|
|
Sandbox-interception Recognition Method Based on Function Injection |
ZHAO Xu YAN Xuexiong WANG Qingxian WEI Qiang |
(The PLA Information Engineering University, Zhengzhou 450002, China)
(State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450002, China) |
|
|
Abstract Testing sandbox authentication mechanism needs to recognize the sandbox interception first, i.e. to recognize the intercepted system function sets by the sandbox. Existing Hook recognition methods and tools mainly focus on the existence of the hook, lacking the ability of recognizing sandbox interception. This study proposes a sandbox interception recognition method based on function injection. The method recognizes the sandbox intercepts testing functions by analyzing the trace of system functions. First, the method injects and executes the system functions in untrusted process to record the function trace. Then, according to the features of intercepted system function trace, the paper designs the address space finite state automata and identifies intercepted system functions by analyzing the trace. Next, the function sets are traversed to identify the intercepted system function sets by target sandbox. Finally, a prototype is implemented—SIAnalyzer, and tested with Chromium Sandbox and Adobe Reader Sandbox. Results show the method proposed is effective and practical.
|
Received: 21 September 2015
Published: 07 April 2016
|
|
Fund: The National 863 Program of China (2012AA012902) |
Corresponding Authors:
ZHAO Xu
E-mail: zhx0117@sina.cn
|
|
|
|
[1] |
YEE B, SEHR D, DARDYK G, et al. Native client: A sandbox for portable, untrusted x86 native code[C]. 2009 IEEE Symposium on Security and Privacy, Oakland, USA, 2009: 79-93.
|
[2] |
MAASS M, SALES A, CHUNG B, et al. A systematic analysis of the science of sandboxing[J]. PeerJ Computer Science, 2016, 2: e43. doi:10.7717/peerj-cs.43.
|
[3] |
CVE-2014-0512[OL]. https://web.nvd.nist.gov/view/vuln /detail?vulnId=CVE-2014-0512, 2014.
|
[4] |
CVE-2014-0546[OL]. https://web.nvd.nist.gov/view/vuln/ detail?vulnId=CVE-2014-0546, 2014.
|
[5] |
CVE-2015-2429[OL]. https://web.nvd.nist.gov/view/vuln/ detail?vulnId=CVE-2015-2429, 2015.
|
[6] |
CVE-2011-1353[OL], https://web.nvd.nist.gov/view/vuln/ detail?vulnId=CVE-2011-1353, 2011.
|
[7] |
CVE-2013-0641[OL]. https://web.nvd.nist.gov/view/vuln/ detail?vulnId=CVE-2013-0641, 2013.
|
[8] |
CVE-2013-3186[OL]. https://web.nvd.nist.gov/view/vuln/ detail?vulnId=CVE-2013-3186, 2013.
|
[9] |
崔宝江, 梁晓兵, 王禹, 等. 基于回溯和引导的关键代码区域覆盖的二进制程序测试技术研究[J].电子与信息学报, 2012, 34(1): 108-114. doi: 10.3724/SP.J.1146.2011.00532.
|
|
CUI B J, LIANG X B, WANG Y, et al. The study of binary program test techniques based on backtracking and leading for covering key code area[J]. Journal of Electronics & Information Technology, 2012, 34(1): 108-114. doi: 10.3724/SP.J.1146.2011.00532.
|
[10] |
欧阳永基, 魏强, 王清贤, 等. 基于异常分布导向的智能Fuzzing方法[J].电子与信息学报, 2015, 37(1): 143-149. doi: 10.11999/JEIT140262.
|
|
OUYANG Y J, WEI Q, WANG Q X, et al. Intelligent fuzzing based on exception distribution steering[J]. Journal of Electronics & Information Technology, 2015, 37(1): 143-149. doi: 10.11999/JEIT140262.
