Haow do I sandbox?!?! Cuckoo Sandbox Internals - Jurriaan Bremer (slide deck)

1. Haow do I sandbox?!?! Cuckoo Sandbox Internals. Jurriaan Bremer (@skier_t), Student (University of Amsterdam), Freelance Security Researcher. June 22, 2013. Slide 1 / 79.

2. Introduction - Cuckoo Sandbox Team. Figure: Mark Schloesser, Claudio Guarnieri, Me, Alessandro Tanasi

3. Introduction - What this talk is NOT about! Figure: Dragon Sandbox!

4. Introduction - What this talk is about!
  ◮ How we built Cuckoo
  ◮ How to evade Cuckoo
    ◮ Left as an exercise for the attendee
    ◮ Who would do such a terrible thing though?

5. Introduction - Today's problems in Malware
  ◮ . . . Insert long list of problems . . .
  ◮ In the end, we prefer to blame..

6. Introduction - Today's problems in Malware

7. Introduction - Today's problems in Malware Analysis
  ◮ Static Analysis takes a lot of time
    ◮ Obfuscation
    ◮ Packers
  ◮ Dynamic Analysis also takes a lot of time
    ◮ Multi-threaded malware
    ◮ Anti-debugger, anti-virtual machine, etc.

8. Introduction - Sandboxing in General (1)
  ◮ Enter Sandboxes
    ◮ Automated Malware Analysis - handles all repetitive work
    ◮ Process thousands of samples in a reasonable time
    ◮ Generic methods for bypassing anti's
  ◮ For the Client
    ◮ User friendly - anyone can use it
    ◮ Setup once, use it for eternity
      ◮ For this step, see the manual :p

9. Introduction - Sandboxing in General (2)
  ◮ Existing Solutions
    ◮ Closed Source
    ◮ Not 100% customizable
    ◮ Very expensive
  ◮ Enter Cuckoo Sandbox
    ◮ Entirely Open Source
    ◮ Free to use

10. Introduction - Disadvantages of Sandboxing
  ◮ Environment could be detected
    ◮ Anti-sandbox
    ◮ Randomize environment
      ◮ Can only randomize so many things
  ◮ Various limitations depending on the implementation
    ◮ We try our best to bypass these
    ◮ E.g., Hook Detection by Malware
  ◮ Reports still have to be read by somebody

11. Cuckoo Sandbox Architecture

12. Demonstration of analyzing a PDF exploit
  ◮ Demo showing the entire analysis process
  ◮ Quick look through the report

13. Cuckoo Sandbox Internals

14. Inside the Virtual Machine - Agent
  ◮ Listening Agent
    ◮ Accepts a connection
  ◮ Host connects
    ◮ Host sends zip file
  ◮ Agent unpacks zip file
    ◮ Python code
      ◮ Easily upgrade Cuckoo to a new version!
    ◮ Configuration files
    ◮ The sample
  ◮ Agent runs the Analyzer
    ◮ Which has been sent through the zip

15. Inside the Virtual Machine - Analyzer
  ◮ Analyzer
    ◮ Initializes Cuckoo stuff
      ◮ Opens IPC Channel (Named Pipe)
      ◮ Some handwaving etc.
    ◮ Dumps Configuration for the first Process
      ◮ Name of the Named Pipe
      ◮ IP and Port of the Result Server
        ◮ (Will come back to that later)
    ◮ Runs the specified Package

16. Inside the Virtual Machine - Packages
  ◮ Package starts an application with command-line parameters
    ◮ Wrappers around CreateProcess(CREATE_SUSPENDED)
    ◮ Packages for EXE, DLL, PDF, DOC, etc.
  ◮ Inject Cuckoo Monitor DLL into the process
    ◮ Using APC, QueueUserAPC(...)
  ◮ Resume main thread of the process

17. Inside the Application - Cuckoo Monitor
  ◮ When resuming the main thread
    ◮ Cuckoo Monitor is executed first
      ◮ Due to the APC callback
    ◮ Initializes internals & installs API Hooks
    ◮ Notifies the Analyzer
      ◮ Through Named Pipes
    ◮ Real application is started

18. Outside the Virtual Machine - Result Server
  ◮ Cuckoo Monitor logs directly to the Host, over TCP/IP
    ◮ IP and Port retrieved from the Configuration
  ◮ More stability than before, when we logged to a local file
    ◮ VM crashes resulted in no logs
  ◮ Now real-time results
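The guest-side flow of slides 14, 15 and 18 (host sends a zip to the listening agent, the agent unpacks it and runs the analyzer it contains, the analyzer reads the dumped configuration and logs straight to the result server over TCP) as an added Python example. This is illustrative code written for this page, not Cuckoo's own agent, analyzer or result server. Assumptions: a 4-byte length prefix in front of the zip, the member names analyzer.py / analysis.conf / sample.bin, JSON for the configuration, newline-delimited log lines, and running the analyzer in-process with runpy instead of as a separate process. The safe_extract step adds the check a practitioner wants in any unpack-and-execute agent: an archive entry such as ../x that would land outside the analysis directory is rejected before anything is written.

```python
import io, json, os, runpy, socket, struct, tempfile, threading, zipfile

# Analyzer shipped inside the zip: reads the dumped configuration and logs
# straight to the result server over TCP (assumed file names and formats).
ANALYZER_SRC = r'''
import json, os, socket
here = os.path.dirname(os.path.abspath(__file__))
cfg = json.load(open(os.path.join(here, "analysis.conf")))
size = os.path.getsize(os.path.join(here, "sample.bin"))
with socket.create_connection((cfg["resultserver_ip"], cfg["resultserver_port"])) as s:
    s.sendall(b"pipe=%s\nsample=sample.bin size=%d\n" % (cfg["pipe_name"].encode(), size))
'''

def make_zip(entries):
    """Build an in-memory zip from {name: bytes or str}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def build_analysis_zip(config, sample):
    """Host side: analyzer code + configuration + the sample in one zip."""
    return make_zip({"analyzer.py": ANALYZER_SRC,
                     "analysis.conf": json.dumps(config), "sample.bin": sample})

def safe_extract(zip_bytes, dest):
    """Agent side: unpack, but first refuse any entry that would land outside
    dest (zip-slip). Returns the member names in archive order."""
    dest = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(dest, info.filename))
            if os.path.commonpath([dest, target]) != dest:
                raise ValueError("zip entry escapes %s: %r" % (dest, info.filename))
        zf.extractall(dest)
        return zf.namelist()

def recv_exact(conn, n):
    data = b""
    while len(data) < n:
        chunk = conn.recv(n - len(data))
        if not chunk:
            raise ConnectionError("peer closed early")
        data += chunk
    return data

def agent_serve_once(listener, workdir):
    """Guest agent: accept one host connection, receive a length-prefixed zip,
    unpack it and run the analyzer it contains (in-process here, for brevity)."""
    conn, _ = listener.accept()
    with conn:
        (size,) = struct.unpack("!I", recv_exact(conn, 4))
        blob = recv_exact(conn, size)
    names = safe_extract(blob, workdir)
    runpy.run_path(os.path.join(workdir, "analyzer.py"), run_name="__main__")
    return names

def resultserver_collect(listener):
    """Host-side result server: accept one guest connection and keep every
    line it sends; whatever arrived before a VM crash is already safe."""
    conn, _ = listener.accept()
    with conn:
        data = b""
        while True:
            chunk = conn.recv(4096)
            if not chunk:
                break
            data += chunk
    return data.decode().splitlines()

def listen_local():
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    s.settimeout(10)  # never hang the demo if one side dies
    return s

def run_analysis(sample):
    """Drive the whole round trip on localhost; returns the extracted member
    names and the lines the result server collected."""
    rs, ag = listen_local(), listen_local()
    config = {"pipe_name": r"\\.\pipe\cuckoo-example", "resultserver_ip": "127.0.0.1",
              "resultserver_port": rs.getsockname()[1]}
    out = {}
    with tempfile.TemporaryDirectory() as workdir:
        threads = [threading.Thread(target=lambda: out.update(log=resultserver_collect(rs))),
                   threading.Thread(target=lambda: out.update(names=agent_serve_once(ag, workdir)))]
        for t in threads:
            t.start()
        blob = build_analysis_zip(config, sample)
        with socket.create_connection(ag.getsockname()) as host:  # host -> agent
            host.sendall(struct.pack("!I", len(blob)) + blob)
        for t in threads:
            t.join()
    rs.close(); ag.close()
    return out
```

run_analysis(b"MZ" + b"\x00" * 62) plays host, agent and result server on one machine; the two log lines it returns are the ones the shipped analyzer sent after reading analysis.conf, which is the same path the real monitor takes when it logs to the result server instead of to a file inside the VM.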

19. So, what now?
  ◮ We've covered the basics
    ◮ Useful for single-process stuff
  ◮ What's next?

20. More Advanced Malware (1)
  ◮ Some samples run new processes
    ◮ RunPE, for Packers
    ◮ Internet Exploder^WExplorer for URLs
  ◮ Some malware injects into other processes
    ◮ Explorer.exe injection to evade Firewalls
    ◮ Banking Trojans

21. Child Process Injection
Before the new Process is executed, we want to inject Cuckoo Monitor.
  ◮ Cuckoo Monitor notifies Analyzer
    ◮ Asks to be injected into the target process
  ◮ Analyzer dumps configuration file
  ◮ Injection using APC

22-30. Child Injection (nine slides with no extracted text)

31. Process Injection
Before a sample injects and executes code into another process, we also want to inject Cuckoo Monitor. Process Injection is similar to Child Injection, except for a few steps.
  ◮ No APC, but CreateRemoteThread(...)
    ◮ Can't guarantee the APC finishes in time
  ◮ Entirely inject Cuckoo Monitor before resuming execution
    ◮ For Child Processes

32-41. Process Injection (ten slides with no extracted text)

42. That said.. Figure: What the malware thinks it's doing.

43. That said.. Figure: What Cuckoo Sandbox thinks it's doing.

44. That said.. Figure: What really happens.
