Cyberus Tech Blog

by Florian Pester

In the last post of this series, we described the value proposition of the Cyberus Secure Virtualization Platform (SVP). This post goes into more technical details.

In this post we will talk about:

  • SVP as a fast, flexible and secure virtualization platform
  • How the open-source Hedron Hypervisor enables uniquely flexible virtualization solutions
  • How our microkernel-based virtualization stack enables a small Trusted Compute Base for high-security use-cases
  • Enabling great performance through pass-through virtualization

by Werner Haas

HoTSoS identifies itself as “research event centered on the Science of Security, which aims to address the fundamental problems of security in a principled manner.” Because the seminal Spectre paper won NSA’s Best Scientific Cybersecurity Paper Competition last year, its authors were invited to give a keynote speech at the symposium. Given that the corresponding vulnerabilities were disclosed to Intel almost 4 years ago, we (the authors) decided to take a step back and to look, in HotSoS’ spirit, at the fundamental problems. We (Cyberus Technology) feel deeply honoured that we were entrusted with delivering the talk and want to give you a sneak preview of what to expect.

  • Iron Law of processor performance
  • Memory latency, caching, and side-channels
  • Turing machine and performance increase through parallelism
  • Control flow discontinuities: branch history (BHT) and branch targets (BTB)
  • Spectre v1 (BHT) and v2 (BTB)

By the way, the conference is fully virtual this year and registration is open to everybody for free. The keynote is scheduled for April 14th, 15:35 CEST (9:35am EDT).

Update: in case you are curious about the keynote, the organisers made the slides and the recording available on the HoTSoS site. You can also go directly to YouTube to watch the video.

Cyberus Technology keynote @ 2021 HoTSoS symposium

by Werner Haas

The 17th German IT-Security Congress, organized by the Federal Office for Information Security (BSI), took place on February 2/3 and Cyberus Technology was among a select group of companies providing insights into new developments in this field. Given that we are probably best known for our secure virtualization platform (SVP), we used the opportunity to highlight security-related use cases beyond virtualization’s isolation properties. The starting point was the recent SolarWinds-related security incidents, which highlight the need for more checks and balances in current computer systems. How can we limit the consequences of compromised software, even when a trusted system component is affected? We presented Virtual Machine Introspection as a game-changing answer and talked about its basic principles in layman’s terms. In the following you will find a condensed version of our talk.

Cyberus Technology @ 17. Dt. IT-Sicherheitskongress

Key Points:

  • Compromised software of the trusted compute base is a major challenge as it allows attackers to fly under the radar
  • VMI provides for defense-in-depth and enables event-driven response in a sandbox environment
  • Our microkernel-based architecture offers fine-grained access rights management, thus limiting the consequences of vulnerabilities

by Florian Pester

Today Cyberus Technology announces the general availability of SVP, a fast, flexible and secure virtualization platform. SVP is a fully vertically integrated virtualization solution, designed to enable our customers’ use-cases with high performance and increased security.

secunet has adopted our fast and flexible Secure Virtualization Platform, SVP, as the base platform of SINA Workstation. SINA Workstation is a secure workstation designed for modern working in Public Administration.

Key Points:

  • General availability of SVP, a fast, flexible and secure virtualization platform
  • SVP drives the next generation of SINA Workstation, a secure workstation designed for the public sector
  • A microkernel-based architecture offers the flexibility to tailor the platform to a wide variety of use-cases
  • Support for GPU virtualization enables performant video conferences and improves battery life

by Julian Stecklina

At Cyberus Technology we work on a fast, flexible and secure compute environment. Our innovative virtualization stack is an integral part of this strategy. The foundation of this stack is the open-source Hedron Hypervisor. Hedron already drives our malware analysis platform Tycho and will soon be at the heart of a high-security workstation solution.

This blog post introduces the Hedron Hypervisor and the philosophy around it.

by Sebastian Manns

Network analysis is an important and interesting part of malware analysis. Very often malware communicates with so-called command and control servers. From these servers it receives instructions, keys are exchanged, or new functions are loaded in the form of payloads. If you want to analyze unknown malware, it is a good first step to find out whether the malware connects to a server.

In this blog article I will show you how to quickly and easily create a small network analysis tool for TCP connections with Tycho. The goal is to detect when a process connects to a server, find out the address of the server, and report what data is exchanged.

by Philipp Barthel

This blog gives a brief description of Winnti, a malware well known for attacking German DAX companies, an introduction on how it works, other methods of how to detect Winnti, and my own solution using Tycho and YARA. The script can detect Winnti-injected code in a process by exploiting the malware’s behavior. The Winnti detector script is the foundation of the Winnti detective script, which will be used to extract the configuration data of the Winnti malware sample. The configuration data holds valuable information about the company that has been targeted by the sample discovered by the Winnti detector.

