DOCSLIB.ORG

Bypassing Modern Sandbox Technologies

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Bypassing Modern Sandbox Technologies Gustav Lundsgård & Victor Nedström Bypassing modern sandbox technologies technologies sandbox modern Bypassing Master’s Thesis Bypassing modern sandbox technologies An experiment on sandbox evasion techniques — Gustav Lundsgård An experiment on sandbox evasion techniques Victor Nedström Series of Master’s theses Department of Electrical and Information Technology LU/LTH-EIT 2016-517 Department of Electrical and Information Technology, http://www.eit.lth.se Faculty of Engineering, LTH, Lund University, 2016. Bypassing modern sandbox technologies An experiment on sandbox evasion techniques Gustav Lundsgård Victor Nedström Department of Electrical and Information Technology Lund University Advisor: Paul Stankovski June 21, 2016 Printed in Sweden E-huset, Lund, 2016 Abstract Malware (malicious software) is becoming an increasing problem, as it continu- ously grows both in numbers and complexity. Traditional, signature based anti- virus systems are often incapable of detecting new, sophisticated malware, which calls for more advanced tools. So called sandboxes are tools which automate the process of analyzing malware by actually running them in isolated environments and observing their behavior. Although this approach works very well in theory, some malware have recently begun deploying sandbox detection techniques. With the help of these techniques, malware may detect when they are being analyzed and manage to evade the sandbox by hiding their malicious behavior. The authors of this Master’s Thesis have developed and compared differ- ent types of sandbox detection techniques on five market leading products. It was shown that an average of roughly 43% of the detection techniques devel- oped were capable of both detecting and bypassing the sandboxes, and that the best performing sandbox caught as much as 40% more of the techniques than the worst. Patterns of weaknesses were noticed in the sandboxes, affecting primar- ily the limited hardware and lack of user interaction - both of which are typical sandbox characteristics. Surprisingly, the time for which the sandbox vendors had been developing their sandboxing technology seemed to have no positive impact on the result of their product, but rather the other way around. Further- more, some detection techniques proved very efficient while being trivial to de- velop. The test results have been communicated to the sandbox vendors, and the authors are of the belief that the sandboxes could be quite significantly improved with these results as a guideline. i ii Acknowledgements This Master’s Thesis is a result not only of our own work but also of the efforts of people we have had the privilege to work with. Without you, this Master’s Thesis would not be what it is today. First and foremost, we would like to warmly thank our supervisor at the de- partment of Electrical and Information Technology, Paul Stankovski, for his com- mitment and care throughout the entire process. Secondly, we want to express our sincere gratitude towards Coresec Systems AB for giving us the opportunity to write our Master’s Thesis on a topic close to our hearts. We would especially like to thank our two supervisors, Stefan Lager and David Olander, for their continuous support, technical advisory and encouragement. Furthermore, both Philip Jönsson and Holger Yström deserve many thanks for their efforts in helping and sharing their technical expertise. We are very grateful to all of you for everything we have learnt during the process and are looking forward to working with you in the future. Lastly, we would like to thank The Swedish National Board of Student Aid, Centrala Studiestödsnämnden (CSN), for their investment in our studies. iii iv Acronyms A API - Application Programming Interface C C&C - Command and Control (server) CPU - Central Processing Unit D DLL - Dynamic Link Library DMZ - Demilitarized Zone DNS - Domain Name Server G GPU - Graphics Processing Unit GUI - Graphical User Interface H HTTP - Hypertext Transfer Protocol I IAT - Import Address Table ICMP - Internet Control Message Protocol IRC - Internet Relay Chat M MAC - Media Access Control P PE - Portable Executable R RDP - Remote Desktop Protocol V v VLAN - Virtual Local Area Network VM - Virtual Machine VMM - Virtual Machine Monitor VPN - Virtual Private Network vi Glossary C Command and Control (C&C) server: a server to which malware, after infecting a target host, connects to download files or receive additional instructions. D Debugger: enables a program to be examined during execution. Most debuggers can run programs step by step. F False positive: a benign file causing a "false alarm" in an anti-malware system, commonly because its behavior resembles that of malicious files. G Golden image: an operating system image configured according to best effort. H Hypervisor: software that enables virtualization by creating and running virtual machines. M Malware sample: a single copy of malware being subject to analysis. R Ransomware: a type of malware that encrypts files on a file system and demands a ransom to be paid in exchange for the decryption key. S Snapshot: a preserved state in a virtual machine. Z Zero-day threat: a previously unseen threat. vii viii Table of Contents 1 Introduction 1 1.1 Background ................................ 