rafal wojtczuk - endpoint security via application sandboxing and virtualization past, present,...
DESCRIPTION
TRANSCRIPT
![Page 1: Rafal Wojtczuk - Endpoint security via Application sandboxing and virtualization Past, present, future](https://reader033.vdocuments.site/reader033/viewer/2022051108/546399d7b1af9fd5588b45c2/html5/thumbnails/1.jpg)
Endpoint security via Application sandboxing and virtualization:Past, present, future
Rafal Wojtczuk [email protected]
![Page 2: Rafal Wojtczuk - Endpoint security via Application sandboxing and virtualization Past, present, future](https://reader033.vdocuments.site/reader033/viewer/2022051108/546399d7b1af9fd5588b45c2/html5/thumbnails/2.jpg)
Bromium Confidential
• We will talk mostly about securing Windows client systems
• Application sandboxes• Sandboxie• Chrome sandbox
• Virtualization-based sandboxes• Qubes OS• Bromium vSentry
Agenda
![Page 3: Rafal Wojtczuk - Endpoint security via Application sandboxing and virtualization Past, present, future](https://reader033.vdocuments.site/reader033/viewer/2022051108/546399d7b1af9fd5588b45c2/html5/thumbnails/3.jpg)
Bromium Confidential
• Environment designed to run untrusted (or exploitable) code, in a manner that prevents the encapsulated code from damaging the rest of the system
• The aim of a sandbox is to isolate threats• Protection by isolation, not detection
What is a sandbox?
![Page 4: Rafal Wojtczuk - Endpoint security via Application sandboxing and virtualization Past, present, future](https://reader033.vdocuments.site/reader033/viewer/2022051108/546399d7b1af9fd5588b45c2/html5/thumbnails/4.jpg)
Bromium Confidential
• Infeasible or too expensive to write a bug-free complex code
• Many approaches (AV, HIPS, NIPS) have limited effectiveness• Particularly against 0days
• Containing a malicious code in a jail is doable• How effective?
Why we need sandboxing?
![Page 5: Rafal Wojtczuk - Endpoint security via Application sandboxing and virtualization Past, present, future](https://reader033.vdocuments.site/reader033/viewer/2022051108/546399d7b1af9fd5588b45c2/html5/thumbnails/5.jpg)
Bromium Confidential
• Type A: OS enhancement based: Sandboxie, Buffer Zone Pro etc.
• Type B: Master/slave model: Adobe ReaderX, Chrome browser
Types of application sandboxes
![Page 6: Rafal Wojtczuk - Endpoint security via Application sandboxing and virtualization Past, present, future](https://reader033.vdocuments.site/reader033/viewer/2022051108/546399d7b1af9fd5588b45c2/html5/thumbnails/6.jpg)
Bromium Confidential
• Example: Sandboxie (available since 2006), BufferZone Pro
• Custom kernel driver modifies Windows behavior, so that change to protected system components is prevented
• Use cases: Most of such sandboxes are used for controlled execution of applications
• Sandboxie is widely used for malware analysis
TYPE A
![Page 7: Rafal Wojtczuk - Endpoint security via Application sandboxing and virtualization Past, present, future](https://reader033.vdocuments.site/reader033/viewer/2022051108/546399d7b1af9fd5588b45c2/html5/thumbnails/7.jpg)
Bromium Confidential
Application Sandbox Type A
![Page 8: Rafal Wojtczuk - Endpoint security via Application sandboxing and virtualization Past, present, future](https://reader033.vdocuments.site/reader033/viewer/2022051108/546399d7b1af9fd5588b45c2/html5/thumbnails/8.jpg)
Architectural Discussion: Type A
• There is a lot of kernel interaction that the sandbox needs to allow for applications to work as designed
• It relies on the assumption that OS kernel is not compromised
• The sandbox cannot protect against malicious kernel mode malware
![Page 9: Rafal Wojtczuk - Endpoint security via Application sandboxing and virtualization Past, present, future](https://reader033.vdocuments.site/reader033/viewer/2022051108/546399d7b1af9fd5588b45c2/html5/thumbnails/9.jpg)
