Sandbox Exploitations - ECE 4112 Group 12 - Gary Kao Jimmy Vuong.

Post on 13-Jan-2016


Sandbox Exploitations - ECE 4112 Group 12

Gary Kao

Jimmy Vuong

Sandboxes

Introduction - Background - Objectives - Testing - Results - Conclusion - References

• Sandboxes are a specific type of virtualization, like VMware.

• Usually used to test untrusted apps.

• Effective because an optimal sandbox can purge all data stored on the computer after the sandboxed session ends.

Significance of Sandbox


• All files downloaded after the sandbox is initiated will be removed by restarting.

• Upon restarting, the sandbox should be free of malware; it should also be unable to detect the OS or to be closed from within itself (e.g. by loading Task Manager inside the sandbox).

Advantages


• Can read objects on the real HD and the files in the sandbox.

• All write operations are done in a Transient Storage Area and never on the HD unless specified.

• Does not allow service installation.

• Applications are typically run already sandboxed.

Disadvantages


• Sandbox can contain good and bad objects.

• If the user doesn't know the difference between good and bad objects, he can still infect his own computer by moving the bad objects to his real hard disk.

Programs Used


• Sandboxie

• Shadow Surfer

• Virtual Sandbox

Sandboxie

• Creates an isolated storage space that stores all the temporary files.

• Puts a # in the window title when it is on.

• Both the sandbox and the actual HD function at the same time, as opposed to Shadow Surfer (SS) and Virtual Sandbox (VS).

(Diagram: programs run in a transparent layer on top of the hard drive.)

Sandboxie

• Pros:

– Freeware

– Small program (309kb)

– System resource efficient

• Cons:

– Must manually load up programs for sandboxing

– Does not screen auto-run programs (e.g. USB key logger)

Shadow Surfer

• Shadow Mode: a snapshot of your volume, run in a virtual PC or server state.

• Any changes made to the computer thereafter are made to the Shadow Mode duplicate.

• Unless specified, Shadow Mode resets upon reboot.

Shadow Surfer

• Pros:

– Runs constantly

– Easy to use

• Cons:

– Paidware

– Files are saved where they actually should be

– Relies on restarts for cleaning and blocking

Virtual Sandbox

• Operates like a firewall.

• Creates an isolated environment through which programs and downloaded files operate.

• Does not give access to the internet (by default).

• Does not allow overwriting of files (by default).

Virtual Sandbox

• Pros:

– Once enabled, everything is sandboxed.

– Files are saved in a transient storage space.

• Cons:

– Paidware

– Easy to bypass

Exploiting Sandboxes

• Test various sandbox programs.

• Use methods developed in past labs to test the various programs' vulnerabilities.

• Document the tests and results.

• Summarize results and show vulnerabilities.

Testbed


• 3 Identical Virtual Machines using Windows XP

• Each VM has a sandbox installed

• Each VM goes through the same series of tests

• After the tests are performed, the computers are restarted to see whether they are clean or not

File Storage

• Create a file, then clear the sandbox and see if the file still exists.

• Sandboxie – erased

• Virtual Sandbox – erased

• Shadow Surfer – erased

Closing a Process

• Loaded a sandboxed Task Manager to try and close the sandbox.

• Sandboxie – Failed to close Sandboxie

• Virtual Sandbox – Closed Virtual Sandbox

• Shadow Surfer – Closed Shadow Surfer, but still sandboxed

Jpeg of Death

• Checking whether local vulnerabilities can still be triggered inside the sandbox.

• Sandboxie – Succeeded

• Virtual Sandbox – Blocked

• Shadow Surfer – Succeeded

Dcom Crash


• Checking whether remote vulnerabilities can still be triggered inside the sandbox.

• Sandboxie – Crashed

• Virtual Sandbox – Crashed, but notifies you that these apps are being exploited

• Shadow Surfer – Crashed

HackerDefender

• Sandboxie – Succeeded

• Virtual Sandbox – Uses a DLL hook, which results in it not even initiating properly

• Shadow Surfer – Succeeded

FU

• Sandboxie – Succeeded

• Virtual Sandbox – Succeeded

• Shadow Surfer – Succeeded

Netcat

• Sending files via netcat: will the files persist after clearing the sandbox?

• Sandboxie – Succeeded

• Virtual Sandbox – Succeeded

• Shadow Surfer – Succeeded

VNC

• Sandboxie – Remote mouse/keyboard deactivated by Sandboxie

• Virtual Sandbox – Succeeded

• Shadow Surfer – Succeeded

AnnaKournikova Worm

• Sandboxie – Succeeded

• Virtual Sandbox – Succeeded

• Shadow Surfer – Succeeded

SDBot

• Sandboxie – Succeeded

• Virtual Sandbox – Blocked

• Shadow Surfer – Succeeded

Restarting Sandbox

• Sandboxie – clean

• Virtual Sandbox – SDBot and hxdef remain

• Shadow Surfer – clean
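A small persistence audit that automates the file-storage and restart checks from these tests (an added example, not the group's own lab code): plant() drops marker files into chosen directories and records their hashes in a manifest that is kept outside the sandboxed volume, and verify() is run after the sandbox is cleared or the VM rebooted to report whether each marker was erased, persists, or was altered. The marker filename and the use of SHA-256 are assumptions of this example.

```python
# Added example (not the lab's own code): audit which planted files survive a
# sandbox wipe. The manifest must live OUTSIDE the sandboxed volume (e.g. on
# removable media), otherwise the wipe removes the evidence along with the markers.
import hashlib
import json
import os
import secrets

MARKER_NAME = "sandbox_persistence_marker.bin"  # assumed marker filename


def _sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def plant(target_dirs, manifest_path):
    """Write one random-content marker per directory; return {path: sha256}."""
    manifest = {}
    for d in target_dirs:
        os.makedirs(d, exist_ok=True)
        path = os.path.join(d, MARKER_NAME)
        with open(path, "wb") as f:
            f.write(secrets.token_bytes(64))  # unique per run, so stale copies differ
        manifest[path] = _sha256(path)
    with open(manifest_path, "w") as f:
        json.dump(manifest, f)
    return manifest


def verify(manifest_path):
    """After the wipe: map each marker to 'erased', 'persists' or 'altered'."""
    with open(manifest_path) as f:
        manifest = json.load(f)
    results = {}
    for path, digest in manifest.items():
        if not os.path.exists(path):
            results[path] = "erased"      # the sandbox wipe did its job
        elif _sha256(path) == digest:
            results[path] = "persists"    # survived the wipe unchanged
        else:
            results[path] = "altered"     # same name, different content
    return results


if __name__ == "__main__":
    import sys  # usage: plant <manifest> <dir>...  |  verify <manifest>
    if sys.argv[1:2] == ["plant"]:
        print(json.dumps(plant(sys.argv[3:], sys.argv[2]), indent=2))
    elif sys.argv[1:2] == ["verify"]:
        for path, state in verify(sys.argv[2]).items():
            print(f"{state:9s} {path}")
```

Run plant inside the sandboxed session against locations such as the user profile, the temp directory and the system directory, then run verify from outside after the reset; any "persists" entry is a file the sandbox failed to purge.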

Results

• Even if an exploit gets through the sandbox, most will be gone after the sandbox is wiped.

• On weaker sandboxes, SDBot and hxdef persist even after the sandbox wipes.

– Fatal for Virtual Sandbox

Conclusion

• Optimal sandboxes will appear transparent to the users.

• Sandboxie is the most efficient sandbox tool available for individual programs.

• Shadow Surfer is the most efficient overall.

References

• Sandboxie – http://www.sandboxie.com/

• Shadow Surfer – http://www.storagecraft.com/products/ShadowSurfer/

• Virtual Sandbox – http://www.fortresgrand.com/products/vsb/vsb.htm

Questions?

- Sandbox Vulnerabilities -