A challenge for sandbox / virtualization technology

Discussion in 'sandboxing & virtualization' started by Pollmaster, Oct 4, 2005.

Thread Status:
Not open for further replies.
  1. Pollmaster

    Pollmaster Guest

    It seems in the last few weeks, sandbox/virtualization technology has been hyped up by the usual suspects. It has been described as a "major way forward", a new foundation, a way to eliminate the bad old scanners.

    Vikorr is trying Antimalware, Notok is trying Defensewall host, other people are trying sandboxie, greenborder etc.

    I'm just curious, how do the following products succeed in sandboxing
    snip....Link removed as there are links from that page that are against the Wilders TOS - Bubba

    Are these blocked?
    Last edited by a moderator: Oct 6, 2005
  2. Rmus

    Rmus Exploit Analyst

    The first exploit, the DDE-IPC exploit, has been discussed in the Firewalls forum in the "Malicious code could trick ZoneAlarm firewall" thread. Whether "sandboxing" could block applications from connecting out would depend on how you define "sandboxing." That is, what should a sandbox or "virtualization" program be expected to do?

    I'm beginning to suspect (after reading comments in the other virtualization thread) that this technology is being expected to do things it wasn't designed to do.

    Regarding "Defeating Citi-Bank Virtual Keyboard Protection" in the link you cited - I noticed these comments on the POC download page:

    This can be exploited to execute arbitrary HTML or script code in a user's browser session in context of an affected site by tricking the user into visiting a malicious website or follow a specially crafted link.
    This can be of great aid to the phishers who can entice the user to click on the above link and get re-directed to some malicious sites where their critical information can be stolen.

    A similar comment was made about the "Indiatimes Shopping Cart XSS (Cross Site Scripting) Attacks"

    A little bit of common sense should work here.

    ~~Be ALERT!!! ~~
    Last edited by a moderator: Oct 6, 2005
  3. Pollmaster

    Pollmaster Guest

    *Exactly*. That was the point I was trying to make actually. After all vikorr has claimed that he tested all sorts of PoCs and nothing has got past..... :)

    See also http://www.wilderssecurity.com/showthread.php?t=99742
  4. Vikorr

    Vikorr Registered Member

    Hiya Pollmaster

    Why not try the tests I ran out for yourself. They are easy enough to find <I included the links somewhere, but it may have been over at Castlecops>

    I'll have a look at your above link when I wake up. I just finished a shift of nightwork.

    As for virtualisation programs, I like SU (as an example because I use it), for its simplicity. It's easy to understand how it works.

    With regards to AM. If I was using it by itself, I would probably like it very much. I do like the program, but not entirely certain if I'll keep it <mostly because of issues related to SU>

    And I saw another post of yours Pollmaster, where you said that sandboxes are being used for much the same purpose as HIPS (or words to that effect). I quite agree. I suppose the difference is that, seeing as almost everything is contained within the sandbox, it does not need a specific rule (for example) for things like registry protection...all registry changes are written to a virtual registry, which is not read at computer startup.

    And yes, installations, once again, are a weak point.
  5. ErikAlbert

    ErikAlbert Registered Member

    I guess you mean software that can't be installed without an internet connection.
    In my case, I know only 3 programs that need an internet connection:
    1. Windows Update.
    2. MSAS beta1
    3. A2 Free.
    The rest of all my software can be installed without internet.
  6. Vikorr

    Vikorr Registered Member

    I mean software installs that require drivers

    Other installs are fine, so long as you don't want the program to autostart.
  7. Peter2150

    Peter2150 Global Moderator

    What you guys are discussing is exactly why I like First Defense. I can use it as a big ole sandbox if I want to. For example, not too long ago I wanted to test a trial of Norton's Security suite. This is not the easiest thing to remove. Does require rebooting etc etc. Sure couldn't use something like Sandboxie. So I rebooted into my secondary snapshot, and installed it there. Internet access, reboots, autostarts, etc no problem. Then if I want to go back to regular work, I just boot into my regular snapshot. I can leave Norton on the other snapshot as long as I want, and when I am done, a 5 minute copy and it is all gone. I use the same principle if I want to do some risky surfing, or go online without full protection. Has worked fine for me.

  8. Notok

    Notok Registered Member

    Hmm, I don't recall seeing much of that.
  9. Vikorr

    Vikorr Registered Member


    That sounds like a better way of testing things than ShadowUser, which is causing problems with AM, because I think, of the virtual registry used by AM, which I can't exclude from SU.

    I've been wanting a disk imaging system for a while now (just not prepared to pay the money yet - have to get rid of the credit card debt first- don't like having them).

    I had heard that some of them take like 5-8 CDs to capture a computer, but you are saying First Defense ISR can re-install in 5 min, and has the option of booting into different snapshots of the OS...that sounds flexible. I take it the only thing you can't recover from is a system crash? <I've heard you can recover from system crashes with other imaging systems>
  10. Pollmaster

    Pollmaster Guest

    Really? Just a few examples here.

    Must I go on? The same old "signatures are bad" <insert whatever new approach is the fancy of the month> is better.
  11. Pollmaster

    Pollmaster Guest

    Vikorr, if you look at the posts Erikalbert is making he is bashing "definitions" because they list only the bad things which according to him is infinite.

    So he prefers sandboxes.

    But what I'm trying to show is that sandboxes might also be based on the bad old method of listing bad actions. If it is unknown to the sandbox maker that a certain action can be used to do evil, it will be allowed.

    So virtualization tech isn't all that good either, considering the complexity problems of employing them.
  12. Peter2150

    Peter2150 Global Moderator

    Hi Vikorr

    What First Defense does is maintain full snapshots for your system. It can keep up to 10, just depends on your disk space. A copy from one to another refreshes the target so it looks exactly like the source. 1st time takes time, refreshes are quick. Once in a snapshot, if you didn't know what First Defense was you flat couldn't tell. You can install, uninstall, reboot, whatever, and you stay in the snapshot you're in. I have totally trashed my system by accident. Had a registry cleaner running and machine froze. Had to power reset. Wasn't pretty. Just did a reboot, used the preboot selector to boot to another snapshot and did a five minute copy. All fixed.

    The latest version even has the ability to do a copy to an archive on an external drive. Once created, takes about 2 minutes to refresh every day. Having that archive, if I had a total disk failure what I could do is just do a Windows XP quickie install. Install the external drive drivers, and then install FDISR. Then I could copy that archive to a snapshot on hard drive, and I am back in business. Works like a champ. I do also use disk imaging software.


    PS From a sandbox point of view I love this, because it really is like just working on your computer, and yet you are protected.
  13. Notok

    Notok Registered Member

    I dunno, 3 out of the 517,830 posts on this board hardly qualifies as 'hype' to me. Talk about the strengths and weaknesses, sure, but c'mon man.. don't try to wrap internet/forum politics into this, please.
  14. pollgone

    pollgone Guest

    Like it or not, this board is built on forum politics. I think if you study the behavior of the board and its personalities you will see some interesting patterns.

    From past experience this is how hype happens

    1. A few vendors by chance or circumstance produce a certain gimmick that until then was not offered to home users but is old hat to enterprise users.

    2. Remus/kareldjag will post some official sounding definition about it, some tests

    3. Then the betatester group will move in (Vikorr, Peter, myself, Richrf) etc . Either testing it, or ....Threads covering the same topic start appearing in frequency.

    4. People then start talking about how it's a new paradigm, a new foundation to replace antiviruses....

    5. Profit! :)

    Sometimes it's not a new class of software, but rather some new software that catches the fancy of the beta tester group.

    Surely this is starting to sound familiar to you Notok. :)

    I just call them as I see them. I don't care if you think this is a troll.
  15. Mysterion

    Mysterion Guest

  16. MikeNash

    MikeNash Security Expert

    Hi Everyone,

    I would appreciate it if we could proceed with some swiftness to step number 5 in the pollmaster plan :D

  17. pollgone

    pollgone Guest

    Experience tells me that having pollmaster campaign against a certain product, adds 200% to its sales.
  18. ghost16825

    ghost16825 Registered Member

    Sandboxes do not automatically stop exploitation of vulnerabilities, they just have the ability with user input to set tight boundaries on executable behaviour. But it's because of these set boundaries that execution of program code by exploitation of a vulnerability can be made to fail, or the damage largely mitigated.
    I also posted a reply on the issue of sandboxes here:
  19. Chris12923

    Chris12923 Registered Member

    I'm taking this challenge with anti malware right now. Stay tuned for results.


  20. Chris12923

    Chris12923 Registered Member

    hmm now the link is gone. Someone please pm me with the link.


  21. Chris12923

    Chris12923 Registered Member

    Using Antimalware.

    First test:
    Bypassing Personal Firewall (ZoneAlarm Pro) Protection

    This test does send the information to its server. But this is expected.

    Second test:
    Defeating Citi-Bank Virtual Keyboard Protection

    Whether it is Antimalware or something else this test fails with the program giving the message "Citibank login page not found!!"

    Third test:
    Indiatimes Shopping Cart XSS (Cross Site Scripting) Attacks

    The only one that I could get to work was the redirection code and this did redirect my browser.

    Fourth test:
    Defeating Microsoft WGA (Windows Genuine Advantage) Validation Check

    Could not find the POC on the site. Please pm me if I missed it somewhere.

    Fifth test:
    CuteNews "archive" parameter Cross Site Scripting (XSS) Vulnerability

    I did not test this because the current version of CuteNews is 1.4 and this version is not affected by the exploit.

    I think most if not all of these tests are not tests for Antimalware or sandbox apps. The POCs are mostly using flaws in the browser, not in Antimalware or a sandbox app. A better test would be to run a trojan, virus or other malware and see the results. Pollmaster, if you can pm me with any types of these programs which would actually be a test for Antimalware or a sandbox app, then I will test them and post the results here as well. Please remember these tests only represent my PC and the conclusion is just my opinion.


    Last edited: Oct 6, 2005
  22. poll2

    poll2 Guest

    Perhaps, but what exactly would a test for sandbox apps be? Saying trojans or viruses doesn't clarify the matter, since the technique used by this leak test can easily be used in a trojan (perhaps combined with a keylogger for bypassing the firewall).

    Doesn't a sandbox claim to restrict all types of behavior except for a few harmless activities? The question then becomes: is the type of behavior carried out by this leak test a possibly dangerous one? If so, shouldn't the sandbox block this behavior?

    Or are sandboxes mainly focused only about logging changes to the files and directories only?

    I think you misunderstand the point of this thread. Please see Ghost's post higher up in the thread, and the link to another post he made (in response to my post in another thread).

    I would add, that saying that "flaws in the browser" (actually this is false with respect to the test 1) is not excusable.
  23. toploader

    toploader Registered Member

    In the case of Sandboxie - the Sandboxie virtual disk folder is the universe - everything that runs within Sandboxie and downloads within Sandboxie thinks the virtual disk folder is the real hard drive. At the end of the session you empty the sandbox - so for example if there is a keylogger running in memory that was inadvertently downloaded during the session it will be writing its log file to the virtual folder - emptying the sandbox will destroy the log file - if the keylogger tried to write autostart keys to the registry it will be the virtual folder copy of the registry, so all autostart info is destroyed when the sandbox is emptied.
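To make the containment toploader describes concrete, and to illustrate Pollmaster's earlier point (post 11) that a sandbox built on a list of known-bad actions lets unknown actions through while a default-deny policy does not, here is an added toy model in Python. It is not Sandboxie's code or anything from the thread: the overlay class, the `run_scenario` walk-through, the registry path and the action names are all constructed for this example. Writes by the "untrusted" program land in a sandbox folder and a sandbox copy of the registry, reads fall through to the host, and emptying the sandbox discards the log file and the autostart key while the host stays untouched.

```python
"""Toy copy-on-write sandbox (overlay of files and registry keys) plus a
deny-list vs allow-list policy check. Added illustration, not Sandboxie's
code; paths, keys and action names below are constructed for the example."""
import os
import shutil
import tempfile


class OverlaySandbox:
    """Writes go to the sandbox folder/registry copy; reads fall through to the host."""

    def __init__(self, host_root, host_registry, sandbox_root):
        self.host_root = host_root
        self.host_registry = host_registry      # host registry, never written here
        self.sandbox_root = sandbox_root
        self.virtual_registry = {}              # sandbox copy of registry writes
        os.makedirs(sandbox_root, exist_ok=True)

    def write_file(self, rel, data):
        # every write is redirected into the sandbox folder
        path = os.path.join(self.sandbox_root, rel)
        os.makedirs(os.path.dirname(path) or ".", exist_ok=True)
        with open(path, "w", encoding="utf-8") as f:
            f.write(data)

    def read_file(self, rel):
        # the sandboxed program sees its own copy first, then the real file
        for root in (self.sandbox_root, self.host_root):
            path = os.path.join(root, rel)
            if os.path.isfile(path):
                with open(path, encoding="utf-8") as f:
                    return f.read()
        return None

    def set_registry(self, key, value):
        self.virtual_registry[key] = value

    def read_registry(self, key):
        if key in self.virtual_registry:
            return self.virtual_registry[key]
        return self.host_registry.get(key)

    def empty(self):
        """Emptying the sandbox discards every file and key written inside it."""
        shutil.rmtree(self.sandbox_root)
        os.makedirs(self.sandbox_root)
        self.virtual_registry.clear()


RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"  # illustrative autostart path


def run_scenario():
    """Simulate an untrusted program inside the sandbox, then empty the sandbox."""
    host_root = tempfile.mkdtemp(prefix="host_")
    sandbox_root = tempfile.mkdtemp(prefix="sandbox_")
    try:
        # constructed host state: one document and one legitimate autostart entry
        with open(os.path.join(host_root, "notes.txt"), "w", encoding="utf-8") as f:
            f.write("real notes")
        host_registry = {RUN_KEY + r"\ctfmon": "ctfmon.exe"}
        box = OverlaySandbox(host_root, host_registry, sandbox_root)

        # what a keylogger-style program would try to do inside the box
        box.write_file("keylog.txt", "typed: hunter2")
        box.write_file("notes.txt", "tampered")
        box.set_registry(RUN_KEY + r"\logger", r"C:\logger.exe")
        inside = {
            "log": box.read_file("keylog.txt"),
            "notes": box.read_file("notes.txt"),
            "autostart": box.read_registry(RUN_KEY + r"\logger"),
        }

        box.empty()  # end of session
        after = {
            "log": box.read_file("keylog.txt"),
            "notes": box.read_file("notes.txt"),
            "autostart": box.read_registry(RUN_KEY + r"\logger"),
        }
        with open(os.path.join(host_root, "notes.txt"), encoding="utf-8") as f:
            host_notes = f.read()
        return inside, after, host_notes, dict(host_registry)
    finally:
        shutil.rmtree(host_root, ignore_errors=True)
        shutil.rmtree(sandbox_root, ignore_errors=True)


# Policy styles: a deny-list only stops actions the sandbox author already knows
# about; a default-deny allow-list stops everything not explicitly permitted.
KNOWN_BAD = {"install_keyboard_hook", "write_host_autostart"}
ALLOWED = {"read_file", "write_sandbox_file", "draw_window"}


def denylist_allows(action):
    return action not in KNOWN_BAD


def allowlist_allows(action):
    return action in ALLOWED


if __name__ == "__main__":
    inside, after, host_notes, host_reg = run_scenario()
    print("inside sandbox:", inside)
    print("after emptying:", after)
    print("host notes:", host_notes, "| host autostart:", host_reg)
    for action in ("read_file", "install_keyboard_hook", "unknown_ipc_call"):
        print(action, "deny-list:", denylist_allows(action),
              "allow-list:", allowlist_allows(action))
```

Inside the session the program believes its log, its tampered copy of notes.txt and its Run key all exist; after `empty()` none of them do, and the host's file and registry are exactly as before. The last loop shows the policy gap: an action the author never listed (`unknown_ipc_call`) passes the deny-list but is refused by the allow-list.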
  24. Chris12923

    Chris12923 Registered Member

    This will not happen if the trojan is untrusted; it can not install a hook to capture keys.
    This is not considered dangerous behavior by the sandbox so it does not block it. The program is simply sending text that a user inputs into the program or uses the default text using a method that the firewall does not stop. It does not capture your keystrokes.

    Well, I doubt you are going to find a program, sandbox or not, that will allow most programs to function correctly but yet block all exploits. You will not find an anti virus or anti trojan or anti anything that will do this. Nothing can block 100 percent of everything besides turning off the power. But sandbox or similar products will let you run untrusted apps that for the most part will work well but not be able to do damage. Not sure other than that on how to explain it.
    That is why I wrote:
    Note the word mostly. I would say that 1 out of 5 does classify as mostly.