Bromium Confidential
• Example: Google Chrome (available since 2008), Adobe Reader
• Two processes - master and slave, talking over IPC channel
• Slave is confined using OS access control facilities • Master mediates access to resources• Use case: protect the application from exploitation• Google Chrome and Adobe Reader are popular
applications mainly for web and content rendering
TYPE B
![Page 10: Rafal Wojtczuk - Endpoint security via Application sandboxing and virtualization Past, present, future](https://reader033.vdocuments.site/reader033/viewer/2022051108/546399d7b1af9fd5588b45c2/html5/thumbnails/10.jpg)
Bromium Confidential
Application Sandbox Type B
![Page 11: Rafal Wojtczuk - Endpoint security via Application sandboxing and virtualization Past, present, future](https://reader033.vdocuments.site/reader033/viewer/2022051108/546399d7b1af9fd5588b45c2/html5/thumbnails/11.jpg)
Architectural Discussion: Type B
• Master has smaller codebase, the point being – it should be tougher to exploit it
• Slave has a bigger attack surface that needs to be ‘brokered’ by the master
• Slave still directly interacts with the OS Kernel – the attack surface is limited but far from zero (win32k.sys)
![Page 12: Rafal Wojtczuk - Endpoint security via Application sandboxing and virtualization Past, present, future](https://reader033.vdocuments.site/reader033/viewer/2022051108/546399d7b1af9fd5588b45c2/html5/thumbnails/12.jpg)
App Sandboxes: Important Points
• Application sandboxes are fundamentally vulnerable to kernel mode attacks• The sandbox is entirely bypassed, not penetrated• Layering sandboxes doesn’t help
• The attack surface of commodity OS kernels is large, with no reasonable hope of securing them
![Page 13: Rafal Wojtczuk - Endpoint security via Application sandboxing and virtualization Past, present, future](https://reader033.vdocuments.site/reader033/viewer/2022051108/546399d7b1af9fd5588b45c2/html5/thumbnails/13.jpg)
Bromium Confidential
• Windows kernel issues are discovered increasingly frequently
• 25 CVE items for Windows kernel in 2012• 30+ CVE items in the first 3 months of 2013• There have been targeted attacks like Duqu that
have targeted kernel vulnerabilities• Cansecwest 2013 Chrome sandbox bypass by MWR
Labs used two stage exploit• First compromise the slave• Then compromise the kernel
• Yes… it’s a big problem!
Is this a problem?
![Page 14: Rafal Wojtczuk - Endpoint security via Application sandboxing and virtualization Past, present, future](https://reader033.vdocuments.site/reader033/viewer/2022051108/546399d7b1af9fd5588b45c2/html5/thumbnails/14.jpg)
CVE-2012-1515CVE-2012-0178CVE-2012-2527CVE-2012-1890CVE-2011-2016CVE-2011-2018CVE-2011-3402CVE-2012-1864CVE-2012-1865CVE-2012-1866CVE-2012-1867CVE-2012-1868CVE-2012-0217CVE-2012-0179CVE-2012-0157CVE-2012-0148CVE-2012-0149CVE-2011-5046CVE-2012-0154CVE-2012-0001CVE-2013-1278CVE-2013-1279CVE-2013-1280CVE-2013-0008CVE-2012-2556CVE-2012-4786CVE-2012-2530CVE-2012-2553CVE-2012-2897CVE-2013-1248CVE-2013-1249CVE-2013-1250CVE-2013-1251CVE-2013-1252CVE-2013-1253CVE-2013-1254CVE-2013-1255CVE-2013-1256CVE-2013-1257CVE-2013-1258CVE-2013-1259CVE-2013-1260CVE-2013-1261CVE-2013-1262CVE-2013-1263CVE-2013-1264CVE-2013-1265CVE-2013-1266CVE-2013-1267CVE-2013-1268CVE-2013-1269CVE-2013-1270CVE-2013-1271CVE-2013-1272CVE-2013-1273CVE-2013-1274CVE-2013-1275CVE-2013-1276CVE-2013-1277
CVE-2011-3402
Exploit: MS11-087
SANDBOX BASEDDEFENSE “IN-DEPTH”
#EPICFAIL
![Page 15: Rafal Wojtczuk - Endpoint security via Application sandboxing and virtualization Past, present, future](https://reader033.vdocuments.site/reader033/viewer/2022051108/546399d7b1af9fd5588b45c2/html5/thumbnails/15.jpg)
User Mode Exploitation
• Type A and Type B do not restrict network connectivity for a sandboxed process.
