the sandbox roulette are you ready to gamble
play

The Sandbox Roulette: are you ready to gamble? Rafal Wojtczuk - PowerPoint PPT Presentation

Jan 26, 2024 •17 likes •417 views

The Sandbox Roulette: are you ready to gamble? Rafal Wojtczuk rafal@bromium.com Rahul Kashyap rahul@bromium.com What is a sandbox? Environment designed to run untrusted (or exploitable) code, in a manner that prevents the encapsulated code

  1. The Sandbox Roulette: are you ready to gamble? Rafal Wojtczuk rafal@bromium.com Rahul Kashyap rahul@bromium.com

  2. What is a sandbox? • Environment designed to run untrusted (or exploitable) code, in a manner that prevents the encapsulated code from damaging the rest of the system • For this talk, we focus on Windows-based application sandboxes • This talk is not about bugs in sandboxes, but rather an architectural discussion on their pros and cons (well mostly limitations)

  3. Sandbox types • Type 1: OS enhancement based (Sandboxie, Buffer Zone Pro etc.) • Type 2: Master/slave model (Adobe ReaderX, Chrome browser)

  4. Digression: Windows OS internals • A lot of commonly used code reliant on kernel components • Large exposure to kernel interfaces

  5. Digression - kernel security status • C urrent popular OS’s are large and exploitable • 25 CVE items for Windows kernel in 2012 • 30 CVE items for win32k.sys in Feb 2013 only • To what degree does a sandbox limit the exposure of the kernel to exploitation? – Note there are known cases of Windows kernel bugs exploited in the wild, e.g. Duqu [10]

  6. How kernel enforces access control • Sandboxed app: dear kernel, please open a file for me, the file name is at address X • Kernel: X points to “allowed_file.txt” string; here goes a file handle for you • Sandboxed app: dear kernel, please open a file for me, the file name is at address Y • Kernel: Y points to “secret_file.txt” string; you are a sandboxed app, I will not let you access this file

  7. How kernel exploits work (example) • Sandboxed app: dear kernel, please draw the text “Hello world” for me please, using the true type font stored at address X • Kernel: You are a sandboxed app, but using a font is a benign operation which you need to function properly • Kernel: OK, just a moment, I need to parse this font • While processing the font, kernel corrupts its own memory because the parser code in the kernel is buggy • Because of memory corruption, kernel starts executing code at X, which allows the app to do anything it wants

  8. TYPE 1: OS ENHANCEMENT BASED SANDBOX

  9. Type 1 Sandbox: Sandboxie • Example: Sandboxie [1] • Custom kernel driver modifies Windows behavior, so that change to protected system components is prevented • Use cases: Most of such sandboxes are used for controlled execution of applications. • Sandboxie is widely used for malware analysis

  10. Picture copied from http: //vallejo.cc/48 (not an official Sandboxie material)

  11. OS enhancement based sandbox • The problem – sandboxed code has direct access to almost full OS functionality • Almost all kernel vulnerabilities are exploitable from within this sandbox • This sandbox has no means to contain malicious kernel-mode code (because they both run at the same privilege level)

  12. Exhibit A: MS12-042 • User Mode Scheduler Memory Corruption, CVE-2012- 0217 • Allows to run arbitrary code in kernel mode • If running in sandboxie container, the usual SYSTEM- token-steal shellcode is not enough to break out of the sandbox • Need to use the unlimited power of kernel mode to either – Disable sandboxie driver – Migrate to another process, running outside of the container

  13. Exhibit A: MS12-042 • User Mode Scheduler Memory Corruption, CVE-2012- 0217 • Allows to run arbitrary code in kernel mode • If running in sandboxie container, the usual SYSTEM- token-steal shellcode is not enough to break out of the sandbox • Need to use the unlimited power of kernel mode to either – Disable sandboxie driver – Migrate to another process, running outside of the container

