Sandbox-interception Recognition Method Based on Function Injection

ZHAO Xu, YAN Xuexiong, WANG Qingxian, WEI Qiang

Citation: ZHAO Xu, YAN Xuexiong, WANG Qingxian, WEI Qiang. Sandbox-interception Recognition Method Based on Function Injection[J]. Journal of Electronics & Information Technology, 2016, 38(7): 1823-1830. doi: 10.11999/JEIT151074


doi: 10.11999/JEIT151074
Funds: The National 863 Program of China (2012AA012902)


Abstract: Testing a sandbox's validation mechanism first requires identifying sandbox interception, that is, the set of system functions the sandbox intercepts. Existing hook detection methods mostly only establish whether a hook exists and are not sufficient for identifying sandbox interception. This paper designs a sandbox-interception recognition method based on function injection, which identifies the system functions intercepted by a sandbox by analyzing the instruction execution records (traces) of those functions. First, system functions are injected into the untrusted process and executed to obtain their traces; second, based on the characteristics of the traces of sandbox-intercepted system functions, an address-space finite state automaton is designed, and the collected traces are analyzed within the automaton to decide whether each system function is intercepted; finally, the test function set is traversed to identify the set of system functions intercepted by the target sandbox. A prototype system, SIAnalyzer, is designed and implemented, and sandbox-interception recognition tests are carried out on Chromium and Adobe Reader. The test results confirm the effectiveness and practicality of the method.
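As an added example (not code from the paper or from SIAnalyzer), the following Python sketch shows the kind of trace analysis the abstract describes: a small address-space state machine run over the instruction trace of an injected system function, then applied across a test function set. The module map, the hook module name sbx_hook.dll, the three traces, and the decision rule (a function counts as intercepted when control leaves the expected system modules before the kernel entry instruction, or never reaches it) are all assumptions made for illustration; the paper's actual automaton states and decision criteria are not given on this page.

```python
"""Address-space state machine over instruction traces (added example, not from the paper)."""
from typing import Dict, List, Optional, Set, Tuple

# Constructed module map for a hypothetical 32-bit Windows process.
# Base addresses and the hook module name are assumptions for illustration.
MODULES: List[Tuple[int, int, str]] = [
    (0x77000000, 0x77100000, "ntdll.dll"),
    (0x75000000, 0x75100000, "kernel32.dll"),
    (0x10000000, 0x10020000, "sbx_hook.dll"),  # hypothetical sandbox interception DLL
]
# Modules whose code an injected system function is expected to execute on its own.
SYSTEM_MODULES: Set[str] = {"ntdll.dll", "kernel32.dll"}
# Instructions that transfer control to the kernel.
KERNEL_ENTRY = {"sysenter", "syscall", "int 0x2e"}

Trace = List[Tuple[int, str]]  # (instruction address, mnemonic) per executed instruction


def module_of(addr: int) -> Optional[str]:
    """Map an address to the module containing it, or None for heap/stack/unmapped."""
    for start, end, name in MODULES:
        if start <= addr < end:
            return name
    return None


def analyze(trace: Trace) -> Dict[str, object]:
    """Run the address-space automaton over one function's trace.

    States: SYSTEM (executing inside the expected system modules), FOREIGN
    (executing outside them), KERNEL (a kernel entry instruction ran), DONE.
    Decision rule (an assumption of this example): the function is intercepted
    if control left the system modules before the kernel entry, or if the
    kernel was never entered at all (the hook answered the call itself).
    """
    state = "SYSTEM"
    foreign: List[str] = []
    reached_kernel = False
    for addr, mnemonic in trace:
        if state == "DONE":
            break
        if mnemonic in KERNEL_ENTRY:
            reached_kernel = True
            state = "KERNEL"
            continue
        if state == "KERNEL":
            state = "DONE"  # the user-mode tail after the kernel returns is not inspected
            continue
        module = module_of(addr)
        if module in SYSTEM_MODULES:
            state = "SYSTEM"
        else:
            state = "FOREIGN"
            label = module or f"unmapped:{addr:#x}"
            if label not in foreign:
                foreign.append(label)
    return {
        "intercepted": bool(foreign) or not reached_kernel,
        "foreign_regions": foreign,
        "reached_kernel": reached_kernel,
    }


def identify_intercepted(traces: Dict[str, Trace]) -> Set[str]:
    """Traverse the test function set and return the names the sandbox intercepts."""
    return {name for name, trace in traces.items() if analyze(trace)["intercepted"]}


NTDLL, HOOK = 0x77000000, 0x10000000

# Constructed traces, one per injected system function (not real captures).
TRACES: Dict[str, Trace] = {
    # Not intercepted: stays inside ntdll until the kernel entry.
    "NtQueryInformationProcess": [
        (NTDLL + 0x1000, "mov eax, 0x16"),
        (NTDLL + 0x1005, "mov edx, esp"),
        (NTDLL + 0x1007, "sysenter"),
        (NTDLL + 0x1009, "ret"),
    ],
    # Intercepted and allowed: the first instruction was patched to jump into
    # the hook module, which runs its check and then resumes the original code.
    "NtCreateFile": [
        (NTDLL + 0x2000, "jmp 0x10001000"),
        (HOOK + 0x1000, "push ebp"),
        (HOOK + 0x1001, "mov ebp, esp"),
        (HOOK + 0x1003, "pop ebp"),
        (HOOK + 0x1004, "jmp 0x77002005"),
        (NTDLL + 0x2005, "mov eax, 0x52"),
        (NTDLL + 0x200a, "mov edx, esp"),
        (NTDLL + 0x200c, "sysenter"),
        (NTDLL + 0x200e, "ret"),
    ],
    # Intercepted and denied: the hook returns a status without entering the kernel.
    "NtOpenProcess": [
        (NTDLL + 0x3000, "jmp 0x10002000"),
        (HOOK + 0x2000, "mov eax, 0xc0000022"),  # STATUS_ACCESS_DENIED
        (HOOK + 0x2005, "ret"),
    ],
}

if __name__ == "__main__":
    for name, trace in TRACES.items():
        print(name, analyze(trace))
    print("intercepted set:", sorted(identify_intercepted(TRACES)))
```

Two caveats a practitioner would want: the module map must be read from the untrusted process itself (the hook DLL may be mapped at a different base in each process, and relocations move it), and a patch whose handler was written into a code cave inside ntdll would never change the module of any traced address, so a purely map-based rule would miss it; that case needs the trace compared against the function's on-disk instruction sequence rather than only against address ranges.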
Publication history
  • Received: 2015-09-21
  • Revised: 2016-03-03
  • Published: 2016-07-19
