Attacking Sandboxes 110
SkiifGeek writes "Many anti-malware applications use a sandbox as a tool to help identify potentially malicious software. Now knowledge is spreading about techniques and methods that can allow sandboxed software to target the sandbox itself (and by extension the application that applied it). While attacks that specifically target sandboxing applications are probably a little way off, this technology can be considered the logical extension of techniques and procedures to identify the presence of hosted systems (VMWare, Virtual PC, etc.)."
Enter the Sandbox (Score:2, Funny)
Sandbox the sandbox (Score:4, Funny)
Re:Sandbox the sandbox (Score:5, Funny)
Re:Sandbox the sandbox (Score:5, Funny)
Love this -- like the turtles.... (Score:5, Funny)
Re:Love this -- like the turtles.... (Score:5, Funny)
Aborted
Re: (Score:2, Funny)
Oh Slashdot, your memes are teh win.
Re:Sandbox the sandbox (Score:5, Funny)
Re:Sandbox the sandbox (Score:5, Interesting)
It's all layers of useless crap piled on top of each other which doesn't stop the real problem of people falling for stupid phishing sites, and entering a password in a site that looks like their bank's. If they really wanted to add real security they'd hand out RSA key fobs to everyone instead of adding layers of stuff that makes it look more secure but actually isn't.
Re: (Score:3, Insightful)
Re:Sandbox the sandbox (Score:4, Insightful)
Re: (Score:3, Insightful)
I don't think you understand what he's really saying - you could hand out RSA key fobs and/or client certificates that authenticate the browser to the bank. Without that, the password would/could be utterly useless.
If the bank uses the key fob, you can't enter by password alone. If the bank uses client certificates, then that must be
Re: (Score:2, Interesting)
e.g. user visits phisherman's site, phisherman's server visits bank, passes on RSA auth request to user's browser, user's browser passes auth request back to phisherman, who passes it to bank. Phisherman now logged on as user?
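The relay described in the comment above, as an added example that is not part of the thread: a phisher sits between the victim's browser and the bank and forwards whatever the victim types. Against a time-based code from a fob (SecurID/TOTP style) the relay works, because the code says nothing about where it was typed. Against a challenge/response that also covers the origin the browser is actually connected to (the idea behind client certificates and origin-bound authenticators), the same relay fails, because the bank only accepts a response computed over its own origin. The bank, users, origins and keys are constructed for the example, and an HMAC with a per-device secret stands in for a signature with the device's private key; the property being shown is the binding, not the key type.

```python
import hmac
import hashlib
import secrets

# Origins as the browser sees them. The victim typed the look-alike address,
# so their browser is talking to the phisher, not to the bank. (Constructed names.)
BANK_ORIGIN = "bank.example"
PHISHER_ORIGIN = "bank-login.example"


def otp_code(seed, time_step):
    """Time-based one-time code (SecurID/TOTP style): HMAC over the time window,
    truncated to six digits. The code carries no information about where it is typed."""
    digest = hmac.new(seed, str(time_step).encode(), hashlib.sha256).digest()
    return "{:06d}".format(int.from_bytes(digest[:4], "big") % 1_000_000)


def bound_response(device_key, nonce, origin):
    """Challenge response that also covers the origin the browser is connected to.
    HMAC with a per-device secret stands in for a signature with the device's private key."""
    return hmac.new(device_key, "{}|{}".format(nonce, origin).encode(), hashlib.sha256).hexdigest()


class Bank:
    def __init__(self):
        self.users = {}    # user -> (otp seed, device key)
        self.pending = {}  # user -> outstanding challenge nonce

    def enroll(self, user, otp_seed, device_key):
        self.users[user] = (otp_seed, device_key)

    def login_with_otp(self, user, code, time_step):
        seed, _ = self.users[user]
        return hmac.compare_digest(code, otp_code(seed, time_step))

    def new_challenge(self, user):
        nonce = secrets.token_hex(16)
        self.pending[user] = nonce
        return nonce

    def login_with_response(self, user, response):
        _, device_key = self.users[user]
        nonce = self.pending.pop(user, None)   # single use
        if nonce is None:
            return False
        # The bank only ever accepts a response computed over its own origin.
        return hmac.compare_digest(response, bound_response(device_key, nonce, BANK_ORIGIN))


def make_bank():
    bank = Bank()
    bank.enroll("alice", b"otp-seed-alice", b"device-key-alice")   # constructed enrollment data
    return bank


def otp_relay_attack(time_step=12345):
    """Phisher shows a fake login page, victim types the fob code, phisher submits it to the
    bank within the same time window. Returns True if the phisher is logged in as the victim."""
    bank = make_bank()
    seed, _ = bank.users["alice"]
    code_typed_by_victim = otp_code(seed, time_step)   # read off the fob, typed into the fake page
    return bank.login_with_otp("alice", code_typed_by_victim, time_step)


def bound_relay_attack():
    """Same relay against an origin-bound challenge/response. Returns True if the phisher gets in."""
    bank = make_bank()
    _, device_key = bank.users["alice"]
    nonce = bank.new_challenge("alice")   # phisher opens a session with the bank, gets the nonce
    # Phisher forwards the nonce to the victim's browser, which answers it,
    # but the browser binds the answer to the site it is actually on.
    response = bound_response(device_key, nonce, PHISHER_ORIGIN)
    return bank.login_with_response("alice", response)   # forwarded to the bank, rejected


def bound_legitimate_login():
    """Control case: the victim talks to the real bank, so the binding matches."""
    bank = make_bank()
    _, device_key = bank.users["alice"]
    nonce = bank.new_challenge("alice")
    response = bound_response(device_key, nonce, BANK_ORIGIN)
    return bank.login_with_response("alice", response)


if __name__ == "__main__":
    print("OTP relay lets the phisher in:", otp_relay_attack())
    print("Origin-bound relay lets the phisher in:", bound_relay_attack())
    print("Origin-bound legitimate login works:", bound_legitimate_login())
```

The check that matters is in `login_with_response`: the bank recomputes the response over its own origin, so anything the phisher relays from a browser that was talking to `bank-login.example` will not verify. A fob code has no such field to check, which is why it is relayable in real time however short its validity window.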
Re: (Score:2)
This question belies a misunderstanding of public-key cryptography. With public cryptography (often called dual-key cryptography) the only thing exposed is a public key, which can only be used to encrypt. Without the matching private key, anything encrypted with the public key is indecipherable.
Thus, the man-in-the-middle attack is prevented.
Re: (Score:1)
When you said "RSA key fobs" I instantly thought of RSA SecurID tokens, which I believe do not provide this as a feature, so would leave the mentioned hole open. However private keys clearly are provided by the RSA Smart Key range, which, as you say, would stop the MITM.
Does anyone know if RSA Smart Keys (or equivalent) actually integrate with browsers easily?
Re: (Score:2)
A very low-tech approach would be this: On your paper bank statement that you receive every month, print a list of twenty 10-digit access codes. Each access code can be only used by you, in the following month, and only once. One month delay so you can tell your bank if the statement didn't
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
Plus banks are trying to push people to electronic statements. They're actually more secure, since mail theft is a very common method of obtaining personal information.
I would also appreciate it if they didn't let someone log in and use "bill pay", which I had never previously used, to send himself (well probably s
Re: (Score:1)
Mind you, I'm in
Re: (Score:2)
For anyone in the US reading this, I would recommend finding a credit union. Since they are owned by the members, they are generally more responsive, offer lower rate mortgages to long time customers, etc. Also your money is lent out to people like you, based on whatever criteria for which you can find a credit union including: your religion, your local regi
Re: (Score:2)
Re: (Score:3, Informative)
Does that mean the use is restricted to the users own computers or any others that has the correct interface and software which is able to send the key-fob data to the bank's server at the correct time?
A password will work with *any* computer, but a piece of hardware, whether key-fob or biometric scanner will only work with a computer that has the correct software installed on it. That software would have to be st
Re: (Score:2)
Alternatively, if you have a smart keyfob, you punch in your password (cached for say 5 minutes) and then out comes some new number which you then use to log in.
There are plenty of other alternatives - ask the crypto people.
Still you do not want to be using an untrusted computer since on
Re: (Score:2, Funny)
Re: (Score:2)
Bah, all banks in the Netherlands, and most of Europe, do this. Either that or they rely on mobile devices or one time codes to do secure login and transaction authentication. If they didn't, I would switch banks. Although the security devices here are delivered by a company named Vasco. The devices are not connected to the PC as you indee
Re: (Score:2)
Re: (Score:2, Interesting)
Re: (Score:1)
Most of the sandboxed systems it refers to in the article are anti(virus/spyware/malware) programs. If the machine is already compromised with some malware, there's no real incentive for a virus to become active only when Symantec's VM runs across them. If it's already on the system, there's no limit to the damage a file could do through other (more direct) methods.
Referring to a cousin comment, it's probably better for the malware to lay low when scanned rathe
Re: (Score:3, Insightful)
Overcoming sandboxing (Score:1)
utility called Cats(TM). It will effectively pollute any benefits of sandboxing. In addition, it will spawn child processes Kittens(TM) to further confuse the processes.
Serves us right (Score:3, Funny)
Re: (Score:3, Funny)
Well, silicium, anyway.
Old news (Score:4, Informative)
"Thwarting Virtual Machine Detection" is a nice paper on virtual machine detection.
Re: (Score:3, Insightful)
Re: (Score:1)
Re: (Score:2, Interesting)
Strike vs Counterstrike (Score:5, Insightful)
As long as people are imperfect (and they always will be) there will be measures, countermeasures, and counter-counter measures. New techniques will make old ones obsolete, and even newer techniques will make the once-new techniques no longer apply.
With this understanding, any technology that can outsurvive more than one or two iterations of other products in the same field becomes "venerable" and "stable".
Which makes now a particularly good time to appreciate the guys who worked out the spec for TCP/IP some 30 (?) years ago. Despite going from mainframes, to minis, to PCs, and now on to the era of ubiquitous computing, the basic concepts and ideas behind the TCP/IP specification continue to hold steady and useful. They managed to come up with a technology, that whatever flaws have actually been found, hasn't come up against any real show-stoppers. None.
To which I can only say: WOW.
Re: (Score:2)
Re: (Score:2)
Would that really be considered a flaw in TCP/IP though? That's really Ethernet's (L2/L1) fault, TCP/UDP (Layer 4) and IP (Layer 3) aren't really involved with hubs/non-L3 switches (Layer 1 and 2 respectively).
On another note:
How many of the major flaws/security issues have been entirely the fault of the protocol's specification? I honestly don't know, I usually don
Re: (Score:3, Insightful)
Re: (Score:2)
Re: (Score:2)
Re:Strike vs Counterstrike (Score:4, Insightful)
It may be even easier. Who cares? However you look at it, TCP is doing its job. If you want to protect against hijacking, the layered topology of the communication stack lets you prevent that at a higher level. (e.g. using encryption, which can be interrupted but not hijacked)
TCP hijacking is merely a side effect of a missing layer in the stack of your application.
Re: (Score:2)
Just use SSL if you want more security. There's no point paying the extra cost of encryption when you don't need it.
You need to do lots of extra stuff (check certs etc) if you do not want to be hijacked by MITM attacks.
Sandboxes and Firewalls (Score:1, Funny)
hahahahahahhahahahahaha
I hate when people do that.
Re: (Score:1)
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
Once again, they didn't read the article. (Score:5, Insightful)
It also said that software has been found that detects when it's attached to a debugger. Big deal, copy protection schemes have been doing that for decades.
The article then goes on to FUD that code that attacks the sand box "must" be coming.
Oh, it must be coming. Uhuh.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Just wait till Intel VT and AMD Pacifica improve.
Re: (Score:1)
How long before someone codes up a hack to make a real instance appear to be a sandbox so that malware will go dormant?
LK
Re: (Score:1)
Verbing weirds acronyms.
Re: (Score:1)
Imagine that an "analyst" is either not allowed to use automated tools or that s/he doesn't have any (but if s/he doesn't have any, why do this? Just bear with me...). If the analyst looks at each instruction and maps them all out, the analyst would then be able to see if the software is benevolent or malevolent. The analyst could also see if the software attempts to determine if it's running in a VM, etc.
This is why I
Umm... yes? And? (Score:5, Interesting)
So far, malware that "breaks out" of the sandbox would be new to me (though I'd be grateful for a sample). Though, seriously, why not run a VM with Windows (to analyze) on a box running Linux? I'd be very interested if someone manages to do the feat of creating a piece of malware that manages to break out of the sandbox and then run on a machine with a completely different operating system.
If you wanna throw another stick between the malware's feet, run the VM on a non-i386 architecture. If someone manages to break out of THAT and manages to hijack my machine, he really earned it and should get it.
Re: (Score:1)
Are you saying that you own over 60% of current malware?
Re: (Score:2)
It's just too tempting:
In Soviet Russia, malware pwns YOU!
Re: (Score:3, Funny)
Re: (Score:2)
Re: (Score:2)
You are right, the point of using virtualization is to isolate applications from one another and the host operating system, but that is not the only security feature provided by virtualization.
The article fails to mention that most virtualiz
Re: (Score:2)
I don't see what kind of difference this makes. It's pretty easy to compile stuff to run on multiple platforms. I don't see how it is any more difficult to break out of a virtual box running xxx and infect yyy than it is to break out of xxx and infect xxx. Much of the same VM code - including bugs
Re: (Score:2)
Simply recompiling won't cut it, though. You have to roll two very heterogeneous binaries into one. The lengths you'd have to go to to create something like this tell me that we'll never see more of that than a PoC.
Malware is a business.
This might be good for end-users (Score:2)
By the same token, it suggests a new attack against malware.... find out what makes a piece of malware think it's running on a VM and then make a physical machine react the same way. The possibilities are endless here.
Re: (Score:2)
Re: (Score:2)
Not if the VM emulates the actual HARDWARE accurately. Ultimately, if the emulation software is written to behave EXACTLY the same way as the hardware it is emulating, there can be no SURE way any software running under that emulator can determine whether it is running on real hardware or not. Modern microprocessors are combinations of hardware and software also. The software part is
Re: (Score:1)
VMWare emulates the same video and sound cards. All one has to do is check for the specified hardware. Look for the hardware emulated by VMWare and if you find it, turn off certain "functionality".
LK
Re: (Score:2)
If that were done, then the real hardware in other systems would also be detected. That means if the VM emulated really popular hardware, the detector would give many false indications for the real hardware the potential malware would otherwise infect.
Re: (Score:1)
That's a big if. VMWare emulates less common hardware. How many people do you know who still use S3 video cards?
LK
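The detection the last few comments argue about, as an added example that is not part of the thread: a small checker run over the kind of data a guest can read without privileges on Linux (the `flags` line of /proc/cpuinfo, `lspci -n` output, and /sys/class/dmi/id/sys_vendor). It contrasts the two heuristics from the exchange above. Keying on a PCI vendor ID that is assigned to a virtualization vendor (VMware is 15ad in the PCI ID database, as are 80ee for VirtualBox and 1af4 for virtio, to my knowledge) never fires on bare metal; keying on the class of card being emulated, "an S3 video card", fires on every physical box that has one and misses a guest whose emulated SVGA adapter carries VMware's own vendor ID. The same table read in reverse is the list of things the "make a real machine look like a VM so malware goes dormant" idea from earlier in the thread would have to fake. The sample inputs are constructed, not captured from real machines, and the ID values are assumptions to verify against your own hosts.

```python
import re

# Vendor strings and IDs are what I know from the PCI ID database, Linux /proc/cpuinfo
# and the DMI tables; they are assumptions to check against your own hosts.
VM_PCI_VENDORS = {
    "15ad": "VMware",
    "80ee": "VirtualBox",
    "1af4": "virtio",
}
VM_DMI_VENDORS = {"VMware, Inc.", "innotek GmbH", "QEMU"}
S3_VENDOR = "5333"   # S3 Inc., the kind of video chip the thread suggests keying on

# `lspci -n` line: "<slot> <class>: <vendor>:<device>"
LSPCI_LINE = re.compile(r"^\S+\s+[0-9a-f]{4}:\s+([0-9a-f]{4}):([0-9a-f]{4})", re.I)


def pci_devices(lspci_n_output):
    """Yield (vendor, device) pairs from `lspci -n` style text."""
    for line in lspci_n_output.splitlines():
        m = LSPCI_LINE.match(line.strip())
        if m:
            yield m.group(1).lower(), m.group(2).lower()


def pci_indicators(lspci_n_output):
    """Vendor IDs assigned to virtualization vendors do not show up on bare metal."""
    return ["pci {}:{} ({})".format(v, d, VM_PCI_VENDORS[v])
            for v, d in pci_devices(lspci_n_output) if v in VM_PCI_VENDORS]


def cpuinfo_indicators(cpuinfo):
    """Linux reports 'hypervisor' in flags when CPUID.1:ECX bit 31 is set by the VMM."""
    for line in cpuinfo.splitlines():
        if line.startswith("flags") and "hypervisor" in line.split(":", 1)[1].split():
            return ["cpuid hypervisor bit"]
    return []


def dmi_indicators(sys_vendor):
    """/sys/class/dmi/id/sys_vendor names the hypervisor vendor on common guests."""
    vendor = sys_vendor.strip()
    return ["dmi sys_vendor '{}'".format(vendor)] if vendor in VM_DMI_VENDORS else []


def vm_indicators(cpuinfo, lspci_n_output, sys_vendor):
    """Combine the three sources; an empty list means nothing VM-specific was seen."""
    return cpuinfo_indicators(cpuinfo) + pci_indicators(lspci_n_output) + dmi_indicators(sys_vendor)


def s3_video_present(lspci_n_output):
    """The thread's heuristic: look for the S3 video card an old VMware emulated."""
    return any(v == S3_VENDOR for v, _ in pci_devices(lspci_n_output))


# Constructed samples, not captured from real machines. The guest also carries an LSI
# SCSI controller and an Intel NIC, which are real vendors and so prove nothing on their own.
VMWARE_GUEST = {
    "cpuinfo": "processor\t: 0\nflags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep hypervisor lahf_lm\n",
    "lspci": "00:0f.0 0300: 15ad:0405\n00:10.0 0100: 1000:0030\n00:11.0 0200: 8086:100f\n",
    "sys_vendor": "VMware, Inc.\n",
}
PHYSICAL_HOST = {
    "cpuinfo": "processor\t: 0\nflags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep lahf_lm\n",
    "lspci": "00:00.0 0600: 8086:1130\n01:00.0 0300: 5333:8811\n",
    "sys_vendor": "Dell Inc.\n",
}

if __name__ == "__main__":
    for name, box in (("vmware guest", VMWARE_GUEST), ("physical host", PHYSICAL_HOST)):
        print(name, vm_indicators(box["cpuinfo"], box["lspci"], box["sys_vendor"]),
              "| s3 video present:", s3_video_present(box["lspci"]))
```

On a real Linux guest the three inputs come from `open("/proc/cpuinfo").read()`, `subprocess.check_output(["lspci", "-n"], text=True)` and `open("/sys/class/dmi/id/sys_vendor").read()`; the functions take text so the logic can be exercised offline as above. Each indicator is something the hypervisor vendor chose to expose rather than hide, which is the VMware employee's point later in the thread: these are cheap to key on precisely because nobody is trying to make them go away.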
Re: (Score:2)
Why would it be an improvement on our (I work for VMware) products to make them undetectable? To the extent that malware disables itself in the presence of a VMM, VMMs only become more attractive for production use. Not all PCs are alike, and we make no effort to hide it, and yet the world continues in peace. We don't make any effort to hide the chipse
Re: (Score:2)
As to VMWare, it's a great product, I've bought it and I use it, but the way it virtualizes CD's/DVD's, USB
You Don't Even Need Special Code to Detect VMwa... (Score:2)
"Piercing the abstraction" as they call it in the business, however, is much more difficult, especially on a VM running on top of VMware's ESX, which doesn't actually interact with the guest OS
Re:You Don't Even Need Special Code to Detect VMwa (Score:2)
These are so called WONTFIX bugs.. all VMs have them. There ain't enough hours in the day to worry about every nook and cranny of the x86 architecture.
Sand Toys (Score:1)
Question to those who sandbox (Score:1, Interesting)
So, does anyone know of a particularly home-friendly way to handle a real-hardware box? I'm not sure of the
Re: (Score:1)
Re: (Score:1)
Detecting virtualization? (Score:4, Funny)
There is no spoon [wikipedia.org]
Arms race for nothing (Score:1)
Meanwhile, I avoid ALL forms of anti-malware tools, and magically I rarely get infected. When I do, I notice pretty quickly because I actually pay attention to what my PC is doing. If a certain task (or game) is used to running s
Re:Arms race for nothing (Score:4, Interesting)
Isn't once enough for anyone? You did format and restore from a known good backup or install media afterwards didn't you? There's a tendency lately to trust that whoever had full control of your PC did nothing but run a set script and blindly hope that there is nothing else on there. I've played with various removal tools when people have given me compromised machines and different tools gave me different answers the other tools could not detect - perhaps there were some things neither could detect, hard to be sure especially when you are booting from a compromised system.
Fdisk it from orbit - it's the only way to be sure.
Re:Arms race for nothing (Score:5, Insightful)
Even Microsoft agrees with you. You can't "clean" a compromised machine.
http://www.microsoft.com/technet/community/column
That goes for other OSes too.
--
BMO
Re: (Score:2)
You can't clean a compromised system by reinstalling the operating system over the existing installation. Again, the attacker may very well have tools in place that tell the installer lies.
How exactly are these tools going to start running, when the system is booted to the install CD rather than the hard drive? I mean, by that logic the attacker could have tools in place to tell fdisk lies, too, so the only option is to literally incinerate the disk and buy a new one. Unless
Re: (Score:2)
I stole it from the first Alien movie anyway and have been using it for years.
Re: (Score:2)
Re: (Score:1)
If more people could self-police their PC like me, it would put a dent in both the virus and anti-virus businesses and as a result, it would slow the evolution of malware.
Yeah, I did things that way for a long time myself. It's gotten to the point, however, at which things I trusted in the past are becoming littered with infectious software. I had no problems for years until fairly recently.
If two kids are fighting over a silly toy, when you take away the toy, they find something else to occupy them.
Re: (Score:1)
If McDonalds weren't making tons of money selling their
cat /dev/colon /proc/virtual/1 (Score:1)
I always know there are security problems with sandboxes - and all the cats in the world surely know how to break them:
cat
Centipedes? (Score:1)
Re:Watch what I can do (Score:5, Funny)