Sandbox Detection Using Hardware Side Channels

Yehonatan Lusky and Avi Mendelson
Technion


Abstract

A common way to detect malware attacks and avoid their destructive impact on a system is the use of virtual machines, a.k.a. sandboxing. Attackers, on the other hand, strive to detect sandboxes when their software is running under such a virtual environment. Accordingly, they postpone launching any attack (malware) as long as it is operating under such an execution environment. Thus, it is common among malware developers to utilize different sandbox detection techniques (sometimes referred to as Anti-VM or Anti-Virtualization techniques). In this paper, we present novel, side-channel-based techniques to detect sandboxes. We show that it is possible to detect even sandboxes that were properly configured and so far considered to be detection-proof. This paper proposes and implements the first attack which leverages side-channel leakage between sibling logical cores to determine the execution environment.