Slashdot Mirror


Attacking Sandboxes

SkiifGeek writes "Many anti-malware applications use a sandbox as a tool to help identify potentially malicious software. Now knowledge is spreading about techniques and methods that can allow sandboxed software to target the sandbox itself (and by extension the application that applied it). While attacks that specifically target sandboxing applications are probably a little way off, this technology can be considered the logical extension of techniques and procedures to identify the presence of hosted systems (VMWare, Virtual PC, etc.)."


  1. Strike vs Counterstrike by mcrbids · Score: 5, Insightful

    There will never, ever be an end to this.

    As long as people are imperfect (and they always will be) there will be measures, countermeasures, and counter-counter measures. New techniques will make old ones obsolete, and even newer techniques will make the once-new techniques no longer apply.

    With this understanding, any technology that can outsurvive more than one or two iterations of other products in the same field becomes "venerable" and "stable".

    Which makes now a particularly good time to appreciate the guys who worked out the spec for TCP/IP some 30 (?) years ago. Despite going from mainframes, to minis, to PCs, and now on to the era of ubiquitous computing, the basic concepts and ideas behind the TCP/IP specification continue to hold steady and useful. They managed to come up with a technology, that whatever flaws have actually been found, hasn't come up against any real show-stoppers. None.

    To which I can only say: WOW.

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
    1. Re:Strike vs Counterstrike by mcrbids · Score: 3, Insightful

      TCP hijacking is almost just as easy now as it was 10 years ago.

      It may be even easier. Who cares? However you look at it, TCP is doing its job. If you want to prevent against hijacking, the layered topology of the communication stack lets you prevent that at a higher level. (E.g. using encryption, which can be interrupted, but not hijacked.)

      TCP hijacking is merely a side effect of a missing layer in the stack of your application.

      --
      I have no problem with your religion until you decide it's reason to deprive others of the truth.
  2. Once again, they didn't read the article. by Cafe+Alpha · Score: 5, Insightful

    The article didn't say that they've found code that attacks sandboxes, it said that they've found code that detects a sandbox (VMWare for instance) and plays innocent so as to avoid detection through the sandbox.

    It also said that software has been found that detects when it's attached to a debugger. Big deal, copy protection schemes have been doing that for decades.

    The article then goes on to FUD that code that attacks the sand box "must" be coming.

    Oh, it must be coming. Uhuh.

  3. Re:Sandbox the sandbox by billcopc · Score: 3, Insightful

    So you're saying the RSA key fob isn't another useless insecure layer of crap? Have you even HEARD their sales pitch?

    --
    -Billco, Fnarg.com
  4. Re:Sandbox the sandbox by Poltras · Score: 3, Insightful

    As long as USERS don't understand it, yes it is useless. Secure the communication and provide X509 certs all you want; if the user thinks it's a bank, he will enter his password.

  5. Re:Arms race for nothing by bmo · Score: 4, Insightful

    "Fdisk it from orbit - it's the only way to be sure."

    Even Microsoft agrees with you. You can't "clean" a compromised machine.

    http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx

    That goes for other OSes too.

    --
    BMO