Cyberus Technology welcomes students and encourages them to work on research related topics. Our software stack is a good research base, as it resides in the field of operating systems (OS) and virtualization. One example is my journey at Cyberus. I am Philipp Schuster, a former student and now full-time employee. From October 2021 to April 2022, I wrote my thesis (Diplomarbeit) at TU Dresden in cooperation with Cyberus Technology. It has the title A Policy-Free System-Call Layer for the Hedron Microhypervisor and covers multiple interesting aspects of OS development and integrates into our existing technology stack. Instead of focusing on the virtualization part of our stack (see our SVP product), the thesis focuses on applications running directly on top of Hedron. We call them Hedron-native applications or hyperapps. Hedron is the kernel (Hypervisor) that builds the secure base of our SVP stack.
In this blogpost, I am going to outline a few exciting key aspects of the thesis and provide links to dig further into the topic, in case you are interested.read more
In the last post of this series, we described the value proposition of the Cyberus Secure Virtualization Platform (SVP). This post goes into more technical details.
In this post we will talk about:
HoTSoS identifies itself as "research event centered on the Science of Security, which aims to address the fundamental problems of security in a principled manner." Because the seminal Spectre paper won NSA's Best Scientific Cybersecurity Paper Competition last year, its authors were invited to give a keynote speech at the symposium. Given that the corresponding vulnerabilities were disclosed to Intel almost 4 years ago, we (the authors) decided to take a step back and to look, in HotSoS' spirit, at the fundamental problems. We (Cyberus Technology) feel deeply honoured that we were entrusted with delivering the talk and want to give you a sneak preview of what to expect.
By the way, the conference is fully virtual this year and registration is open to everybody for free. The keynote is scheduled for April 14th, 15:35 CEST (9:35am EDT).read more
The 17th German IT-Security Congress, organized by the Federal Office for Information Security (BSI), took place on February 2/3 and Cyberus Technology was among a select group of companies providing insights into new developments in this field. Given we are probably best known for our secure virtualization platform (SVP), we used the opportunity to highlight security-related use cases beyond virtualization's isolation properties. Starting point were the recent Solarwinds-related security incidents that highlight the need for more checks and balances in current computer systems. How can we limit the consequences of compromised software, even when a trusted system component is affected? We presented Virtual Machine Introspection as game changing answer and talked about its basic principles in laymen's terms. In the following you will find a condensed version of our talk.
Today Cyberus Technology announces the general availabiliy of SVP, a fast, flexible and secure virtualization platform. SVP is a fully vertically integrated virtualization solution, designed to enable our customers' use-cases with high performance and increased security.
secunet has adopted our fast and flexible Secure Virtualization Platform, SVP, as the base platform of SINA Workstation ⁴. SINA Workstation is a secure workstation designed for modern working in Public Administration.
At Cyberus Technology we work on a fast, flexible and secure compute environment. Our innovative virtualization stack is an integral part of this strategy. The foundation of this stack is the open-source Hedron Hypervisor. Hedron already drives our malware analysis platform Tycho and will soon be at the heart of a high-security workstation solution.
This blog post introduces the Hedron Hypervisor and philosophy around it.read more
Network analysis is an important and interesting part of malware analysis. Very often malware communicates with so-called command and control servers. From these servers it receives instructions, keys are exchanged or new functions are loaded in the form of payloads. If you want to analyze unknown Malware, it is a good first step to find out if the malware connects to a server.
In this blog article i will show you, how to quickly and easily create a small network analysis tool for TCP connections with Tycho. The goal is to detect when a process connects to a server, find out the address of the server, and report what data is exchanged.read more
This blog gives a brief description of Winnti, a malware well known for attacking german DAX companies, an introduction on how it works, other methods of how to detect Winnti and my own solution using Tycho and YARA. The script can detect Winnti injected code in a process by exploiting the malware's behavior. The Winnti detector script is the fundament of the Winnti detective script, which will be used to extract the configuration data of the Winnti malware sample. The configuration data holds valuable information about the company that has been targeted by the sample discovered by the Winnti detector.
Winnti is injecting its code into
an instance of
svchost.exe. This means by dumping the virtual memory of each process and checking it with the specific
YARA rule one can detect if Winnti is active on the target PC. Fortunately, dumping virtual memory of a
process is really easy and convenient with Tycho and the following will show you how it's done.
In this article I present a python script that combines Tycho and Volatility in order to analyze physical memory from a target machine. This is especially important when dealing with unknown malware samples. Unlike other approaches, Tycho allows an analyst to carefully monitor processes without ever having to fear that the malware could detect the analyst - read more about this here. For example if a machine is suspected to be infected by some unknown malware, Tycho can be used to extract the possibly malicious program for further analysis using Volatility and a special Tycho Python script, that I developed during my internship and present in this article. The script is able to reliably create memory dumps of a target PC which have the right format to be analyzed by Volatility.read more
In this article, I will show how easy and fast it is to dump the payload of a packed malware using a simple pyTycho python script. This explanation is based on the semantic breakpoints feature of Tycho and its open-source library
pyTycho. If you are not familiar with Tycho, you can have a look at the previous blog posts.