程龙,杨小虎

2004-01-01

Abstract:This paper illustrates a sandbox system on Linux operating system. Users can put untrusted or flawed programs running in the sandbox system,so they are isolated from other parts of the operating system. It protects the system from application exploits. Thus it greatly improves the system's security level. Deploying this sandbox system needs no modification to existing operating system kernel and applications,because it is implemented as a Linux kernel module.

Tien-Duy B. Le,Lingfeng Bao,David Lo,Debin Gao,Li

DOI: https://doi.org/10.1109/iceccs2018.2018.00014

2018-01-01

Abstract:Android is the most widely used mobile operating system with billions of users and devices. The popularity of Android apps have enticed malware writers to target them. Recently, Jamrozik et al. proposed an approach, named Boxmate, to mine sandboxes to protect Android users from malicious behaviors. In a nutshell, Boxmate analyzes the execution of an app, and collects a list of sensitive APIs that are invoked by that app in a monitoring phase. Then, it constructs a sandbox that can restrict accesses to sensitive APIs not called by the app. In such a way, malicious behaviors that are not observed in the monitoring phase - occurring, for example, due to malicious code injection during an attack - can be prevented. Nevertheless, Boxmate only focuses on a specific API type (i.e., sensitive APIs); it also ignores parameter values of many API methods and requested permissions during the execution of a target app. As a result, Boxmate is not able to detect malicious behaviors in many cases. In this work, we address the limitation of Jamrozik et al.'s work by considering input parameters of many different types of API methods for mining a more comprehensive sandbox. Given a benign app, we first extract a list of Android permissions that the app may request during its execution. Next, we leverage an automated test case generation tool, named Droidbot, to generate a rich set of GUI test cases for exploring behaviors of the app. During the execution of these test cases, we analyze the execution of four different types of API methods. Furthermore, we record input parameters to these API methods, and classify those into four different categories. We leverage the collected parameter values, and the list of requested permissions to create a sandbox that can protect users from malicious behaviors. Our experiments on 25 pairs of real benign and malicious apps show that our approach is more effective than the coarse-and fine-grained variants of Boxmate by 267.37% and 81.64% in terms of F-measure respectively.

Lingfeng Bao,Tien-Duy B. Le,David Lo

DOI: https://doi.org/10.1109/saner.2018.8330231

2018-01-01

Abstract:The popularity of Android platform on mobile devices has attracted much attention from many developers and researchers, as well as malware writers. Recently, Jamrozik et al. proposed a technique to secure Android applications referred to as mining sandboxes. They used an automated test case generation technique to explore the behavior of the app under test and then extracted a set of sensitive APIs that were called. Based on the extracted sensitive APIs, they built a sandbox that can block access to APIs not used during testing. However, they only evaluated the proposed technique with benign apps but not investigated whether it was effective in detecting malicious behavior of malware that infects benign apps. Furthermore, they only investigated one test case generation tool (i.e., Droidmate) to build the sandbox, while many others have been proposed in the literature. In this work, we complement Jamrozik et al.'s work in two ways: (1) we evaluate the effectiveness of mining sandboxes on detecting malicious behaviors; (2) we investigate the effectiveness of multiple automated test case generation tools to mine sandboxes. To investigate effectiveness of mining sandboxes in detecting malicious behaviors, we make use of pairs of malware and benign app it infects. We build a sandbox based on sensitive APIs called by the benign app and check if it can identify malicious behaviors in the corresponding malware. To generate inputs to apps, we investigate five popular test case generation tools: Monkey, Droidmate, Droidbot, GUIRipper, and PUMA. We conduct two experiments to evaluate the effectiveness and efficiency of these test case generation tools on detecting malicious behavior. In the first experiment, we select 10 apps and allow test case generation tools to run for one hour; while in the second experiment, we select 102 pairs of apps and allow the test case generation tools to run for one minute. Our experiments highlight that 75.5%-77.2% of malware in our dataset can be uncovered by mining sandboxes - showing its power to protect Android apps. We also find that Droidbot performs best in generating test cases for mining sandboxes, and its effectiveness can be further boosted when coupled with other test case generation tools.

