haow do i sandbox
play

Haow do I sandbox?!?! Cuckoo Sandbox Internals Jurriaan Bremer - PowerPoint PPT Presentation

Apr 23, 2023 •350 likes •1.15k views

Haow do I sandbox?!?! Cuckoo Sandbox Internals Jurriaan Bremer @skier t Student (University of Amsterdam), Freelance Security Researcher June 22, 2013 June 22, 2013 Jurriaan Bremer @skier t Haow do I sandbox?!?! Cuckoo Sandbox Internals 1 /

  1. Haow do I sandbox?!?! Cuckoo Sandbox Internals Jurriaan Bremer @skier t Student (University of Amsterdam), Freelance Security Researcher June 22, 2013 June 22, 2013 Jurriaan Bremer @skier t Haow do I sandbox?!?! Cuckoo Sandbox Internals 1 / 79

  2. Introduction - Cuckoo Sandbox Team Figure : Mark Schloesser, Claudio Guarnieri, Me, Alessandro Tanasi June 22, 2013 Jurriaan Bremer @skier t Haow do I sandbox?!?! Cuckoo Sandbox Internals 2 / 79

  3. Introduction - What this talk is NOT about! Figure : Dragon Sandbox! June 22, 2013 Jurriaan Bremer @skier t Haow do I sandbox?!?! Cuckoo Sandbox Internals 3 / 79

  4. Introduction - What this talk is about! ◮ How we built Cuckoo ◮ How to evade Cuckoo ◮ Left as an exercise for the attendee ◮ Who would do such terrible thing though? June 22, 2013 Jurriaan Bremer @skier t Haow do I sandbox?!?! Cuckoo Sandbox Internals 4 / 79

  5. Introduction - Todays problems in Malware ◮ . . . Insert long list of problems . . . ◮ In the end, we prefer to blame.. June 22, 2013 Jurriaan Bremer @skier t Haow do I sandbox?!?! Cuckoo Sandbox Internals 5 / 79

  6. Introduction - Todays problems in Malware June 22, 2013 Jurriaan Bremer @skier t Haow do I sandbox?!?! Cuckoo Sandbox Internals 6 / 79

  7. Introduction - Todays problems in Malware Analysis ◮ Static Analysis takes a lot of time ◮ Obfuscation ◮ Packers ◮ Dynamic Analysis also takes a lot of time ◮ Multi-threaded malware ◮ Anti-debugger, anti-virtual machine, etc. June 22, 2013 Jurriaan Bremer @skier t Haow do I sandbox?!?! Cuckoo Sandbox Internals 7 / 79

  8. Introduction - Sandboxing in General (1) ◮ Enter Sandboxes ◮ Automated Malware Analysis - handles all repetitive work ◮ Process thousands of samples in a reasonable time ◮ Generic methods for bypassing anti’s ◮ For the Client ◮ User friendly - anyone can use it ◮ Setup once, use it for eternity ◮ For this step, see the manual :p June 22, 2013 Jurriaan Bremer @skier t Haow do I sandbox?!?! Cuckoo Sandbox Internals 8 / 79

  9. Introduction - Sandboxing in General (2) ◮ Existing Solutions ◮ Closed Source ◮ Not 100% customizable ◮ Very expensive ◮ Enter Cuckoo Sandbox ◮ Entirely Open Source ◮ Free to use June 22, 2013 Jurriaan Bremer @skier t Haow do I sandbox?!?! Cuckoo Sandbox Internals 9 / 79

  10. Introduction - Disadvantages of Sandboxing ◮ Environment could be detected ◮ Anti-sandbox ◮ Randomize environment ◮ Can only randomize so many things ◮ Various limitations depending on the implementation ◮ We try our best to bypass these ◮ E.g., Hook Detection by Malware ◮ Reports still have to be read by somebody June 22, 2013 Jurriaan Bremer @skier t Haow do I sandbox?!?! Cuckoo Sandbox Internals 10 / 79

  11. Cuckoo Sandbox Architecture June 22, 2013 Jurriaan Bremer @skier t Haow do I sandbox?!?! Cuckoo Sandbox Internals 11 / 79

