DOI: 10.1145/2600176.2600177 (research article)

In-nimbo sandboxing

Published: 08 April 2014

ABSTRACT

Sandboxes impose a security policy, isolating applications and their components from the rest of a system. While many sandboxing techniques exist, state-of-the-art sandboxes generally perform their functions within the system that is being defended. As a result, when the sandbox fails or is bypassed, the security of the surrounding system can no longer be assured. We experiment with the idea of in-nimbo sandboxing: encapsulating untrusted computations away from the system we are trying to protect. The idea is to delegate computations that may be vulnerable or malicious to virtual machine instances in a cloud computing environment.

This may not reduce the possibility of an in-situ sandbox compromise, but it could significantly reduce the consequences should that possibility be realized. To achieve this advantage, there are additional requirements, including: (1) a regulated channel between the local and cloud environments that supports interaction with the encapsulated application, and (2) a performance design that keeps the latency added over the in-situ baseline within acceptable bounds.

To test the feasibility of the idea, we built an in-nimbo sandbox for Adobe Reader, an application that historically has been subject to significant attacks. We undertook a prototype deployment with PDF users in a large aerospace firm. In addition to thwarting several examples of existing PDF-based malware, we found that the added increment of latency, perhaps surprisingly, does not overly impair the user experience with respect to performance or usability.
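As an added example of requirement (1), the regulated channel, written here for illustration rather than taken from the paper's prototype: a local-side policy check that admits only a small, bounded set of message types from the cloud instance, so rendered output can come back to the user's machine while the document's own objects, scripts and files cannot. The message types, field names and size bounds are assumptions made for this illustration.

```python
import base64
import json
# Cloud-to-local schema of the regulated channel: only these message types with
# exactly these fields may cross back, so the local client never receives PDF
# objects, scripts or files. (Types and size bounds here are assumptions.)
SCHEMAS = {
    "page_count": {"type": str, "count": int},
    "page_image": {"type": str, "page": int, "width": int, "height": int, "rgb_b64": str},
    "error": {"type": str, "reason": str},
}
MAX_PIXELS = 2000 * 2000              # largest rendered page the client accepts
MAX_MESSAGE_BYTES = 24 * 1024 * 1024  # covers MAX_PIXELS * 3 RGB bytes in base64
class ChannelViolation(Exception):
    """Raised when the remote instance sends something outside the policy."""

def accept_from_nimbo(raw: bytes) -> dict:
    """Local-side policy check on one message from the in-nimbo instance."""
    if len(raw) > MAX_MESSAGE_BYTES:
        raise ChannelViolation("message exceeds size bound")
    try:
        msg = json.loads(raw.decode("utf-8"))
    except ValueError:                      # UnicodeDecodeError is a ValueError too
        raise ChannelViolation("message is not well-formed JSON")
    mtype = msg.get("type") if isinstance(msg, dict) else None
    schema = SCHEMAS.get(mtype) if isinstance(mtype, str) else None
    if schema is None:
        raise ChannelViolation("unknown message type")
    if set(msg) != set(schema):             # exact field set: nothing extra or missing
        raise ChannelViolation("unexpected field set")
    for field, kind in schema.items():
        if type(msg[field]) is not kind:    # exact type: a bool must not pass as int
            raise ChannelViolation(f"field {field!r} has wrong type")
    if mtype == "page_image":
        w, h = msg["width"], msg["height"]
        if w <= 0 or h <= 0 or w * h > MAX_PIXELS:
            raise ChannelViolation("image dimensions out of bounds")
        try:
            pixels = base64.b64decode(msg["rgb_b64"], validate=True)
        except ValueError:                  # binascii.Error is a ValueError
            raise ChannelViolation("pixel payload is not valid base64")
        if len(pixels) != w * h * 3:        # 8-bit RGB, exactly 3 bytes per pixel
            raise ChannelViolation("pixel payload does not match dimensions")
        msg["rgb"] = pixels                 # decoded raster, all the viewer ever sees
    return msg

def classify(raw: bytes) -> str:            # "ok" or the reason the message was rejected
    try:
        accept_from_nimbo(raw)
        return "ok"
    except ChannelViolation as exc:
        return str(exc)
```

A violation is the cue to tear the channel down and discard that cloud instance rather than to attempt recovery on the local side.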

Published in

HotSoS '14: Proceedings of the 2014 Symposium and Bootcamp on the Science of Security
April 2014, 184 pages
ISBN: 9781450329071
DOI: 10.1145/2600176

Copyright © 2014 ACM

        Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher: Association for Computing Machinery, New York, NY, United States

Publication History: Published 8 April 2014

Qualifiers: research-article

Acceptance Rates

HotSoS '14 paper acceptance rate: 12 of 21 submissions, 57%. Overall acceptance rate: 34 of 60 submissions, 57%.
