DOCSLIB.ORG

Automated Analysis of Marginalized Malware

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Automated Analysis of Marginalized Malware Noname manuscript No. (will be inserted by the editor) The Other Guys: Automated Analysis of Marginalized Malware Marcus Felipe Botacin · Paulo L´ıciode Geus · Andr´eRicardo Abed Gr´egio Received: date / Accepted: date Abstract In order to thwart dynamic analysis and by- defensive tools, users are still being infected from mali- pass protection mechanisms, malware have been using cious attachments from phishing e-mail messages, cam- several file formats and evasive techniques. While pub- paigns of malware variants are continuously arising, and licly available dynamic malware analysis systems are operating systems protection, as well as third-party se- one of the main sources of information for researchers, curity mechanisms may be subverted by simple, older security analysts and incident response professionals, techniques. they are unable to cope with all types of threats. There- An effective way to understand and work on miti- fore, it is difficult to gather information from pub- gation of malware infections is to monitor the actions lic systems about CPL, .NET/Mono, 64-bits, reboot- exhibited by suspicious samples in a dynamic anal- dependent, or malware targeting systems newer than ysis system. There are several systems proposed in Windows XP, which result in a lack of understanding the literature and available as online services to cope about how current malware behave during infections with this task. The latter are a useful resource for re- on modern operating systems. In this paper, we discuss searchers, incident response professionals and security the challenges and issues faced during the development analysts, which take advantage of the information pre- of this type of analysis system, mainly due to security sented in the reports to assess specific threats. However, features available in NT 6.x kernel versions of Windows most of the publicly available dynamic analysis systems OS. We also introduce a dynamic analysis system that are only able to run PE32 executable files on Win- addresses the aforementioned types of malware as well dows XP virtual/emulated machines1, whereas modern as present results obtained from their analyses. MS-Windows can run PE+ files (64-bits) and .NET framework-dependent samples natively. Another con- Keywords Malware analysis systems · Evasive cern of these systems is the ability to analyze samples malware · OS security · 64-bit systems · CPL malware · that require rebooting the OS to complete the infec- .Net malware tion and, therefore, exhibit important actions of their malicious behavior. The analysis of this type of malware relies on a sys- 1 Introduction tem that has to overcome some design and implementa- tion issues related to the security mechanisms present Desktop malicious programs continue to threaten users on newer versions of MS-Windows systems, which dif- on a daily basis. Despite all security mechanisms and ficult kernel-based monitoring of subsystems (Registry, file system, processes) in a way more privileged than the Marcus Botacin · Paulo L´ıciode Geus University of Campinas, Campinas-SP, Brazil malware process. In this paper, we propose a dynamic E-mail: [email protected] analysis system to monitor \marginalized" malware, E-mail: [email protected] i.e., those samples that have not been addressed by pub- Andr´eRicardo Abed Gr´egio licly available systems. Our proposed system is able to Federal University of Paran´a,Curitiba-PR, Brazil E-mail: [email protected] 1 As detailed on Section 4.4 2 Marcus Felipe Botacin et al. analyze PE32 (Portable Executable 32-bits), PE+ (PE the CPlApplet function [28] and can be directly exe- 64-bit version), CPL (Control Panel) and .NET/Mono cuted by users' double-click, often leading to a back- files in Windows 7 and 8 environments, as well as to ground execution. CPL malware is a Brazilian phe- monitor reboot-activated malware and extract their be- nomenon mostly related to Internet Banking attacks, havior. The main contributions of this paper are: (i) we whose actions are recognized by antivirus vendors as provide an overview on CPL and .NET/Mono file types significant threats [21]. and discuss their role in current malware attacks; (ii) we .NET/Mono. Mono is a software platform that al- present the challenges of designing and implementing a lows the creation of cross-platform applications (http: malware dynamic analysis system using modern Win- //www:mono-project:com/) and it is an open source im- dows operating systems (7 and 8 | kernel NT 6.x); plementation of Microsoft's .NET framework. This kind (iii) we introduce a new dynamic analysis system to of sample has the same range of actions that traditional monitor both 32 and 64-bits malware samples, which PE ones, but it usually crashes on or does not work is able to analyze reboot-activated malware, as well as on .NET framework