  12. Demonstration of analyzing a PDF exploit ◮ Demo showing the entire analysis process ◮ Quick look through the report June 22, 2013 Jurriaan Bremer @skier t Haow do I sandbox?!?! Cuckoo Sandbox Internals 12 / 79

  13. Cuckoo Sandbox Internals June 22, 2013 Jurriaan Bremer @skier t Haow do I sandbox?!?! Cuckoo Sandbox Internals 13 / 79

  14. Inside the Virtual Machine - Agent ◮ Listening Agent ◮ Accepts a connection ◮ Host connects ◮ Host sends zip file ◮ Agent unpacks zip file ◮ Python code ◮ Easily upgrade Cuckoo to a new version! ◮ Configuration files ◮ The sample ◮ Agent runs the Analyzer ◮ Which has been sent through the zip June 22, 2013 Jurriaan Bremer @skier t Haow do I sandbox?!?! Cuckoo Sandbox Internals 14 / 79

  15. Inside the Virtual Machine - Analyzer ◮ Analyzer ◮ Initializes Cuckoo stuff ◮ Open IPC Channel (Named Pipe) ◮ Some handwaving etc ◮ Dumps Configuration for the first Process ◮ Name of the Named Pipe ◮ IP and Port of the Result Server ◮ (Will come back to that later) ◮ Runs the specified Package June 22, 2013 Jurriaan Bremer @skier t Haow do I sandbox?!?! Cuckoo Sandbox Internals 15 / 79

  16. Inside the Virtual Machine - Packages ◮ Package starts an application with commandline parameters ◮ Wrappers around CreateProcess(CREATE SUSPENDED) ◮ Packages for EXE, DLL, PDF, DOC, etc. ◮ Inject Cuckoo Monitor DLL into the process ◮ Using APC, QueueUserAPC(...) ◮ Resume main thread of the process June 22, 2013 Jurriaan Bremer @skier t Haow do I sandbox?!?! Cuckoo Sandbox Internals 16 / 79

  17. Inside the Application - Cuckoo Monitor ◮ When resuming the main thread ◮ Cuckoo Monitor is executed first ◮ Due to the APC callback ◮ Initializes internals & installs API Hooks ◮ Notifies the Analyzer ◮ Through Named Pipes ◮ Real application is started June 22, 2013 Jurriaan Bremer @skier t Haow do I sandbox?!?! Cuckoo Sandbox Internals 17 / 79

  18. Outside the Virtual Machine - Result Server ◮ Cuckoo Monitor logs directly to the Host, over TCP/IP ◮ IP and Port retrieved from the Configuration ◮ More stability than before, when we logged to a local file ◮ VM Crashes resulted in no logs ◮ Now real-time results June 22, 2013 Jurriaan Bremer @skier t Haow do I sandbox?!?! Cuckoo Sandbox Internals 18 / 79

  19. So, what now? ◮ We’ve covered the basics ◮ Useful for single-process stuff ◮ What’s next? June 22, 2013 Jurriaan Bremer @skier t Haow do I sandbox?!?! Cuckoo Sandbox Internals 19 / 79

  20. More Advanced Malware (1) ◮ Some samples run new processes ◮ RunPE, for Packers ◮ Internet ExploderˆWExplorer for URLs ◮ Some malware injects into other processes ◮ Explorer.exe Injection to evade Firewalls ◮ Banking Trojans June 22, 2013 Jurriaan Bremer @skier t Haow do I sandbox?!?! Cuckoo Sandbox Internals 20 / 79

  21. Child Process Injection Before the new Process is executed, we want to inject Cuckoo Monitor. ◮ Cuckoo Monitor notifies Analyzer ◮ Asks to be injected into the target process ◮ Analyzer dumps configuration file ◮ Injection using APC June 22, 2013 Jurriaan Bremer @skier t Haow do I sandbox?!?! Cuckoo Sandbox Internals 21 / 79

