ABSTRACT
Sandboxes impose a security policy, isolating applications and their components from the rest of a system. While many sandboxing techniques exist, state-of-the-art sandboxes generally perform their functions within the system that is being defended. As a result, when the sandbox fails or is bypassed, the security of the surrounding system can no longer be assured. We experiment with the idea of in-nimbo sandboxing, encapsulating untrusted computations away from the system we are trying to protect. The idea is to delegate computations that may be vulnerable or malicious to virtual machine instances in a cloud computing environment.
This may not reduce the possibility of an in-situ sandbox compromise, but it could significantly reduce the consequences should that possibility be realized. To achieve this advantage, there are additional requirements, including: (1) a regulated channel between the local and cloud environments that supports interaction with the encapsulated application, and (2) a performance design that acceptably minimizes latencies in excess of the in-situ baseline.
To test the feasibility of the idea, we built an in-nimbo sandbox for Adobe Reader, an application that historically has been subject to significant attacks. We undertook a prototype deployment with PDF users in a large aerospace firm. In addition to thwarting several examples of existing PDF-based malware, we found that the added increment of latency, perhaps surprisingly, does not overly impair the user experience with respect to performance or usability.
Index Terms
- In-nimbo sandboxing