1 1.2 Problem Description ............................ 1 1.3 Purpose .................................. 2 1.4 Method ................................... 2 1.5 Scope .................................... 3 1.6 Report Layout ............................... 4 2 Theory 5 2.1 Malware .................................. 5 2.1.1 Origin and purpose 5 2.1.2 Types of malware 6 2.2 Malware analysis .............................. 7 2.2.1 Static Analysis 7 2.2.2 Dynamic Analysis 8 2.3 Malware analysis detection ........................ 8 2.4 The Portable Executable file format ................... 9 2.5 Running executable files .......................... 11 2.6 Virtual machines .............................. 11 2.7 Sandboxes ................................. 12 2.7.1 Detection of virtual machines and sandboxes 13 2.8 DLL injection and API hooking ...................... 14 2.9 Sandbox analysis procedure ........................ 15 2.10 Related work ................................ 17 3 System Description 19 3.1 Introduction ................................ 19 3.2 Vendors and sandboxes .......................... 19 3.2.1 Vendor A 19 3.2.2 Vendor B 20 3.2.3 Vendor C 21 3.2.4 Vendor D 22 3.2.5 Vendor E 22 3.2.6 Sandbox specification summary 22 ix 4 Experiments 25 4.1 Introduction ................................ 25 4.2 Test case design .............................. 25 4.3 Test method, environment and configuration .............. 27 4.3.1 Inline deployment 29 4.3.2 Upload deployment 30 4.4 Test cases ................................. 31 4.4.1 Timing 32 4.4.2 Process 33 4.4.3 File 33 4.4.4 Environment 34 4.4.5 Hardware 35 4.4.6 Network 35 4.4.7 Interactive 36 4.5 Test criteria ................................ 37 4.6 Choice of malware ............................. 37 5 Results 39 5.1 Introduction ................................ 39 5.2 Results per category ............................ 39 5.2.1 Timing 40 5.2.2 Process 42 5.2.3 File 44 5.2.4 Environment 46 5.2.5 Hardware 48 5.2.6 Network 50 5.2.7 Interactive 52 5.3 Result of golden image configuration .................. 54 5.4 Result summary .............................. 55 6 Discussion 57 6.1 Sandbox technologies and result patterns ................ 57 6.2 Weakness patterns based on detection technique ............ 60 6.3 Simplicity contra efficiency in detection techniques ........... 61 6.4 System lifetime in relation to test results ................ 62 6.5 General discussion and sources of error ................. 63 7 Conclusions 67 7.1 Future work ................................ 68 References 69 A Test case simplicity-efficiency score 73 x List of Figures 2.1 Flow chart of an inline API hook. .................... 14 2.2 Communication between user mode and kernel mode components. .. 15 3.1 Relative vendor size measured in number of employees ......... 20 3.2 Relative vendor age ............................ 21 4.1 Test case components overview ..................... 26 4.2 Test case flow chart ............................ 26 4.3 A simplified overview of the test environment. ............. 28 4.4 Detailed view of the test environment including network interfaces. 30 4.5 A detailed view of how the malware is hidden as a resource in the test case [1]. .................................. 32 5.1 Timing - detected malware per vendor. ................. 41 5.2 Process - detected malware per vendor. ................. 43 5.3 Files - detected malware per vendor. ................... 45 5.4 Environment - detected malware per vendor. .............. 47 5.5 Hardware - detected malware per vendor. ................ 49 5.6 Network - detected malware per vendor. ................. 51 5.7 Interactive category - detected malware per vendor. .......... 53 5.8 Malware detection rate per vendor. ................... 55 5.9 Average malware detection rate per category and coefficient of variation. 56 6.1 Sandbox detection rate per vendor where the test cases detected the sandbox .................................. 59 6.2 Simplicity contra efficiency score per category. ............. 62 xi xii List of Tables 3.1 Sandbox specifications and features ................... 23 5.1 Timing results statistics. ......................... 40 5.2 Timing category results per vendor. ................... 40 5.3 Process results statistics. ........................