  22. Child Injection June 22, 2013 Jurriaan Bremer @skier t Haow do I sandbox?!?! Cuckoo Sandbox Internals 22 / 79

  23. Child Injection June 22, 2013 Jurriaan Bremer @skier t Haow do I sandbox?!?! Cuckoo Sandbox Internals 23 / 79

  24. Child Injection June 22, 2013 Jurriaan Bremer @skier t Haow do I sandbox?!?! Cuckoo Sandbox Internals 24 / 79

  25. Child Injection June 22, 2013 Jurriaan Bremer @skier t Haow do I sandbox?!?! Cuckoo Sandbox Internals 25 / 79

  26. Child Injection June 22, 2013 Jurriaan Bremer @skier t Haow do I sandbox?!?! Cuckoo Sandbox Internals 26 / 79

  27. Child Injection June 22, 2013 Jurriaan Bremer @skier t Haow do I sandbox?!?! Cuckoo Sandbox Internals 27 / 79

  28. Child Injection June 22, 2013 Jurriaan Bremer @skier t Haow do I sandbox?!?! Cuckoo Sandbox Internals 28 / 79

  29. Child Injection June 22, 2013 Jurriaan Bremer @skier t Haow do I sandbox?!?! Cuckoo Sandbox Internals 29 / 79

  30. Child Injection June 22, 2013 Jurriaan Bremer @skier t Haow do I sandbox?!?! Cuckoo Sandbox Internals 30 / 79

  31. Process Injection Before a sample injects and executes code into another process, we also want to inject Cuckoo Monitor. Process Injection is similar to Child Injection, except for a few steps. ◮ No APC, but CreateRemoteThread(...) ◮ Can’t guarantee APC finishes in time ◮ Entirely inject Cuckoo Monitor before resuming execution ◮ For Child Processes June 22, 2013 Jurriaan Bremer @skier t Haow do I sandbox?!?! Cuckoo Sandbox Internals 31 / 79

  32. Process Injection June 22, 2013 Jurriaan Bremer @skier t Haow do I sandbox?!?! Cuckoo Sandbox Internals 32 / 79

  33. Process Injection June 22, 2013 Jurriaan Bremer @skier t Haow do I sandbox?!?! Cuckoo Sandbox Internals 33 / 79

  34. Process Injection June 22, 2013 Jurriaan Bremer @skier t Haow do I sandbox?!?! Cuckoo Sandbox Internals 34 / 79

  35. Process Injection June 22, 2013 Jurriaan Bremer @skier t Haow do I sandbox?!?! Cuckoo Sandbox Internals 35 / 79

  36. Process Injection June 22, 2013 Jurriaan Bremer @skier t Haow do I sandbox?!?! Cuckoo Sandbox Internals 36 / 79

  37. Process Injection June 22, 2013 Jurriaan Bremer @skier t Haow do I sandbox?!?! Cuckoo Sandbox Internals 37 / 79

  38. Process Injection June 22, 2013 Jurriaan Bremer @skier t Haow do I sandbox?!?! Cuckoo Sandbox Internals 38 / 79

  39. Process Injection June 22, 2013 Jurriaan Bremer @skier t Haow do I sandbox?!?! Cuckoo Sandbox Internals 39 / 79

  40. Process Injection June 22, 2013 Jurriaan Bremer @skier t Haow do I sandbox?!?! Cuckoo Sandbox Internals 40 / 79

  41. Process Injection June 22, 2013 Jurriaan Bremer @skier t Haow do I sandbox?!?! Cuckoo Sandbox Internals 41 / 79

  42. That said.. Figure : What the malware thinks it’s doing. June 22, 2013 Jurriaan Bremer @skier t Haow do I sandbox?!?! Cuckoo Sandbox Internals 42 / 79

  43. That said.. Figure : What Cuckoo Sandbox thinks it’s doing. June 22, 2013 Jurriaan Bremer @skier t Haow do I sandbox?!?! Cuckoo Sandbox Internals 43 / 79

  44. That said.. Figure : What really happens. June 22, 2013 Jurriaan Bremer @skier t Haow do I sandbox?!?! Cuckoo Sandbox Internals 44 / 79

Recommend

Welcome! What Is an AR Sandbox? (and how to build one) An Augmented Reality Sandbox Is: a

