escaping the sandbox
play

Escaping The Sandbox Blackhat Abu Dhabi Stephen A. Ridley Senior - PowerPoint PPT Presentation

Apr 09, 2024 •45 likes •896 views

Escaping The Sandbox Blackhat Abu Dhabi Stephen A. Ridley Senior Researcher Matasano Security stephen@sa7ori.org @s7ephen (Twitter) http://www.dontstuffbeansupyournose.com Monday, October 4, 2010 Who I am. Stephen A. Ridley Senior Security

  1. Escaping The Sandbox Blackhat Abu Dhabi Stephen A. Ridley Senior Researcher Matasano Security stephen@sa7ori.org @s7ephen (Twitter) http://www.dontstuffbeansupyournose.com Monday, October 4, 2010

  2. Who I am. Stephen A. Ridley Senior Security Researcher (Matasano) • Previously: Senior Security Architect at McAfee, founding member of Security Architecture Group • Prior to that: Researcher at leading Defense contractor. Directly supported U.S. Defense and Intelligence communities in realm of software exploitation and software reverse engineering • Columnist for/interviewed by IT magazines (Wired, Ping!, Washington Post) • Kenshoto DefCon CTF organizers for a few years • blog: http://www.dontstuffbeansupyournose.com • Guest Lecturer/Instructor (New York University, Netherlands Forensics Institute, Department of Defense, Google, et al) • My Focus : software reverse engineering, software development, software exploitation, software security, Kernels (Microsoft ones for now). Increasingly interested in embedded systems and mobile devices Monday, October 4, 2010

  3. What am I talkin’ ‘bout today? ★ Sandboxing Overview (very brief ;-) • Goals, Sandbox Architecture (Chrome) ★ Sandboxes from a User-space Perspective • Securable Objects and SID apertures • Patches/Hooks/Interception • user32 issues ★ Sandboxes from a Kernel-space Perspective • Between User-space and Kernel-space • Kernel supported “Quasi Securable Objects”, Native API • Job Objects handle the rest, or do they? ★ Tools/Techniques/Demos • SandKit Toolkit (code injection, copymem, memdiff, hookfix, sa7shell, bincompare, dumptoken, tokenbrute, handlebrute) • Using Sandbox PoC Project (from Google) • Using kernel debugger while attacking Chrome • Triggering Chrome Bugs and where to start Monday, October 4, 2010

  4. Presentation Focus ★ Sandbox implementations are (by their nature) strongly coupled to the Operating System ★ This presentation focuses on Microsoft Windows Operating Systems and the NT Kernel (XP and Vista) • Side Note : Check out OSX’s DAC/Sandbox. (“man sandbox-exec”, “ls /usr/share/sandbox”) It’s pretty awesome! Scheme-like rules sent to a DAC engine with a Scheme-like interpreter in the Kernel! Nice idea! ★ This presentation uses Google Chromium because it’s the most popular of the Sandbox implementations. ★ Focus on blackbox/reversing approach to sandboxing technologies (less source source audit of IPC mechanisms, etc). For that approach see Azimuth Security’s excellent “The Chrome Sandbox” series) Monday, October 4, 2010

  5. Sandboxing Overview Monday, October 4, 2010

  6. The Goal of the Sandbox ★ Localize the damage by “containing” potentially malicious code ★ Trapping malicious code is nuanced and tough but from a high level it consists mostly of: • Locking down all IPC mechanisms • Perform process monitoring • Basically not trusting any code within the Sandbox to do anything on the system without it first being checked by some authority Monday, October 4, 2010

  7. Chromium Sandbox Architecture • A great number of resources currently exist on the architecture and design of sandboxes in general, especially for Google Chromium. Not going to echo-chamber. • Mark Dowd and the team at Azimuth Security began releasing Sandboxing papers that happened to coincide with my talk and paper: http://blog.azimuthsecurity.com/2010/05/chrome-sandbox-part-1-of-3- overview.html • Google Chrome Design Documents: http://www.chromium.org/ developers/design-documents • The Chromium Design Docs are all you really need, but other small bits can be gleaned from Infosec bloggers and research papers (Robert Hensing, David Leblanc, Nicolas Sylvain, and others). Not much *actual* code/tools/techniques/examples have been released though, this talk hopefully will help with this. Monday, October 4, 2010