  14. Sandboxie bypass demo • Demo • Recommendation: Use Type 1 category sandboxes inside a VM for malware analysis

  15. Type 1 Sandbox: rZone Pro • Example: BufferZone Pro [8] • Similar in principle to Sandboxie – Although by default also prevents data theft • The same MS12-042 exploit works against BufferZone Pro • Demo

  16. TYPE 2: MASTER/SLAVE TYPE SANDBOX

  17. Type 2 Sandbox • Two processes - master and slave, talking over IPC channel • Slave is confined using OS access control facilities • Master mediates access to resources

  18. Picture taken from http://dev.chromium.org/developers/design-documents/sandbox

  19. Chrome sandbox on Windows • Slave runs with low privileges – restricted token – job object – desktop object – integrity level

  20. Chrome sandbox on Windows • How exhaustive is the OS-based confinement, according to the documentation [2]? – Mounted FAT or FAT32 volumes – no protection – TCP/IP – no protection – Access to most existing securable resources denied – Everybody agrees it is good enough… • … assuming the kernel behaves correctly

  21. Chrome sandbox in action

  22. Chrome sandbox on Windows • How resistant is Master to a malicious Slave? – This is what other authors focused on • How resistant is OS to a malicious Slave? – We focus on the last aspect

  23. Master/slave type sandbox on Windows, Adobe Reader Observe “Low” integrity level

  24. Master/slave type sandbox on Windows, Adobe Reader • Exhaustive previous related work on methodology of attacking the Master [3], [4] • The first case of Adobe sandbox vulnerability exploited in the wild reported in Feb 2013 [9] – This escape possible because of a bug in Master • Are kernel vulnerabilities exploitable from within Adobe Reader sandbox?

  25. Master/slave type sandbox on Windows, Chrome browser Observe “untrusted” integrity level

  26. Master/slave type sandbox on Windows, Chrome browser • Slave deprivileged even more than stated in chrome sandbox documentation – “Untrusted” integrity level – Particularly, access to FAT32 filesystem denied

  27. Master/slave type sandbox on Windows, Chrome browser • Well-known cases of successful attacks against the master (shown at Pwnium[5], Pwn2own[6]) • The attacks against the master are complex and relatively rare

  28. Master/slave type sandbox on Windows, Chrome browser • Slave can still exploit a kernel vulnerability • Some vulnerabilities are not exploitable by Slave – If need to create a process – If need to alter specific locations in the registry • win32k.sys still much exposed A vulnerability in win32k.sys can potentially be exploited at the browser level, yielding full control over the machine directly, without the need to achieve code execution in the sandbox first.

  29. Exhibit B: MS12-075 • TrueType Font Parsing Vulnerability – CVE- 2012-2897 • Just opening a crafted web page in a vulnerable Chrome browser running on a vulnerable Windows version results in BSOD • Chances of achieving kernel mode code execution much better if attacker is able to run arbitrary code in the sandbox first

  30. Exhibit B: MS12-075 • TrueType Font Parsing Vulnerability – CVE- 2012-2897 • Just opening a crafted web page in a vulnerable Chrome browser running on a vulnerable Windows version results in BSOD • Chances of achieving kernel mode code execution much better if attacker is able to run arbitrary code in the sandbox first

  31. BSOD caused by Chrome browser processing malformed TrueType font Exhibit C: MS12-075

  32. Exhibit C: MS11-087 • TrueType Font Parsing Vulnerability – CVE- 2011-3042 • Exploited in the wild by Duqu malware, via MS Office documents • What if one runs the exploit within the Chrome sandbox?

  33. Exhibit C: MS11-087 • TrueType Font Parsing Vulnerability – CVE- 2011-3042 • Exploited in the wild by Duqu malware, via MS Office documents • What if one runs the exploit within the Chrome sandbox?