Load more

Recommended publications
  • A Client Honeypot
    MASARYKOVA UNIVERSITY FACULTY OF INFORMATICS A CLIENT HONEYPOT MASTER’S THESIS BC. VLADIMÍR BARTL BRNO, FALL 2014 STATEMENT OF AUTHORSHIP Hereby I declare that this thesis is my original work, which I accomplished independently. All sources, references and literature I use or refer to are accurately cited and stated in the thesis. Signature:............................................ i ACKNOWLEDGEMENT I wish to express my gratitude to RNDr. Marian Novotny, Ph.D. for governance over this thesis. Furthermore, I wish to thank my family and my girlfriend for their support throughout the process of writing. TUTOR: RNDr. Marian Novotny, Ph.D. ii ABSTRACT This thesis discusses a topic of malicious software giving emphasis on client side threats and vulnerable users. It gives an insight into concept of client honeypots and compares several implementations of this approach. A configuration of one selected tool is proposed and tested in the experiment. KEYWORDS client honeypot, low-interaction, high-interaction, malware, attacker, exploit, vulnerability, Cuckoo Sandbox iii TABLE OF CONTENTS 1 INTRODUCTION .......................................................................................................................... 3 1.1 MOTIVATION ........................................................................................................................ 4 1.2 CONTRIBUTION .................................................................................................................... 6 2 BACKGROUND THEORY ..........................................................................................................
    [Show full text]
  • Application Sandboxes: a Pen-Tester's
    Application Sandboxes: A Pen-Tester’s Perspective Rahul Kashyap, [email protected] Rafal Wojtczuk, [email protected] 1 Table of Contents 1.0.0 Executive Summary 4 2.0.0 Results Summary 4 3.0.0 Methodology and Techniques Used 4 4.0.0 Introduction 5 4.1.0 What is a Sandbox? 5 4.2.0 Products Tested 6 5.0.0 Windows Architecture Overview 10 5.1.0 Windows Integrity Mechanisms 11 5.2.0 Malware Trends 12 6.0.0 Type A Sandbox 12 6.1.0 Architecture 12 7.0.0 Type B Sandbox 16 7.1.0 Chromium Sandbox Architecture 16 8.0.0 Exploitation 18 8.1.0 Category 1: Vulnerabilities in OS Kernel 18 8.1.1.0 Kernel Exploit 1 19 8.1.1.1 Type A Sandbox 19 8.1.2.0 Kernel Exploit 2 22 8.1.2.1 Type A Sandbox 23 8.1.2.2 Type B Sandbox 24 8.1.3.0 Kernel Exploit 3 25 8.1.3.1 Type A Sandbox 25 8.1.3.2 Type B Sandbox 26 8.1.4.0 Summary 28 8.2.0 Category 2: Vulnerabilities in OS User Mode Components 28 8.2.1 TCP/IP Networking in Sandboxes 28 8.2.1.1 ALPC Ports 29 8.2.2 User Mode Exploit 31 8.2.2.1 Type A Sandbox 31 8.2.2.2 Type B Sandbox 34 8.2.3 Summary 36 8.3.0 Category 3: Sandbox Leakage 37 8.3.1 Webcam Access 37 8.3.2 Screen Scraping 39 8.3.3 Keylogging 40 8.3.4 ClipBoard Hijack 42 8.3.5 Steal Files 44 8.3.6 Network Shares Access 45 8.3.7 Summary 47 8.4.0 Category 4: Sandbox Vulnerabilities 47 8.4.1 Summary 48 8.5.0 A sandbox Inside a Sandbox 48 8.5.1 Type A Sandbox + Type B Sandbox 48 9.0.0 Conclusion 50 10.0.0 Bibliography 51 11.0.0 Appendix A.