Welcome! What Is an AR Sandbox? (and how to build one) An Augmented Reality Sandbox Is: a

Welcome! What Is an AR Sandbox? (and how to build one) An Augmented Reality Sandbox Is: a box filled with white sand a projector mounted over the sand a Kinect depth-sensing camera mounted over the sand a computer that runs

491 views • 11 slides
SELinux Sandbox Daniel Walsh Red Hat What is Sandbox Run applications in a confined

SELinux Sandbox Daniel Walsh Red Hat What is Sandbox Run applications in a confined

SELinux Sandbox Daniel Walsh Red Hat What is Sandbox Run applications in a confined environment. Allow filtering tools to read untrusted content. Vulnerability in a filtering tools can allow content to cause the application to do bad

501 views • 13 slides
Inn nnovative R Reg egulations i in n Insuran ance Regulatory S y Sandbox 19 th

Inn nnovative R Reg egulations i in n Insuran ance Regulatory S y Sandbox 19 th

Inn nnovative R Reg egulations i in n Insuran ance Regulatory S y Sandbox 19 th December, 2019 Institute of Actuaries Agenda Regulatory Sandbox Regulations Salient Features Operational Guidelines Salient Features

578 views • 15 slides
iOS App Extensions Photo Extensions: Shared Settings Separate Sandboxes Extension App Sandbox

iOS App Extensions Photo Extensions: Shared Settings Separate Sandboxes Extension App Sandbox

iOS App Extensions Photo Extensions: Shared Settings Separate Sandboxes Extension App Sandbox Sandbox Shared Container App Group Extension App Sandbox Sandbox Shared Container Shared NSUserDefaults

509 views • 7 slides
iForensics Digital Inc. App Sandbox CEO Po Huang po@iforensics.com.tw h t t p : / / w w w . i f

iForensics Digital Inc. App Sandbox CEO Po Huang po@iforensics.com.tw h t t p : / / w w w . i f

iForensics Digital Inc. App Sandbox CEO Po Huang po@iforensics.com.tw h t t p : / / w w w . i f o r e n s i c s . c o m . t w / i n d e x E N . h t m l Agenda Company Profile APP Sandbox DG-Secure COMPANY PORTFOLIO Company

247 views • 20 slides
Full-System Architectural Exploration Sandbox Eriko Nurvitadhi and James C. Hoe Computer

Full-System Architectural Exploration Sandbox Eriko Nurvitadhi and James C. Hoe Computer

Full-System Architectural Exploration Sandbox Eriko Nurvitadhi and James C. Hoe Computer Architecture Lab (CALCM) Carnegie Mellon University Nurvitadhi & Hoe, CMU/ECE WARFP 2005, February 2005, Slide 1 Sandbox Desiderata A PC where I

157 views • 4 slides
SANDBOXING How does a sandbox look like? Software or hardware appliances that receive suspicious

SANDBOXING How does a sandbox look like? Software or hardware appliances that receive suspicious

H ERE Claudio nex Guarnieri @botherder Security Researcher at Rapid7 Labs Core member of The Shadowserver Foundation Core member of The Honeynet Project Creator of Cuckoo Sandbox Founder of Malwr.com H ERE Mark

1.02k views • 89 slides
FTA MOD Sandbox Grant Multimodal Trip Planner TriMet Board of Directors Briefing, 2/27/2019

FTA MOD Sandbox Grant Multimodal Trip Planner TriMet Board of Directors Briefing, 2/27/2019

FTA MOD Sandbox Grant Multimodal Trip Planner TriMet Board of Directors Briefing, 2/27/2019 Bibiana McHugh, Manager, Mobility & Location-Based Services 1 FTA Mobility on Demand (MOD) Sandbox Grant Jan 2017 - Jan 2019 TriMet was one of

391 views • 12 slides
The Sandbox Roulette: are you ready to gamble? Rafal Wojtczuk rafal@bromium.com Rahul Kashyap

The Sandbox Roulette: are you ready to gamble? Rafal Wojtczuk rafal@bromium.com Rahul Kashyap

The Sandbox Roulette: are you ready to gamble? Rafal Wojtczuk rafal@bromium.com Rahul Kashyap rahul@bromium.com What is a sandbox? Environment designed to run untrusted (or exploitable) code, in a manner that prevents the encapsulated code

417 views • 40 slides
Malicious Bytecode Peter Cawley <lua@corsix.org> Lua Workshop 2011 A Common Pattern 1.

