A challenge for sandbox /virtualization technology

It seems in the last few weeks, sandbox, virtualization technology has being hyped up by the usual suspects. It has being describes as a "major way forward", a new foundation, a way to eliminate the bad old scanners.

Vikorr is trying Antimalware, Notok is trying Defensewall host, other people are trying sandboxie, greenborder etc.

I'm just curious, how does the following products succueed in sandboxing
snip....Link removed as there are links from that page that are against the Wilders TOS - Bubba

Are these blocked?

[Rmus]

Quote:

Originally Posted by Pollmaster

I'm just curious, how does the following products succueed in sandboxing

snip....Link removed as there are links from that page that are against the Wilders TOS - Bubba

Are these blocked?

The first exploit, the DDE-IPC exploit, has been discussed in the Firewalls forum in the "Malicious code could trick ZoneAlarm firewall" thread. Whether "sandboxing" could block applications from connecting out would depend on how you define "sandboxing." That is, what should a sandbox or "virtualization" program be expected to do?

Quote:

It seems in the last few weeks, sandbox, virtualization technology has being hyped up by the usual suspects. It has being describes as a "major way forward", a new foundation, a way to eliminate the bad old scanners.

Vikorr is trying Antimalware, Notok is trying Defensewall host, other people are trying sandboxie, greenborder etc.

I'm beginning to suspect (after reading comments in the other virtualization thread) that this technology is being expected to do things it wasn't designed to do.

Regarding "Defeating Citi-Bank Virtual Keyboard Protection" in the link you cited - I noticed these comments on the POC download page:

=================
This can be exploited to execute arbitrary HTML or script code in a user's browser session in context of an affected site by tricking the user into visiting a malicious
website or follow a specially crafted link.
---------------
This can be of great aid to the phishers who can entice the user to click on
the above link and get re-directed to some malicious sites where their
critical informations can be stolen.
=================

Similar comment made about the "Indiatimes Shopping Cart XSS (Cross Site Scripting) Attacks"

A little bit of common sense should work here.

-rich
________________
~~Be ALERT!!! ~~

Quote:

Originally Posted by Rmus

The first exploit, the DDE-IPC exploit, has been discussed in the Firewalls forum in the "Malicious code could trick ZoneAlarm firewall" thread. Whether "sandboxing" could block applications from connecting out would depend on how you define "sandboxing." That is, what should a sandbox or "virtualization" program be expected to do?

*Exactly*. That was the point I was trying to make actually. After all vikorr has claimed that he tested all sorts of PoCs and nothing has got past.....

See also http://www.wilderssecurity.com/showthread.php?t=99742

[Vikorr]

Hiya Pollmaster

Why not try the tests I ran out for yourself. They are easy enough to find <I included the links somewhere, but it may have been over at Castlecops>

I'll have a look at your above link when I wake up. I just finished a shift of nightwork.

As for virtualisation programs, I like SU (as an example because I use it), for it's simplicity. It's easy to understand how it works.

With regards to AM. If I was using it by itself, I would probably like it very much. I do like the program, but not entirely certain if I'll keep it <most because of issues related to SU>

And I saw another post of yours Pollmaster, where you said that sandboxes are being used for much the same purpose as HIPS (or words to that effect). I quite agree. I suppose the difference is, that almost everything seeing as almost everything is contained within the sandbox - it does not need a specific rule (for example) for things like registry protection...all registry changes are written to a virtual registry, which is not read at computer startup.

And yes, installations, once again, are a weak point.

[ErikAlbert]

Quote:

Originally Posted by Vikorr

And yes, installations, once again, are a weak point.

I guess you mean softwares, that can't be installed without an internet connection.
In my case, I know only 3 softwares that need an internet connection :
1. Windows Update.
2. MSAS beta1
3. A2 Free.
The rest of all my software can be installed without internet.

[Vikorr]

I mean software installs that require drivers

Other installs a fine, so long as you don't want the program to autostart.

[Peter2150]

What you guys are discussing is exactly why I like First Defense. I can use it as a big ole sandbox if I want to. For example not to long ago I want to test a trial of Norton's Security suite. This is not the easiest thing to remove. Does require rebooting etc etc. Sure couldn't use something like Sandboxie. So I rebooted into my secondary snapshot, and installed it there. Internet access, reboots, autostarts, etc no problem. Then if I want to go back to regular work, I just boot into my regular snapshot. I can leave Norton on the other snapshot as long as I want, and when I am done, a 5 minute copy and it is all gone. I use the same principle if I want to do some risky surfing, or go online without full protection. Has worked fine for me.

Pete

[Notok]

Quote:

Originally Posted by Pollmaster

...a way to eliminate the bad old scanners.

Hmm, I don't recall seeing much of that.

[Vikorr]

Pete

That sounds like a better way of testing things than ShadowUser, which is causing problems with AM, because I think, of the virtual registry used by AM, which I can't exclude from SU.

I've been wanting a disk imaging system for a while now (just not prepared to pay the money yet - have to get rid of the credit card debt first- don't like having them).