Xia Zhou,Yujie Bu,Meng Xu,Yajin Zhou,Lei Wu

DOI: https://doi.org/10.1109/tdsc.2024.3454421

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Multicore embedded systems employ a big.LITTLE architecture to combine different cores into a single microcontroller (MCU). However, resources sharing among cores raises security challenges. Once LITTLE cores (which often receive external inputs) are compromised, the whole system will be affected. Existing hardware-assisted isolation approaches use privilege separation and code instrumentation to enforce memory isolation, which suffer from inefficiencies. This paper presents u BOX , a lightweight sandbox for multicore embedded systems. The goal of u BOX is to enforce memory isolation over untrusted software (on LITTLE cores) at the same privileged level. Specifically, it uses the Memory Protection Unit (MPU) to restrict memory access by untrusted software. To protect sandbox policies, u BOX deprives the write capability of untrusted software towards MPU configurations by replacing its regular store instructions with unprivileged counterparts. Additionally, to protect u BOX 's necessary regular store instructions from being abused, u BOX 's memory is set to read-only and non-executable when running untrusted software. For the normal operation of u BOX , we use an overlooked feature of the MPU and develop secure gates that quickly disable and re-enable the MPU, allowing u BOX to execute at a permissive memory view. Our evaluation demonstrates that u BOX effectively enforces isolation with average 1.27% runtime overhead, 0.83X Flash overhead, and 36.50X SRAM overhead.

Yajin Zhou,Kunal Patel,Lei Wu,Zhi Wang,Xuxian Jiang

DOI: https://doi.org/10.1145/2714576.2714598

2015-01-01

Abstract:ABSTRACTUsers of Android phones increasingly entrust personal information to third-party apps. However, recent studies reveal that many apps, even benign ones, could leak sensitive information without user awareness or consent. Previous solutions either require to modify the Android framework thus significantly impairing their practical deployment, or could be easily defeated by malicious apps using a native library. In this paper, we propose AppCage, a system that thoroughly confines the run-time behavior of third-party Android apps without requiring framework modifications or root privilege. AppCage leverages two complimentary user-level sandboxes to interpose and regulate an app's access to sensitive APIs. Specifically, dex sandbox hooks into the app's Dalvik virtual machine instance and redirects each sensitive framework API to a proxy which strictly enforces the user-defined policies, and native sandbox leverages software fault isolation to prevent the app's native libraries from directly accessing the protected APIs or subverting the dex sandbox. We have implemented a prototype of AppCage. Our evaluation shows that AppCage can successfully detect and block attempts to leak private information by third-party apps, and the performance overhead caused by AppCage is negligible for apps without native libraries and minor for apps with them.

Chiachih Wu,Yajin Zhou,Kunal Patel,Zhenkai Liang,Xuxian Jiang

DOI: https://doi.org/10.14722/ndss.2014.23164

2014-01-01

Abstract:Recent years have experienced explosive growth of smartphone sales. Inevitably, the rise in the popularity of smartphones also makes them an attractive target for attacks. In light of these threats, current mobile platform providers have developed various server-side vetting processes to block malicious applications (“apps”). While helpful, they are still far from ideal in achieving their goals. To make matters worse, the presence of alternative (less-regulated) mobile marketplaces also opens up new attack vectors, which necessitate client-side solutions (e.g., mobile anti-virus software) to run on mobile devices. However, existing client-side solutions still exhibit limitations in their capability or deployability. In this paper, we present AirBag, a lightweight OS-level virtualization approach to enhance the popular Android platform and boost our defense capability against mobile malware infection. Assuming a trusted smartphone OS kernel and the fact that untrusted apps will be eventually installed onto users’ phones, AirBag is designed to isolate and prevent them from infecting our normal systems (e.g., corrupting the phone firmware) or stealthily leaking private information. More specifically, by dynamically creating an isolated runtime environment with its own dedicated namespace and virtualized system resources, AirBag not only allows for transparent execution of untrusted apps, but also effectively mediates their access to various system resources or phone functionalities (e.g., SMSs or phone calls). We have implemented a proof-of-concept prototype on three representative mobile devices, i.e., Google Nexus One, Nexus 7, and Samsung Galaxy S III. The evaluation results with a number of untrusted apps, including real-world mobile malware, demonstrate its practicality and effectiveness.

