-----------------------------------------=|
by pietroborrello
This is the 14th meeting of the DEF CON group.
Date and location: May 28th from 6 p.m. to 7 p.m. on Zoom (link to be posted in the Telegram group).
The schedule is:
---[ New Directions in Hypervisor Detection, by cristianrichie
Hardware-assisted virtualization is indispensable for dynamic malware analysis, but it introduces timing discrepancies with respect to bare-metal machines, and malware writers can exploit those to perform hypervisor detection.
In this talk, we will see how, despite sandboxes' attempts to modify the values malware can read from classical time sources, evasion is still possible. We will build two novel primitives that take advantage of recent microarchitectural research. The first involves the use of a high-resolution covert time source to revisit well-known detection techniques. The second is a prime+probe attack on the last-level cache to detect the pressure on cache memory caused by the virtual machine monitor's execution in the hypervisor.
Slides link: https://docs.google.com/presentation/d/1gLDU2Ep3iRIfGJv_A2tz2KiCtpYIeyM7tQLdM4pZmO8/edit?usp=sharing