versions for Windows XP (used in samples encapsulated in other executable file formats most publicly available sandboxes). We observed an in- (specifically CPL and .NET/Mono). Our work provides crease in the number of malware samples using this file richer behavioral information than other available sys- type2, but did not find specific literature about them. tems, showing how current malware samples act and PE+. Portable Executable [35] is a file format used helping in a better understanding of them. on Windows systems mainly for executable and library The remainder of this paper is organized as follows: files. There are two versions of it: PE32 and PE+, In Section 2, we provide a background on different file for 32 and 64-bits files, respectively. Analysis support types being used to deploy malware (PE+, CPL, and for PE32 is widespread, but there is a lack of specific .NET/Mono files), on new Windows internal mecha- PE+ malware analysis tools. As reported in [5], 64-bits nisms and their implications on current in-system mon- malware is an inevitable move. The more 64-bits plat- itoring tools, and we present the related works; in Sec- forms are deployed, the more it becomes attractive for tion 3, we detail the architecture of our proposed dy- malware creators. Malware developers do not need to namic analysis system and choices about its design; in move immediately from coding 32 to 64-bit malicious Section 4, we present some case studies to evaluate our programs|modern Windows are still compatible with proposed system using malware samples collected in the both (WoW64 [26] is responsible for such translation)| wild, mainly the ones marginalized by currently avail- , but if they do, researchers must be able to analyze able public analysis systems; in Section 5, we discuss those samples, since 64-bits malware is already in the the limitations of our system, and, finally, in Section 6, wild: in [5], the authors present a version of the Zeus we provide our final considerations. malware that is able to inject 32 and 64-bits versions of itself, depending on the host; Regin [18] samples also have 64-bits modules. In spite of that, there is still a 2 Background and Related Work lack of malware analysis literature for 64-bits samples' We present a brief background about file types used by analysis and execution. For instance, a reference text- malicious programs, simple techniques malware uses to book [40] covers PE Header changes and the new 64-bit prevent analysis, dynamic analysis systems, and tools calling convention but do not address changes in dy- from literature and the monitoring techniques they namic execution. Furthermore, as far as we know, there make use of. are no portable and publicly available sandboxes able to adequately handle PE+ files in the context of malware analysis3. Thomas et al. [43] discuss some differences of 2.1 File Encapsulation executing 32-bits samples on 64-bits modern operating systems (from Windows 7 forensics procedures perspec- Executable file formats that run correctly in a victim's tive), while Corregedor et al. [6] provides a first step on system may hinder the dynamic analysis, if used to analyzing a 32-bit modern Windows, which makes us encapsulate malware. We have observed a significant to consider the results on 64-bits ones. number of CPL and .NET binaries in our dataset (we collected these samples in the wild during the last few 2 We identified as .NET 0.6%, 1.1%, and 7.6% of all samples years), apart from the prevalence of PE files. Below, we from our dataset collected in 2013, 2014, and the first quarter of 2015, respectively. discuss the file types available among our samples. 3 Solutions like Sandboxie (http://www:sandboxie:com) are CPL. It is the file extension of Control Panel ap- not designed for this purpose and can be detected due to their plets, which are dynamic libraries (DLL) that export userland modules. The Other Guys 3 2.2 Dynamic Analysis Evasion and Reboot struction to the trampoline function in order to redi- rect the execution flow. Some drawbacks include it be- Malware creators use a varied set of techniques to by- ing userland-based (more prone to be bypassed) and pass sandbox-based analysis, such as virtual machine requiring the injection of the DLL in each of the to be detection and fingerprinting [16,34,12]. Different ap- monitored processes. Examples of tools employing this proaches are required to address them, such as the mon- techniques are CWsandbox [46] and Cuckoo [11]. itoring of split behavior [2] and the use of bare metal Virtual Machine Introspection. Consists of in- systems [15]. An effective evasive technique against dy- strumenting the virtual machine hypervisor to collect namic analysis system is to delay the execution of a information about the guest system. It allows for finer- sample, either by stalling it or requiring a reboot to grained analysis, since it is possible to obtain assembly complete the process of performing malicious actions.
