Biblio

A common way to detect malware attacks and avoid their destructive impact on a system is the use of virtual machines; A.K.A sandboxing. Attackers, on the other hand, strive to detect sandboxes when their software is running under such a virtual environment. Accordingly, they postpone launching any attack (Malware) as long as operating under such an execution environment. Thus, it is common among malware developers to utilize different sandbox detection techniques (sometimes referred to as Anti-VM or Anti-Virtualization techniques). In this paper, we present novel, side-channel-based techniques to detect sandboxes. We show that it is possible to detect even sandboxes that were properly configured and so far considered to be detection-proof. This paper proposes and implements the first attack which leverage side channels leakage between sibling logical cores to determine the execution environment.

We present a process for detection of IP theft in VLSI devices that exploits the internal test scan chains. The IP owner learns implementation details in the suspect device to find evidence of the theft, while the top level function is public. The scan chains supply direct access to the internal registers in the device, thus making it possible to learn the logic functions of the internal combinational logic chunks. Our work introduces an innovative way of applying Boolean function analysis techniques for learning digital circuits with the goal of IP theft detection. By using Boolean function learning methods, the learner creates a partial dependency graph of the internal flip-flops. The graph is further partitioned using the SNN graph clustering method, and individual blocks of combinational logic are isolated. These blocks can be matched with known building blocks that compose the original function. This enables reconstruction of the function implementation to the level of pipeline structure. The IP owner can compare the resulting structure with his own implementation to confirm or refute that an IP violation has occurred. We demonstrate the power of the presented approach with a test case of an open source Bitcoin SHA-256 accelerator, containing more than 80,000 registers. With the presented method we discover the microarchitecture of the module, locate all the main components of the SHA-256 algorithm, and learn the module's flow control.