the sandbox roulette are you ready to gamble
play

The Sandbox Roulette: are you ready to gamble? Rafal Wojtczuk - PowerPoint PPT Presentation

Jan 26, 2024 •17 likes •417 views

The Sandbox Roulette: are you ready to gamble? Rafal Wojtczuk rafal@bromium.com Rahul Kashyap rahul@bromium.com What is a sandbox? Environment designed to run untrusted (or exploitable) code, in a manner that prevents the encapsulated code

  1. The Sandbox Roulette: are you ready to gamble? Rafal Wojtczuk rafal@bromium.com Rahul Kashyap rahul@bromium.com

  2. What is a sandbox? • Environment designed to run untrusted (or exploitable) code, in a manner that prevents the encapsulated code from damaging the rest of the system • For this talk, we focus on Windows-based application sandboxes • This talk is not about bugs in sandboxes, but rather an architectural discussion on their pros and cons (well mostly limitations)

  3. Sandbox types • Type 1: OS enhancement based (Sandboxie, Buffer Zone Pro etc.) • Type 2: Master/slave model (Adobe ReaderX, Chrome browser)

  4. Digression: Windows OS internals • A lot of commonly used code reliant on kernel components • Large exposure to kernel interfaces

  5. Digression - kernel security status • C urrent popular OS’s are large and exploitable • 25 CVE items for Windows kernel in 2012 • 30 CVE items for win32k.sys in Feb 2013 only • To what degree does a sandbox limit the exposure of the kernel to exploitation? – Note there are known cases of Windows kernel bugs exploited in the wild, e.g. Duqu [10]

  6. How kernel enforces access control • Sandboxed app: dear kernel, please open a file for me, the file name is at address X • Kernel: X points to “allowed_file.txt” string; here goes a file handle for you • Sandboxed app: dear kernel, please open a file for me, the file name is at address Y • Kernel: Y points to “secret_file.txt” string; you are a sandboxed app, I will not let you access this file

  7. How kernel exploits work (example) • Sandboxed app: dear kernel, please draw the text “Hello world” for me please, using the true type font stored at address X • Kernel: You are a sandboxed app, but using a font is a benign operation which you need to function properly • Kernel: OK, just a moment, I need to parse this font • While processing the font, kernel corrupts its own memory because the parser code in the kernel is buggy • Because of memory corruption, kernel starts executing code at X, which allows the app to do anything it wants

  8. TYPE 1: OS ENHANCEMENT BASED SANDBOX

  9. Type 1 Sandbox: Sandboxie • Example: Sandboxie [1] • Custom kernel driver modifies Windows behavior, so that change to protected system components is prevented • Use cases: Most of such sandboxes are used for controlled execution of applications. • Sandboxie is widely used for malware analysis

  10. Picture copied from http: //vallejo.cc/48 (not an official Sandboxie material)

  11. OS enhancement based sandbox • The problem – sandboxed code has direct access to almost full OS functionality • Almost all kernel vulnerabilities are exploitable from within this sandbox • This sandbox has no means to contain malicious kernel-mode code (because they both run at the same privilege level)

  12. Exhibit A: MS12-042 • User Mode Scheduler Memory Corruption, CVE-2012- 0217 • Allows to run arbitrary code in kernel mode • If running in sandboxie container, the usual SYSTEM- token-steal shellcode is not enough to break out of the sandbox • Need to use the unlimited power of kernel mode to either – Disable sandboxie driver – Migrate to another process, running outside of the container

  13. Exhibit A: MS12-042 • User Mode Scheduler Memory Corruption, CVE-2012- 0217 • Allows to run arbitrary code in kernel mode • If running in sandboxie container, the usual SYSTEM- token-steal shellcode is not enough to break out of the sandbox • Need to use the unlimited power of kernel mode to either – Disable sandboxie driver – Migrate to another process, running outside of the container

