Derbycon Bromium Labs: Sandboxes

Sandboxes: A pen tester's perspective. Analysis of various publicly available sandboxes

    Derbycon Bromium Labs: Sandboxes Presentation Transcript

    • Sandboxes: A Pen-tester’s perspective, Rahul Kashyap
    • About (Bromium Confidential)
      • Previously led McAfee Labs vuln research
      • Done security startups and offense/defense security research
      • Bromium Labs
      • Team has discovered several vulnerabilities in multiple platforms
      • Spoken at several cool conferences
      • I’m Hiring!
    • Agenda
      • Sandboxes: Introduction
        • Architecture
        • Types
      • Sandboxes: Exploitation
        • Kernel Mode
        • User Mode
      • Conclusion
    • What is a sandbox?
      • Environment designed to run untrusted (or exploitable) code, in a manner that prevents the encapsulated code from damaging the rest of the system
      • The aim of a sandbox is to isolate threats
      • Our research focuses on security effectiveness of the isolation primitives for application sandboxes
    • Types of Sandboxes
      • Type A: OS enhancement based (Sandboxie, Buffer Zone Pro, Dell DDP)
      • Type B: Master/slave model (Adobe ReaderX, Chrome browser)
    • Digression: Windows OS
      • A lot of commonly used code reliant on kernel components and various services
      • Large exposure to kernel interfaces
    • How kernel enforces access control
      • Sandboxed app: dear kernel, please open a file for me, the file name is at address X
      • Kernel: X points to “allowed_file.txt” string; here goes a file handle for you
      • Sandboxed app: dear kernel, please open a file for me, the file name is at address Y
      • Kernel: Y points to “secret_file.txt” string; you are a sandboxed app, I will not let you access this file
    • How kernel exploits work (example)
      • Sandboxed app: dear kernel, please draw the text “Hello world” for me please, using the true type font stored at address X
      • Kernel: You are a sandboxed app, but using a font is a benign operation which you need to function properly
      • Kernel: OK, just a moment, I need to parse this font
      • While processing the font, kernel corrupts its own memory because the parser code in the kernel is buggy
      • Because of memory corruption, kernel starts executing code at X, which allows the app to do anything it wants
    • TYPE A
      • Example: Sandboxie, BufferZone Pro, Dell DDP
      • Custom kernel driver modifies Windows behavior, so that changes to protected system components are prevented
      • Use cases: Most such sandboxes are used for controlled execution of applications
      • Sandboxie is widely used for malware analysis
    • Application Sandbox Type A
    • TYPE B
      • Example: Google Chrome, Adobe Reader
      • Two processes - master and slave, talking over IPC channel
      • Slave is confined using OS access control facilities
      • Master mediates access to resources
      • Use case: protect the application from exploitation
      • Google Chrome and Adobe Reader are popular applications mainly for web and content rendering
    • Architecture: Type B
      • Master has smaller codebase, the point being – it should be tougher to exploit it
      • Slave has a bigger attack surface that needs to be "brokered" by the master
      • Slave still directly interacts with the OS Kernel
      • Slave also has access to certain user mode components
    • Application Sandbox Type B
    • Chromium sandbox on Windows
      • Slave runs with low privileges
        • restricted token
        • job object
        • desktop object
        • integrity level
    • Chromium sandbox on Windows
      • How exhaustive is the OS-based confinement, according to the documentation [2]?
        • Mounted FAT or FAT32 volumes – no protection
        • TCP/IP – no protection
        • Access to most existing securable resources denied
      • Everybody agrees it is good enough…
    • Chromium sandbox in action (figure labels: Slave, Master)
    • Chromium sandbox on Windows
      • How resistant is Master to a malicious Slave?
        • This is what most authors focused on
      • How resistant is OS to a malicious Slave?
        • We focus on the last aspect
      • Recently MWRLabs also bypassed Chrome using a similar vector at Pwn2Own 2013 [11]
    • Master/slave type sandbox on Windows, Adobe Reader
      • Observe “Low” Integrity level
    • Master/slave type sandbox on Windows, Adobe Reader
      • Exhaustive previous related work on methodology of attacking the Master [3], [4]
      • The first case of an Adobe sandbox vulnerability exploited in the wild was reported in Feb 2013 [9]
      • This escape was possible because of a bug in Master
    • Master/slave type sandbox on Windows, Chrome browser
      • Observe “untrusted” Integrity level
    • Master/slave type sandbox on Windows, Chrome browser
      • Slave de-privileged even more than stated in chrome sandbox documentation
      • “Untrusted” integrity level
      • Particularly, access to FAT32 file system denied
    • Master/slave type sandbox on Windows, Chrome browser
      • Well-known cases of successful attacks against the master (shown at Pwnium [5], Pwn2own [6])
      • The attacks against the master are complex and relatively rare
    • Master/slave type sandbox on Windows, Chrome browser
      • Slave can still exploit a kernel vulnerability
      • bpf syscall filter on Linux - designed to limit exposure of OS #nice
      • Some vulnerabilities are not exploitable by Slave
        • If need to create a process
        • If need to alter specific locations in the registry
      • win32k.sys still much exposed
      A vulnerability in win32k.sys can potentially be exploited at the browser level, yielding full control over the machine directly, without the need to achieve code execution in the sandbox first.
    • Exploitation
    • CVE-2012-0217 Exploit: MS12-042 SANDBOX BYPASS DEMO (Kernel Mode Exploitation) Sandbox PWNY!
    • Is this a problem?
      • Windows kernel issues are discovered increasingly frequently
        • 25 CVE for Windows kernel in 2012
        • 73+ CVE till Sept 2013
      • There have been attacks like Duqu that have targeted kernel vulnerabilities
      • Yes… it's a large attack surface
    • User Mode Exploitation
      • Type A and Type B do not restrict network connectivity for a sandboxed process.
      • The exception to this rule is Google Chrome that has been hardened to restrict TCP/IP networking in case the renderer got exploited.
      • All vulns in these services are a potential sandbox escape vector
      • Even properly functioning code can be abused
    • ALPC ports are a low-level mechanism used for interprocess communication on the Windows OS. Again, many Windows services listen on ALPC ports; if sandboxed code can connect to these services, it can attempt to exploit a vulnerability in them.
      • Type A sandboxes are wide open to all of these ALPC ports
    • ALPC Ports: Adobe Reader vs Chrome
      Adobe Reader XI (version 11.0.3):
        lkd> !alpc /lpp fffffa80052ffb30
        Ports created by the process fffffa80052ffb30:
          fffffa8004f9fb50('OLEB45817786DEF457D9394B3110F6 B') 0, 1 connections
            fffffa8005312070 0 -> fffffa8005279990 0 fffffa80078ddb30('svchost.exe')
        Ports the process fffffa80052ffb30 is connected to:
          fffffa80053073c0 0 -> fffffa80078bf090('ApiPort') 0 fffffa8007ce3060('csrss.exe')
          fffffa80050b7070 0 -> fffffa8007b4ea10('ThemeApiPort') 0 fffffa8007aaab30('svchost.exe')
          fffffa800b4b9e60 0 -> fffffa8007912c30('lsasspirpc') 0 fffffa8007883210('lsass.exe')
          fffffa8004f1adc0 0 -> fffffa8007b34e60('Audiosrv') 0 fffffa8007a1e9e0('svchost.exe')
          fffffa8004f0e3f0 0 -> fffffa80079d4e60('epmapper') 31 fffffa80078ddb30('svchost.exe')
          fffffa800535cb20 0 -> fffffa800798ea70('plugplay') 0 fffffa800797db30('svchost.exe')
      Google Chrome browser (Version 27.0.1453.110 m):
        lkd> !alpc /lpp fffffa80053a1060
        Ports created by the process fffffa80053a1060:
          <none>
        Ports the process fffffa80053a1060 is connected to:
          fffffa8005397b30 0 -> fffffa80078bf090('ApiPort') 0 fffffa8007ce3060('csrss.exe')
          fffffa80052c8dd0 0 -> fffffa8007b4ea10('ThemeApiPort') 0 fffffa8007aaab30('svchost.exe')
    • Example: CSRSS vulnerability (MS11-063)
      • “The vulnerability is caused by CSRSS improperly validating permissions when a lower-integrity process communicates a device event message to a higher-integrity process.”
      • Actually, the vulnerable versions of CSRSS performed no validation or permission check at all, blindly executing PostMessage with all parameters controllable by the peer.
      • Errr... Shatter attack redux??
    • CVE-2011-1967 Exploit: MS11-063 SANDBOX User-Mode Exploitation
    • Summary
    • CVE-2011-3402 Exploit: MS11-087 SiS’eh: Sandbox-in-Sandbox?Sandbox) !) Clueless PWNY! DiDi ™ :- Defense in Depth indeed!
    • Conclusion
      • Application sandboxes are fundamentally vulnerable to kernel mode and certain user mode vulnerabilities on the OS
      • Breaking out of a sandbox by exploiting OS vulns provides far better ROI for the attackers
      • In our analysis, Type A were far easier to escape than Type B #$$ #Chrome
      • Definitely avoid malware analysis inside application sandboxes! #D'0h!
    • Credits/References
      • Rafal Wojtczuk, Bromium Labs
      • [1]
      • [2]
      • [3] "A Castle Made of Sand - Adobe Reader X Sandbox" Richard Johnson
      • [4] "Breeding Sandworms" - Zhenhua Liu, Guillaume Lovet
      • [5]
      • [6] "Pwn2Own 2012: Google Chrome browser sandbox first to fall"
      • [7] Dennis Fisher
      • [8] BufferZone Pro,
      • [9]
      • [10] Duqu malware,
      • [11]
    • @rckashyap Thanks!
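
The comparison on the "ALPC Ports: Adobe Reader vs Chrome" slide can be made repeatable. The following is an added example, not part of the talk: it parses `!alpc /lpp` output and lists the service ports a sandboxed process is connected to beyond a baseline process. The function names are hypothetical, and the sample data is the slide's own listing with line breaks restored.

```python
import re

# The two `!alpc /lpp` listings from the slide, line breaks restored.
READER = """\
Ports created by the process fffffa80052ffb30:
fffffa8004f9fb50('OLEB45817786DEF457D9394B3110F6 B') 0, 1 connections
fffffa8005312070 0 -> fffffa8005279990 0 fffffa80078ddb30('svchost.exe')
Ports the process fffffa80052ffb30 is connected to:
fffffa80053073c0 0 -> fffffa80078bf090('ApiPort') 0 fffffa8007ce3060('csrss.exe')
fffffa80050b7070 0 -> fffffa8007b4ea10('ThemeApiPort') 0 fffffa8007aaab30('svchost.exe')
fffffa800b4b9e60 0 -> fffffa8007912c30('lsasspirpc') 0 fffffa8007883210('lsass.exe')
fffffa8004f1adc0 0 -> fffffa8007b34e60('Audiosrv') 0 fffffa8007a1e9e0('svchost.exe')
fffffa8004f0e3f0 0 -> fffffa80079d4e60('epmapper') 31 fffffa80078ddb30('svchost.exe')
fffffa800535cb20 0 -> fffffa800798ea70('plugplay') 0 fffffa800797db30('svchost.exe')
"""
CHROME = """\
Ports created by the process fffffa80053a1060:
<none>
Ports the process fffffa80053a1060 is connected to:
fffffa8005397b30 0 -> fffffa80078bf090('ApiPort') 0 fffffa8007ce3060('csrss.exe')
fffffa80052c8dd0 0 -> fffffa8007b4ea10('ThemeApiPort') 0 fffffa8007aaab30('svchost.exe')
"""

# client_port refs -> server_port('name') refs owner_process('image')
CONN = re.compile(
    r"\s*[0-9a-f]+ \d+ -> [0-9a-f]+\('([^']+)'\) \d+ [0-9a-f]+\('([^']+)'\)")

def connected_ports(dump):
    """Return {(port name, server image)} the dumped process is a client of."""
    found, outbound = set(), False
    for line in dump.splitlines():
        if line.lstrip().startswith("Ports "):
            # Only the "is connected to" section lists outbound connections;
            # ports the process created itself are skipped.
            outbound = "is connected to" in line
        elif outbound and (m := CONN.match(line)):
            found.add(m.groups())
    return found

def outside_baseline(dump, baseline):
    """Sorted ports reachable in `dump` but absent from the baseline dump."""
    return sorted(connected_ports(dump) - connected_ports(baseline))

if __name__ == "__main__":
    for port, image in outside_baseline(READER, CHROME):
        print(f"{port:12} served by {image}")
```

Each port reported is a service endpoint whose message handling sits outside the sandbox's mediation, which is the exposure the CSRSS example on the following slide illustrates.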