This article demonstrates how Tycho can be used to gain valuable data on how a process or malware sample behaves, and therefore to detect that sample successfully. With the help of the ELK (Elasticsearch, Logstash, Kibana) stack it is possible to display the gathered data in a dashboard that visualizes how the sample behaves.
In light of yet another side-channel attack, Cyberus Technology announces a public side-channel mitigation test and benchmarking lab. This new lab will enable us to evaluate new side-channel attacks and new mitigations against such attacks in a quick and automated manner.
Today a new variant of the ZombieLoad family of side-channel attacks has been made public. This new variant is called TSX Asynchronous Abort (TAA). TAA works on all recent Intel processors that support Intel TSX, including Intel's most recent Cascade Lake processors.
In light of yet another side-channel attack, Cyberus Technology announces the start of a public side-channel mitigation test and benchmarking lab. This new lab will enable us to evaluate new side-channel attacks and new mitigations against such attacks in a quick and automated manner. Please refer to the release announcement for in-depth information.
Before diving deep into the analysis of unknown malware, some basic knowledge about its behavior is required. As a starting point, it is useful to observe the files the malware touches and changes. Tycho can help to automate the observation of file creation and modification, giving the malware analyst a good overview of its behavior. In this blog entry, I will show you how to build a file tracker with Tycho.
Reverse engineering software is not an easy task, especially not if you do it for the first time.
Hi, my name is Sebastian Manns. I study "general and digital forensics". For one month I have been a trainee at Cyberus Technology, and my job is software/malware analysis with Tycho.
In my first blog entry I will show you how easy it is to evaluate and manipulate system calls with Tycho using Pafish as an example.
Do you recall the turn of the year 2017/18? Of course, I am not referring to the New Year's resolutions that usually get out of sight after a couple of weeks. Back then, I (together with a small team of other security researchers) was waiting for Intel to disclose security vulnerabilities we had discovered in its microprocessor hardware. We expected a fair bit of excitement because the industry had been scrambling to get mitigations in place. However, I was thoroughly gobsmacked by the kind of delayed fireworks unfolding in the media. More than a year has elapsed since then, so it is only fair to ask what is left beyond the sound and smoke - and why it was not the beginning of the end of the familiar IT universe, as predicted by a couple of pessimists.
ZombieLoad is a novel category of side-channel attacks which we refer to as data-sampling attacks. It demonstrates that faulting load instructions can transiently expose private values of one Hyperthread sibling to the other. This new exploit is the result of a collaboration between Michael Schwarz, Daniel Gruss and Moritz Lipp from Graz University of Technology, Thomas Prescher and Julian Stecklina from Cyberus Technology, Jo Van Bulck from KU Leuven, and Daniel Moghimi from Worcester Polytechnic Institute.
In this article, we summarize the implications, shed light on the different attack scenarios across CPU privilege rings, OS processes, virtual machines, and SGX enclaves, and give advice on possible ways to mitigate such attacks.
We are proud to announce that today we are releasing Tycho 1.2. This release features Process Listing, Cuckoo Sandbox Integration and the Autostart Semantic Breakpoint.
We are proud to announce that today we are releasing Tycho 1.1. This release features USB 3 Debug Port Support, System Call Interpretation, and a plugin for IDA Pro that shows memory information directly within IDA.
After Meltdown (see also our article about Meltdown) and Spectre, more vulnerabilities in out-of-order CPUs have been uncovered that use similar side channels. This article is about the L1 Terminal Fault vulnerability, a Meltdown-style attack that is also effective against up-to-date system software incorporating KPTI-like patches. L1 Terminal Fault actually refers to three different vulnerabilities, the ancestor being the Foreshadow vulnerability that was published at this year's USENIX Security Symposium. While the paper's authors focus on SGX security aspects, we are more concerned about the implications for virtualization, as it also enables crossing virtual machine boundaries with uncomfortable ease.