    [Show full text]
  • Transparent System Introspection in Support of Analyzing Stealthy Malware
    Transparent System Introspection in Support of Analyzing Stealthy Malware A Dissertation Presented to the faculty of the School of Engineering and Applied Science University of Virginia In partial fulfillment of the requirements for the degree Doctor of Philosophy Computer Engineering by Kevin Joseph Leach December 2016 APPROVAL SHEET The dissertation is submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy Kevin Joseph Leach, author The dissertation has been read and approved by the examining committee: Dr. Westley Weimer, Advisor Dr. Joanne Dugan, Committee Chair Dr. Marty Humphrey Dr. Ronald D. Williams Dr. Laura E. Barnes Dr. Angelos Stavrou Accepted for the School of Engineering and Applied Science: Craig H. Benson, Dean, School of Engineering and Applied Science December 2016 Abstract The proliferation of malware has increased dramatically and seriously degraded the privacy of users and the integrity of hosts. Millions of unique malware samples appear every year, which has driven the development of a vast array of analysis tools. Malware analysis is often performed with the assistance of virtualization or emulation for rapid deployment. Malware samples are run in an instrumented virtual machine or analysis tool, and existing introspection techniques help an analyst determine its behavior. Unfortunately, a growing body of malware samples has begun employing anti-debugging, anti-virtualization, and anti- emulation techniques to escape or otherwise subvert these analysis mechanisms. These anti-analysis techniques often require measuring differences between the analysis en- vironment and the native environment (e.g., executing more slowly in a debugger). We call these measurable differences artifacts. Malware samples that use artifacts to exhibit stealthy behavior have increased the effort required to analyze and understand each stealthy sam- ple.
    [Show full text]
  • Set Shortcut Clean Defrag Set Shortcut Clean Defrag Winrescue
    RE-SETUP WINDOWS XP sp 2 – 31/05/2009 Personal/Corporate) ver. 5.1.2600.2180 – 040803.2158 7. Explorer right click My Document Properties Move (F5=system, F8=select boot) 8. Outlook Express (OE) Tools Options General : When starting, go directly to Inbox A. BACKUP Send : Automatically put people …. 1. Data, Pasword, Program Data by manual or program Maintenance : Store Folder = change OK Yes 2. Doc.Set.\username\Appl.Data\Microsoft\Templates 9. Regedit 3. Doc.Set.\username\ Favorites HKLM\System\CurrentControlSet\Control : 4. Doc.Set.\username\Loc.Set.\Appl.Data\ Microsoft\Outlook WaitToKillServiceTimeout < 2000 (200 is OK) 5. Doc.Set.\username\Loc.Set.\Appl.Data\Identities\ HKLM\System\CurrentControlSet\Control\SM\MM\PP : {37462A10……}\Microsoft\Outlook Express EnablePrefetcher=3 6. Hasil dari backup E.6. HKLM\Software\Microsoft\Windows\CV\Explorer\RC\NS : B. PARTITION Delete {D6277990-4C6A-11CF-8D87-00AA0060F5BF} C:\15GB\FAT32\Win98SE (HQ6K2-QPC42-3HWDM-BF4KJ-W4XWJ) HKCU\Control Panel\Desktop : MenuShowDelay=0 D:\50GB\FAT32\TEMPORARY (dibuat setelah Virtual Memory) HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced 1. Temp : win (TWF, Recent, Program), int (TIF, Cache, Cookies, History) buat DWORD dgn nama EnableBallonTips=0 2. Backup HKCU&HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer 3. ProgramData buat DWORD dgn nama NoDriveTypeAutorun=ff 4. Draft : Project, Exercise HKCU(&HKLM?)\Software\Microsoft\Windows\CurrentVersion\ E:\65GB\FAT32\DATA Explorer\ShellFolders&UserShellFolders Documents (Corporate, Personal, Program), Masterbox (Setup, FlashDisk), HKLM\System\CurrentControlSet\Services\LanmanServer\Parameter Multimedia, Reference (buat DWORD untuk IRPStackSize = 11~50 (decimal) HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall C. PARTITION HIDING (delete folder u/ ngilangin nama program di Add/Remove, export dulu) 1.