I had heard that some of them take like 5-8 CD's to capture a computer, but you are saying First Defense ISR can re-install in 5min, and has option of booting in different snapshots of the OS...that sounds flexible. I take it the only thing you can't recover from is a system crash ? <I've heard you can recover from system crashes with other imaging systems>

Quote:

Originally Posted by Notok

Hmm, I don't recall seeing much of that.

Really? Just a few examples here.

Quote:

Definition/heuristic-based softwares do NOT have a future
and I'm not going to repeat myself, I've explained this
already in other posts.

Quote:

IMO softwares like Sandboxie, AntiMalware, ShadowUser, ... are much better than definition-based softwares, because they don't depend on what the bad guys do.

Quote:

Btw, any of the programs I'm using are quite good by themselves...AM claims you don't need an AV with it, Mike Nash at OA is aiming to have OA eliminate the need for an AV (there's lots of improvements coming up for it), and SU by itself is also very safe....but the reason I'm using them together...I'm basically looking for a way to eliminate the need of realtime AV's

Must I go on? The same old "signatures are bad" <insert whatever new approach is the fancy of the month> is better.

Quote:

Originally Posted by Vikorr

Hiya Pollmaster

And I saw another post of yours Pollmaster, where you said that sandboxes are being used for much the same purpose as HIPS (or words to that effect). I quite agree. I suppose the difference is, that almost everything seeing as almost everything is contained within the sandbox - it does not need a specific rule (for example) for things like registry protection...all registry changes are written to a virtual registry, which is not read at computer startup.

And yes, installations, once again, are a weak point.

Vikorr, if you look at the posts Erikalbert is making he is bashing "definitions" because they list only the bad things which according to him is infinite.

So he prefers sandboxes.

But what I'm trying to show is that sandboxes might also be based on the bad old method of listing bad actions. If it is unknown to the sandbox maker that a certain action can be used to do evil, it will be allowed.

So virtualization tech isn't all that good either, considering the complexity problems of employing them.

[Peter2150]

Quote:

Originally Posted by Vikorr

Pete



I had heard that some of them take like 5-8 CD's to capture a computer, but you are saying First Defense ISR can re-install in 5min, and has option of booting in different snapshots of the OS...that sounds flexible. I take it the only thing you can't recover from is a system crash ? <I've heard you can recover from system crashes with other imaging systems>

Hi Vikorr

What First Defense does is maintain full snapshots for your system. It can keep up to 10 just depends on your disk space. A copy from one to another refreshes the target so it looks exactly like the source. 1st time takes time, refreshes are quick. Once in a snapshot if you didn't know what First Defense was you flat couldn't tell. You can install,uninstall reboot whatever and you stay in the snapshot your in. I have totally trashed my system by accident. Had a registry cleaner running and machine froze. Had to power reset. Wasn't pretty. Just did a reboot, used the preboot selector to boot to another snapshot and did a five minute copy. All fixed.

The latest version even has the ability to do a copy to an archive on an external drive. Once created takes about 2 minutes to refresh every day. Having that archive if I had a total disk failure what I could do is just do a Wiindows xp quickie install. Install the external drive drivers, and then install FDISR. Then I could copy that archive to a snaphot on hard drive, and I am back in business. Works like a champ. I do also use disk imaging software.

Pete

PS From a sandbox point of view I love this, because it really is like just working on your computer, and yet you are protected.

[Notok]

Quote:

Originally Posted by Pollmaster

Must I go on?

I dunno, 3 out of the 517,830 posts on this board hardly qualifies as 'hype' to me. Talk about the strengths and weaknesses, sure, but c'mon man.. don't try to wrap internet/forum politics into this, please.

Quote:

Originally Posted by Notok

I dunno, 3 out of the 517,830 posts on this board hardly qualifies as 'hype' to me. Talk about the strengths and weaknesses, sure, but c'mon man.. don't try to wrap internet/forum politics into this, please.

Like it or not, this board is built on forum politics. I think if you study the behavior of the board and its personalities you will see some interesting patterns.

From past experience this is how hype happens

1. A few vendors by chance or circumstance produce a certain gimack that until there was not offered to home users but is old hat to enterprise users.

2. Remus/kareldjag will post some official sounding defintion about it, some tests

3. Then the betatester group will move in (Vikorr, Peter, myself, Richrf) etc . Either testing it, or ....Threads covering the same topic start appearing in frequency.

4. People then start talking about how it's a new paradigm, a new foundation to replace antiviruses....

5. Profit!

Sometimes its not a new class of software, but rather some new software that catches the fancy of the beta tester group.

Surely this is starting to sound familar to you Notok.

I just call them as I see them. I don't care if you think this is a troll.

Quote:

Forum is a transliteration of the Latin noun which referred to a Roman city's marketplace or public square. [...] This meaning in turn stems from the Latin verb ferre, meaning "to bring" (in this sense alluding to the goods traders bring to market).

http://en.wikipedia.org/wiki/Forum

[MikeNash]

Quote:

Originally Posted by pollgone

5. Profit!

Hi Everyone,

I would appreciate it if we could proceed with some swiftness to step number 5 in the pollmaster plan


Mike

Quote:

Originally Posted by MikeNash

Hi Everyone,

I would appreciate it if we could proceed with some swiftness to step number 5 in the pollmaster plan


Mike

Experience tells me that having pollmaster campaign against a certain product, adds 200% to its sales.