• The exception to this rule is Google Chrome that has been hardened to restrict TCP/IP networking in case the renderer got exploited.
• All vulns in these services are a sandbox escape vector
• Even properly functioning code can be abused
![Page 16: Rafal Wojtczuk - Endpoint security via Application sandboxing and virtualization Past, present, future](https://reader033.vdocuments.site/reader033/viewer/2022051108/546399d7b1af9fd5588b45c2/html5/thumbnails/16.jpg)
Bromium Confidential
• ALPC ports [12] are a low-level mechanism used for interprocess communication on the Windows OS. Again, many Windows services listen on ALPC ports; if a sandboxed code can connect to these services, it can attempt to exploit a vulnerability in it.
• Chrome sandbox documentation correctly states that the sandboxed process cannot obtain new handles to almost all existing interesting objects, including ALPC ports. However, it is not enough – care must be taken to not leak important handles from the pre-sandbox process state into the sandbox.
ALPC Ports
![Page 17: Rafal Wojtczuk - Endpoint security via Application sandboxing and virtualization Past, present, future](https://reader033.vdocuments.site/reader033/viewer/2022051108/546399d7b1af9fd5588b45c2/html5/thumbnails/17.jpg)
Bromium Confidential
• Wrap the OS in a sandbox such that OS (and other application) vulnerabilities are nonfatal – this can be achieved using a Virtual Machine based environment
What are the alternatives?
![Page 18: Rafal Wojtczuk - Endpoint security via Application sandboxing and virtualization Past, present, future](https://reader033.vdocuments.site/reader033/viewer/2022051108/546399d7b1af9fd5588b45c2/html5/thumbnails/18.jpg)
Bromium Confidential
• Just do unsafe activities in a standalone VM• Manageability problems
• Ultimately, VM will get dirty
• How about using many VMs?• Managing multiple OS images is painful
First approximation – standalone VM(s)
![Page 19: Rafal Wojtczuk - Endpoint security via Application sandboxing and virtualization Past, present, future](https://reader033.vdocuments.site/reader033/viewer/2022051108/546399d7b1af9fd5588b45c2/html5/thumbnails/19.jpg)
Bromium Confidential
• Manageability• Performance• Hypervisor and supporting environment is still an
attack vector, arguably small enough to be defensible• Security vs features tradeoff, e.g. GPU virtualization
Virtualization-based sandboxing challenges
![Page 20: Rafal Wojtczuk - Endpoint security via Application sandboxing and virtualization Past, present, future](https://reader033.vdocuments.site/reader033/viewer/2022051108/546399d7b1af9fd5588b45c2/html5/thumbnails/20.jpg)
Bromium Confidential
Qubes OS (available since 2010)
![Page 21: Rafal Wojtczuk - Endpoint security via Application sandboxing and virtualization Past, present, future](https://reader033.vdocuments.site/reader033/viewer/2022051108/546399d7b1af9fd5588b45c2/html5/thumbnails/21.jpg)
Bromium Confidential
• Based on a bare-metal hypervisor (Xen)• All user applications run in “AppVMs”, lightweight
VMs based on Linux – one VM per each “role”• Qubes GUI virtualization presents applications like if
they were running locally (aka “seamless” mode)• Networking code sand-boxed in an unprivileged VM
(using IOMMU/VT-d)• Centralized updates of all AppVMs based on the
same template• Disposable VMs
Qubes OS main features