    [Show full text]
  • Operating System Based Virtualization Models in Cloud Computing Dev Ras Pandey, Bharat Mishra, S
    World Academy of Science, Engineering and Technology International Journal of Computer and Information Engineering Vol:11, No:3, 2017 Operating System Based Virtualization Models in Cloud Computing Dev Ras Pandey, Bharat Mishra, S. K. Tripathi 1 virtualization causes a single point of failure, and taking Abstract—Cloud computing is ready to transform the structure of control over the hypervisor from virtual machine level is not businesses and learning through supplying the real-time applications possible [3]. OS based virtualization model is also categorized and provide an immediate help for small to medium sized businesses. as container based and hypervisor based virtualization. Under The ability to run a hypervisor inside a virtual machine is important feature of virtualization and it is called nested virtualization. In this, a wide group of models is available with their today’s growing field of information technology, many of the specification, which makes difficult to select one. On the basis virtualization models are available, that provide a convenient of user’s requirements, different models of OS based approach to implement, but decision for a single model selection is virtualization and both type of techniques container based and difficult. This paper explains the applications of operating system hypervisor based are selected for further study incorporated based virtualization in cloud computing with an appropriate/suitable with requirements of users. model with their different specifications and user’s requirements. In the present paper, most popular models are selected, and the selection was based on container and hypervisor based virtualization. Selected II. OS BASED VIRTUALIZATION models were compared with a wide range of user’s requirements as Host OS enables virtualization that supports multiple number of CPUs, memory size, nested virtualization supports, live isolated, virtualized guests – OS instances, nested migration and commercial supports, etc.
    [Show full text]
  • Sandbox" Programskih Alata CCERT-PUBDOC-2009-03-259
    Usporedba "sandbox" programskih alata CCERT-PUBDOC-2009-03-259 Revizija 1.06 CCERT-PUBDOC-2009-03-259 Stranica 1/21 Sigurnosni problemi u računalnim programima i operativnim sustavima područje je na kojem CARNet CERT kontinuirano radi. Rezultat toga rada je i ovaj dokument, koji je nastao suradnjom CARNet CERT– a i LS&S–a, a za koji se nadamo se da će Vam koristiti u poboljšanju sigurnosti Vašeg sustava. CARNet CERT, www.cert.hr Nacionalno središte za sigurnost računalnih mreža i sustava. LS&S, www.LSS.hr Laboratorij za sustave i signale pri Zavodu za elektroničke sustave i obradbu informacija Fakulteta elektrotehnike i računarstva Sveučilišta u Zagrebu. Ovaj dokument je vlasništvo CARNet–a (CARNet CERT–a). Namijenjen je za javnu objavu, njime se može svatko koristiti, na njega se pozivati, ali samo u izvornom obliku, bez ikakvih izmjena, uz obavezno navođenje izvora podataka. Korištenje ovog dokumenta protivno gornjim navodima, povreda je autorskih prava CARNet–a, sukladno Zakonu o autorskim pravima. Počinitelj takve aktivnosti podliježe kaznenoj odgovornosti koja je regulirana Kaznenim zakonom RH. Revizija 1.06 CCERT-PUBDOC-2009-03-259 Stranica 2/21 Sadržaj 1. UVOD ............................................................................................................................................................. 4 2. OPIS „SANDBOX“ MEHANIZMA ................................................................................................................... 5 3. PRIMJENA „SANDBOX” ALATA ...................................................................................................................
    [Show full text]
  • Automated Analysis of Marginalized Malware
    Noname manuscript No. (will be inserted by the editor) The Other Guys: Automated Analysis of Marginalized Malware Marcus Felipe Botacin · Paulo L´ıciode Geus · Andr´eRicardo Abed Gr´egio Received: date / Accepted: date Abstract In order to thwart dynamic analysis and by- defensive tools, users are still being infected from mali- pass protection mechanisms, malware have been using cious attachments from phishing e-mail messages, cam- several file formats and evasive techniques. While pub- paigns of malware variants are continuously arising, and licly available dynamic malware analysis systems are operating systems protection, as well as third-party se- one of the main sources of information for researchers, curity mechanisms may be subverted by simple, older security analysts and incident response professionals, techniques. they are unable to cope with all types of threats. There- An effective way to understand and work on miti- fore, it is difficult to gather information from pub- gation of malware infections is to monitor the actions lic systems about CPL, .NET/Mono, 64-bits, reboot- exhibited by suspicious samples in a dynamic anal- dependent, or malware targeting systems newer than ysis system. There are several systems proposed in Windows XP, which result in a lack of understanding the literature and available as online services to cope about how current malware behave during infections with this task. The latter are a useful resource for re- on modern operating systems. In this paper, we discuss searchers, incident response professionals and security the challenges and issues faced during the development analysts, which take advantage of the information pre- of this type of analysis system, mainly due to security sented in the reports to assess specific threats.