Malicious Bytecode Peter Cawley <lua@corsix.org> Lua Workshop 2011 A Common Pattern 1.

Mitigating the Danger of Malicious Bytecode Peter Cawley <lua@corsix.org> Lua Workshop 2011 A Common Pattern 1. Create sandbox 2. Load user-supplied Lua (byte|source) code 3. Run code in sandbox A Common Pattern 1. Create sandbox 2.

369 views • 35 slides
Together in the Sandbox: Board and Staff Relationships Welcome! The webinar will begin at 10:00

Together in the Sandbox: Board and Staff Relationships Welcome! The webinar will begin at 10:00

Together in the Sandbox: Board and Staff Relationships Welcome! The webinar will begin at 10:00 a.m. CT. While you wait: 1. Download PDFs of the slides and handout under the Handouts tab of your control bar. 2. Confirm that your

540 views • 36 slides
Evading&Android&Run?me&Analysis& via&& Sandbox&Detec?on&

Evading&Android&Run?me&Analysis& via&& Sandbox&Detec?on&

Evading&Android&Run?me&Analysis& via&& Sandbox&Detec?on& &&&&&&&&&&&&&&&&Timothy&Vidas,&Nicolas&Chris?n&

526 views • 28 slides
BREEDING SANDWORMS: HOW TO FUZZ YOUR WAY OUT OF ADOBE READER X'S SANDBOX Who we are Research

BREEDING SANDWORMS: HOW TO FUZZ YOUR WAY OUT OF ADOBE READER X'S SANDBOX Who we are Research

BREEDING SANDWORMS: HOW TO FUZZ YOUR WAY OUT OF ADOBE READER X'S SANDBOX Who we are Research and Analysis: Zhenhua(Eric) Liu Vulnerability Researcher zhliu@fortinet.com Contributor and Editor: Guillaume Lovet Sr Manager of Fortinet's

646 views • 52 slides
Sandboxes VM Most sandboxes provide an isolation-based approach where the effect of

Sandboxes VM Most sandboxes provide an isolation-based approach where the effect of

Sandboxes VM Most sandboxes provide an isolation-based approach where the effect of programs run inside a sandbox is entirely isolated from resources outside the sandbox's authority. However, due to practical requirements, sandboxing

1.9k views • 164 slides
Practical and Effective Sandboxing for Non-root users Taesoo Kim and Nickolai Zeldovich MIT

Practical and Effective Sandboxing for Non-root users Taesoo Kim and Nickolai Zeldovich MIT

Practical and Effective Sandboxing for Non-root users Taesoo Kim and Nickolai Zeldovich MIT CSAIL Why yet another sandbox for desktop applications? There are many existing sandbox mechanisms Chroot / Lxc (Unix/Linux) Jail (Freebsd)

515 views • 48 slides
PLAYING WELL IN THE SANDBOX TO REVITALIZE COMMUNITIES CWLA 2015 NATIONAL CONFERENCE APRIL 27-29,

PLAYING WELL IN THE SANDBOX TO REVITALIZE COMMUNITIES CWLA 2015 NATIONAL CONFERENCE APRIL 27-29,

PLAYING WELL IN THE SANDBOX TO REVITALIZE COMMUNITIES CWLA 2015 NATIONAL CONFERENCE APRIL 27-29, 2015 ADVANCING EXCELLENCE THROUGH INNOVATION AND COLLABORATION Pinellas County Florida Census Estimates 2013 930,109 total population 159,979

329 views • 13 slides
SA SANDBOX Megan Fillion, Gabriel Guzman, and Dimitri Leggas mlf2179, grg2117, and ddl2133

SA SANDBOX Megan Fillion, Gabriel Guzman, and Dimitri Leggas mlf2179, grg2117, and ddl2133

