From: Todd D. <des...@gm...> - 2009-04-22 16:44:00
Hi,
I just wanted to let you know about a paper that I ran across, in case
you hadn't seen it yet:
Accurate Application-Specific Sandboxing for Win32/Intel Binaries
Wei Li, Lap-chung Lam, Tzi-cker Chiueh
Computer Science Department
Stony Brook University
Abstract:
Comparing the system call sequence of a network application against a
sandboxing policy is a popular approach to detecting control-hijacking
attacks, in which the attacker exploits such software vulnerabilities
as buffer overflow to take over the control of a victim application
and possibly the underlying machine. The long-standing technical
barrier to the acceptance of this system call monitoring approach is
how to derive accurate sandboxing policies for Windows applications
whose source code is unavailable. In fact, many commercial computer
security companies take advantage of this fact and fashion a business
model in which their users have to pay a subscription fee to receive
periodic updates on the application sandboxing policies, much like
anti-virus signatures. This paper describes the design, implementation
and evaluation of a sandboxing system called BASS that can
automatically extract a highly accurate application-specific
sandboxing policy from a Win32/X86 binary, and enforce the extracted
policy at run time with low performance overhead. BASS is built on a
binary interpretation and analysis infrastructure called BIRD, which
can handle application binaries with dynamically linked libraries,
exception handlers and multi-threading, and has been shown to work
correctly for a large number of commercially distributed Windows-based
network applications, including IIS and Apache. The throughput and
latency penalty of BASS for all the applications we have tested except
one is under 8%.
Cheers,
Todd
P.S. I still hope to get back to testing and development on
isolated-exec, but have still been busy with my core research and
projects lately.
--
Todd Deshane
http://todddeshane.net
http://runningxen.com
From: Passera, P. R <pab...@in...> - 2009-04-30 12:33:04
Hi Todd,
I haven't seen this paper. It is interesting. However, for this to work we should have a sandboxing policy of the downloaded file before installing it into our VM sandbox to detect control hijacking. I see this more like a protection for already installed files that have a known behavior than zero-day attack protection. Did I get it right?
Regards,
Pablo
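To make the two points in this exchange concrete, here is a small added example (written for this page; it is not code from the paper, from BASS/BIRD, or from the isolated-exec project). It models the mechanism the abstract describes, a system-call policy extracted from a specific binary and enforced at run time, as a simplified per-call-site allowlist, and it also shows the caveat raised in the reply above: a monitor of this kind can only enforce a policy that already exists for the binary, so an unknown downloaded file yields "nothing to check against" rather than a verdict. Every address, binary name and trace below is constructed for illustration, and the policy format is an assumption, not the paper's.

```python
# Added example (not code from the thread, the paper, or the isolated-exec
# project): a toy model of application-specific system-call sandboxing as the
# BASS abstract describes it, plus the "policy must already exist" caveat.
# All addresses, names and traces below are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# A policy pairs each permitted system call with the call site in the program
# text that may issue it. A real tool would derive these pairs by analysing
# the binary; here they are simply listed (constructed values).
Policy = Set[Tuple[int, str]]
TextRange = Tuple[int, int]   # [start, end) of the binary's code section

HTTPD_TEXT: TextRange = (0x401000, 0x402000)
HTTPD_POLICY: Policy = {
    (0x401010, "socket"),
    (0x401040, "bind"),
    (0x401070, "accept"),
    (0x4010A0, "read"),
    (0x4010D0, "write"),
    (0x401100, "close"),
}

# Policies are keyed by an identifier of the binary they were extracted from;
# a freshly downloaded file has no entry, which is the limitation discussed.
POLICIES: Dict[str, Tuple[TextRange, Policy]] = {
    "httpd-example": (HTTPD_TEXT, HTTPD_POLICY),
}


@dataclass(frozen=True)
class SyscallEvent:
    return_addr: int   # user-space address the call returns to
    name: str          # system call name


def check_event(text: TextRange, policy: Policy, ev: SyscallEvent) -> Optional[str]:
    """Return None if the event conforms to the policy, else the reason it does not."""
    lo, hi = text
    if not lo <= ev.return_addr < hi:
        # A call issued from stack or heap has no legitimate call site at all.
        return f"{ev.name} issued from outside program text (0x{ev.return_addr:x})"
    if (ev.return_addr, ev.name) not in policy:
        return f"{ev.name} not permitted at call site 0x{ev.return_addr:x}"
    return None


def monitor(text: TextRange, policy: Policy,
            trace: List[SyscallEvent]) -> List[Tuple[int, str]]:
    """Return (trace index, reason) for every event that violates the policy."""
    violations = []
    for i, ev in enumerate(trace):
        reason = check_event(text, policy, ev)
        if reason is not None:
            violations.append((i, reason))
    return violations


def monitor_binary(policies: Dict[str, Tuple[TextRange, Policy]], binary_id: str,
                   trace: List[SyscallEvent]) -> Tuple[str, List[Tuple[int, str]]]:
    """Enforce only when a policy exists for this binary.

    Returns ("no-policy", []) for an unknown binary so that the caller can tell
    "nothing to check against" apart from "checked and clean".
    """
    entry = policies.get(binary_id)
    if entry is None:
        return "no-policy", []
    text, policy = entry
    return "checked", monitor(text, policy, trace)


# Constructed traces: a normal request cycle, and the same cycle in which one
# call arrives from a stack-range address, as a hijacked control flow would.
NORMAL_TRACE = [
    SyscallEvent(0x401010, "socket"),
    SyscallEvent(0x401040, "bind"),
    SyscallEvent(0x401070, "accept"),
    SyscallEvent(0x4010A0, "read"),
    SyscallEvent(0x4010D0, "write"),
    SyscallEvent(0x401100, "close"),
]
HIJACKED_TRACE = NORMAL_TRACE[:4] + [
    SyscallEvent(0x7FFD1000, "execve"),   # constructed stack-range address
    SyscallEvent(0x401100, "close"),
]

if __name__ == "__main__":
    print(monitor_binary(POLICIES, "httpd-example", NORMAL_TRACE))
    print(monitor_binary(POLICIES, "httpd-example", HIJACKED_TRACE))
    print(monitor_binary(POLICIES, "downloaded-unknown.exe", HIJACKED_TRACE))
```

The distinction `monitor_binary` draws between "no-policy" and "checked" is the practical one: a deployment that silently treats an unknown binary as clean would turn the missing-policy gap into a false sense of coverage, whereas reporting it separately lets the operator decide (for instance) to fall back to the VM-level isolation the project already provides.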
From: Todd D. <des...@gm...> - 2009-05-09 02:26:46
Hi Pablo,
I didn't read it in detail since it is not directly related to what I am
doing, but I think you got it about right. Maybe it could be a future
feature?
Cheers,
Todd
--
Todd Deshane
http://todddeshane.net
http://runningxen.com