Load more

Recommended publications
  • A Client Honeypot
    MASARYKOVA UNIVERSITY FACULTY OF INFORMATICS A CLIENT HONEYPOT MASTER’S THESIS BC. VLADIMÍR BARTL BRNO, FALL 2014 STATEMENT OF AUTHORSHIP Hereby I declare that this thesis is my original work, which I accomplished independently. All sources, references and literature I use or refer to are accurately cited and stated in the thesis. Signature:............................................ i ACKNOWLEDGEMENT I wish to express my gratitude to RNDr. Marian Novotny, Ph.D. for governance over this thesis. Furthermore, I wish to thank my family and my girlfriend for their support throughout the process of writing. TUTOR: RNDr. Marian Novotny, Ph.D. ii ABSTRACT This thesis discusses a topic of malicious software giving emphasis on client side threats and vulnerable users. It gives an insight into concept of client honeypots and compares several implementations of this approach. A configuration of one selected tool is proposed and tested in the experiment. KEYWORDS client honeypot, low-interaction, high-interaction, malware, attacker, exploit, vulnerability, Cuckoo Sandbox iii TABLE OF CONTENTS 1 INTRODUCTION .......................................................................................................................... 3 1.1 MOTIVATION ........................................................................................................................ 4 1.2 CONTRIBUTION .................................................................................................................... 6 2 BACKGROUND THEORY ..........................................................................................................
    [Show full text]
  • Application Sandboxes: a Pen-Tester's
    Application Sandboxes: A Pen-Tester’s Perspective Rahul Kashyap, [email protected] Rafal Wojtczuk, [email protected] 1 Table of Contents 1.0.0 Executive Summary 4 2.0.0 Results Summary 4 3.0.0 Methodology and Techniques Used 4 4.0.0 Introduction 5 4.1.0 What is a Sandbox? 5 4.2.0 Products Tested 6 5.0.0 Windows Architecture Overview 10 5.1.0 Windows Integrity Mechanisms 11 5.2.0 Malware Trends 12 6.0.0 Type A Sandbox 12 6.1.0 Architecture 12 7.0.0 Type B Sandbox 16 7.1.0 Chromium Sandbox Architecture 16 8.0.0 Exploitation 18 8.1.0 Category 1: Vulnerabilities in OS Kernel 18 8.1.1.0 Kernel Exploit 1 19 8.1.1.1 Type A Sandbox 19 8.1.2.0 Kernel Exploit 2 22 8.1.2.1 Type A Sandbox 23 8.1.2.2 Type B Sandbox 24 8.1.3.0 Kernel Exploit 3 25 8.1.3.1 Type A Sandbox 25 8.1.3.2 Type B Sandbox 26 8.1.4.0 Summary 28 8.2.0 Category 2: Vulnerabilities in OS User Mode Components 28 8.2.1 TCP/IP Networking in Sandboxes 28 8.2.1.1 ALPC Ports 29 8.2.2 User Mode Exploit 31 8.2.2.1 Type A Sandbox 31 8.2.2.2 Type B Sandbox 34 8.2.3 Summary 36 8.3.0 Category 3: Sandbox Leakage 37 8.3.1 Webcam Access 37 8.3.2 Screen Scraping 39 8.3.3 Keylogging 40 8.3.4 ClipBoard Hijack 42 8.3.5 Steal Files 44 8.3.6 Network Shares Access 45 8.3.7 Summary 47 8.4.0 Category 4: Sandbox Vulnerabilities 47 8.4.1 Summary 48 8.5.0 A sandbox Inside a Sandbox 48 8.5.1 Type A Sandbox + Type B Sandbox 48 9.0.0 Conclusion 50 10.0.0 Bibliography 51 11.0.0 Appendix A.