  8. Chromium Sandbox Architecture Credit: Gartner and Google Chrome Monday, October 4, 2010

  9. Locking down IPC and IO ★ The Operating System is what does all the “hard work” for permissions and restrictions. Developers don’t need to reinvent this technology these days. ★ In the NT Kernel this is handled by using the DACL system built into the Object Manager and Security Reference Manager ★ These two components of the NT kernel implement and enforce the permissions system for “NT Securable Objects” like: • Files • Processes • Shared Memory Regions • Lots more... Monday, October 4, 2010

  10. Locking down IPC and IO ★ IO and IPC on Windows is performed predominantly using these NT Objects. I really realized this more, the more kernel stuff I began doing. ★ “Almost everything in userspace is an NT Object, or is at some point supported by one.”....but there are still gaps. “Quasi-securable Objects” ★ Most of the functionality for interfacing with/ manipulating these NT Objects is implemented within the Native API • Think: OpenFile, OpenProcess, CreateFile, CreateProcess, CreateThread, or basically anything in ntdll or kernel32) ★ There are some other public techniques for performing faux-IPC. (we will review these and some less popular ideas/techniques) Monday, October 4, 2010

  11. Sandboxes from a User-space Perspective Monday, October 4, 2010

  12. As malicious code, what would you try first? ★ Accessing Out of Proc COM Servers? ★ Accessing WMI Interfaces? ★ Writeable locations on the disk? ★ Injecting into Other processes (reading/writing other process memory)? ★ Loading Drivers? ★ Accessing LPC/RPC/LRPC endpoints? ★ Accessing NamedPipes? ★ Accessing RunAs Service? ★ sending User32 messages? ★ ...lots of other stuff? ★ Let’s See Why Most of this Won’t Work! Monday, October 4, 2010

  13. BLOCKED! ★ These things are all good places to start. In fact we will demonstrate a new tool in the SandKit that you can use to assist with these kinds of tests. In other implementations you will mostly likely find bugs here. ★ HOWEVER, virtually all of these operations under the hood are (or are supported by) Securable Objects which fall under the purview of the Object Manager and Security Reference Manager. ★ Therefore, the proper restrictions on security descriptors will kill access to these in one fell swoop! Monday, October 4, 2010

  14. As malicious code, what would you try first? COM is NamedPipes ★ Accessing Out of Proc COM Servers? ★ Accessing WMI Interfaces? WMI is COM which is LPC/NamedPipes ★ Writeable locations on the disk? Handles and IO objects are securable. ★ Injecting into Other processes (reading/writing other Processes/Threads/IO objects are securable. process memory)? SCManager is all LPC/NamedPipes also ★ Loading Drivers? “Load Driver” token perm covers it ★ Accessing LPC/RPC/LRPC endpoints? LPC/LRPC/RPC sit on NamedPipes ★ Accessing NamedPipes? NamedPipes are obviously securable ★ Accessing RunAs Service? ShellExecuteA(“runas”) is LPC/NamedPipe to LSASS ★ sending User32 messages? User32 partitioned by “Desktop” and user32 handles are restricted by Job Object (XP) UAC (Vista) Monday, October 4, 2010

  15. Bootstrapping the Sandbox “The beginning is a very delicate time...” Frank Herbert’s Dune ★ The Broker starts all the Sandbox processes. ★ The “Broker” process is the Overseer, he starts the “Sandbox” processes. ★ The Broker performs “privileged” actions on behalf of Sandbox processes via code hooks and IPC mechanisms. ★ Let’s review the steps the Broker goes through when bootstrapping the Sandbox. Monday, October 4, 2010

  16. Bootstrapping the Sandbox 1. Before spawning Sandbox, the Broker process creates a restricted token using: CreateRestrictedToken() with the ‘SidsToRestrict’ array populated. 2. The Broker uses CreateProcess() with the fdwCreate argument set to CREATE_SUSPENDED and the restricted token to start sandbox “frozen”. 3. It is during this suspended time that the Broker then further restricts the Sandbox process by: 1. Installing hooks (we will review these shortly) 2. Performing some other setup We’ll see later that the Broker also continues to “debug” the Sandbox process, catching his exceptions! Annoying for your fuzzing huh? ;-) Monday, October 4, 2010