SA SANDBOX Megan Fillion, Gabriel Guzman, and Dimitri Leggas mlf2179, grg2117, and ddl2133 Overview o Motivation o Improve our understanding of digital systems o Simple HDL to facilitate our/others learning o A challenging PLT project o Goals

345 views • 11 slides
The Apple Sandbox dion@securityevaluators.com Blackhat DC 2011 Wednesday, January 19, 2011

The Apple Sandbox dion@securityevaluators.com Blackhat DC 2011 Wednesday, January 19, 2011

Dionysus Blazakis The Apple Sandbox dion@securityevaluators.com Blackhat DC 2011 Wednesday, January 19, 2011 Where to find stuff https://github.com/dionthegod/XNUSandbox http://www.semantiscope.com/research/ BHDC2011/BHDC2011-Paper.pdf

1.21k views • 69 slides
AccTEE: A WebAssembly-based Two-way Sandbox for Trusted R esource Accounting MIDDLEWARE 2019 , UC

AccTEE: A WebAssembly-based Two-way Sandbox for Trusted R esource Accounting MIDDLEWARE 2019 , UC

AccTEE: A WebAssembly-based Two-way Sandbox for Trusted R esource Accounting MIDDLEWARE 2019 , UC Davis David Goltzsche, 1 Manuel Nieke, 1 Thomas Knauth, 2 and Rdiger Kapitza 1 goltzsche@ibr.cs.tu-bs.de @d_goltzsche 1 TU Braunschweig, Germany 2

502 views • 37 slides
secmodel_sandbox An application sandbox for NetBSD Stephen Herwig sandboxing Sandboxing:

secmodel_sandbox An application sandbox for NetBSD Stephen Herwig sandboxing Sandboxing:

secmodel_sandbox An application sandbox for NetBSD Stephen Herwig sandboxing Sandboxing: limiting the privileges of a process Two motivations - Running untrusted code in a restricted environment - Dropping privileges in trusted code so as to

1.09k views • 58 slides
Native Client: A Sandbox for Portable, Untrusted x86 Native Code Bennet Yee, David Sehr, Gregory

Native Client: A Sandbox for Portable, Untrusted x86 Native Code Bennet Yee, David Sehr, Gregory

Native Client: A Sandbox for Portable, Untrusted x86 Native Code Bennet Yee, David Sehr, Gregory Dardyk, J. Bradley Chen, Robert Muth, Tavis Ormandy, Shiki Okasaka, Neha Narula, and Nicholas Fullagar Google Inc. Presented by: Gilmore R.

497 views • 39 slides
Native Client: A sandbox for portable, untrusted x86 native code Bennet Yee, David Sehr, Gregory

Native Client: A sandbox for portable, untrusted x86 native code Bennet Yee, David Sehr, Gregory

Faculty of Computer Science Institute for System Architecture, Operating Systems Group Native Client: A sandbox for portable, untrusted x86 native code Bennet Yee, David Sehr, Gregory Dardyk, J. Bradley Chen, Robert Muth, Tavis Ormandy, Shiki

170 views • 13 slides
Financial conduct authority sandbox Lara Kaplan Lara Kaplan Background Financial Services

Financial conduct authority sandbox Lara Kaplan Lara Kaplan Background Financial Services

Financial conduct authority sandbox Lara Kaplan Lara Kaplan Background Financial Services Regulatory Lawyer qualified in England & Wales FinTech and Payments Group, Paul Hastings in Washington DC* Finance & Innovation

159 views • 12 slides
Game Genres INTRODUCTION TO GAME GENRES: SIMULATION, SPORT, FIGHTING, CASUAL, SANDBOX,

Game Genres INTRODUCTION TO GAME GENRES: SIMULATION, SPORT, FIGHTING, CASUAL, SANDBOX,

Game Genres INTRODUCTION TO GAME GENRES: SIMULATION, SPORT, FIGHTING, CASUAL, SANDBOX, EDUCATIONAL, PUZZLE, ONLINE, 1 Simulations Simulations require a substantial amount of depth. Often, a great deal of research is required in

2.01k views • 45 slides

More recommend