    [Show full text]
  • Transparent System Introspection in Support of Analyzing Stealthy Malware
    Transparent System Introspection in Support of Analyzing Stealthy Malware A Dissertation Presented to the faculty of the School of Engineering and Applied Science University of Virginia In partial fulfillment of the requirements for the degree Doctor of Philosophy Computer Engineering by Kevin Joseph Leach December 2016 APPROVAL SHEET The dissertation is submitted in partial fulfillment of the requirements for the degree of Doctor of Philosophy Kevin Joseph Leach, author The dissertation has been read and approved by the examining committee: Dr. Westley Weimer, Advisor Dr. Joanne Dugan, Committee Chair Dr. Marty Humphrey Dr. Ronald D. Williams Dr. Laura E. Barnes Dr. Angelos Stavrou Accepted for the School of Engineering and Applied Science: Craig H. Benson, Dean, School of Engineering and Applied Science December 2016 Abstract The proliferation of malware has increased dramatically and seriously degraded the privacy of users and the integrity of hosts. Millions of unique malware samples appear every year, which has driven the development of a vast array of analysis tools. Malware analysis is often performed with the assistance of virtualization or emulation for rapid deployment. Malware samples are run in an instrumented virtual machine or analysis tool, and existing introspection techniques help an analyst determine its behavior. Unfortunately, a growing body of malware samples has begun employing anti-debugging, anti-virtualization, and anti- emulation techniques to escape or otherwise subvert these analysis mechanisms. These anti-analysis techniques often require measuring differences between the analysis en- vironment and the native environment (e.g., executing more slowly in a debugger). We call these measurable differences artifacts. Malware samples that use artifacts to exhibit stealthy behavior have increased the effort required to analyze and understand each stealthy sam- ple.
    [Show full text]
  • Set Shortcut Clean Defrag Set Shortcut Clean Defrag Winrescue
    RE-SETUP WINDOWS XP sp 2 – 31/05/2009 Personal/Corporate) ver. 5.1.2600.2180 – 040803.2158 7. Explorer right click My Document Properties Move (F5=system, F8=select boot) 8. Outlook Express (OE) Tools Options General : When starting, go directly to Inbox A. BACKUP Send : Automatically put people …. 1. Data, Pasword, Program Data by manual or program Maintenance : Store Folder = change OK Yes 2. Doc.Set.\username\Appl.Data\Microsoft\Templates 9. Regedit 3. Doc.Set.\username\ Favorites HKLM\System\CurrentControlSet\Control : 4. Doc.Set.\username\Loc.Set.\Appl.Data\ Microsoft\Outlook WaitToKillServiceTimeout < 2000 (200 is OK) 5. Doc.Set.\username\Loc.Set.\Appl.Data\Identities\ HKLM\System\CurrentControlSet\Control\SM\MM\PP : {37462A10……}\Microsoft\Outlook Express EnablePrefetcher=3 6. Hasil dari backup E.6. HKLM\Software\Microsoft\Windows\CV\Explorer\RC\NS : B. PARTITION Delete {D6277990-4C6A-11CF-8D87-00AA0060F5BF} C:\15GB\FAT32\Win98SE (HQ6K2-QPC42-3HWDM-BF4KJ-W4XWJ) HKCU\Control Panel\Desktop : MenuShowDelay=0 D:\50GB\FAT32\TEMPORARY (dibuat setelah Virtual Memory) HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced 1. Temp : win (TWF, Recent, Program), int (TIF, Cache, Cookies, History) buat DWORD dgn nama EnableBallonTips=0 2. Backup HKCU&HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer 3. ProgramData buat DWORD dgn nama NoDriveTypeAutorun=ff 4. Draft : Project, Exercise HKCU(&HKLM?)\Software\Microsoft\Windows\CurrentVersion\ E:\65GB\FAT32\DATA Explorer\ShellFolders&UserShellFolders Documents (Corporate, Personal, Program), Masterbox (Setup, FlashDisk), HKLM\System\CurrentControlSet\Services\LanmanServer\Parameter Multimedia, Reference (buat DWORD untuk IRPStackSize = 11~50 (decimal) HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall C. PARTITION HIDING (delete folder u/ ngilangin nama program di Add/Remove, export dulu) 1.
