This week my colleague Rafal and I had a fun talk @BH EU, Amsterdam in which we demonstrated bypassing some of the popularly available application sandboxes on Windows viz: Sandboxie, BufferZone Pro, Google Chrome and Adobe ReaderX. We played this game a bit differently; we did not spend any time trying to find vulnerabilities in the sandbox implementation. That’s a different game, different attack surface and a lot of fellow researchers play it regularly (mostly for fun and sometimes lot’s of profit). Our game was focused on leveraging Windows OS kernel vulnerabilities to bypass the sandbox when it was not really the fault of the sandbox. So it was good to see that few of the vendors came back and said ‘good luck for the talk’ a.k.a I can’t really help you there buddies!!? (one did not bother to respond back to us, but that’s ok as ‘it was not their fault’).
In case you missed the talk (yeah just to avoid the Dutch winter), the summary of the talk is:
– Application sandboxes have a fundamental architectural limitation, they cannot reliably protect against vulnerabilities in the underlying Operating System. So your application sandbox is as secure as the next upcoming kernel advisory from Microsoft.
– Attackers are getting sophisticated; kernel vulns are getting more prevalent. Just last month there were 30 kernel mode vulns patched, ok ok… it might be a slight deviation in the curve, but in 2012 itself there were 25 kernel patches from Microsoft. Kernel interfaces are a huge attack surface and it’s getting interesting there.
Nope, sandboxing is not bad, it’s definitely decent. But, as we just demonstrated, it’s not good enough to tackle the emerging threat vectors. Last week’s pwn2own contest at Cansecwest conference seems to have used a kernel OS exploit to bypass the sandbox, we don’t have full details yet, but it looks like a neat escape.
Recommendation: Run an application sandbox inside a VM environment – especially if you are a malware pro or an enterprise that cares about its IP. You don’t want be the innocent victim of next Duqu equivalent kernel zero day malware.
The Whitepaper is available here and the slides are available here.
P.S: Roulette was fun (and yes we like winning!); our next stop is launching a ‘Sandstorm’ @InfoSec London next month. Hope to see you there! (nope I won’t comment on the English weather!!)