Winnti injects its code into an instance of svchost.exe. This means that by dumping the virtual memory of each process and checking it with the specific YARA rule one can detect whether Winnti is active on the target PC. Fortunately, dumping the virtual memory of a process is really easy and convenient with Tycho, and the following will show you how it’s done.

by Philipp Barthel

In this article I present a Python script that combines Tycho and Volatility in order to analyze physical memory from a target machine. This is especially important when dealing with unknown malware samples. Unlike other approaches, Tycho allows an analyst to carefully monitor processes without ever having to fear that the malware could detect the analyst - read more about this here. For example, if a machine is suspected to be infected by some unknown malware, Tycho can be used to extract the possibly malicious program for further analysis using Volatility and a special Tycho Python script that I developed during my internship and present in this article. The script is able to reliably create memory dumps of a target PC which have the right format to be analyzed by Volatility.

by AbdElaziz Saad

In this article, I will show how easy and fast it is to dump the payload of a packed malware using a simple pyTycho Python script. This explanation is based on the semantic breakpoints feature of Tycho and its open-source library pyTycho. If you are not familiar with Tycho, you can have a look at the previous blogs.

by Philipp Barthel

This article demonstrates how Tycho can be used to gain valuable data on how a process or malware sample behaves and thereby detect said sample successfully. With the help of the ELK (Elasticsearch, Logstash, Kibana) stack it is possible to display the gained data in a dashboard to visualize how the sample behaves.

November 12 2019

by Florian Pester, Jacek Galowicz, Julian Stecklina

Today a new variant of the ZombieLoad family of side-channel attacks has been made public. This new variant is called TSX Asynchronous Abort (TAA). TAA works on all recent Intel processors that support Intel TSX, including Intel’s most recent Cascade Lake processors.

In light of yet another side-channel attack, Cyberus Technology announces the start of a public side-channel mitigation test and benchmarking lab. This new lab will enable us to evaluate new side-channel attacks and new mitigations against such attacks in a quick and automated manner. Please refer to the release announcement for in-depth information.


by Florian Pester, Jacek Galowicz

In light of yet another side-channel attack, Cyberus Technology announces a public side-channel mitigation test and benchmarking lab. This new lab will enable us to evaluate new side-channel attacks and new mitigations against such attacks in a quick and automated manner.

August 20 2019

by Sebastian Manns

Before diving deep into the analysis of unknown malware, some basic knowledge about its behavior is required. As a starting point, it is useful to observe the files the malware touches and changes. Tycho can help to automate the observation of file creation and modification, giving the malware analyst a good overview of its behavior. In this blog entry, I will show you how to build a file tracker with Tycho.


by Sebastian Manns

Reverse engineering a piece of software is not an easy task. Especially not if you do this for the first time.

Hi, my name is Sebastian Manns. I study “general and digital forensics”. For one month I have been a trainee at Cyberus Technology, and my job is Software/Malware Analysis with Tycho.

In my first blog entry I will show you how easy it is to evaluate and manipulate system calls with Tycho using Pafish as an example.

by Werner Haas

Do you recall the year change 2017/18? Of course, I am not referring to the New Year’s resolutions usually getting out of sight after a couple of weeks. Back then, I (together with a small team of other security researchers) was waiting for Intel to disclose security vulnerabilities we had discovered in its microprocessor hardware. We expected a fair bit of excitement because the industry had been scrambling to get mitigations in place. However, I was thoroughly gobsmacked by the kind of delayed fireworks unfolding in the media. More than a year has elapsed since then, so it is only fair to ask what is left beyond the sound and smoke - and why it was not the beginning of the end of the familiar IT universe, as predicted by a couple of pessimists.

by Jacek Galowicz, Thomas Prescher, Julian Stecklina

ZombieLoad is a novel category of side-channel attacks which we refer to as a data-sampling attack. It demonstrates that faulting load instructions can transiently expose private values of one Hyperthread sibling to the other. This new exploit is the result of a collaboration between Michael Schwarz, Daniel Gruss and Moritz Lipp from Graz University of Technology, Thomas Prescher and Julian Stecklina from Cyberus Technology, Jo Van Bulck from KU Leuven, and Daniel Moghimi from Worcester Polytechnic Institute.

