From: Todd D. <des...@gm...> - 2009-05-09 02:26:46
Hi Pablo,

I didn't read it in detail since it is not directly related to what I am doing, but I think you got it about right. Maybe it could be a future feature?

Cheers,
Todd

On Thu, Apr 30, 2009 at 8:32 AM, Passera, Pablo R <pab...@in...> wrote:
> Hi Todd,
> I haven't seen this paper. It is interesting. However, for this to work we should have a sandboxing policy of the downloaded file before installing it into our VM sandbox to detect control hijacking. I see this more like a protection for already installed files that have a known behavior than a zero-day attack protection. Did I get it right?
>
> Regards,
> Pablo
>
>>-----Original Message-----
>>From: Todd Deshane [mailto:des...@gm...]
>>Sent: Wednesday, April 22, 2009 1:44 PM
>>To: iso...@li...
>>Subject: [Isolated-exec-devel] Related Work
>>
>>Hi,
>>
>>I just wanted to let you know about a paper that I ran across, in case
>>you hadn't seen it yet:
>>
>>Accurate Application-Specific Sandboxing for Win32/Intel Binaries
>>
>>Wei Li, Lap-chung Lam, Tzi-cker Chiueh
>>Computer Science Department
>>Stony Brook University
>>
>>Abstract:
>>Comparing the system call sequence of a network application against a
>>sandboxing policy is a popular approach to detecting control-hijacking
>>attacks, in which the attacker exploits such software vulnerabilities
>>as buffer overflow to take over the control of a victim application
>>and possibly the underlying machine. The long-standing technical
>>barrier to the acceptance of this system call monitoring approach is
>>how to derive accurate sandboxing policies for Windows applications
>>whose source code is unavailable. In fact, many commercial computer
>>security companies take advantage of this fact and fashion a business
>>model in which their users have to pay a subscription fee to receive
>>periodic updates on the application sandboxing policies, much like
>>anti-virus signatures. This paper describes the design, implementation
>>and evaluation of a sandboxing system called BASS that can
>>automatically extract a highly accurate application-specific
>>sandboxing policy from a Win32/X86 binary, and enforce the extracted
>>policy at run time with low performance overhead. BASS is built on a
>>binary interpretation and analysis infrastructure called BIRD, which
>>can handle application binaries with dynamically linked libraries,
>>exception handlers and multi-threading, and has been shown to work
>>correctly for a large number of commercially distributed Windows-based
>>network applications, including IIS and Apache. The throughput and
>>latency penalty of BASS for all the applications we have tested except
>>one is under 8%.
>>
>>Cheers,
>>Todd
>>
>>P.S. I still hope to get back to testing and development on
>>isolated-exec, but have still been busy with my core research and
>>projects lately.
>>
>>--
>>Todd Deshane
>>http://todddeshane.net
>>http://runningxen.com

--
Todd Deshane
http://todddeshane.net
http://runningxen.com
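The system-call-sequence sandboxing the quoted abstract describes, as an added example that is not code from the paper, from BASS/BIRD, or from the isolated-exec project. The abstract says BASS extracts its policy statically from the binary; this example instead derives the policy from constructed benign traces (a simpler stand-in for the same idea), encodes it as a default-deny set of allowed syscall transitions, and checks a constructed trace of the same service after a buffer-overflow hijack. All syscall names, traces and function names are constructed for illustration.

```python
"""Syscall-sequence sandboxing policy: learn allowed transitions from benign
runs of an application, then flag a runtime trace that leaves the policy.

Constructed example for the abstract quoted above; not BASS or BIRD code.
"""
from collections import namedtuple

Violation = namedtuple("Violation", "index prev call")

# Markers so the first and last syscalls of a run are constrained as well.
START = "<start>"
END = "<end>"

# Constructed benign traces of a toy network service (Linux-style syscall
# names). Sample data only, not a recording of any real program.
BENIGN_TRACES = [
    ["socket", "bind", "listen", "accept", "read", "write", "close"],
    ["socket", "bind", "listen", "accept", "read", "open", "read",
     "write", "close"],
    ["socket", "bind", "listen", "accept", "read", "write", "accept",
     "read", "write", "close"],
]

# Constructed trace of the same service after a control-hijacking attack:
# the payload delivered by the overflowing read() spawns a shell, so execve
# appears where the benign program never calls it.
HIJACKED_TRACE = ["socket", "bind", "listen", "accept", "read", "execve"]


def build_policy(traces):
    """Derive a transition policy from benign traces.

    The policy is the set of (previous syscall, next syscall) pairs seen in
    any benign trace, framed by START and END. Everything else is denied,
    so a syscall the application never makes (execve here) can never be
    reached no matter where the attacker inserts it.
    """
    allowed = set()
    for trace in traces:
        framed = [START] + list(trace) + [END]
        allowed.update(zip(framed, framed[1:]))
    return frozenset(allowed)


def check_trace(trace, policy):
    """Compare a runtime trace against the policy.

    Returns a list of Violation(index, prev, call), where index is the
    position in `trace` of the offending syscall (len(trace) when the run
    ends in a state the policy does not allow it to end in). An enforcing
    monitor would stop the process at the first violation; all of them are
    collected here so the trace can be inspected.
    """
    framed = [START] + list(trace) + [END]
    violations = []
    for i, (prev, call) in enumerate(zip(framed, framed[1:])):
        if (prev, call) not in policy:
            violations.append(Violation(i, prev, call))
    return violations


def enforce(trace, policy):
    """Return the first violation, or None if the trace is within policy."""
    found = check_trace(trace, policy)
    return found[0] if found else None


if __name__ == "__main__":
    policy = build_policy(BENIGN_TRACES)
    for t in BENIGN_TRACES:
        print("benign  :", "ok" if not check_trace(t, policy) else "FLAGGED")
    print("hijacked:", enforce(HIJACKED_TRACE, policy))
```

Two limits of a transition-only policy are worth keeping in mind when reading the abstract's numbers. First, it checks syscall names, not arguments, so a payload that only uses syscalls the application already makes (for example `open` on a different path, a mimicry attack) stays inside the policy; a practical sandbox constrains arguments as well. Second, this learned policy is only as complete as the runs it was trained on, which is exactly the accuracy problem the abstract says BASS addresses by extracting the policy from the binary instead.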