  17. Bootstrapping the Sandbox 4. The Broker further adjusts the Sandbox’s Token with AdjustTokenPrivileges() 5. The Broker places the Sandbox into a very restrictive Job Object by setting restrictive members of JOBOBJECT_BASIC_UI_RESTRICTIONS when calling SetInformationJobObject() 6. The Broker can then place the Sandbox into its own Desktop (depending on which “type” of Sandboxed process it is) if XP , or on Vista set low integrity token and use User Interface Privilege Isolation (UIPI which is just “UAC” stuff) 7. The Broker does other stuff I probably didn’t notice (or am forgetting ;-) and then resumes the Sandbox’s main thread. Monday, October 4, 2010

  18. Bootstrapping the Sandbox ★ Example from “Sandbox PoC” in Chrome Source Code (/home/chrome-svn/tarball/chromium/src/sandbox/sandbox_poc/main_ui_window.cc) Monday, October 4, 2010

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The structure of the escaping set of a transcendental entire function Gwyneth Stallard (joint

The structure of the escaping set of a transcendental entire function Gwyneth Stallard (joint

The structure of the escaping set of a transcendental entire function Gwyneth Stallard (joint work with Phil Rippon) The Open University Postgraduate Conference in Complex Dynamics March 2015 The escaping set Definition The escaping set is I

650 views • 43 slides
Welcome! What Is an AR Sandbox? (and how to build one) An Augmented Reality Sandbox Is: a

Welcome! What Is an AR Sandbox? (and how to build one) An Augmented Reality Sandbox Is: a

Welcome! What Is an AR Sandbox? (and how to build one) An Augmented Reality Sandbox Is: a box filled with white sand a projector mounted over the sand a Kinect depth-sensing camera mounted over the sand a computer that runs

491 views • 11 slides
SELinux Sandbox Daniel Walsh Red Hat What is Sandbox Run applications in a confined

SELinux Sandbox Daniel Walsh Red Hat What is Sandbox Run applications in a confined

SELinux Sandbox Daniel Walsh Red Hat What is Sandbox Run applications in a confined environment. Allow filtering tools to read untrusted content. Vulnerability in a filtering tools can allow content to cause the application to do bad

501 views • 13 slides
Haow do I sandbox?!?! Cuckoo Sandbox Internals Jurriaan Bremer @skier t Student (University of

Haow do I sandbox?!?! Cuckoo Sandbox Internals Jurriaan Bremer @skier t Student (University of

Haow do I sandbox?!?! Cuckoo Sandbox Internals Jurriaan Bremer @skier t Student (University of Amsterdam), Freelance Security Researcher June 22, 2013 June 22, 2013 Jurriaan Bremer @skier t Haow do I sandbox?!?! Cuckoo Sandbox Internals 1 /

1.15k views • 79 slides
Inn nnovative R Reg egulations i in n Insuran ance Regulatory S y Sandbox 19 th

Inn nnovative R Reg egulations i in n Insuran ance Regulatory S y Sandbox 19 th

Inn nnovative R Reg egulations i in n Insuran ance Regulatory S y Sandbox 19 th December, 2019 Institute of Actuaries Agenda Regulatory Sandbox Regulations Salient Features Operational Guidelines Salient Features

578 views • 15 slides
iOS App Extensions Photo Extensions: Shared Settings Separate Sandboxes Extension App Sandbox

iOS App Extensions Photo Extensions: Shared Settings Separate Sandboxes Extension App Sandbox

iOS App Extensions Photo Extensions: Shared Settings Separate Sandboxes Extension App Sandbox Sandbox Shared Container App Group Extension App Sandbox Sandbox Shared Container Shared NSUserDefaults

509 views • 7 slides
iForensics Digital Inc. App Sandbox CEO Po Huang po@iforensics.com.tw h t t p : / / w w w . i f

iForensics Digital Inc. App Sandbox CEO Po Huang po@iforensics.com.tw h t t p : / / w w w . i f

iForensics Digital Inc. App Sandbox CEO Po Huang po@iforensics.com.tw h t t p : / / w w w . i f o r e n s i c s . c o m . t w / i n d e x E N . h t m l Agenda Company Profile APP Sandbox DG-Secure COMPANY PORTFOLIO Company

247 views • 20 slides
Full-System Architectural Exploration Sandbox Eriko Nurvitadhi and James C. Hoe Computer