  34. Adobe renderer, MS11-087 exploit

  35. Chrome renderer, MS11-087 exploit

  36. Exhibit D: MS11-098 • Windows Kernel Exception Handler Vulnerability, CVE-2011-2018

  37. Exhibit D: MS11-098 • Windows Kernel Exception Handler Vulnerability, CVE-2011-2018

  38. Memorize This Slide! • Many Windows kernel vulnerabilities have been discovered, more is expected in the future • If a sandbox relies on kernel security, a suitable kernel vulnerability can be used to break out of the sandbox • It is happening now (e.g. MWR Labs at Pwn2own)

  39. Virtualization based sandbox • Wraps the whole OS in a sandbox • OS vulnerabilities nonfatal • Hypervisor and supporting environment still an attack vector • A customized virtualization solution required to limit the exposure • The amount of functionality exposed by the hardened hypervisor to the attacker, although not negligible, is orders of magnitude less than the equivalent OS functionality

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Roulette The game of roulette serves as a nice introduction to some of the key ideas relating to

Roulette The game of roulette serves as a nice introduction to some of the key ideas relating to

Roulette The game of roulette serves as a nice introduction to some of the key ideas relating to probability. Alan H. SteinUniversity of Connecticut Roulette The game of roulette serves as a nice introduction to some of the key ideas relating to

1.14k views • 64 slides
Variational Russian Roulette for Variational Russian Roulette for Deep Bayesian Nonparametrics

Variational Russian Roulette for Variational Russian Roulette for Deep Bayesian Nonparametrics

Variational Russian Roulette for Variational Russian Roulette for Deep Bayesian Nonparametrics Deep Bayesian Nonparametrics Kai Xu [1] Joint work with Akash Srivastava [1,2] and Charles Sutton [1,3,4] [1] University of Edinburgh [2] MIT-IBM

372 views • 6 slides
Roulette: Inheritance Case Study What are scenarios? Roulette involves a player, a wheel, and

Roulette: Inheritance Case Study What are scenarios? Roulette involves a player, a wheel, and

Roulette: Inheritance Case Study What are scenarios? Roulette involves a player, a wheel, and bets User/player given choice of bet Real game has several players, well use one Bet choice made Real game has lots of kinds of

369 views • 3 slides
Roulette: Inheritance Case Study Roulette involves a player, a wheel, and bets Real game

Roulette: Inheritance Case Study Roulette involves a player, a wheel, and bets Real game

Roulette: Inheritance Case Study Roulette involves a player, a wheel, and bets Real game has several players, well use one Real game has lots of kinds of bets, well use three but make it simple to add more Instead of

236 views • 10 slides
Welcome! What Is an AR Sandbox? (and how to build one) An Augmented Reality Sandbox Is: a

Welcome! What Is an AR Sandbox? (and how to build one) An Augmented Reality Sandbox Is: a

Welcome! What Is an AR Sandbox? (and how to build one) An Augmented Reality Sandbox Is: a box filled with white sand a projector mounted over the sand a Kinect depth-sensing camera mounted over the sand a computer that runs

491 views • 11 slides
SELinux Sandbox Daniel Walsh Red Hat What is Sandbox Run applications in a confined

SELinux Sandbox Daniel Walsh Red Hat What is Sandbox Run applications in a confined

SELinux Sandbox Daniel Walsh Red Hat What is Sandbox Run applications in a confined environment. Allow filtering tools to read untrusted content. Vulnerability in a filtering tools can allow content to cause the application to do bad

501 views • 13 slides
Haow do I sandbox?!?! Cuckoo Sandbox Internals Jurriaan Bremer @skier t Student (University of

Haow do I sandbox?!?! Cuckoo Sandbox Internals Jurriaan Bremer @skier t Student (University of

Haow do I sandbox?!?! Cuckoo Sandbox Internals Jurriaan Bremer @skier t Student (University of Amsterdam), Freelance Security Researcher June 22, 2013 June 22, 2013 Jurriaan Bremer @skier t Haow do I sandbox?!?! Cuckoo Sandbox Internals 1 /

1.15k views • 79 slides
How to Gamble Against All Odds Gilad Bavly 1 Ron Peretz 2 1 Bar-Ilan University 2 London School of