  14. Sandboxie bypass demo • Demo • Recommendation: Use Type 1 category sandboxes inside a VM for malware analysis

  15. Type 1 Sandbox: rZone Pro • Example: BufferZone Pro [8] • Similar in principle to Sandboxie – Although by default also prevents data theft • The same MS12-042 exploit works against BufferZone Pro • Demo

  16. TYPE 2: MASTER/SLAVE TYPE SANDBOX

  17. Type 2 Sandbox • Two processes - master and slave, talking over IPC channel • Slave is confined using OS access control facilities • Master mediates access to resources

  18. Picture taken from http://dev.chromium.org/developers/design-documents/sandbox

  19. Chrome sandbox on Windows • Slave runs with low privileges – restricted token – job object – desktop object – integrity level

  20. Chrome sandbox on Windows • How exhaustive is the OS-based confinement, according to the documentation [2]? – Mounted FAT or FAT32 volumes – no protection – TCP/IP – no protection – Access to most existing securable resources denied – Everybody agrees it is good enough… • … assuming the kernel behaves correctly

  21. Chrome sandbox in action

  22. Chrome sandbox on Windows • How resistant is Master to a malicious Slave? – This is what other authors focused on • How resistant is OS to a malicious Slave? – We focus on the last aspect

  23. Master/slave type sandbox on Windows, Adobe Reader Observe “Low” integrity level

  24. Master/slave type sandbox on Windows, Adobe Reader • Exhaustive previous related work on methodology of attacking the Master [3], [4] • The first case of Adobe sandbox vulnerability exploited in the wild reported in Feb 2013 [9] – This escape possible because of a bug in Master • Are kernel vulnerabilities exploitable from within Adobe Reader sandbox?

  25. Master/slave type sandbox on Windows, Chrome browser Observe “untrusted” integrity level

  26. Master/slave type sandbox on Windows, Chrome browser • Slave deprivileged even more than stated in chrome sandbox documentation – “Untrusted” integrity level – Particularly, access to FAT32 filesystem denied

  27. Master/slave type sandbox on Windows, Chrome browser • Well-known cases of successful attacks against the master (shown at Pwnium[5], Pwn2own[6]) • The attacks against the master are complex and relatively rare

  28. Master/slave type sandbox on Windows, Chrome browser • Slave can still exploit a kernel vulnerability • Some vulnerabilities are not exploitable by Slave – If need to create a process – If need to alter specific locations in the registry • win32k.sys still much exposed A vulnerability in win32k.sys can potentially be exploited at the browser level, yielding full control over the machine directly, without the need to achieve code execution in the sandbox first.

  29. Exhibit B: MS12-075 • TrueType Font Parsing Vulnerability – CVE- 2012-2897 • Just opening a crafted web page in a vulnerable Chrome browser running on a vulnerable Windows version results in BSOD • Chances of achieving kernel mode code execution much better if attacker is able to run arbitrary code in the sandbox first

  30. Exhibit B: MS12-075 • TrueType Font Parsing Vulnerability – CVE- 2012-2897 • Just opening a crafted web page in a vulnerable Chrome browser running on a vulnerable Windows version results in BSOD • Chances of achieving kernel mode code execution much better if attacker is able to run arbitrary code in the sandbox first

  31. BSOD caused by Chrome browser processing malformed TrueType font Exhibit C: MS12-075

  32. Exhibit C: MS11-087 • TrueType Font Parsing Vulnerability – CVE- 2011-3042 • Exploited in the wild by Duqu malware, via MS Office documents • What if one runs the exploit within the Chrome sandbox?

  33. Exhibit C: MS11-087 • TrueType Font Parsing Vulnerability – CVE- 2011-3042 • Exploited in the wild by Duqu malware, via MS Office documents • What if one runs the exploit within the Chrome sandbox?