王少平,李善平

DOI: https://doi.org/10.3969/j.issn.1001-3695.2004.01.041

2004-01-01

Abstract:This paper comes up with an innovative idea: Non Executable Directory in Linux/UNIX environment.It helps promoting the safety of UNIX/Linux system by preventing attackers with ordinary rights from running evil programs (exploits, etc) in the system. At the game time,ordinary users working with Non Executable Directories still can run programs already in the system to finish their works.

Wu Zhou,Zhi Wang,Yajin Zhou,Xuxian Jiang

DOI: https://doi.org/10.1145/2557547.2557558

2014-01-01

Abstract:App repackaging remains a serious threat to the emerging mobile app ecosystem. Previous solutions have mostly focused on the postmortem detection of repackaged apps by measuring similarity among apps. In this paper, we propose DIVILAR, a virtualization-based protection scheme to enable self-defense of Android apps against app repackaging. Specifically, it re-encodes an Android app in a diversified virtual instruction set and uses a specialized execute engine for these virtual instructions to run the protected app. However, this extra layer of execution may cause significant performance overhead, rendering the solution unacceptable for daily use. To address this challenge, we leverage a light-weight hooking mechanism to hook into Dalvik VM, the execution engine for Dalvik bytecode, and piggy-back the decoding of virtual instructions to that of Dalvik bytecode. By compositing virtual and Dalvik instruction execution, we can effectively eliminate this extra layer of execution and significantly reduce the performance overhead. We have implemented a prototype of DIVILAR. Our evaluation shows that DIVILAR is resilient against existing static and dynamic analysis, including these specific to VM-based protection. Further performance evaluation demonstrates its efficiency for daily use (an average of 16.2 and 8.9 increase to the start time and run time, respectively).

Chenglin Xie,Yujie Guo,Shaosen Shi,Yu Sheng,Xiarun Chen,Chengyang Li,Weiping Wen

DOI: https://doi.org/10.1109/trustcom53373.2021.00099

2021-01-01

Abstract:Sandbox is an excellent tool for dynamic malware analysis. However, the sandbox detection techniques are increasingly adopted to develop malwares, which has been a significant threat to sandbox analysis. These malwares can detect the running environment and show different behaviors in corresponding environments. So far, there have been several studies about countermeasures, but most of them concentrate on Windows OS. Environmental features in Linux sandbox have not been summarized yet. Besides, existing popular sandboxes can hardly combat against sandbox detecting techniques. In this paper, we focus on Linux sandbox. We firstly propose Linux environmental features from six aspects and implement an effective tool to collect features from running environment to tell the discrepancy among physical machine, virtual machine and sandbox. More importantly, we present EnvFaker, an effective method to reinforce Linux sandbox against environmental-sensitive malware. This method uses tracer to track child process and injected process, filters to intercept sandbox detecting behaviors, and emulator to disguise wear-and-tear and network environment. The experimental results further demonstrate that our method is effective against detecting techniques for Linux sandbox.

Zhiyuan Wan,David Lo,Xin Xia,Liang Cai

DOI: https://doi.org/10.1007/s10664-019-09737-2

IF: 3.762

2019-01-01

Empirical Software Engineering

Abstract:A container is a group of processes isolated from other groups via distinct kernel namespaces and resource allocation quota. Attacks against containers often leverage kernel exploits through the system call interface. In this paper, we present an approach that mines sandboxes and enables fine-grained sandbox enforcement for containers. We first explore the behavior of a container by running test cases and monitor the accessed system calls including types and arguments during testing. We then characterize the types and arguments of system call invocations and translate them into sandbox rules for the container. The mined sandbox restricts the container’s access to system calls which are not seen during testing and thus reduces the attack surface. In the experiment, our approach requires less than eleven minutes to mine a sandbox for each of the containers. The estimation of system call coverage of sandbox mining ranges from 96.4% to 99.8% across the containers under the limiting assumptions that the test cases are complete and only static system/application paths are used. The enforcement of mined sandboxes incurs low performance overhead. The mined sandboxes effectively reduce the attack surface of containers and can prevent the containers from security breaches in reality.