How to Gamble Against All Odds Gilad Bavly 1 Ron Peretz 2 1 Bar-Ilan University 2 London School of

How to Gamble Against All Odds Gilad Bavly 1 Ron Peretz 2 1 Bar-Ilan University 2 London School of Economics Heidelberg, June 2015 How to Gamble Against All Odds 1 Preface starting with an algorithmic randomness problem transformed to a

1.14k views • 88 slides
Inn nnovative R Reg egulations i in n Insuran ance Regulatory S y Sandbox 19 th

Inn nnovative R Reg egulations i in n Insuran ance Regulatory S y Sandbox 19 th

Inn nnovative R Reg egulations i in n Insuran ance Regulatory S y Sandbox 19 th December, 2019 Institute of Actuaries Agenda Regulatory Sandbox Regulations Salient Features Operational Guidelines Salient Features

578 views • 15 slides
iOS App Extensions Photo Extensions: Shared Settings Separate Sandboxes Extension App Sandbox

iOS App Extensions Photo Extensions: Shared Settings Separate Sandboxes Extension App Sandbox

iOS App Extensions Photo Extensions: Shared Settings Separate Sandboxes Extension App Sandbox Sandbox Shared Container App Group Extension App Sandbox Sandbox Shared Container Shared NSUserDefaults

509 views • 7 slides
iForensics Digital Inc. App Sandbox CEO Po Huang po@iforensics.com.tw h t t p : / / w w w . i f

iForensics Digital Inc. App Sandbox CEO Po Huang po@iforensics.com.tw h t t p : / / w w w . i f

iForensics Digital Inc. App Sandbox CEO Po Huang po@iforensics.com.tw h t t p : / / w w w . i f o r e n s i c s . c o m . t w / i n d e x E N . h t m l Agenda Company Profile APP Sandbox DG-Secure COMPANY PORTFOLIO Company

247 views • 20 slides
Full-System Architectural Exploration Sandbox Eriko Nurvitadhi and James C. Hoe Computer

Full-System Architectural Exploration Sandbox Eriko Nurvitadhi and James C. Hoe Computer

Full-System Architectural Exploration Sandbox Eriko Nurvitadhi and James C. Hoe Computer Architecture Lab (CALCM) Carnegie Mellon University Nurvitadhi & Hoe, CMU/ECE WARFP 2005, February 2005, Slide 1 Sandbox Desiderata A PC where I

157 views • 4 slides
SANDBOXING How does a sandbox look like? Software or hardware appliances that receive suspicious

SANDBOXING How does a sandbox look like? Software or hardware appliances that receive suspicious

H ERE Claudio nex Guarnieri @botherder Security Researcher at Rapid7 Labs Core member of The Shadowserver Foundation Core member of The Honeynet Project Creator of Cuckoo Sandbox Founder of Malwr.com H ERE Mark

1.02k views • 89 slides
Photon Mapping (Helper Slides) Sampling Patterns Specular Reflection and Transmission

Photon Mapping (Helper Slides) Sampling Patterns Specular Reflection and Transmission

Photon Mapping (Helper Slides) Sampling Patterns Specular Reflection and Transmission Available in ray tracer Use Fresnels Eqns for F r Russian Roulette RGB Roulette Caustics: Projection Maps Cast caustic map photons toward

527 views • 14 slides
SELECTION Deterministic Stochastic Proportionate selection: Roulette Wheel Selection

SELECTION Deterministic Stochastic Proportionate selection: Roulette Wheel Selection

SELECTION Deterministic Stochastic Proportionate selection: Roulette Wheel Selection Rank based selection Tournament Selection COMPETITION (mu) denotes the size of the (parent) population (lambda) denotes the

390 views • 19 slides
Work-in-Progress: RWS A Roulette Wheel Scheduler for Preventing Execution Pattern Leakage

Work-in-Progress: RWS A Roulette Wheel Scheduler for Preventing Execution Pattern Leakage