    [Show full text]
  • Operating System Based Virtualization Models in Cloud Computing Dev Ras Pandey, Bharat Mishra, S
    World Academy of Science, Engineering and Technology International Journal of Computer and Information Engineering Vol:11, No:3, 2017 Operating System Based Virtualization Models in Cloud Computing Dev Ras Pandey, Bharat Mishra, S. K. Tripathi 1 virtualization causes a single point of failure, and taking Abstract—Cloud computing is ready to transform the structure of control over the hypervisor from virtual machine level is not businesses and learning through supplying the real-time applications possible [3]. OS based virtualization model is also categorized and provide an immediate help for small to medium sized businesses. as container based and hypervisor based virtualization. Under The ability to run a hypervisor inside a virtual machine is important feature of virtualization and it is called nested virtualization. In this, a wide group of models is available with their today’s growing field of information technology, many of the specification, which makes difficult to select one. On the basis virtualization models are available, that provide a convenient of user’s requirements, different models of OS based approach to implement, but decision for a single model selection is virtualization and both type of techniques container based and difficult. This paper explains the applications of operating system hypervisor based are selected for further study incorporated based virtualization in cloud computing with an appropriate/suitable with requirements of users. model with their different specifications and user’s requirements. In the present paper, most popular models are selected, and the selection was based on container and hypervisor based virtualization. Selected II. OS BASED VIRTUALIZATION models were compared with a wide range of user’s requirements as Host OS enables virtualization that supports multiple number of CPUs, memory size, nested virtualization supports, live isolated, virtualized guests – OS instances, nested migration and commercial supports, etc.
    [Show full text]
  • Sandbox" Programskih Alata CCERT-PUBDOC-2009-03-259
    Usporedba "sandbox" programskih alata CCERT-PUBDOC-2009-03-259 Revizija 1.06 CCERT-PUBDOC-2009-03-259 Stranica 1/21 Sigurnosni problemi u računalnim programima i operativnim sustavima područje je na kojem CARNet CERT kontinuirano radi. Rezultat toga rada je i ovaj dokument, koji je nastao suradnjom CARNet CERT– a i LS&S–a, a za koji se nadamo se da će Vam koristiti u poboljšanju sigurnosti Vašeg sustava. CARNet CERT, www.cert.hr Nacionalno središte za sigurnost računalnih mreža i sustava. LS&S, www.LSS.hr Laboratorij za sustave i signale pri Zavodu za elektroničke sustave i obradbu informacija Fakulteta elektrotehnike i računarstva Sveučilišta u Zagrebu. Ovaj dokument je vlasništvo CARNet–a (CARNet CERT–a). Namijenjen je za javnu objavu, njime se može svatko koristiti, na njega se pozivati, ali samo u izvornom obliku, bez ikakvih izmjena, uz obavezno navođenje izvora podataka. Korištenje ovog dokumenta protivno gornjim navodima, povreda je autorskih prava CARNet–a, sukladno Zakonu o autorskim pravima. Počinitelj takve aktivnosti podliježe kaznenoj odgovornosti koja je regulirana Kaznenim zakonom RH. Revizija 1.06 CCERT-PUBDOC-2009-03-259 Stranica 2/21 Sadržaj 1. UVOD ............................................................................................................................................................. 4 2. OPIS „SANDBOX“ MEHANIZMA ................................................................................................................... 5 3. PRIMJENA „SANDBOX” ALATA ...................................................................................................................
    [Show full text]
  • Bypassing Modern Sandbox Technologies
    Gustav Lundsgård & Victor Nedström Bypassing modern sandbox technologies technologies sandbox modern Bypassing Master’s Thesis Bypassing modern sandbox technologies An experiment on sandbox evasion techniques — Gustav Lundsgård An experiment on sandbox evasion techniques Victor Nedström Series of Master’s theses Department of Electrical and Information Technology LU/LTH-EIT 2016-517 Department of Electrical and Information Technology, http://www.eit.lth.se Faculty of Engineering, LTH, Lund University, 2016. Bypassing modern sandbox technologies An experiment on sandbox evasion techniques Gustav Lundsgård Victor Nedström Department of Electrical and Information Technology Lund University Advisor: Paul Stankovski June 21, 2016 Printed in Sweden E-huset, Lund, 2016 Abstract Malware (malicious software) is becoming an increasing problem, as it continu- ously grows both in numbers and complexity. Traditional, signature based anti- virus systems are often incapable of detecting new, sophisticated malware, which calls for more advanced tools. So called sandboxes are tools which automate the process of analyzing malware by actually running them in isolated environments and observing their behavior. Although this approach works very well in theory, some malware have recently begun deploying sandbox detection techniques. With the help of these techniques, malware may detect when they are being analyzed and manage to evade the sandbox by hiding their malicious behavior. The authors of this Master’s Thesis have developed and compared differ- ent types of sandbox detection techniques on five market leading products. It was shown that an average of roughly 43% of the detection techniques devel- oped were capable of both detecting and bypassing the sandboxes, and that the best performing sandbox caught as much as 40% more of the techniques than the worst.