Yinzhi Cao,Zhichun Li,Vaibhav Rastogi,Yan Chen,Xitao Wen

DOI: https://doi.org/10.1145/2414456.2414460

2012-01-01

Abstract:Third party JavaScripts not only offer much richer features to the web and its applications but also introduce new threats. These scripts cannot be completely trusted and executed with the privileges given to host web sites. Due to incomplete virtualization and lack of tracking all the data flows, all existing approaches without native sandbox support can secure only a subset of third party JavaScripts, and they are vulnerable to attacks encoded in non-standard HTNIL/Java-Script (browser quirks) as these approaches will parse third party JavaScripts independently at server side without considering client-side non-standard parsing quirks. At the same time, native sandboxes are vulnerable to attacks based on unknown native lava,Script, engine bugs.In this paper, we propose Virtual Browser, a full browser level virtualized environment within existing browsers for executing untrusted third party code. Our approach supports more complete JavaScript language features including those hard-to-secure functions, such as with and eval. Since Virtual Browser does not rely on native browser parsing behavior, there is no possibility of attacks being executed through browser quirks. Moreover, given the third-party Javascripts are running in Virtual Browser instead of native browsers, it is harder for the attackers to exploit unknown vulnerabilities in the native JavaScript engine. In our design, we first completely isolate Virtual Browser from the native browser components and then introduce communication by adding data flows carefully examined for security. The evaluation of the Virtual Browser prototype shows that our execution speed is the same as Microsoft, Web Sandbox[27], a state of the art runtime web-level sandbox. In addition, Virtual Browser is more secure and supports more complete JavaScript for third party JavaScript development.

Zhiyuan Wan,David Lo,Xin Xia,Liang Cai,Shanping Li

DOI: https://doi.org/10.1109/ICST.2017.16

2017-12-15

Abstract:A container is a group of processes isolated from other groups via distinct kernel namespaces and resource allocation quota. Attacks against containers often leverage kernel exploits through system call interface. In this paper, we present an approach that mines sandboxes for containers. We first explore the behaviors of a container by leveraging automatic testing, and extract the set of system calls accessed during testing. The set of system calls then results as a sandbox of the container. The mined sandbox restricts the container's access to system calls which are not seen during testing and thus reduces the attack surface. In the experiment, our approach requires less than eleven minutes to mine sandbox for each of the containers. The enforcement of mined sandboxes does not impact the regular functionality of a container and incurs low performance overhead.

Cryptography and Security

Chengyu Song,Chao Qin,Jianwei Zhuge,Zhiyin Liang,Zhiyuan Ye

2009-01-01

Abstract:Malware is a major threat to the cyber world and the number of unique malware samples captured by antivirus software venders is making an explosive growth in recent years. To improve the malware analysis efficiency, researchers have developed several automated coarse-grained dynamic malware analysis systems, including Norman Sandbox, CWSandbox and TTAnalyze, etc. However, these systems' analysis capabilities still cannot compare with the growth of malware, because they rely on heavy virtual machines to build malware execution environments. To further improve the efficiency, this paper analyzes the bottlenecks in these systems and proposes two mechanisms, flash revert and VM fork to reduce the found overheads. Experiments on an OS-level VMM based prototype implementation (MwSandbox) show that the efficiency is improved at least an order of magnitude without losing analysis quality.

