Seeking suggestions for online test page for Virtualization/Sandbox

Hi guys;

I'm Bill Stout, I work at GreenBorder, and am working on a page to test virtualization and sandboxing techniques. Initially will be a consumer-oriented page (we email a free license for the first 10,000 consumers, we're at 6,000). I'll grow it over time and create a page for analysts. I plan to keep it as simple as possible for maintainability, so I don't plan on creating complex 0-day exploits on it.

I'm seeking suggestions from this forum since you seem to be true judges of credibility. This is a different segment of security from the other guys I talk to such as pen-testers, firewall guys, and bugtraq'ers.

I'm thinking of three overall sections:
- Clean (because virtualization/sandboxing technologies don't clean)
- Scan (for awareness of information available to a site about your system)
- Test (to see if your protection mechanism works and maintains usability)

1. The cleaning step would reference 2-3 other online AV tests, and the free Spyware tools (Spybot, Ad-Aware).

2. The scan step would examine browser settings, and system identification info.

3. The test step would verify protection of local resources, and usability:
- Files - Protection of confidential files and file integrity
- Registry - Protection of confidential registry and registry integrity
- COM - Access to COM objects
- System Calls - Protected system calls
- Network - Protect access to local network services
- Network - Protect access to local network shares
- Clipbook - Protect access to clipbook

What do you guys think? Any suggestions?

Bill Stout

 

Great idea, strange that no one has replied yet, so basically you´re planning to build a site that will demonstrate how GB/sandboxing can protect you against malware? Am I correct?

I would love to see this kind of stuff, because the funny thing is that nowadays there is a lot of hype surrounding the new HIPS tools, and I´m also a fan of HIPS, but no one has actually demonstrated that these tools (pure behaviour blockers) can actually protect you against zero day exploits. So I´m looking forward to your testing site.

 

Because it is very easy to say, but very hard to implement. It need a lot of time and resources.

 

Yes, I agree with Ilya.

From inside a virtual environment which spoofs the real environment, it's harder to test and show that exploits don't work. A virtualized environment makes exploits think they succeeded.

I'm also challenged with three levels of audience; the vast majority of those who would run the test are 'grandmothers and kids', who have a different understanding of security (and language). The next general group would be I.T. people with a general knowledge of security. Then there are security analysts who have a deep knowledge of specific exploits.

It would need to be harmless as well. Creating and deleting files and registry entries should be in safe areas of an unprotected computer, however what you want to demonstrate is the presence of, or lack of confidentiality for sensitive directories and registry locations.

There are a few good generic browser test sites, but they indicate 'fail' where in a virtual environment you can turn on everything and be protected.

• http://www.drorshalev.com/SafeCenter/
• http://onlinecheck.emsisoft.com/en/ (offline?)
• http://www.scanit.be/bcheck

There are one or two others, but the rest of the 'browser test sites' are just port scanners.

 

Yes of course, I can imagine that building such a site can be difficult, especially when building a consumer oriented site. And most exploits do not work on hardened/fully patched machines anyway, so you have to come up with another way to demonstrate that your product can protect against certain attacks.

But I would really like to see several HIPS tested by IT professionals, just in the way that AV/AT´s are tested. I mean why not collect a whole lot of old exploits that were known to be used in remote code execution attacks, and then install different HIPS on fully unpatched machines and look how they perform? This should not be hard to do if I´m correct.

Btw, I did read the KeyLabs report and if I´m correct, GB was tested against some of these "zero day exploits", and it did quite well, not? I mean this would be proof that sandboxing/virtualization is one of the most powerful technologies against "drive by" malware attacks.

OT:

I also think it would be a good move if GreenBorder had the possibility to protect any app, not just IE, other apps like DefenseWall and Sandboxie already have this capability. Compatibility with other anti malware tools should have top priority also. And what´s up with the 50 bucks a year fee? This should be drastically cut, or scrapped IMO.

 

Yes, discussing exploits with security analysts and then trying to convey that to a layman can be frustrating. Translating a conversation in either direction (S.A.<->Layman) will not impress either one, to the layman something technically cool would be esoteric, and to the analyst a demo would be lame.

As far as testing, I need to expand independant analysis beyond Keylabs. I have talked to four different AV test labs, two of which are independant, and two which are commercial. It amazes me how long it takes to arrange testing, however they have to manage their schedule and resources. Turns out it's harder for the independant labs because their resources have daytime jobs also. I've posted requests to find vulnerabilites to bugtraq and full-disclosure lists where very talented security folk reside. A few have responded and have been surprised by the security provided by GreenBorder. In the end it turns out it's as secure as it's configured. No known malware or exploits escape the virtualized environments out there (knock on wood). I believe there was one hole which Ilya found in BZ, but that was fixed. I personally haven't analyzed either product other than an install and a quick look at the user experience.

GreenBorder will protect most applications, if the application opens a tagged document. You can also protect other applications by tagging the shortcuts (right-click to applications on the desktop. However, don't do this with an email client program, because your email messages will be temporary.

I agree, the pricing should be adjusted, and I'm sure marketing will do some 'price testing' promotions. I also hope we do come out with some freebie version.

 

OK thanks for the feedback, and yes, sandboxing seems to have a very promising future. Of course other type of HIPS (behavior monitors) will still be useful, but at the moment I´m not sure if they can actually protect you from the so called "zero day bugs", that´s why independent tests would be nice. But good to hear that GB will be tested more thoroughly.