    [Show full text]
  • Cursor— Page 2 — March 17, 2012 Continued from Page 2 • See for News and Tips About Windows 8
    TThheeCCuurrssoorr Monthly Newsletterofthe WashingtonArea ComputerUserGroup Meeting Location: Next Meeting: OLLI, 4210 Roberts Road March 17, 2012 Fairfax, VA Presidential Bits by GeofGoodrum President WACUG, president(at)wacug.org The February meeting, one of our best attended ever, featured excellent presentations about Digital Photography by Dan Feighery and TrueCrypt disk encryption software by Lorrin Garson. Dan characterized his session as plowing the digital photo field “a mile wide and an inch deep.” Dan covered the characteristics of Paul Howard (left) introduces digital cameras from inexpensive “point & shoot” models to high-end Dan Feighery (right) Digital Single-Lens Reflex (DSLR) models. Even the basic cameras have extensive manuals describing available features, displays, and controls of the camera, and Dan encouraged everyone who buys a Table of Contents camera to spend some time with the manual to understand the camera’s capabilities. One particular function is the histogram, which Useful Bits & Pieces.............2 can help you optimize your pictures. Dan also discussed color Linux News........................... 4 management, a somewhat involved end-to-end process that includes Sandboxie............................. 7 adjustment of video monitor, camera, and printer to ensure that the Using PowerPoint................9 colors captured by the camera are reproduced as accurately as Micro Center Clinics..........10 possible on screen and in print. Dan’s briefing slides are on the WAC Recent Meetings web page (http://www.wacug.org/recmtgs.html) as a 21 MB PDF file, and serves as an invaluable reference to the general Only in the Download concepts of digital photography. Edition: Lorrin Garson returned to talk about “Protecting Private Information with TrueCrypt” software, available as a free download for Microsoft Windows, GNU/Linux, and Apple Macintosh OS X systems.
    [Show full text]
  • SECURITY SANDBOXING for PC2: WINDOWS VERSION a Project
    SECURITY SANDBOXING FOR PC2: WINDOWS VERSION A Project Presented to the faculty of the Department of Computer Science California State University, Sacramento Submitted in partial satisfaction of the requirements for the degree of MASTER OF SCIENCE in Computer Science by Parita Shah SPRING 2017 SECURITY SANDBOXING FOR PC2: WINDOWS VERSION A Project by Parita Shah Approved by: __________________________________, Committee Chair Dr. John Clevenger __________________________________, Second Reader Dr. V. Scott Gordon ____________________________ Date ii Student: Parita Shah I certify that this student has met the requirements for format contained in the University format manual, and that this project is suitable for shelving in the Library and credit is to be awarded for the project. __________________________, Graduate Coordinator ___________________ Dr. Jinsong Ouyang Date Department of Computer Science iii Abstract of SECURITY SANDBOXING FOR PC2: WINDOWS VERSION by Parita Shah The purpose of a Sandbox software is to execute a program under restricted environment to protect a computer system from malicious activities. The Security Sandbox tool will be developed to be used for the Programming Contest Control System, called PC2 for short. PC2 software is used to support programming contests of ACM and its International Collegiate Programming Contests around the world. PC2 allows teams to submit their programs to the judges over the network. The judges can perform manual judging for the team’s submitted program. PC2 also supports automatic judging of these submitted programs. These are a few of the many functionalities of PC2. When teams submit their programs for judging, their code might perform malicious activities on the system that is running the judging module.