|
[11] |
SABABAL P and MARK V Y. Playing in the reader X sandbox[C]. Black Hat USA 2011, Las Vegas, USA 2011. https://media.blackhat.com/bh-us-11/Sabanal/BH_US_11_SabanalYason_Readerx_WP.pdf.
|
[12] |
MARK V Y. Understanding the attack surface and attack resilience of project spartans new edgeHtml rendering engine[C]. Black Hat USA 2015, Las Vegas, USA, 2015. https: //www. blackhat. com/ docs/ us-15/materials/us-15-Yason- Understanding-The-Attack-Surface-And-Attack-Resilience-Of-Project-Spartans-New-EdgeHTML-Rendering-Engine-wp.pdf.
|
[13] |
JAMES F. Digging for sandbox escapes-finding sandbox breakouts in Internet explorer[C]. Black Hat USA 2014, Las Vegas, USA, 2014. https://www.blackhat.com/docs/ us-14/ materials/us-14-Forshaw-Digging-For_IE11-Sandbox-Escapes. pdf.
|
[14] |
KOH Y C. Understanding the microsoft office 2013 protected-view sandbox[C]. Recon, Montreal, Canada, 2015. http://recon.cx/2015/slides/recon 2015-16-yong-chuan-koh- Understaning-the-Microsoft-Office-Protected-View-Sandbox.pdf.
|
[15] |
LI X N and LI H F. Smart COM fuzzing-auditing IE sandbox bypass in COM objects[C]. CanSecWest Vancouver 2015, Vancouver, Canada, 2015. https://cansecwest.com/ slides/ 2015/Smart_COM_Fuzzing_Auditing_IE_Sandbox_Bypass_in_COM_Objects-Xiaoning_li.pdf.
|
[16] |
BRIAN G and JASIEL S. Thinking outside the sandbox: Violating trust boundaries in uncommon ways[C]. Black Hat USA 2014, Las Vegas, USA, 2014. https: //www. blackhat. com/docs/us-14/materials/us-14-Gorenc-Thinking-Outside-The-Sandbox-Violating-Trust-Boundaries-In-Uncommon- Ways-WP.pdf.
|
[17] |
LIU Z H and GUILAUME L. Breeding Sandworms: How to fuzz your way out of Adobe Reader’s Sandbox[C]. Black Hat EUROPE 2012, Amsterdam, Netherlands, 2012. https:// media.blackhat.com/bh-eu-12/Liu_Lovet/bh-eu-12-Liu_Lovet-Sandworms-Slides.pdf.
|
[18] |
Wang Z, JIANG X, CUI W, et al. Countering persistent kernel rootkits through systematic hook discovery[C]. Recent Advances in Intrusion Detection 2008, Cambridge, England, 2008: 21-38.
|
[19] |
YIN H, POOSANKAM P, HANNA S, et al. HookScout: proactive binary-centric hook detection[C]. 7th Detection of Intrusions and Malware, and Vulnerability Assessment, Bonn, Germany, 2010: 1-20.
|
[20] |
BUTLER J and GREG H. VICE-catch the hookers[C]. Black Hat USA 2004, Las Vegas, USA, 2004. http:// 120.52. 72.44/www.blackhat.com/c3pr90ntcsf0/presentations/bh-usa-04/bh-us-04-butler/bh-us-04-butler.pdf.
|
[21] |
JOANNA R. System Virginity verifier-defining the roadmap for malware detection on windows system[C]. Hack In The Box 2005, Kuala, 2005. http://www.cs.dartmouth.edu/ ~sergey/cs258/rootkits/hitb05_virginity_verifier.ppt.
|
[22] |
HookShark[OL]. http://www.gamedeception.net/threads/ 20596-HookShark-Beta-0-9-highlight=hookshark, 2010.
|
[23] |
BELLARD F. QEMU, a fast and portable dynamic translator[C]. Proc. USENIX Annual Technical Conference, Marroitt Anaheim, USA, 2005: 41-46.
|
|
|
|