Yinzhi Cao,Zhichun Li,Vaibhav Rastogi,Yan Chen

DOI: https://doi.org/10.1145/1866307.1866387

2010-01-01

Abstract:Third-party JavaScript offers much more diversity to Web and its applications but also introduces new threats. Those scripts cannot he completely trusted and executed with the privileges given to host web sites. Due to incomplete virtualization and lack of tracking all the data flows, all the existing works in this area can secure only a subset of third-party JavaScript. At the same time, because of the existence of not so well documented browser quirks, attacks may be encoded in non standard HTML/JavaScript so that they can bypass existing approaches as these approaches will parse third party JavaScript twice, at both server and clint side.In this paper, we propose Virtual Browser, a completely virtualized environment within existing browsers for executing untrusted third-party code. We secure complete JavaScript, including all the hard-to-secure functions of JavaScript programs, such as with and eval. Since this approach parses scripts only once, there is no possibility of attacks being executed through browser quirks. We first completely isolate Virtual Browser from the native browser components and then introduce communication by adding data flows carefully examined for security.

Sebastian Neuner,Victor van der Veen,Martina Lindorfer,Markus Huber,Georg Merzdovnik,Martin Mulazzani,Edgar Weippl

DOI: https://doi.org/10.48550/arXiv.1410.7749

2014-10-29

Abstract:Expecting the shipment of 1 billion Android devices in 2017, cyber criminals have naturally extended their vicious activities towards Google's mobile operating system. With an estimated number of 700 new Android applications released every day, keeping control over malware is an increasingly challenging task. In recent years, a vast number of static and dynamic code analysis platforms for analyzing Android applications and making decision regarding their maliciousness have been introduced in academia and in the commercial world. These platforms differ heavily in terms of feature support and application properties being analyzed. In this paper, we give an overview of the state-of-the-art dynamic code analysis platforms for Android and evaluate their effectiveness with samples from known malware corpora as well as known Android bugs like Master Key. Our results indicate a low level of diversity in analysis platforms resulting from code reuse that leaves the evaluated systems vulnerable to evasion. Furthermore the Master Key bugs could be exploited by malware to hide malicious behavior from the sandboxes.

Cryptography and Security

Quan Zhang,Chijin Zhou,Yiwen Xu,Zijing Yin,Mingzhe Wang,Zhuo Su,Chengnian Sun,Yu Jiang,Jiaguang Sun

DOI: https://doi.org/10.1145/3622842

2023-01-01

Proceedings of the ACM on Programming Languages

Abstract:Attack surface reduction is a security technique that secures the operating system by removing the unnecessary code or features of a program. By restricting the system calls that programs can use, the system call sandbox is able to reduce the exposed attack surface of the operating system and prevent attackers from damaging it through vulnerable programs. Ideally, programs should only retain access to system calls they require for normal execution. Many researchers focus on adopting static analysis to automatically restrict the system calls for each program. However, these methods do not adjust the restriction policy along with program execution. Thus, they need to permit all system calls required for program functionalities. We observe that some system calls, especially security-sensitive ones, are used a few times in certain stages of a program’s execution and then never used again. This motivates us to minimize the set of required system calls dynamically. In this paper, we propose , which gradually disables access to unnecessary system calls throughout the program’s execution. To accomplish this, we utilize partial order analysis to transform the program into a partially ordered graph, which enables efficient identification of the necessary system calls at any given point during program execution. Once a system call is no longer required by the program, can restrict it immediately. To evaluate , we applied it to seven widely-used programs with an average of 615 KLOC, including web servers and databases. With partial order analysis, restricts an average of 23.50, 16.86, and 15.89 more system calls than the state-of-the-art Chestnut, Temporal Specialization, and the configuration-aware sandbox, C2C, respectively. For mitigating malicious exploitations, on average, defeats 83.42% of 1726 exploitation payloads with only a 5.07% overhead.

A. Sachenko,O. Savenko,P. Rehida,George Markowsky

DOI: https://doi.org/10.1109/DESSERT61349.2023.10416467

2023-10-13

Abstract:This paper deals with the problem of detecting the malware by using emulation approach. Modern malware include various avoid techniques, to hide its anomaly actions. Advantages of using sandbox and emulation technologies are described. Various anti-emulation techniques that are used in modern malware considered. Obfuscation as one primary approach to hide malware malicious actions described and discussed. State of emulator is presented, and the advantages of its usage are covered. Distributed model for malware detection is considered. Basic emulator and its current capabilities presented. Prepared files that represent malware are described. Experimental results for developed files that differs with included avoid techniques are presented. Disadvantages of proposed approach is described. Future research and sandbox improvement are described.

