Attacking Sandboxes
SkiifGeek writes "Many anti-malware applications use a sandbox as a tool to help identify potentially malicious software. Now knowledge is spreading about techniques and methods that can allow sandboxed software to target the sandbox itself (and by extension the application that applied it). While attacks that specifically target sandboxing applications are probably a little way off, this technology can be considered the logical extension of techniques and procedures to identify the presence of hosted systems (VMWare, Virtual PC, etc.)."
There will never, ever be an end to this.
As long as people are imperfect (and they always will be) there will be measures, countermeasures, and counter-countermeasures. New techniques will make old ones obsolete, and even newer techniques will make the once-new techniques no longer apply.
With this understanding, any technology that can outsurvive more than one or two iterations of other products in the same field becomes "venerable" and "stable".
Which makes now a particularly good time to appreciate the guys who worked out the spec for TCP/IP some 30 (?) years ago. Despite going from mainframes, to minis, to PCs, and now on to the era of ubiquitous computing, the basic concepts and ideas behind the TCP/IP specification continue to hold steady and useful. They managed to come up with a technology that, whatever flaws have actually been found, hasn't come up against any real show-stoppers. None.
To which I can only say: WOW.
I have no problem with your religion until you decide it's reason to deprive others of the truth.
The article didn't say that they've found code that attacks sandboxes, it said that they've found code that detects a sandbox (VMWare for instance) and plays innocent so as to avoid detection through the sandbox.
It also said that software has been found that detects when it's attached to a debugger. Big deal, copy protection schemes have been doing that for decades.
The article then goes on to FUD that code that attacks the sandbox "must" be coming.
Oh, it must be coming. Uhuh.
It's pretty trivial to find a dozen ways to detect a virtual machine, just make a project that generates some random bytes and then jump to the bytes. Put the program in a script that calls it over and over again with a seed for the random number generator. When the VM crashes, look at the last seed that was used. Run the program again with that seed to confirm it is repeatable. This also happens to be a good way to detect if your VM is any good and fix it when it isn't. Unfortunately, many things are just so obscure on the x86 architecture that fixing all these bugs is just a chore that doesn't get you any big payout (as no real code uses these obscure things) so most VM developers don't bother.
How we know is more important than what we know.
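The seed-sweep the comment describes, as an added example that is not part of the original post: a harness that copies a byte string into an executable page, jumps to it in a forked child, and reports how the child died (clean return, SIGILL, SIGSEGV, or SIGALRM if it looped). The random generator, the fixed-known probes (`ret` and an always-undefined instruction on x86-64 and AArch64) and the function names are this example's own assumptions, not anything from the article. Run the seed sweep only in a throwaway VM: the random streams really do execute, and a stream that happens to encode a syscall will perform it.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

/* Known-outcome probes (assumed encodings for the two common targets). */
#if defined(__x86_64__) || defined(__i386__)
static const uint8_t CODE_RET[] = { 0xC3 };          /* ret          -> returns cleanly */
static const uint8_t CODE_ILL[] = { 0x0F, 0x0B };    /* ud2          -> SIGILL         */
#elif defined(__aarch64__)
static const uint8_t CODE_RET[] = { 0xC0, 0x03, 0x5F, 0xD6 }; /* ret    -> returns cleanly */
static const uint8_t CODE_ILL[] = { 0x00, 0x00, 0x00, 0x00 }; /* udf #0 -> SIGILL         */
#else
#error "add a ret/illegal-instruction encoding for this architecture"
#endif

/* Execute `len` bytes of machine code in a forked child.
 * Returns 0 if the code returned to us cleanly, the terminating signal
 * number (SIGILL, SIGSEGV, SIGALRM for a hang, ...) otherwise, and -1 if the
 * harness itself failed (fork/mmap/mprotect). The alarm keeps a stray loop
 * from hanging the sweep. */
int run_bytes(const uint8_t *code, size_t len) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        size_t page_sz = 4096;
        void *page = mmap(NULL, page_sz, PROT_READ | PROT_WRITE,
                          MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
        if (page == MAP_FAILED) _exit(2);
        memcpy(page, code, len);
        /* W^X friendly: write first, then flip to execute-only. */
        if (mprotect(page, page_sz, PROT_READ | PROT_EXEC) != 0) _exit(2);
        __builtin___clear_cache((char *)page, (char *)page + page_sz);
        alarm(2);
        ((void (*)(void))page)();   /* jump to the bytes */
        _exit(0);                   /* only reached if the code executed `ret` */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (WIFEXITED(status)) return WEXITSTATUS(status) == 0 ? 0 : -1;
    if (WIFSIGNALED(status)) return WTERMSIG(status);
    return -1;
}

/* Deterministic random stream for a seed (xorshift32, so the same seed gives
 * the same bytes on every host), then execute it. Compare the outcome for a
 * seed on bare metal against the same seed inside the VM under test: any seed
 * whose result differs is a detection signal, and a VM crash is a VM bug. */
int fuzz_seed(uint32_t seed, size_t len) {
    uint8_t buf[64];
    if (len > sizeof buf) len = sizeof buf;
    uint32_t x = seed ? seed : 1;
    for (size_t i = 0; i < len; i++) {
        x ^= x << 13; x ^= x >> 17; x ^= x << 5;
        buf[i] = (uint8_t)x;
    }
    return run_bytes(buf, len);
}

int probe_ret(void) { return run_bytes(CODE_RET, sizeof CODE_RET); }
int probe_ill(void) { return run_bytes(CODE_ILL, sizeof CODE_ILL); }

int main(void) {
    printf("ret probe -> %d (expect 0)\n", probe_ret());
    printf("ill probe -> %d (expect SIGILL=%d)\n", probe_ill(), SIGILL);
    /* The sweep from the comment: log every seed's outcome, then re-run a
     * suspicious seed on its own to confirm the result is repeatable. */
    for (uint32_t seed = 1; seed <= 32; seed++)
        printf("seed %u -> %d\n", seed, fuzz_seed(seed, 16));
    return 0;
}
```

The two fixed probes are there to validate the harness itself before trusting a sweep: if `ret` does not come back as 0 or the undefined instruction does not come back as SIGILL, the executable mapping is being blocked (SELinux execmem, a hardened kernel) and every seed result is meaningless.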
Because the AV/S/M app is frequently able to obtain all sorts of wacky permissions and access, it could be viable to piggyback on it into otherwise secure systems. For example, if an AV was set up such that it could scan encrypted data, then exploiting it to get past the encryption could be feasible.
Try not to take me more seriously than I take myself.
So you're saying the RSA key fob isn't another useless insecure layer of crap? Have you even HEARD their sales pitch?
-Billco, Fnarg.com
as long as USERS don't understand it, yes it is useless. Secure the communication and provide X509 certs all you want, if the user thinks it's a bank, he will enter his password.
Of Code And Men
"Fdisk it from orbit - it's the only way to be sure."
Even Microsoft agrees with you. You can't "clean" a compromised machine.
http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx
That goes for other OSes too.
--
BMO
as long as USERS don't understand it, yes it is useless. Secure the communication and provide X509 certs all you want, if the user thinks it's a bank, he will enter his password.
I don't think you understand what he's really saying - you could hand out RSA key fobs and/or client certificates that authenticate the browser to the bank. Without that, the password would/could be utterly useless.
If the bank uses the key fob, you can't enter by password alone. If the bank uses client certificates, then that must be installed on the browser first. (much more difficult than just lifting a password)
Now, if only they made it easier to set up client certificates...
I have no problem with your religion until you decide it's reason to deprive others of the truth.