    [Show full text]
  • Windows Security Sandbox Framework Kyle P
    Eastern Washington University EWU Digital Commons EWU Masters Thesis Collection Student Research and Creative Works 2012 Windows security sandbox framework Kyle P. Gwinnup Eastern Washington University Follow this and additional works at: http://dc.ewu.edu/theses Part of the Computer Sciences Commons Recommended Citation Gwinnup, Kyle P., "Windows security sandbox framework" (2012). EWU Masters Thesis Collection. 68. http://dc.ewu.edu/theses/68 This Thesis is brought to you for free and open access by the Student Research and Creative Works at EWU Digital Commons. It has been accepted for inclusion in EWU Masters Thesis Collection by an authorized administrator of EWU Digital Commons. For more information, please contact [email protected]. WINDOWS SECURITY SANDBOX FRAMEWORK A Thesis Presented To Eastern Washington University Cheney, Washington In Partial Fulfillment of the Requirements for the Degree Master of Science By Kyle P. Gwinnup Summer 2012 THESIS OF KYLE GWINNUP APPROVED BY DATE CAROL TAYLOR, GRADUATE STUDY COMMITTEE DATE BILL CLARK, GRADUATE STUDY COMMITTEE ii iii Abstract Software systems are vulnerable to attack in many different ways. Systems can be poorly implemented which could allow an attacker access to the system through legitimate means such as anonymous access to a server or security controls and access lists can be configured incorrectly which would allow an attacker access to the system by exploiting a logic flaw in the systems configuration. These security vulnerabilities can be limited by implementing software systems properly or in a more restrictive manner. Sandboxing an application allows for interception of a processes system call for verification against a defined policy.
    [Show full text]
  • Appropriate Security and Confinement Technologies
    Appropriate Security and Confinement Technologies Methods for the Design of Appropriate Security and a Case Study on Confinement Technologies for Desktop Computers Steve Dodier-Lazaro UCL A thesis submitted for the degree of Doctor of Philosophy 22nd June 2018 I, Steve Dodier-Lazaro confirm that the work presented in this thesis is my own. Where information has been derived from other sources, I confirm that this has been indicated in the thesis. 3 Abstract Despite significant research, desktop computers remain fundamentally insecure. Mal- ware is a prime culprit for data breaches in organisations. A vast number of user machines are connected to the Internet unprotected, leading to global ransomware attacks costing billions to world economies. Confinement systems are technologies that can thwart mal- ware. Several security researchers have claimed to have designed usable confinement, and both Microsoft and Apple have deployed confinement into their desktop OSs in the form of sandboxes, but application developers avoid supporting it. Commercial off-the-shelf confinement systems exist which users can adopt and use, but very few do. My thesis investigates the design process of confinement technologies, to understand why they are not in use. It is divided in two parts. Firstly, I examine why the methods of usable security may not be judicious when it comes to designing for adoption. I propose alternative methods and goals, focused on the adoption and appropriation of technologies, rather than on their usability. This alternative process, named appropriate security, rests on four principles: security research is about users, not technology; it is about appropriation, not usability; it should not cause harm to users; and it should involve users in shaping security goals, rather than impose others’ goals onto them.
    [Show full text]
  • Virus Contact Tracing
    Security Now! Transcript of Episode #762 Page 1 of 23 Transcript of Episode #762 Virus Contact Tracing Description: This week we follow-up on a bunch of continuing Zoom news, since Zoom appears to be poised to become the teleconferencing platform of choice for the world at large. They've made more changes, have been sued, and have been rapidly taking steps to fix their remaining problems. We have some browser news and another worrisome look into Android apps using a novel approach to quickly characterize them. We have an interesting and sad bit of miscellany, a progress report on my SpinRite work, and then we take the sort of full technical deep dive into the joint Apple/Google Contact Tracing system that our listeners have come to expect from this podcast. By the end of this podcast everyone will understand exactly what Apple and Google have done and how the system functions, in detail. High quality (64 kbps) mp3 audio file URL: http://media.GRC.com/sn/SN-762.mp3 Quarter size (16 kbps) mp3 audio file URL: http://media.GRC.com/sn/sn-762-lq.mp3 SHOW TEASE: It's time for Security Now!. Steve Gibson's here. There is, of course, lots to talk about. A farewell to a guy who was very inspirational to both Steve and me in our youth, another victim of COVID-19. And then Steve will talk about Apple and Google's plan to support quarantine and tracking using your iPhone and Android. Steve breaks it down, says how it works, and explains how it can be used without invading privacy.
    [Show full text]