    [Show full text]
  • Cursor— Page 2 — March 17, 2012 Continued from Page 2 • See for News and Tips About Windows 8
    TThheeCCuurrssoorr Monthly Newsletterofthe WashingtonArea ComputerUserGroup Meeting Location: Next Meeting: OLLI, 4210 Roberts Road March 17, 2012 Fairfax, VA Presidential Bits by GeofGoodrum President WACUG, president(at)wacug.org The February meeting, one of our best attended ever, featured excellent presentations about Digital Photography by Dan Feighery and TrueCrypt disk encryption software by Lorrin Garson. Dan characterized his session as plowing the digital photo field “a mile wide and an inch deep.” Dan covered the characteristics of Paul Howard (left) introduces digital cameras from inexpensive “point & shoot” models to high-end Dan Feighery (right) Digital Single-Lens Reflex (DSLR) models. Even the basic cameras have extensive manuals describing available features, displays, and controls of the camera, and Dan encouraged everyone who buys a Table of Contents camera to spend some time with the manual to understand the camera’s capabilities. One particular function is the histogram, which Useful Bits & Pieces.............2 can help you optimize your pictures. Dan also discussed color Linux News........................... 4 management, a somewhat involved end-to-end process that includes Sandboxie............................. 7 adjustment of video monitor, camera, and printer to ensure that the Using PowerPoint................9 colors captured by the camera are reproduced as accurately as Micro Center Clinics..........10 possible on screen and in print. Dan’s briefing slides are on the WAC Recent Meetings web page (http://www.wacug.org/recmtgs.html) as a 21 MB PDF file, and serves as an invaluable reference to the general Only in the Download concepts of digital photography. Edition: Lorrin Garson returned to talk about “Protecting Private Information with TrueCrypt” software, available as a free download for Microsoft Windows, GNU/Linux, and Apple Macintosh OS X systems.
    [Show full text]
  • SECURITY SANDBOXING for PC2: WINDOWS VERSION a Project
    SECURITY SANDBOXING FOR PC2: WINDOWS VERSION A Project Presented to the faculty of the Department of Computer Science California State University, Sacramento Submitted in partial satisfaction of the requirements for the degree of MASTER OF SCIENCE in Computer Science by Parita Shah SPRING 2017 SECURITY SANDBOXING FOR PC2: WINDOWS VERSION A Project by Parita Shah Approved by: __________________________________, Committee Chair Dr. John Clevenger __________________________________, Second Reader Dr. V. Scott Gordon ____________________________ Date ii Student: Parita Shah I certify that this student has met the requirements for format contained in the University format manual, and that this project is suitable for shelving in the Library and credit is to be awarded for the project. __________________________, Graduate Coordinator ___________________ Dr. Jinsong Ouyang Date Department of Computer Science iii Abstract of SECURITY SANDBOXING FOR PC2: WINDOWS VERSION by Parita Shah The purpose of a Sandbox software is to execute a program under restricted environment to protect a computer system from malicious activities. The Security Sandbox tool will be developed to be used for the Programming Contest Control System, called PC2 for short. PC2 software is used to support programming contests of ACM and its International Collegiate Programming Contests around the world. PC2 allows teams to submit their programs to the judges over the network. The judges can perform manual judging for the team’s submitted program. PC2 also supports automatic judging of these submitted programs. These are a few of the many functionalities of PC2. When teams submit their programs for judging, their code might perform malicious activities on the system that is running the judging module.