Computer Science

Antonio Nappa,Panagiotis Papadopoulos,Matteo Varvello,Daniel Aceituno Gomez,Juan Tapiador,Andrea Lanzi

DOI: https://doi.org/10.48550/arXiv.2109.02979

2021-10-06

Abstract:Online malware scanners are one of the best weapons in the arsenal of cybersecurity companies and researchers. A fundamental part of such systems is the sandbox that provides an instrumented and isolated environment (virtualized or emulated) for any user to upload and run unknown artifacts and identify potentially malicious behaviors. The provided API and the wealth of information inthe reports produced by these services have also helped attackers test the efficacy of numerous techniques to make malware hard to <a class="link-external link-http" href="http://detect.The" rel="external noopener nofollow">this http URL</a> most common technique used by malware for evading the analysis system is to monitor the execution environment, detect the presence of any debugging artifacts, and hide its malicious behavior if needed. This is usually achieved by looking for signals suggesting that the execution environment does not belong to a the native machine, such as specific memory patterns or behavioral traits of certain CPU instructions. In this paper, we show how an attacker can evade detection on such online services by incorporating a Proof-of-Work (PoW) algorithm into a malware sample. Specifically, we leverage the asymptotic behavior of the computational cost of PoW algorithms when they run on some classes of hardware platforms to effectively detect a non bare-metal environment of the malware sandbox analyzer. To prove the validity of this intuition, we design and implement the POW-HOW framework, a tool to automatically implement sandbox detection strategies and embed a test evasion program into an arbitrary malware sample. Our empirical evaluation shows that the proposed evasion technique is durable, hard to fingerprint, and reduces existing malware detection rate by a factor of 10. Moreover, we show how bare-metal environments cannot scale with actual malware submissions rates for consumer services.

Cryptography and Security

Dongdong Huo,Chen Cao,Peng Liu,Yazhe Wang,Mingxuan Li,Zhen Xu

DOI: https://doi.org/10.1016/j.sysarc.2021.102114

IF: 5.836

2021-06-01

Journal of Systems Architecture

Abstract:<p>Cyber-Physical-Social Systems are frequently prescribed for providing valuable information on personalized services. The foundation of these services is big data which must be trustily collected and efficiently processed. Though High Performance Computing and Communication technique makes great contributions to addressing the issue of data processing, its effectiveness still relies on the veracity of data generated from Internet of Things (IoT) devices. Nevertheless, IoT devices, as basic production facilities to ensure data's security, are unable to deploy expensive security extensions. Consequently, it causes the implementation of the task sandboxing, the fundamental security mechanism in Real-Time Operating Systems (RTOS), much simpler and more vulnerable. In this paper, we take ARM Mbed uVisor as an example system, utilizing hypervisor-based task sandboxing mechanisms, and presents three new findings: First, we discover vulnerabilities against Mbed task sandboxing, which can be exploited to compromise system-maintained data structure to manipulate any tasks' data. Second, we present LIPS (Lightweight Intra-Mode Privilege Separation), building a special protection domain to isolate particular system-maintained data structures. Finally, thorough evaluation and experimental tests show the efficiency of LIPS to defeat these attacks, with small runtime overheads and good portability.</p>

computer science, software engineering, hardware & architecture

Soo Yee Lim,Xueyuan Han,Thomas Pasquier

2023-08-15

Abstract:For safety reasons, unprivileged users today have only limited ways to customize the kernel through the extended Berkeley Packet Filter (eBPF). This is unfortunate, especially since the eBPF framework itself has seen an increase in scope over the years. We propose SandBPF, a software-based kernel isolation technique that dynamically sandboxes eBPF programs to allow unprivileged users to safely extend the kernel, unleashing eBPF's full potential. Our early proof-of-concept shows that SandBPF can effectively prevent exploits missed by eBPF's native safety mechanism (i.e., static verification) while incurring 0%-10% overhead on web server benchmarks.

Operating Systems,Cryptography and Security