  34. Adobe renderer, MS11-087 exploit

  35. Chrome renderer, MS11-087 exploit

  36. Exhibit D: MS11-098 • Windows Kernel Exception Handler Vulnerability, CVE-2011-2018

  37. Exhibit D: MS11-098 • Windows Kernel Exception Handler Vulnerability, CVE-2011-2018

  38. Memorize This Slide! • Many Windows kernel vulnerabilities have been discovered, more is expected in the future • If a sandbox relies on kernel security, a suitable kernel vulnerability can be used to break out of the sandbox • It is happening now (e.g. MWR Labs at Pwn2own)

  39. Virtualization based sandbox • Wraps the whole OS in a sandbox • OS vulnerabilities nonfatal • Hypervisor and supporting environment still an attack vector • A customized virtualization solution required to limit the exposure • The amount of functionality exposed by the hardened hypervisor to the attacker, although not negligible, is orders of magnitude less than the equivalent OS functionality

Recommend

Roulette The game of roulette serves as a nice introduction to some of the key ideas relating to

Roulette The game of roulette serves as a nice introduction to some of the key ideas relating to

Roulette The game of roulette serves as a nice introduction to some of the key ideas relating to probability. Alan H. SteinUniversity of Connecticut Roulette The game of roulette serves as a nice introduction to some of the key ideas relating to

1.14k views • 64 slides
Variational Russian Roulette for Variational Russian Roulette for Deep Bayesian Nonparametrics

Variational Russian Roulette for Variational Russian Roulette for Deep Bayesian Nonparametrics

Variational Russian Roulette for Variational Russian Roulette for Deep Bayesian Nonparametrics Deep Bayesian Nonparametrics Kai Xu [1] Joint work with Akash Srivastava [1,2] and Charles Sutton [1,3,4] [1] University of Edinburgh [2] MIT-IBM

372 views • 6 slides
Roulette: Inheritance Case Study What are scenarios? Roulette involves a player, a wheel, and

Roulette: Inheritance Case Study What are scenarios? Roulette involves a player, a wheel, and

Roulette: Inheritance Case Study What are scenarios? Roulette involves a player, a wheel, and bets User/player given choice of bet Real game has several players, well use one Bet choice made Real game has lots of kinds of

369 views • 3 slides
Roulette: Inheritance Case Study Roulette involves a player, a wheel, and bets Real game

Roulette: Inheritance Case Study Roulette involves a player, a wheel, and bets Real game

Roulette: Inheritance Case Study Roulette involves a player, a wheel, and bets Real game has several players, well use one Real game has lots of kinds of bets, well use three but make it simple to add more Instead of

236 views • 10 slides
Welcome! What Is an AR Sandbox? (and how to build one) An Augmented Reality Sandbox Is: a

Welcome! What Is an AR Sandbox? (and how to build one) An Augmented Reality Sandbox Is: a

Welcome! What Is an AR Sandbox? (and how to build one) An Augmented Reality Sandbox Is: a box filled with white sand a projector mounted over the sand a Kinect depth-sensing camera mounted over the sand a computer that runs

491 views • 11 slides
SELinux Sandbox Daniel Walsh Red Hat What is Sandbox Run applications in a confined

SELinux Sandbox Daniel Walsh Red Hat What is Sandbox Run applications in a confined

SELinux Sandbox Daniel Walsh Red Hat What is Sandbox Run applications in a confined environment. Allow filtering tools to read untrusted content. Vulnerability in a filtering tools can allow content to cause the application to do bad

501 views • 13 slides
Haow do I sandbox?!?! Cuckoo Sandbox Internals Jurriaan Bremer @skier t Student (University of

Haow do I sandbox?!?! Cuckoo Sandbox Internals Jurriaan Bremer @skier t Student (University of

Haow do I sandbox?!?! Cuckoo Sandbox Internals Jurriaan Bremer @skier t Student (University of Amsterdam), Freelance Security Researcher June 22, 2013 June 22, 2013 Jurriaan Bremer @skier t Haow do I sandbox?!?! Cuckoo Sandbox Internals 1 /

1.15k views • 79 slides
How to Gamble Against All Odds Gilad Bavly 1 Ron Peretz 2 1 Bar-Ilan University 2 London School of

How to Gamble Against All Odds Gilad Bavly 1 Ron Peretz 2 1 Bar-Ilan University 2 London School of