In this article, we summarize the implications, shed light on the different attack scenarios across CPU privilege rings, OS processes, virtual machines, and SGX enclaves, and give advice on possible ways to mitigate such attacks.

by Florian Pester

We are proud to announce that today we are releasing Tycho 1.2. This release features Process Listing, Cuckoo Sandbox Integration and the Autostart Semantic Breakpoint.


by Florian Pester

We are proud to announce that today we are releasing Tycho 1.1. This release features USB 3 Debug Port Support, System Call Interpretation, and a plugin for IDA Pro that shows memory information directly within IDA.


by Jacek Galowicz, Werner Haas, Thomas Prescher

After Meltdown (see also our article about Meltdown) and Spectre, more vulnerabilities in out-of-order CPUs have been uncovered that use similar side channels. This article is about the L1 Terminal Fault vulnerability, a Meltdown-style attack that is also effective against up-to-date system software incorporating KPTI-like patches. L1 Terminal Fault actually refers to three different vulnerabilities, with the ancestor being the Foreshadow vulnerability that was published at this year’s USENIX Security Symposium. While the Foreshadow authors focus on SGX security aspects, we are more concerned about the implications for virtualization, as it also enables crossing virtual machine boundaries with uncomfortable ease.

by Thomas Prescher, Julian Stecklina, Jacek Galowicz

After Meltdown (see also our article about Meltdown) and Spectre, which were publicly disclosed in January, the Spectre V3a and V4 vulnerabilities followed in May (see also our article about Spectre V4). According to the German IT news publisher Heise, the latter might be part of 8 new vulnerabilities in total that are going to be disclosed in the course of the year.

Earlier this year, Julian Stecklina (Amazon) and Thomas Prescher (Cyberus Technology) jointly discovered and responsibly disclosed another vulnerability that might be part of these, and we call it LazyFP. LazyFP (CVE-2018-3665) is an attack targeting operating systems that use lazy FPU switching. This article describes what this attack means, outlines how it can be mitigated and how it actually works.


by Jacek Galowicz, Werner Haas

After Meltdown (see also our article about Meltdown) and Spectre, more vulnerabilities in out-of-order CPUs have been uncovered that use similar attack vectors.

This article is about the new variant 4 of the Spectre attack that works without misleading the branch predictor. Instead, it exploits an implementation detail of Intel’s memory disambiguation technique inside the CPU’s pipeline.


by Tor Lund-Larsen

The Cyberus Tycho Malware Forensics Tool is now available for purchase.

Tycho is a uniquely powerful malware forensics tool suite which aids and expedites the work of manual malware analysts and software reverse engineers – a malware debugger on steroids.

by Markus Partheymueller

As an important step towards automating the creation of Windows disk assets/images, we will take a closer look at the Critical Device Database (CDDB) inside the Windows registry. The goal is to transform any locally installed instance to be bootable from iSCSI without having to run a full installation onto an iSCSI disk before.


by Markus Partheymueller

In this article, we will describe how an ordinary Windows 7 installation can be converted to be booted from iSCSI. We will cover the particularities of the Windows network boot process and elaborate on the differences to the normal boot. We then describe our solution using some registry modifications.

February 26 2018

by Markus Partheymueller

This series of three posts is about installing Windows 7 on an iSCSI disk. In this first article, we install it using qemu and iPXE and cover some of the pitfalls and particularities of this install method, as well as the topic of duplicating the resulting disk for use in machines of the same type. Two more follow-up posts will cover details of the network boot process, leading to a method of converting an existing installation to be iSCSI-bootable.


by Martin Messer

In the last article, we showed how to interrupt a process running in an unpatched Windows system on top of the Cyberus virtualization platform before it executes specific system calls, using the Tycho Python API. This time, we demonstrate how to implement a short but useful script that logs which files are accessed by a process of our choice.

by Martin Messer

Due to its introspection capabilities, the Cyberus virtualization platform is able to analyze Windows system calls. In this article we demonstrate how simple it is to extract system call parameters out of a running Windows machine with Python using the Tycho API.

by Jacek Galowicz

In this article we are going to play with a DLL injection tool on a Windows system that is running on top of the Cyberus Virtualization Platform. Using the Tycho Python API, we will see how dead simple it is to check whether a process has been subject to DLL injection.

January 3 2018

by Jacek Galowicz

Meltdown is an attack on the general memory data security of computers with the Intel x86 architecture. Two members of the founder team of Cyberus Technology GmbH were among the first experts to discover this vulnerability. This article describes how Meltdown actually works and also examines the mitigations that have been patched into the most widespread operating systems while the information embargo was still intact.


January 2 2018

by Jacek Galowicz

This article demonstrates how simple it is to set up our analysis tool Tycho and plays with the Tycho Python API in order to outline its potential. We will pause and resume processes, read interesting process information, and inject errors using the Tycho Python API.