Full-System Architectural Exploration Sandbox Eriko Nurvitadhi and James C. Hoe Computer

Full-System Architectural Exploration Sandbox Eriko Nurvitadhi and James C. Hoe Computer Architecture Lab (CALCM) Carnegie Mellon University Nurvitadhi & Hoe, CMU/ECE WARFP 2005, February 2005, Slide 1 Sandbox Desiderata A PC where I

157 views • 4 slides
Escaping Saddle Points with Adaptive Gradient Methods Matthew Staib 1 , Sashank Reddi 2 ,

Escaping Saddle Points with Adaptive Gradient Methods Matthew Staib 1 , Sashank Reddi 2 ,

Escaping Saddle Points with Adaptive Gradient Methods Matthew Staib 1 , Sashank Reddi 2 , Satyen Kale 2 , Sanjiv Kumar 2 , Suvrit Sra 1 1. MIT EECS 2. Google Research, New York Escaping Saddle Points with Adaptive Gradient Methods Matthew

614 views • 23 slides
SANDBOXING How does a sandbox look like? Software or hardware appliances that receive suspicious

SANDBOXING How does a sandbox look like? Software or hardware appliances that receive suspicious

H ERE Claudio nex Guarnieri @botherder Security Researcher at Rapid7 Labs Core member of The Shadowserver Foundation Core member of The Honeynet Project Creator of Cuckoo Sandbox Founder of Malwr.com H ERE Mark

1.02k views • 89 slides
Magnetospheres of Hot Jupiters: formation of magnetodisk current system in the escaping

Magnetospheres of Hot Jupiters: formation of magnetodisk current system in the escaping

Magnetospheres of Hot Jupiters: formation of magnetodisk current system in the escaping plasma flow of an exoplanet M. L. Khodachenko 1 , T. Zaqarashvili 1 , N.V. Erkaev 2 , S. Dyadechkin 3 , I.F. Shaikhislamov 4 , I.I. Alexeev 5 , E.S.

667 views • 22 slides
FTA MOD Sandbox Grant Multimodal Trip Planner TriMet Board of Directors Briefing, 2/27/2019

FTA MOD Sandbox Grant Multimodal Trip Planner TriMet Board of Directors Briefing, 2/27/2019

FTA MOD Sandbox Grant Multimodal Trip Planner TriMet Board of Directors Briefing, 2/27/2019 Bibiana McHugh, Manager, Mobility & Location-Based Services 1 FTA Mobility on Demand (MOD) Sandbox Grant Jan 2017 - Jan 2019 TriMet was one of

391 views • 12 slides
Creating Learning without Limits: Challenge and Success 1 Baseline assessment? 2 3 Escaping

Creating Learning without Limits: Challenge and Success 1 Baseline assessment? 2 3 Escaping

Creating Learning without Limits: Challenge and Success 1 Baseline assessment? 2 3 Escaping from the bottom set Hargreaves (1982) argues that ability labelling leads to destruction of dignity so massive and pervasive that few

324 views • 19 slides
The Sandbox Roulette: are you ready to gamble? Rafal Wojtczuk rafal@bromium.com Rahul Kashyap

The Sandbox Roulette: are you ready to gamble? Rafal Wojtczuk rafal@bromium.com Rahul Kashyap

The Sandbox Roulette: are you ready to gamble? Rafal Wojtczuk rafal@bromium.com Rahul Kashyap rahul@bromium.com What is a sandbox? Environment designed to run untrusted (or exploitable) code, in a manner that prevents the encapsulated code

417 views • 40 slides
Malicious Bytecode Peter Cawley <lua@corsix.org> Lua Workshop 2011 A Common Pattern 1.

Malicious Bytecode Peter Cawley <lua@corsix.org> Lua Workshop 2011 A Common Pattern 1.

Mitigating the Danger of Malicious Bytecode Peter Cawley <lua@corsix.org> Lua Workshop 2011 A Common Pattern 1. Create sandbox 2. Load user-supplied Lua (byte|source) code 3. Run code in sandbox A Common Pattern 1. Create sandbox 2.