How to Gamble Against All Odds Gilad Bavly 1 Ron Peretz 2 1 Bar-Ilan University 2 London School of Economics Heidelberg, June 2015 How to Gamble Against All Odds 1 Preface starting with an algorithmic randomness problem transformed to a

1.14k views • 88 slides
Inn nnovative R Reg egulations i in n Insuran ance Regulatory S y Sandbox 19 th

Inn nnovative R Reg egulations i in n Insuran ance Regulatory S y Sandbox 19 th

Inn nnovative R Reg egulations i in n Insuran ance Regulatory S y Sandbox 19 th December, 2019 Institute of Actuaries Agenda Regulatory Sandbox Regulations Salient Features Operational Guidelines Salient Features

578 views • 15 slides
iOS App Extensions Photo Extensions: Shared Settings Separate Sandboxes Extension App Sandbox

iOS App Extensions Photo Extensions: Shared Settings Separate Sandboxes Extension App Sandbox

iOS App Extensions Photo Extensions: Shared Settings Separate Sandboxes Extension App Sandbox Sandbox Shared Container App Group Extension App Sandbox Sandbox Shared Container Shared NSUserDefaults

509 views • 7 slides
iForensics Digital Inc. App Sandbox CEO Po Huang po@iforensics.com.tw h t t p : / / w w w . i f

iForensics Digital Inc. App Sandbox CEO Po Huang po@iforensics.com.tw h t t p : / / w w w . i f

iForensics Digital Inc. App Sandbox CEO Po Huang po@iforensics.com.tw h t t p : / / w w w . i f o r e n s i c s . c o m . t w / i n d e x E N . h t m l Agenda Company Profile APP Sandbox DG-Secure COMPANY PORTFOLIO Company

247 views • 20 slides
Full-System Architectural Exploration Sandbox Eriko Nurvitadhi and James C. Hoe Computer

Full-System Architectural Exploration Sandbox Eriko Nurvitadhi and James C. Hoe Computer

Full-System Architectural Exploration Sandbox Eriko Nurvitadhi and James C. Hoe Computer Architecture Lab (CALCM) Carnegie Mellon University Nurvitadhi & Hoe, CMU/ECE WARFP 2005, February 2005, Slide 1 Sandbox Desiderata A PC where I

157 views • 4 slides
SANDBOXING How does a sandbox look like? Software or hardware appliances that receive suspicious

SANDBOXING How does a sandbox look like? Software or hardware appliances that receive suspicious

H ERE Claudio nex Guarnieri @botherder Security Researcher at Rapid7 Labs Core member of The Shadowserver Foundation Core member of The Honeynet Project Creator of Cuckoo Sandbox Founder of Malwr.com H ERE Mark

1.02k views • 89 slides
Photon Mapping (Helper Slides) Sampling Patterns Specular Reflection and Transmission

Photon Mapping (Helper Slides) Sampling Patterns Specular Reflection and Transmission

Photon Mapping (Helper Slides) Sampling Patterns Specular Reflection and Transmission Available in ray tracer Use Fresnels Eqns for F r Russian Roulette RGB Roulette Caustics: Projection Maps Cast caustic map photons toward

527 views • 14 slides
SELECTION Deterministic Stochastic Proportionate selection: Roulette Wheel Selection

SELECTION Deterministic Stochastic Proportionate selection: Roulette Wheel Selection

SELECTION Deterministic Stochastic Proportionate selection: Roulette Wheel Selection Rank based selection Tournament Selection COMPETITION (mu) denotes the size of the (parent) population (lambda) denotes the

390 views • 19 slides
Work-in-Progress: RWS A Roulette Wheel Scheduler for Preventing Execution Pattern Leakage

Work-in-Progress: RWS A Roulette Wheel Scheduler for Preventing Execution Pattern Leakage

Work-in-Progress: RWS A Roulette Wheel Scheduler for Preventing Execution Pattern Leakage Ying Zhang, Lingxiang Wang, Wei Jiang, Zhishan Guo Department of Computer Science, Missouri S&T Presenter: Zheng Dong* * Department of Computer