    [Show full text]
  • Windows Security Sandbox Framework Kyle P
    Eastern Washington University EWU Digital Commons EWU Masters Thesis Collection Student Research and Creative Works 2012 Windows security sandbox framework Kyle P. Gwinnup Eastern Washington University Follow this and additional works at: http://dc.ewu.edu/theses Part of the Computer Sciences Commons Recommended Citation Gwinnup, Kyle P., "Windows security sandbox framework" (2012). EWU Masters Thesis Collection. 68. http://dc.ewu.edu/theses/68 This Thesis is brought to you for free and open access by the Student Research and Creative Works at EWU Digital Commons. It has been accepted for inclusion in EWU Masters Thesis Collection by an authorized administrator of EWU Digital Commons. For more information, please contact [email protected]. WINDOWS SECURITY SANDBOX FRAMEWORK A Thesis Presented To Eastern Washington University Cheney, Washington In Partial Fulfillment of the Requirements for the Degree Master of Science By Kyle P. Gwinnup Summer 2012 THESIS OF KYLE GWINNUP APPROVED BY DATE CAROL TAYLOR, GRADUATE STUDY COMMITTEE DATE BILL CLARK, GRADUATE STUDY COMMITTEE ii iii Abstract Software systems are vulnerable to attack in many different ways. Systems can be poorly implemented which could allow an attacker access to the system through legitimate means such as anonymous access to a server or security controls and access lists can be configured incorrectly which would allow an attacker access to the system by exploiting a logic flaw in the systems configuration. These security vulnerabilities can be limited by implementing software systems properly or in a more restrictive manner. Sandboxing an application allows for interception of a processes system call for verification against a defined policy.
    [Show full text]
  • Appropriate Security and Confinement Technologies
    Appropriate Security and Confinement Technologies Methods for the Design of Appropriate Security and a Case Study on Confinement Technologies for Desktop Computers Steve Dodier-Lazaro UCL A thesis submitted for the degree of Doctor of Philosophy 22nd June 2018 I, Steve Dodier-Lazaro confirm that the work presented in this thesis is my own. Where information has been derived from other sources, I confirm that this has been indicated in the thesis. 3 Abstract Despite significant research, desktop computers remain fundamentally insecure. Mal- ware is a prime culprit for data breaches in organisations. A vast number of user machines are connected to the Internet unprotected, leading to global ransomware attacks costing billions to world economies. Confinement systems are technologies that can thwart mal- ware. Several security researchers have claimed to have designed usable confinement, and both Microsoft and Apple have deployed confinement into their desktop OSs in the form of sandboxes, but application developers avoid supporting it. Commercial off-the-shelf confinement systems exist which users can adopt and use, but very few do. My thesis investigates the design process of confinement technologies, to understand why they are not in use. It is divided in two parts. Firstly, I examine why the methods of usable security may not be judicious when it comes to designing for adoption. I propose alternative methods and goals, focused on the adoption and appropriation of technologies, rather than on their usability. This alternative process, named appropriate security, rests on four principles: security research is about users, not technology; it is about appropriation, not usability; it should not cause harm to users; and it should involve users in shaping security goals, rather than impose others’ goals onto them.
    [Show full text]
  • Virus Contact Tracing
    Security Now! Transcript of Episode #762 Page 1 of 23 Transcript of Episode #762 Virus Contact Tracing Description: This week we follow-up on a bunch of continuing Zoom news, since Zoom appears to be poised to become the teleconferencing platform of choice for the world at large. They've made more changes, have been sued, and have been rapidly taking steps to fix their remaining problems. We have some browser news and another worrisome look into Android apps using a novel approach to quickly characterize them. We have an interesting and sad bit of miscellany, a progress report on my SpinRite work, and then we take the sort of full technical deep dive into the joint Apple/Google Contact Tracing system that our listeners have come to expect from this podcast. By the end of this podcast everyone will understand exactly what Apple and Google have done and how the system functions, in detail. High quality (64 kbps) mp3 audio file URL: http://media.GRC.com/sn/SN-762.mp3 Quarter size (16 kbps) mp3 audio file URL: http://media.GRC.com/sn/sn-762-lq.mp3 SHOW TEASE: It's time for Security Now!. Steve Gibson's here. There is, of course, lots to talk about. A farewell to a guy who was very inspirational to both Steve and me in our youth, another victim of COVID-19. And then Steve will talk about Apple and Google's plan to support quarantine and tracking using your iPhone and Android. Steve breaks it down, says how it works, and explains how it can be used without invading privacy.
    [Show full text]