Sandbox Exploitations - ECE 4112 Group 12 - Gary Kao Jimmy Vuong.
Sandbox Exploitations - ECE 4112 Group 12
Gary Kao, Jimmy Vuong
Sandboxes
Introduction | Background | Objectives | Testing | Results | Conclusion | References
• Sandboxes are a specific type of virtualization, like VMware.
• Usually used to test untrusted applications.
• Effective, because an optimal sandbox can purge all data stored on the computer after the sandbox has been run.
Significance of Sandbox
• All files downloaded after the sandbox is started are removed by restarting.
• Upon restarting, the sandbox should be free of malware; it should also be unable to detect the OS and should be able to close from within itself (e.g. loading Task Manager inside the sandbox).
Advantages
• Can read objects on the real hard disk as well as the files in the sandbox.
• All write operations go to a Transient Storage Area and never to the hard disk unless explicitly specified.
• Does not allow service installation.
• Applications are typically run already sandboxed.
Disadvantages
• A sandbox can contain both good and bad objects.
• If the user does not know the difference between good and bad objects, he can still infect his own computer by moving the bad objects to his real hard disk.
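The advantages and disadvantages above describe one mechanism: reads fall through to the real disk, writes land in a transient area, and only an explicit user action copies something out. The following model is an added example written for this page (it is not code from the slides or from Sandboxie, Shadow Surfer or Virtual Sandbox) and uses an in-memory dictionary as a stand-in for the hard disk; the paths and file contents are constructed sample values.

```python
# Added example: a minimal model of a transient-storage sandbox.
# Reads: overlay first, then the real disk. Writes and deletes: overlay only.
# recover(): the one explicit path by which a sandboxed file reaches the real disk.
# wipe(): what "clearing the sandbox" does.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class TransientStorageSandbox:
    real_disk: Dict[str, bytes]                               # host files (constructed sample)
    overlay: Dict[str, bytes] = field(default_factory=dict)   # transient storage area
    deleted: Set[str] = field(default_factory=set)            # tombstones for in-sandbox deletes

    def read(self, path: str) -> Optional[bytes]:
        """Sandboxed view of a file: tombstone wins, then overlay, then real disk."""
        if path in self.deleted:
            return None
        if path in self.overlay:
            return self.overlay[path]
        return self.real_disk.get(path)

    def write(self, path: str, data: bytes) -> None:
        """Writes never touch the real disk; they are redirected to the overlay."""
        self.deleted.discard(path)
        self.overlay[path] = data

    def delete(self, path: str) -> None:
        """Deleting inside the sandbox only hides the real file behind a tombstone."""
        self.overlay.pop(path, None)
        if path in self.real_disk:
            self.deleted.add(path)

    def recover(self, path: str) -> bool:
        """Explicit user action: copy a sandboxed object to the real disk.
        This is the 'moving bad objects to the real hard disk' risk from the slide."""
        if path not in self.overlay:
            return False
        self.real_disk[path] = self.overlay[path]
        return True

    def wipe(self) -> int:
        """Clear the sandbox: drop the overlay and tombstones, return the number of objects dropped."""
        dropped = len(self.overlay)
        self.overlay.clear()
        self.deleted.clear()
        return dropped


def demo() -> dict:
    """Walk through write / tamper / delete / recover / wipe and report what each side sees."""
    sb = TransientStorageSandbox(real_disk={"C:/config.ini": b"real", "C:/notes.txt": b"keep"})
    paths = ("C:/dropped.exe", "C:/config.ini", "C:/notes.txt")

    sb.write("C:/dropped.exe", b"untrusted")   # hypothetical untrusted download
    sb.write("C:/config.ini", b"tampered")     # sandboxed program edits a host file
    sb.delete("C:/notes.txt")                  # sandboxed program deletes a host file
    inside = {p: sb.read(p) for p in paths}    # what the sandboxed program sees
    host_untouched = sb.real_disk == {"C:/config.ini": b"real", "C:/notes.txt": b"keep"}

    sb.recover("C:/dropped.exe")               # user copies the bad object out (the disadvantage)
    wiped = sb.wipe()                          # clearing the sandbox
    after = {p: sb.read(p) for p in paths}     # what survives the wipe
    return {"inside": inside, "host_untouched": host_untouched, "wiped": wiped, "after": after}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point the run makes is the one the slide makes: tampering and deletion inside the sandbox vanish on wipe, but the recovered file is still on the real disk afterwards because the user moved it there.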
Programs Used
• Sandboxie
• Shadow Surfer
• Virtual Sandbox
Sandboxie
• Creates an isolated storage space that stores all the temporary files.
• Puts a # in the window title when it is on.
• Both the sandbox and the actual hard disk function at the same time, as opposed to Shadow Surfer and Virtual Sandbox.
[Figure: Programs run on a transparent layer above the hard drive]
• Pros:
  – Freeware
  – Small program (309 KB)
  – System-resource efficient
• Cons:
  – Must manually load programs for sandboxing
  – Does not screen auto-run programs (e.g. a USB key logger)
Shadow Surfer
• Shadow Mode: a snapshot of your volume, with the PC or server running in a virtual state.
• Any changes made to the computer thereafter are made to the Shadow Mode duplicate.
• Unless specified otherwise, Shadow Mode resets upon reboot.
• Pros:
  – Runs constantly
  – Easy to use
• Cons:
  – Paidware
  – Files are saved where they actually should be
  – Relies on restarts for cleaning and blocking
Virtual Sandbox
• Operates like a firewall.
• Creates an isolated environment through which programs and downloaded files operate.
• Does not give access to the internet (by default).
• Does not allow overwriting of files (by default).
• Pros:
  – Once enabled, everything is sandboxed.
  – Files are saved in a transient storage space.
• Cons:
  – Paidware
  – Easy to bypass
Exploiting Sandboxes
• Test various sandbox programs.
• Use methods developed in past labs to test the programs' vulnerabilities.
• Document the tests and results.
• Summarize the results and show the vulnerabilities.
Testbed
• 3 identical virtual machines running Windows XP.
• Each VM has one sandbox installed.
• Each VM goes through the same series of tests.
• After the tests are performed, the computers are restarted to see whether or not they are clean.
File Storage
• Create a file, then clear the sandbox and see whether the file still exists.
• Sandboxie: erased
• Virtual Sandbox: erased
• Shadow Surfer: erased
Closing a Process
• Loaded a sandboxed Task Manager and tried to close the sandbox from it.
• Sandboxie: failed to close Sandboxie
• Virtual Sandbox: closed Virtual Sandbox
• Shadow Surfer: closed Shadow Surfer, but still sandboxed
Jpeg of Death
• Checking whether local vulnerabilities still take effect inside the sandbox.
• Sandboxie: succeeded
• Virtual Sandbox: blocked
• Shadow Surfer: succeeded
Dcom Crash
• Checking whether remote vulnerabilities still take effect inside the sandbox.
• Sandboxie: crashed
• Virtual Sandbox: crashed, but notifies you that these applications are being exploited
• Shadow Surfer: crashed
HackerDefender
• Sandboxie: succeeded
• Virtual Sandbox: uses a DLL hook, which results in it not even initiating properly
• Shadow Surfer: succeeded
FU
• Sandboxie: succeeded
• Virtual Sandbox: succeeded
• Shadow Surfer: succeeded
Netcat
• Sending files via netcat: will the files persist after clearing the sandbox?
• Sandboxie: succeeded
• Virtual Sandbox: succeeded
• Shadow Surfer: succeeded
VNC
• Sandboxie: remote mouse/keyboard deactivated by Sandboxie
• Virtual Sandbox: succeeded
• Shadow Surfer: succeeded
AnnaKournikova Worm
• Sandboxie: succeeded
• Virtual Sandbox: succeeded
• Shadow Surfer: succeeded
SDBot
• Sandboxie: succeeded
• Virtual Sandbox: blocked
• Shadow Surfer: succeeded
Restarting Sandbox
• Sandboxie: clean
• Virtual Sandbox: SDBot and hxdef remain
• Shadow Surfer: clean
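The File Storage test, the netcat test and the Restarting Sandbox check above all ask the same question: did an artifact written inside the sandbox survive the wipe? The script below is an added example for this page, not the group's lab scripts and not code from any of the three products. It plants uniquely named marker files, stores a manifest of paths and SHA-256 digests in a location the sandbox is assumed not to cover (here a temporary directory stands in for removable media or a network share), and after the wipe classifies each marker as removed, persisted or modified. The wipe itself is simulated by deleting a directory; all paths and contents are constructed sample values.

```python
# Added example: two-phase marker check for "create a file, clear the sandbox,
# see whether it still exists". Phase 1 plants markers and writes a manifest;
# phase 2 (after the wipe/restart) reads the manifest and reports what survived.
import hashlib
import json
import secrets
import shutil
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List


def plant_markers(dirs: Iterable[Path], manifest_path: Path) -> Dict[str, str]:
    """Write one random-named marker file into each directory; record path -> sha256."""
    manifest: Dict[str, str] = {}
    for d in dirs:
        d = Path(d)
        d.mkdir(parents=True, exist_ok=True)
        marker = d / f"sandbox-marker-{secrets.token_hex(4)}.txt"
        content = f"marker planted in {d}\n".encode()
        marker.write_bytes(content)
        manifest[str(marker)] = hashlib.sha256(content).hexdigest()
    # The manifest must live where the sandbox cannot wipe it, or the witness disappears too.
    Path(manifest_path).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_markers(manifest_path: Path) -> Dict[str, str]:
    """Phase 2: classify every recorded marker as 'removed', 'persisted' or 'modified'."""
    manifest = json.loads(Path(manifest_path).read_text())
    report: Dict[str, str] = {}
    for path, digest in manifest.items():
        p = Path(path)
        if not p.exists():
            report[path] = "removed"
        elif hashlib.sha256(p.read_bytes()).hexdigest() == digest:
            report[path] = "persisted"
        else:
            report[path] = "modified"
    return report


def simulate_run() -> Dict[str, List[str]]:
    """Stand-alone demo of all three outcomes using temp directories as stand-ins.

    'transient-storage' plays the sandbox area that gets wiped,
    'real-disk' plays the host disk that is left alone, and
    'real-tampered' plays a host file that something altered in place.
    """
    base = Path(tempfile.mkdtemp(prefix="sandbox-marker-test-"))
    transient = base / "transient-storage"
    real = base / "real-disk"
    tampered = base / "real-tampered"
    manifest = base / "manifest.json"          # outside every tested area
    try:
        planted = plant_markers([transient, real, tampered], manifest)

        shutil.rmtree(transient)               # stand-in for clearing the sandbox
        for path in planted:                   # stand-in for in-place modification
            if Path(path).parent == tampered:
                Path(path).write_bytes(b"changed after planting\n")

        report = verify_markers(manifest)
        return {
            "transient": sorted(v for k, v in report.items() if Path(k).parent == transient),
            "real": sorted(v for k, v in report.items() if Path(k).parent == real),
            "tampered": sorted(v for k, v in report.items() if Path(k).parent == tampered),
        }
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    print(simulate_run())
```

In the lab setup this would run as two separate invocations on each VM (plant before the test battery, verify after the restart), with the manifest on a share the host can read; the hash comparison is what separates "the sandbox left the file alone" from "something rewrote it", which a plain existence check cannot tell apart.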
Results
• Even if an exploit gets through the sandbox, most will be gone after the sandbox is wiped.
• On weaker sandboxes, SDBot and hxdef persist even after the sandbox is wiped.
  – Fatal for Virtual Sandbox
Conclusion
• Optimal sandboxes appear transparent to the user.
• Sandboxie is the most efficient sandbox tool available for individual programs.
• Shadow Surfer is the most efficient overall.
References
• Sandboxie – http://www.sandboxie.com/
• Shadow Surfer – http://www.storagecraft.com/products/ShadowSurfer/
• Virtual Sandbox – http://www.fortresgrand.com/products/vsb/vsb.htm
Questions?