Work-in-Progress: RWS A Roulette Wheel Scheduler for Preventing Execution Pattern Leakage Ying Zhang, Lingxiang Wang, Wei Jiang, Zhishan Guo Department of Computer Science, Missouri S&T Presenter: Zheng Dong* * Department of Computer

566 views • 9 slides
10/23/2015 CSE 473: Artificial Intelligence Autumn 2015 Hill Climbing Expectimax Search

10/23/2015 CSE 473: Artificial Intelligence Autumn 2015 Hill Climbing Expectimax Search

10/23/2015 CSE 473: Artificial Intelligence Autumn 2015 Hill Climbing Expectimax Search Uncertainty Fereshteh Sadeghi and Steve Tanimoto With slides from : Dieter Fox, Dan Weld, Dan Klein, Pieter Abbeel and others. 1 1 10/23/2015 2

427 views • 10 slides
and Monte Carlo Localization Wolfram Burgard, Cyrill Stachniss, Maren Bennewitz, Diego Tipaldi,

and Monte Carlo Localization Wolfram Burgard, Cyrill Stachniss, Maren Bennewitz, Diego Tipaldi,

Introduction to Mobile Robotics Bayes Filter Particle Filter and Monte Carlo Localization Wolfram Burgard, Cyrill Stachniss, Maren Bennewitz, Diego Tipaldi, Luciano Spinello 1 Motivation Recall: Discrete filter Discretize the

681 views • 65 slides
Lecture 14 - Grand Recap Welcome! , = (, ) ,

Lecture 14 - Grand Recap Welcome! , = (, ) ,

INFOMAGR Advanced Graphics Jacco Bikker - November 2016 - February 2017 Lecture 14 - Grand Recap Welcome! , = (, ) , + , , ,

556 views • 39 slides
Variance reduction A primer on simplest techniques What is variance reduction Reduce

Variance reduction A primer on simplest techniques What is variance reduction Reduce

Variance reduction A primer on simplest techniques What is variance reduction Reduce computer time required to obtain results of sufficient precision Random walk sampling modification sampling important particles at the

457 views • 14 slides
Ukraine Eurobond Market 2005-YTD: or Russian

Ukraine Eurobond Market 2005-YTD: or Russian

Ukraine Eurobond Market 2005-YTD: or Russian roulette? November 2010 Investment Banking Division Slide 1 Ukraine 2005 - Q12010 From Hero to Zero? 6000 8,000 From the beginning of 2005 till the

241 views • 5 slides
02941 Physically Based Rendering Path Tracing Jeppe Revall Frisvad June 2020 Heckberts Light

02941 Physically Based Rendering Path Tracing Jeppe Revall Frisvad June 2020 Heckberts Light

02941 Physically Based Rendering Path Tracing Jeppe Revall Frisvad June 2020 Heckberts Light Transport Notation Path tracing includes all light paths: L ( S | D ) E . References: - Heckbert, P. S. Adaptive radiosity textures for

557 views • 13 slides
Realistic Image Synthesis - MIS and Path Tracing - Philipp Slusallek Karol Myszkowski Gurprit

Realistic Image Synthesis - MIS and Path Tracing - Philipp Slusallek Karol Myszkowski Gurprit

Realistic Image Synthesis - MIS and Path Tracing - Philipp Slusallek Karol Myszkowski Gurprit Singh Realistic Image Synthesis SS2018 MIS and Path Tracing MULTIPLE IMPORTANCE SAMPLING (MIS) Realistic Image Synthesis SS2018 MIS and Path

511 views • 28 slides
What you will be doing Goals: Checkpoint 4 -- Selection and Fitness Define and implement

What you will be doing Goals: Checkpoint 4 -- Selection and Fitness Define and implement

What you will be doing Goals: Checkpoint 4 -- Selection and Fitness Define and implement fitness measure Experiment with a variety of selection mechanisms More statistics gathering. Reminder: all checkpoints to contribute to

415 views • 4 slides

More recommend