Sandbox Exploitations - ECE 4112 Group 12 - Gary Kao


Sandbox Exploitations

ECE 4112 Group 12: Gary Kao, Jimmy Vuong

Outline

• Introduction

• Background

• Objectives

• Testing

• Results

• Conclusion

• References

Sandboxes

• Sandboxes are a specific type of virtualization, like VMware.

• Usually used to test untrusted apps.

• Effective because an optimal sandbox can purge all data it stored on the computer after the sandboxed program has run.


Significance of Sandbox

• All files downloaded after the sandbox is started will be removed by restarting.

• Upon restarting, the sandbox should be free of malware, should be unable to detect the OS, and should be able to be closed from within itself (e.g. loading Task Manager inside the sandbox).


Advantages

• Can read objects on the real HD and the files in the sandbox.

• All write operations are done in a Transient Storage Area and never on the HD unless specified.

• Does not allow service installation.

• Applications are typically run already sandboxed.


Disadvantages

• Sandbox can contain good and bad objects.

• If the user does not know the difference between good and bad objects, they can still infect their own computer by moving the bad objects to the real hard disk.
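The read-through, write-redirect model that the Advantages and Disadvantages slides describe, as an added example (this is not code from the report or from Sandboxie, Shadow Surfer or Virtual Sandbox). Reads fall through to the real disk, every write lands in a transient layer, clearing the sandbox drops that layer, and the user's explicit "recover" step is the one way a bad object reaches the real disk. The in-memory disk contents and paths are constructed for the demo.

```python
"""Toy model of a sandbox's transient storage area (added example, not the
report's code nor any product's implementation). Reads see the real disk,
writes go to an isolated layer, and discarding the layer restores the disk."""

from dataclasses import dataclass, field

# Sentinel stored in the overlay when a sandboxed program deletes a file that
# exists on the real disk: the delete is visible inside the sandbox only.
_DELETED = object()


@dataclass
class SandboxLayer:
    """Copy-on-write view. ``disk`` is the real hard drive (path -> contents),
    ``overlay`` is the transient storage area. Both are constructed dicts."""
    disk: dict
    overlay: dict = field(default_factory=dict)

    def read(self, path):
        """Reads check sandbox writes first, then fall through to the real disk."""
        if path in self.overlay:
            value = self.overlay[path]
            if value is _DELETED:
                raise FileNotFoundError(path)
            return value
        if path in self.disk:
            return self.disk[path]
        raise FileNotFoundError(path)

    def write(self, path, data):
        """All writes go to the transient area; the real disk is never touched."""
        self.overlay[path] = data

    def delete(self, path):
        if path not in self.overlay and path not in self.disk:
            raise FileNotFoundError(path)
        self.overlay[path] = _DELETED

    def discard(self):
        """'Clear the sandbox': drop the transient area, leaving the disk as it was."""
        self.overlay.clear()

    def recover(self, path):
        """Explicitly move one object from the sandbox to the real disk. This is
        the Disadvantages step: the user chooses what to keep, so recovering a
        bad object infects the real machine."""
        data = self.overlay.pop(path)
        if data is _DELETED:
            self.disk.pop(path, None)
        else:
            self.disk[path] = data


def demo():
    """The File Storage test in miniature: write inside the sandbox, clear it,
    then confirm the write is gone and the real disk never changed."""
    disk = {"C:/WINDOWS/system32/drivers/etc/hosts": "127.0.0.1 localhost"}
    before = dict(disk)
    sb = SandboxLayer(disk)

    sb.write("C:/dropped.exe", "MZ...")  # constructed 'downloaded file'
    sb.write("C:/WINDOWS/system32/drivers/etc/hosts", "0.0.0.0 update.example")
    inside_sees_tamper = sb.read("C:/WINDOWS/system32/drivers/etc/hosts")
    disk_untouched = disk == before

    sb.discard()
    try:
        sb.read("C:/dropped.exe")
        dropped_persisted = True
    except FileNotFoundError:
        dropped_persisted = False

    return {
        "inside_sees_tamper": inside_sees_tamper,
        "disk_untouched_while_running": disk_untouched,
        "dropped_file_persisted": dropped_persisted,
        "disk_after_clear": disk == before,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The model makes the two slides' claims checkable: a tampered hosts file is visible to the sandboxed program but not to the host, and nothing survives `discard()` unless `recover()` was called on it first.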


Programs Used

• Sandboxie

• Shadow Surfer

• Virtual Sandbox


Sandboxie

[Diagram: programs run on top of a transparent layer above the hard drive]

• Creates an isolated storage space that holds all the temporary files.

• Puts a # in the window title when it is on.

• Both the sandbox and the actual HD function at the same time, as opposed to Shadow Surfer and Virtual Sandbox.


Sandboxie

• Pros:

– Freeware

– Small program (309kb)

– System resource efficient

• Cons:

– Must manually load programs for sandboxing

– Does not screen auto-run programs (e.g. USB key logger)


Shadow Surfer

• Shadow Mode: takes a snapshot of your volume and places the PC or server in a virtual state.

• Any changes made to the computer thereafter are made to the Shadow Mode duplicate.

• Unless specified, Shadow Mode resets upon reboot.


Shadow Surfer

• Pros:

– Runs constantly

– Easy to use

• Cons:

– Paidware

– Files are saved where they actually should be

– Relies on restarts for cleaning and blocking


Virtual Sandbox

• Operates like a firewall.

• Creates an isolated environment through which programs and downloaded files operate.

• Does not give access to the internet (by default).

• Does not allow overwriting of files (by default).


Virtual Sandbox

• Pros:

– Once enabled, everything is sandboxed.

– Files are saved in a transient storage space.

• Cons:

– Paidware

– Easy to bypass


Exploiting Sandboxes

• Test various Sandbox programs.

• Use methods developed in past labs to test the various programs’ vulnerabilities.

• Document the tests and results.

• Summarize results and show vulnerabilities.


Testbed

• 3 identical virtual machines running Windows XP

• Each VM has a sandbox installed

• Each VM goes through the same series of tests

• After the tests are performed, the computers are restarted to see whether they are clean or not


File Storage

• Create file, then clear the sandbox and see if the file still exists.

• Sandboxie: erased

• Virtual Sandbox: erased

• Shadow Surfer: erased
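A repeatable version of the File Storage test (and of the later Restarting Sandbox check), as an added example that is not part of the report: plant marker files before the sandbox is cleared, keep a manifest of their hashes outside the sandboxed area, and classify each marker afterwards as clean, persisted, or modified. The drop-point directories, the marker contents and the simulated "clear" (which only empties the Temp folder) are constructed for the demo; on the real testbed the locations would be actual drop points and the clear would be the sandbox reset or VM restart.

```python
"""Persistence audit for the File Storage / Restarting Sandbox tests.
Added example, not code from the ECE 4112 report. Markers are written before
the sandbox is cleared; afterwards each one is reported as clean (gone),
persisted (unchanged) or modified (rewritten, which is also a leak)."""

import hashlib
import json
import os
import tempfile


def _sha256(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def plant_markers(locations, tag="ece4112-marker"):
    """Write one marker per location; return a manifest of path -> digest."""
    manifest = {}
    for directory in locations:
        os.makedirs(directory, exist_ok=True)
        path = os.path.join(directory, f"{tag}.txt")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(f"{tag} planted in {directory}\n")
        manifest[path] = _sha256(path)
    return manifest


def save_manifest(manifest, manifest_path):
    """Store the manifest OUTSIDE the sandboxed area (e.g. on the host): a
    manifest kept inside the sandbox disappears with everything else."""
    with open(manifest_path, "w", encoding="utf-8") as fh:
        json.dump(manifest, fh)


def load_manifest(manifest_path):
    with open(manifest_path, encoding="utf-8") as fh:
        return json.load(fh)


def audit(manifest):
    """Classify every marker after the sandbox was cleared or the VM rebooted."""
    report = {}
    for path, digest in manifest.items():
        if not os.path.exists(path):
            report[path] = "clean"
        elif _sha256(path) == digest:
            report[path] = "persisted"  # the sandbox did not contain this write
        else:
            report[path] = "modified"   # something rewrote it after planting
    return report


def demo():
    """Constructed weak sandbox: the reset wipes Temp but lets the Startup
    folder through, the kind of leak the Restarting Sandbox slide reports."""
    with tempfile.TemporaryDirectory() as root:
        temp_dir = os.path.join(root, "Temp")
        startup_dir = os.path.join(root, "Startup")
        manifest_file = os.path.join(root, "host-manifest.json")  # kept outside

        save_manifest(plant_markers([temp_dir, startup_dir]), manifest_file)

        # Simulated "clear the sandbox": only Temp is cleaned.
        for name in os.listdir(temp_dir):
            os.remove(os.path.join(temp_dir, name))

        report = audit(load_manifest(manifest_file))
        # Key the result by drop point rather than by the temporary path.
        return {os.path.basename(os.path.dirname(p)): v
                for p, v in report.items()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running `plant_markers` and `save_manifest` before the reset and `audit` after it turns the slide's "erased / remain" judgement into a per-location list, and the "modified" case catches a marker that came back with different contents rather than being silently counted as persisted.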


Closing a Process

• Loaded a sandboxed Task Manager to try and close the sandbox.

• Sandboxie: failed to close Sandboxie

• Virtual Sandbox: closed Virtual Sandbox

• Shadow Surfer: closed Shadow Surfer, but still sandboxed


Jpeg of Death

• Checking whether local vulnerabilities still take effect inside the sandbox.

• Sandboxie: succeeded

• Virtual Sandbox: blocked

• Shadow Surfer: succeeded


Dcom Crash

• Checking whether remote vulnerabilities still take effect inside the sandbox.

• Sandboxie: crashed

• Virtual Sandbox: crashed, but notifies you that these apps are being exploited

• Shadow Surfer: crashed


HackerDefender

• Sandboxie: succeeded

• Virtual Sandbox: uses a DLL hook, which results in it not even initializing properly

• Shadow Surfer: succeeded


FU

• Sandboxie: succeeded

• Virtual Sandbox: succeeded

• Shadow Surfer: succeeded


Netcat

• Sending files via netcat: will the files persist after clearing the sandbox?

• Sandboxie: succeeded

• Virtual Sandbox: succeeded

• Shadow Surfer: succeeded


VNC

• Sandboxie: remote mouse/keyboard deactivated by Sandboxie

• Virtual Sandbox: succeeded

• Shadow Surfer: succeeded


AnnaKournikova Worm

• Sandboxie: succeeded

• Virtual Sandbox: succeeded

• Shadow Surfer: succeeded


SDBot

• Sandboxie: succeeded

• Virtual Sandbox: blocked

• Shadow Surfer: succeeded


Restarting Sandbox

• Sandboxie: clean

• Virtual Sandbox: SDBot and hxdef remain

• Shadow Surfer: clean


Results

• Even if exploits get through the sandbox, most will be gone after the sandbox is wiped.

• On weaker sandboxes, SDBot and hxdef persist even after the sandbox is wiped.

– Fatal for Virtual Sandbox


Conclusion

• Optimal sandboxes will appear transparent to the user.

• Sandboxie is the most efficient sandbox tool available for individual programs.

• Shadow Surfer is the most efficient overall.


References

• Sandboxie – http://www.sandboxie.com/

• Shadow Surfer – http://www.storagecraft.com/products/Shadow Surfer/

• Virtual Sandbox – http://www.fortresgrand.com/products/vsb/vsb.htm

Sandbox Vulnerabilities

Questions?