566 views • 9 slides
The Broadcasters Transition Date Roulette: Strategic Aspects of the DTV Transition James

The Broadcasters Transition Date Roulette: Strategic Aspects of the DTV Transition James

The Broadcasters Transition Date Roulette: Strategic Aspects of the DTV Transition James Prieger James.Prieger@pepperdine.edu James Miller JamesMillerEsquire@gmail.com The opinions expressed are those of the author and do not necessarily

492 views • 28 slides
The 13th International ACE Conference, Dublin, Maureen Gamble rauzet priory, 2012 The 13th

The 13th International ACE Conference, Dublin, Maureen Gamble rauzet priory, 2012 The 13th

The 13th International ACE Conference, Dublin, Maureen Gamble rauzet priory, 2012 The 13th International ACE Conference, Dublin, Maureen Gamble (handwritten) rules The 13th International ACE Conference, Dublin, Maureen Gamble collection of

391 views • 16 slides
FTA MOD Sandbox Grant Multimodal Trip Planner TriMet Board of Directors Briefing, 2/27/2019

FTA MOD Sandbox Grant Multimodal Trip Planner TriMet Board of Directors Briefing, 2/27/2019

FTA MOD Sandbox Grant Multimodal Trip Planner TriMet Board of Directors Briefing, 2/27/2019 Bibiana McHugh, Manager, Mobility & Location-Based Services 1 FTA Mobility on Demand (MOD) Sandbox Grant Jan 2017 - Jan 2019 TriMet was one of

391 views • 12 slides
Jamie Gamble Wicked Systems Problems Are unique and have no precedent Do not have

Jamie Gamble Wicked Systems Problems Are unique and have no precedent Do not have

Losing Sight of the Shore Where DE and Co-design Meet Jamie Gamble Wicked Systems Problems Are unique and have no precedent Do not have definitive criteria or indications for the right solutions Are difficult to address and change

727 views • 31 slides
On the mathematical theory of splitting and Russian roulette techniques Viatcheslav B. Melas

On the mathematical theory of splitting and Russian roulette techniques Viatcheslav B. Melas

7th International Workshop on Rare Event Simulation On the mathematical theory of splitting and Russian roulette techniques Viatcheslav B. Melas St.Petersburg State University, Russia Viatcheslav B. Melas On the mathematical theory of splitting

479 views • 25 slides
1 Ready Medical Ready Medical Medically Ready DHA Presence Across the Globe Supporting COCOMs

1 Ready Medical Ready Medical Medically Ready DHA Presence Across the Globe Supporting COCOMs

1 Ready Medical Ready Medical Medically Ready DHA Presence Across the Globe Supporting COCOMs and Services 6 55 55 H Hospital itals 36 360 0 Outpa patient tient Cl Clin inic ics 9.4M 1.5M Benefi eficia ciarie ies In

1.04k views • 27 slides
Malicious Bytecode Peter Cawley <lua@corsix.org> Lua Workshop 2011 A Common Pattern 1.

Malicious Bytecode Peter Cawley <lua@corsix.org> Lua Workshop 2011 A Common Pattern 1.

Mitigating the Danger of Malicious Bytecode Peter Cawley <lua@corsix.org> Lua Workshop 2011 A Common Pattern 1. Create sandbox 2. Load user-supplied Lua (byte|source) code 3. Run code in sandbox A Common Pattern 1. Create sandbox 2.

369 views • 35 slides
Se Seni nior Ye or Year 1 ar 101 01 College Ready, Career Ready, Life Ready Co Comm mmuni

Se Seni nior Ye or Year 1 ar 101 01 College Ready, Career Ready, Life Ready Co Comm mmuni

Se Seni nior Ye or Year 1 ar 101 01 College Ready, Career Ready, Life Ready Co Comm mmuni unicatio cation Newsletters, Callouts, Emails, Presentations, Conferences St Stay ay Info Inform rmed ed The Coronado High School (CHS)

1.39k views • 34 slides

More recommend