[ghost16825]

Sandboxes do not automatically stop exploitation of vulnerabilities, they just have the ability with user input to set tight boundaries on executable behaviour. But it's because of these set boundaries that execution of program code by exploitation of a vulnerability can be made to fail, or the damage largely mitigated.
I also posted a reply on the issue of sandboxes here:
http://www.wilderssecurity.com/showp...27&postcount=9

[Chris12923]

I'm taking this challenge with anti malware right now. Stay tuned for results.

Thanks,

Chris

[Chris12923]

hmm now the link is gone. Someone please pm me with the link.

Thanks,

Chris

[Chris12923]

Using Antimalware.

First test:
Bypassing Personal Firewall (ZoneAlarm Pro) Protection

This test does send the information to it's server. But this is expected.

Second test:
Defeating Citi-Bank Virtual Keyboard Protection

Whether it is Antimalware or something else this test fails with the program giving the message "Citibank login page not found!!"

Third test:
Indiatimes Shopping Cart XSS (Cross Site Scripting) Attacks

The only one that I could get to work was the redirection code and this did redirect my browser.

Fourth test:
Defeating Microsoft WGA (Windows Genuine Advantage) Validation Check

Could not find the POC on the site. Please pm me if I missed it somewhere.

Fifth test:
CuteNews "archive" parameter Cross Site Scripting (XSS) Vulnerability

I did not test this due to the current version of Cute news is 1.4 and this version is not affected by the exploit.


Conclusion:
I think most if not all of these tests are not tests for Antimalware or sandbox apps. The POC's are mostly using flaws in the browser not in Antimalware or a sandbox app. A better test would be to run a trojan, virus or other malware and see the results. Pollmaster if you can pm me with any types of these programs which would actually be a test for Antimalware or a sandbox app than I will test them and post the results here as well. Please remember these tests only represent my PC and the conclusion is just my opinion.

Thanks,

Chris

Quote:

Originally Posted by Chris12923

Using Antimalware.


Conclusion:
I think most if not all of these tests are not tests for Antimalware or sandbox apps.

Perhaps but What exactly would a test for sandbox apps be? Saying trojans or viruses doesn't clarify the matter, since the technique used by this leak test can easily be used ina trojan (perhaps combined with a keylogger for bypassing the firewall).

Doesn't a sandbox claim to restrict all types of behavior except for a few harmless activities. The question then becomes is the type of behavior carried out by this leak test a possibly dangerous one? If so, shouldn't the sandbox block this behavior?

Or are sandboxes mainly focused only about logging changes to the files and directories only?

Quote:

The POC's are mostly using flaws in the browser not in Antimalware or a sandbox app. A better test would be to run a trojan, virus or other malware and see the results.

Chris

I think you misunderstand the point of this thread. Please see Ghost's post higher up in the thread, and the link to another post he made (in response to my post in another thread).

I would add, that saying that "flaws in the browser" (actually this is false with respect to the test 1) is not excusable.

[toploader]

in the case of sandboxie - the sandboxie virtual disk folder is the universe - everything that runs within sandboxie and downloads within sandboxie thinks the virtual disk folder is the real hard drive. at the end of the session you empty the sandbox - so for example if there is a keylogger running in memory that was inadvertantly downloaded during the session it will be writing it's log file to the virtual folder - emptying the sandbox will destroy the log file - if the keylogger tried to write autostart keys to the registry it will be the virtual folder copy of the registry so all autostart info is destroyed when the sandbox is emptied.

[Chris12923]

Quote:

Saying trojans or viruses doesn't clarify the matter, since the technique used by this leak test can easily be used ina trojan (perhaps combined with a keylogger for bypassing the firewall).

This will not happen if the trojan is untrusted, It can not install a hook to capture keys.

Quote:

Doesn't a sandbox claim to restrict all types of behavior except for a few harmless activities. The question then becomes is the type of behavior carried out by this leak test a possibly dangerous one? If so, shouldn't the sandbox block this behavior?

This is not considered dangerous behavior by the sandbox so it does not blok it. The program is simply sending text that a user inputs into the program or uses the default text using a method that the firewall does not stop. It does not capture your keystrokes.

Quote:

I would add, that saying that "flaws in the browser" (actually this is false with respect to the test 1) is not excusable.

Well I doubt you are going to find a program sandbox or not that will allow most programs to function correctly but yet block all exploits. You will not find an anti virus or anti trojan or anti anything that will do this. Nothing can block 100 percent of everything besides turning off the power. But sandbox or similar products will let you run untrusted apps that for the most part will work well but not be able to do damage. Not sure other than that on how to explian it.

Quote:

that saying that "flaws in the browser" (actually this is false with respect to the test 1)

That is why I wrote:

Quote:

The POC's are mostly using flaws in the browser

Note the word mostly. I would say that 1 out of 5 does clasify as mostly.

Thanks,

Chris