Attacking Sandboxes
SkiifGeek writes "Many anti-malware applications use a sandbox as a tool to help identify potentially malicious software. Now knowledge is spreading about techniques and methods that can allow sandboxed software to target the sandbox itself (and by extension the application that applied it). While attacks that specifically target sandboxing applications are probably a little way off, this technology can be considered the logical extension of techniques and procedures to identify the presence of hosted systems (VMWare, Virtual PC, etc.)."
Strike vs Counterstrike (Score:5, Insightful)
As long as people are imperfect (and they always will be) there will be measures, countermeasures, and counter-countermeasures. New techniques will make old ones obsolete, and even newer techniques will make the once-new techniques no longer apply.
With this understanding, any technology that can outsurvive more than one or two iterations of other products in the same field becomes "venerable" and "stable".
Which makes now a particularly good time to appreciate the guys who worked out the spec for TCP/IP some 30 (?) years ago. Despite going from mainframes, to minis, to PCs, and now on to the era of ubiquitous computing, the basic concepts and ideas behind the TCP/IP specification continue to hold steady and useful. They managed to come up with a technology that, whatever flaws have actually been found, hasn't come up against any real show-stoppers. None.
To which I can only say: WOW.
Once again, they didn't read the article. (Score:5, Insightful)
It also said that software has been found that detects when it's attached to a debugger. Big deal, copy protection schemes have been doing that for decades.
The article then goes on to FUD that code that attacks the sandbox "must" be coming.
Oh, it must be coming. Uhuh.
Re:Arms race for nothing (Score:5, Insightful)
Even Microsoft agrees with you. You can't "clean" a compromised machine.
http://www.microsoft.com/technet/community/column
That goes for other OSes too.
--
BMO
Re:Strike vs Counterstrike (Score:4, Insightful)
It may be even easier. Who cares? However you look at it, TCP is doing its job. If you want to protect against hijacking, the layered topology of the communication stack lets you prevent that at a higher level. (e.g. using encryption, which can be interrupted but not hijacked)
TCP hijacking is merely a side effect of a missing layer in the stack of your application.
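An added illustration of the "missing layer" point above (example code written for this page, not from the thread or any product it mentions): the sender wraps each application message in a record carrying a sequence number and an HMAC-SHA256 tag under a key shared with the receiver. From the application's point of view, a transport-layer hijack amounts to foreign bytes appearing in the stream; those bytes carry no valid tag, and a copied legitimate record replayed later carries a stale sequence number, so the receiver rejects both and stops processing rather than acting on them. The key, the messages and the spliced bytes are all constructed for the demo; a real deployment would get the key from a key exchange and would use TLS rather than a hand-rolled layer.

```python
"""Authenticated framing on top of an unauthenticated byte stream.

Constructed example: records are  header || payload || HMAC-SHA256(key, header || payload)
where header = (uint32 sequence number, uint16 payload length).
"""
import hashlib
import hmac
import struct

HEADER = struct.Struct("!IH")            # sequence number (uint32), payload length (uint16)
TAG_LEN = hashlib.sha256().digest_size   # 32-byte tag

# Constructed shared key for the demo; in practice it comes from a key exchange.
KEY = b"example-shared-key-do-not-reuse"


def frame(seq: int, payload: bytes, key: bytes = KEY) -> bytes:
    """Build one authenticated record for the given sequence number and payload."""
    header = HEADER.pack(seq, len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def parse_records(stream: bytes, key: bytes = KEY):
    """Walk the stream record by record, checking tag first, then sequence.

    Returns (accepted_payloads, rejection_reason). Processing stops at the first
    bad record: nothing after an unauthenticated splice can be trusted either.
    """
    accepted = []
    expected_seq = 0
    pos = 0
    while pos < len(stream):
        if len(stream) - pos < HEADER.size:
            return accepted, "truncated header"
        seq, length = HEADER.unpack_from(stream, pos)
        body_end = pos + HEADER.size + length
        end = body_end + TAG_LEN
        if end > len(stream):
            return accepted, "truncated record"
        body = stream[pos:body_end]
        tag = stream[body_end:end]
        expected_tag = hmac.new(key, body, hashlib.sha256).digest()
        # Constant-time comparison so tag checking does not leak timing information.
        if not hmac.compare_digest(tag, expected_tag):
            return accepted, f"bad tag at offset {pos}"
        if seq != expected_seq:
            return accepted, f"sequence {seq} != expected {expected_seq} (replay or gap)"
        accepted.append(body[HEADER.size:])
        expected_seq += 1
        pos = end
    return accepted, None


def demo():
    """Run three streams through the receiver: clean, spliced, and replayed."""
    r0 = frame(0, b"BALANCE?")        # constructed legitimate traffic
    r1 = frame(1, b"TRANSFER 10")

    # Case 1: untouched stream, every record accepted.
    clean = parse_records(r0 + r1)

    # Case 2: foreign bytes spliced into the stream. Without the key, the best a
    # third party can do is attach a tag that will not verify (all zeros here).
    forged = HEADER.pack(2, 12) + b"TRANSFER 999" + b"\x00" * TAG_LEN
    spliced = parse_records(r0 + r1 + forged)

    # Case 3: a copy of r1 replayed. The tag verifies, but the sequence is stale.
    replayed = parse_records(r0 + r1 + r1)

    return clean, spliced, replayed


if __name__ == "__main__":
    for label, result in zip(("clean", "spliced", "replayed"), demo()):
        print(label, result)
```

The tag is checked before the sequence number so that a forged record is never able to influence receiver state; the sequence check then catches replay of genuine records, which a tag alone cannot.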
Re:Sandbox the sandbox (Score:3, Insightful)
I don't think you understand what he's really saying - you could hand out RSA key fobs and/or client certificates that authenticate the browser to the bank. Without that, the password would/could be utterly useless.
If the bank uses the key fob, you can't enter by password alone. If the bank uses client certificates, then that must be installed on the browser first (much more difficult than just lifting a password).
Now, if only they made it easier to set up client certificates...