Sandbox
Speaker : Erica
2019 / 11 / 24
- Introduction of Sandbox
- Implementations
- Sandbox in Windows 10
- Chrome Sandbox
- Open-sourcing Sandboxed API
- Sandbox-evading Malware
- Conclusion
- Reference
Contents
Introduction of
Sandbox
What is Sandbox?
In computer security, a "sandbox" is a security tool for isolating running programs, usually to lessen system failures or software vulnerabilities from spreading.
It is often used to execute untested or untrusted programs or code, possibly from untrusted third parties, suppliers, users or websites, without risking harm to the host machine or operating system.
Safe
The concept of Sandbox
Let the program to be executed in a virtual or simulated environment before being executed in the formal environment.
Sandbox
Implementations
Examples of sandbox implementations include the following:
- Google Sandboxed API
- A jail
- Virtual machines emulate a complete host computer
- Sandboxing on native hosts
- etc
The current anti-virus software will use sandboxing to ensure security.
Sandbox in
Windows 10
Sandbox in Windows 10
It is a new feature in the major update of Windows 10 May 2019. But Windows 10 Home does not provide this feature.
Some properties that Windows Sandbox has :
- Pristine
- Disposable
- Secure
Chrome Sandbox
New page
New page
Each page is a sandbox.
New page
New page
malicious
Open-sourcing Sandboxed API
by Google
Sandboxed API
The Sandboxed API automatically generates sandboxes for C/C++ libraries and produces reusable and secure functional implementations in popular software libraries to protect the remaining software infrastructure.
Sandbox-evading Malware
Well-known malware not afraid of sandbox simulation analysis:
- RANSOM_LOCKY
- encrypted DLLs
- Windows script files
- spam attachment files
- Disttrack
- OSX_KERANGER
- etc.
fileless attack
Here are a few fileless attack avoidance tips:
| tips | fileless attack | sandbox |
|---|---|---|
| Avoid file scanning | Do not use files | random file scanning |
| Avoid behavioral association analysis | Use scripts to hide in the system execution programs | Intercept system-level API |
| Avoid sandbox simulation analysis | Delayed execution | Limited observation time |
| tips | fileless attack | sandbox |
|---|
Conclusion
How to avoid?
Since the techniques for evading sandbox simulation are becoming increasingly popular among malware.
The sandbox environment must be customized to accurately reflect the system configuration in the real world.
Reference
-
35頁PPT!動力電池回收新技術—物理法回收技術介紹。Retrieved from: https://kknews.cc/news/5lv9b52.html
- SandBox (沙盒) 是什麼 ? 。Retrieved from: https://www.arthurtoday.com/2011/06/sandbox.html
- 教你使用 Windows 10 Sandbox 沙箱功能。Retrieved from: https://www.kocpc.com.tw/archives/267581
- Python Sandbox Escape. Retrieved from: https://ctf-wiki.github.io/ctf-wiki/pwn/linux/sandbox/python-sandbox-escape-zh/
Reference - 2
-
Python 沙盒逃逸备忘。Retrieved from: https://www.k0rz3n.com/2018/05/04/Python%20%E6%B2%99%E7%9B%92%E9%80%83%E9%80%B8%E5%A4%87%E5%BF%98/
- Windows Sandbox. Retrieved from: https://techcommunity.microsoft.com/t5/Windows-Kernel-Internals/Windows-Sandbox/ba-p/301849
- 一文看懂Python沙箱逃逸。Retrieved from: https://www.jishuwen.com/d/2F7p/zh-tw
Thanks for listening.