369 views • 35 slides
Escaping the Losses from Trade: The Impact of Heterogeneity on Skill Acquisition Preliminary

Escaping the Losses from Trade: The Impact of Heterogeneity on Skill Acquisition Preliminary

Escaping the Losses from Trade: The Impact of Heterogeneity on Skill Acquisition Preliminary Axelle Ferriere 1 Gaston Navarro 2 Ricardo Reyes-Heroles 2 1 Paris School of Economics 2 Federal Reserve Board Joint Conference on Heterogeneity

845 views • 57 slides
Reducing input latency on the web bit.ly/reduce-input-latency W3C Games Workshop - June 2019

Reducing input latency on the web bit.ly/reduce-input-latency W3C Games Workshop - June 2019

Reducing input latency on the web bit.ly/reduce-input-latency W3C Games Workshop - June 2019 Navid Zolghadr (nzolghadr@chromium.org) Chromium Input Dev Chromium input dev Goals Smooth user interaction and scrolling across the

295 views • 18 slides
Securing the Web Platform Securing the Web Platform Collin Jackson Stanford University The Web

Securing the Web Platform Securing the Web Platform Collin Jackson Stanford University The Web

Securing the Web Platform Securing the Web Platform Collin Jackson Stanford University The Web Platform The Web Platform Dynamic Ubiquitous Dynamic Ubiquitous Interactive Instant updates Interactive Instant updates Pages Web Applications

958 views • 18 slides
QUIC Quick UDP Internet Connections Multiplexed Stream Transport over UDP IETF-88 TSV Area

QUIC Quick UDP Internet Connections Multiplexed Stream Transport over UDP IETF-88 TSV Area

QUIC Quick UDP Internet Connections Multiplexed Stream Transport over UDP IETF-88 TSV Area Presentation 2013-11-7 Presentation by Jim Roskind <jar@> Google Corp What is QUIC? Effectively replaces TLS and TCP out from under SPDY

671 views • 25 slides
Design and Analysis of Algorithms 18CS42 Module 1: Introduction to Algorithms Module 1:

Design and Analysis of Algorithms 18CS42 Module 1: Introduction to Algorithms Module 1:

Design and Analysis of Algorithms 18CS42 Module 1: Introduction to Algorithms Module 1: Introduction to Algorithms Harivinod N Harivinod N Dept. of Computer Science and Engineering Dept. of Computer Science and Engineering VCET VCET Puttur

1.17k views • 100 slides
Loophole: Timing Attacks on Shared Event Loops in Chrome Pepe Vila & Boris Kpf IMDEA

Loophole: Timing Attacks on Shared Event Loops in Chrome Pepe Vila & Boris Kpf IMDEA

Loophole: Timing Attacks on Shared Event Loops in Chrome Pepe Vila & Boris Kpf IMDEA Software Institute About me Im Pepe @cgvwzq http://vwzq.net/ Some notes about Chrome Chrome was a blackbox for me. Its code base is immense.

622 views • 38 slides
Using Clang for fun and profit Examples from the Chromium project Hans Wennborg hwennborg (at)

Using Clang for fun and profit Examples from the Chromium project Hans Wennborg hwennborg (at)

Using Clang for fun and profit Examples from the Chromium project Hans Wennborg hwennborg (at) google.com GOTO Aarhus 2013 Outline Chromium Background Numbers Clang Background Error Messages Warnings Tools Conclusion Introducing

429 views • 27 slides
Chrome OS Hardening http://outflux.net/slides/2012/bsides-pdx/chromeos.pdf Security B-Sides PDX

Chrome OS Hardening http://outflux.net/slides/2012/bsides-pdx/chromeos.pdf Security B-Sides PDX

Chrome OS Hardening http://outflux.net/slides/2012/bsides-pdx/chromeos.pdf Security B-Sides PDX 2012 Kees Cook <keescook@google.com> (pronounced "Case") Overview Overview Identifying the threat model not the

974 views • 50 slides
QUIC CPU Pergormance Can HTTP/3 be as efficient as HTTP/2 and HTTP 1.1? SIGCOMM EPIQ 2020,

QUIC CPU Pergormance Can HTTP/3 be as efficient as HTTP/2 and HTTP 1.1? SIGCOMM EPIQ 2020,

Proprietary + Confidential QUIC CPU Pergormance Can HTTP/3 be as efficient as HTTP/2 and HTTP 1.1? SIGCOMM EPIQ 2020, Presented by Ian Swett Proprietary + Confidential What are QUIC and HTTP/3? Proprietary + Confidential QUIC is a transporu

923 views • 34 slides

More recommend