Volume 38 Issue 7
Jul.  2016
ZHAO Xu, YAN Xuexiong, WANG Qingxian, WEI Qiang. Sandbox-interception Recognition Method Based on Function Injection[J]. Journal of Electronics & Information Technology, 2016, 38(7): 1823-1830. doi: 10.11999/JEIT151074

Sandbox-interception Recognition Method Based on Function Injection

doi: 10.11999/JEIT151074
Funds:

The National 863 Program of China (2012AA012902)

  • Received Date: 2015-09-21
  • Rev Recd Date: 2016-03-03
  • Publish Date: 2016-07-19
  • Abstract: Testing a sandbox's authentication mechanism first requires recognizing the sandbox interception, that is, the set of system functions intercepted by the sandbox. Existing hook-recognition methods and tools mainly focus on whether a hook exists and lack the ability to recognize sandbox interception. This study proposes a sandbox-interception recognition method based on function injection. The method recognizes whether the sandbox intercepts the tested functions by analyzing the traces of system functions. First, the method injects the system functions into an untrusted process and executes them there to record the function traces. Then, based on the features of the traces of intercepted system functions, an address-space finite state automaton is designed, and intercepted system functions are identified by analyzing the traces with it. Next, the function sets are traversed to identify the set of system functions intercepted by the target sandbox. Finally, a prototype, SIAnalyzer, is implemented and tested with the Chromium sandbox and the Adobe Reader sandbox. The results show that the proposed method is effective and practical.
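As an added illustration (not code from the paper or from SIAnalyzer), the trace-classification step described in the abstract modelled in Python: a small address-space state machine walks the addresses executed after an injected call and flags the function as intercepted when control passes through a module other than the caller's stub and the system DLL. The module layout, state names, function names and traces below are constructed assumptions, and the function-set traversal is a simplified stand-in for the paper's procedure.

```python
# Assumed address map of the untrusted process (constructed): the injected stub
# that issues the call, the system DLL owning the function, and a sandbox module.
REGIONS = {
    "stub":        (0x00400000, 0x00401000),
    "system_dll":  (0x77000000, 0x77100000),
    "sandbox_dll": (0x10000000, 0x10100000),
}

def region_of(addr):
    """Map an executed address to the module that owns it."""
    for name, (start, end) in REGIONS.items():
        if start <= addr < end:
            return name
    return "unknown"

def classify_trace(trace, system="system_dll"):
    """States: CALLER (in the stub) -> SYSTEM (inside the system function)
    -> RETURNED (back in the stub). Any visit to a third module between
    CALLER and RETURNED is FOREIGN and marks the function as intercepted."""
    state, foreign = "CALLER", []
    for addr in trace:
        mod = region_of(addr)
        if state == "RETURNED":
            break                          # call completed; ignore the rest
        if mod == "stub":
            state = "RETURNED" if state != "CALLER" else "CALLER"
        elif mod == system:
            state = "SYSTEM"
        else:
            state = "FOREIGN"
            if mod not in foreign:
                foreign.append(mod)
    if state != "RETURNED":
        return "incomplete", foreign       # trace cut off before the return
    return ("intercepted" if foreign else "clean"), foreign

def intercepted_functions(traces):
    """Traverse the candidate function set and keep the intercepted ones."""
    return {f for f, t in traces.items() if classify_trace(t)[0] == "intercepted"}

# Constructed traces: the first call is diverted through the sandbox module
# on the way in and out of the system DLL; the second runs straight through.
TRACES = {
    "NtCreateFile": [0x00400010, 0x10000200, 0x10000210, 0x77000100,
                     0x77000104, 0x10000230, 0x00400014],
    "NtClose":      [0x00400020, 0x77000300, 0x77000304, 0x00400024],
}
```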
