High-level Overview

The Tycho setup consists of two computers: an analyst system and a target system, connected over a dedicated communication channel (USB3 debug cable, legacy serial, or AMT).

Analyst System and Target System connected via USB3 debug cable or serial connection

Analyst System

The analyst system runs any favored Linux or Windows based operating system and can have all of the analyst's favorite tools installed. A Tycho service application connects to the hypervisor running on the target system and exposes it as an endpoint that integrates with standard tools.

Tycho integrates into existing tool ecosystems and analyst workflows

Whether via a supported tool or the Python API, the analyst has a full system view of the target's operating system and application state. At the same time, the analyst PC is completely isolated from whatever happens inside the target system.

Target System

The target system runs an unchanged Windows 7 (64-bit) operating system simulating a victim system that hosts the malware under analysis. The Cyberus Secure Virtual Platform runs underneath the Windows OS:

Cyberus Secure Virtual Platform Stack

The target machine can be a special analysis box in an isolated lab, or an already infected system in the field.

Cyberus Secure Virtual Platform

Deploying the Cyberus Secure Virtual Platform Stack

Ad-hoc Deployment via USB or Network

The Cyberus Virtual Machine can be deployed even after Windows has been installed on the target system. After the hypervisor has been booted, it will chainload the already installed operating system from disk. Rebooting the machine removes the hypervisor again.

There are currently three supported methods to deploy the hypervisor: from a USB stick, via PXE network boot, or from disk via GRUB.

Small Low-Overhead Passthrough Hypervisor

Tycho provides a tiny virtual machine monitor which virtualizes and encapsulates the guest OS, its applications, and with them the malware under analysis. Only the host's CPU, memory, and interrupts are virtualized; all other hardware devices are under direct control of the guest OS. This keeps the overhead at a minimum and leaves no debugging artifacts in the guest operating system that malware could observe.

The Cyberus VM itself is designed with security as a first-class goal: it is based on microkernel technology that splits the system into deprivileged components on top of a very minimal kernel. Tycho is based on NOVA, an open source microkernel hypervisor developed in Germany.

Semantic Breakpoints

Examples for semantic breakpoints:

Semantic Breakpoint | Mechanism behind it
--- | ---
Process reads/writes from/to file system (Blog article) | Syscall interpretation
Process resolves specific domains | Syscall interpretation
A process unpacks itself and is about to execute its first instruction of payload code, aka Execute-After-Write | Memory access events in the hypervisor's guest memory mappings
A DLL was injected into a process (Blog article) | VAD tree monitoring
One process writes to memory that was originally mapped into another process | Syscall interpretation + VAD tree monitoring
A process hides itself in the process list | Process list monitoring

Semantic Breakpoints, a feature only available in the Cyberus Virtual Machine Introspection engine, allow analysts to use their experience to define and set behavioral (semantic, higher-order) breakpoints that stop program execution at the desired point. This avoids endless, time-consuming searches through the program code for the right code entry point.

Analysts: You can compile your own rulesets/semantic breakpoints and share them among your peers. With your own collection of rich semantic breakpoints you can also quickly automate tasks that were previously regarded as tedious. This way, Tycho lets you tap into your own contextual knowledge of how malware must or should work, putting your competence and creativity in charge of the tools rather than the opposite.

Semantic breakpoints do not require any cooperation with the guest OS!
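As an added illustration (not Tycho's own code or API), the following Python model shows how the Execute-After-Write breakpoint from the table above can be derived from a stream of guest memory-access events such as the hypervisor's memory mappings deliver. The event format, the per-process page tracking and the sample trace are assumptions constructed for this example.

```python
from dataclasses import dataclass, field

PAGE_SHIFT = 12  # assumption: 4 KiB guest pages


@dataclass(frozen=True)
class MemAccess:
    """One guest memory access as reported by the hypervisor (assumed format)."""
    pid: int     # guest process the access belongs to
    vaddr: int   # guest virtual address
    kind: str    # "R" (read), "W" (write) or "X" (instruction fetch)


@dataclass
class ExecuteAfterWriteDetector:
    """Semantic breakpoint 'process unpacks itself and executes its payload':
    fire when a process fetches an instruction from a page it wrote earlier."""
    written: dict = field(default_factory=dict)  # pid -> set of dirty page numbers
    hits: list = field(default_factory=list)     # (pid, vaddr) where the breakpoint fired

    def on_access(self, ev: MemAccess) -> bool:
        page = ev.vaddr >> PAGE_SHIFT
        dirty = self.written.setdefault(ev.pid, set())
        if ev.kind == "W":
            dirty.add(page)          # this page now holds self-written bytes
            return False
        if ev.kind == "X" and page in dirty:
            self.hits.append((ev.pid, ev.vaddr))
            dirty.discard(page)      # re-arm only after the page is written again
            return True
        return False

    def run(self, trace):
        # Feed a whole trace; returns the breakpoint hits in order.
        for ev in trace:
            self.on_access(ev)
        return list(self.hits)


# Constructed sample trace: pid 4711 decodes a payload into 0x401000.. and jumps
# into it; pid 4712 only executes code it never modified.
SAMPLE_TRACE = [
    MemAccess(4711, 0x401000, "W"),
    MemAccess(4711, 0x401010, "W"),
    MemAccess(4712, 0x402000, "X"),   # clean code path, must not fire
    MemAccess(4711, 0x500000, "R"),
    MemAccess(4711, 0x401000, "X"),   # first payload instruction -> breakpoint
    MemAccess(4711, 0x401004, "X"),   # same page, already reported
]

if __name__ == "__main__":
    for pid, vaddr in ExecuteAfterWriteDetector().run(SAMPLE_TRACE):
        print(f"Execute-After-Write in pid {pid} at {vaddr:#x}")
```

In a real deployment the write and fetch events come from the hypervisor's guest memory mappings, so the guest OS needs no agent and sees no breakpoint instruction.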

Tools Integration

The heart of the analyst side of Tycho is the Tycho Server, which manages the connection to the target system. From there, it provides multiple endpoint personalities via TCP sockets:

  • A GDB stub server, which enables interacting with Tycho via IDA Pro, Binary Ninja, GDB, etc.
  • A Python API endpoint, which allows scripts to automate malware analysis in combination with malware analysis libraries/frameworks such as Volatility.

Cuckoo Sandbox Integration


("Cuckoo Sandbox" is an open source project that is not affiliated to Cyberus Technology GmbH)

Cuckoo automates malware sample discovery and analysis by executing potential malware samples in a sandbox environment. Unfortunately, malware can detect this environment and decide not to execute its malicious code paths, so that it proceeds undetected.

Tycho provides a Cuckoo sandbox integration that solves this problem: Malware does not detect the Tycho analysis environment, because the Cyberus VM is invisible by default and Tycho's analysis features do not depend on cooperation with the guest OS!