![Page 22: Rafal Wojtczuk - Endpoint security via Application sandboxing and virtualization Past, present, future](https://reader033.vdocuments.site/reader033/viewer/2022051108/546399d7b1af9fd5588b45c2/html5/thumbnails/22.jpg)
Bromium Confidential
• Requires some discipline/training from the user: • To perform each task in the proper AppVM or disposable VM• To manage files scattered across VMs
• Using off-the-shelf multipurpose large hypervisor• Vulnerable to “sysret” vulnerability, CVE-2012-0217• On the other hand, very careful to introduce as little
supporting privileged code as possible, good
• Linux focused, limited support for Windows VMs• Using type 1 hypervisor means deployment issues
Qubes OS deficiencies
![Page 23: Rafal Wojtczuk - Endpoint security via Application sandboxing and virtualization Past, present, future](https://reader033.vdocuments.site/reader033/viewer/2022051108/546399d7b1af9fd5588b45c2/html5/thumbnails/23.jpg)
Bromium Confidential
Bromium vSentry
![Page 24: Rafal Wojtczuk - Endpoint security via Application sandboxing and virtualization Past, present, future](https://reader033.vdocuments.site/reader033/viewer/2022051108/546399d7b1af9fd5588b45c2/html5/thumbnails/24.jpg)
Bromium Confidential
• Available since 2012• For Windows, based on type 2 hypervisor (derived from
Xen)• Easily deployable – just install .msi file• Mac OSX version almost ready
• Each instance of application runs in a separate VM• No need for the human to be involved in VM management• Possible due to ultra-optimized VM creation time
• Heavily customized/stripped hypervisor• By design, NOT Vulnerable to “sysret” vulnerability, CVE-2012-0217
• Many enterprise-friendly features• E.g. transparent support for web proxies that require NTLM
authentication
Bromium vSentry main features
![Page 25: Rafal Wojtczuk - Endpoint security via Application sandboxing and virtualization Past, present, future](https://reader033.vdocuments.site/reader033/viewer/2022051108/546399d7b1af9fd5588b45c2/html5/thumbnails/25.jpg)
Bromium Confidential
• No support for dedicated networking VM• … yet
• In comparison with Qubes, more supporting privileged code• Still managable from security viewpoint• Ultimately, at least partially solvable by using Intel Trusted
Execution technology and deprivileging the host
Bromium vSentry current deficiencies
![Page 26: Rafal Wojtczuk - Endpoint security via Application sandboxing and virtualization Past, present, future](https://reader033.vdocuments.site/reader033/viewer/2022051108/546399d7b1af9fd5588b45c2/html5/thumbnails/26.jpg)
Bromium Confidential
• Will someday virtualization-based sandboxing become omnipresent (well, at least as Chrome sandbox currently)?
• Some features are unique• E.g. vSentry sandboxes MS Office applications
• The resilience against kernel exploits should be relevant• Any chance for secure Windows kernel soon?• Some mitigations, e.g. SMAP, are interesting, but not a silver bullet
• Functionality concerns• Intel will provide hardware-assisted GPU virtualization some day
• So yes, there is a fair chance• Assuming in real life the number of vulnerabilities will be close to 0
Future
![Page 27: Rafal Wojtczuk - Endpoint security via Application sandboxing and virtualization Past, present, future](https://reader033.vdocuments.site/reader033/viewer/2022051108/546399d7b1af9fd5588b45c2/html5/thumbnails/27.jpg)
Bromium Confidential
• Most of the above material was prepared in cooperation with Rahul Kashyap ([email protected])
Acknowledgements