© 2009 Verizon. All Rights Reserved. PTEXXXXX XX/09
Practical Sandboxing on Windows with Chromium
Tom Keetch
About Me
– Verizon Business: lead consultant for code review in EMEA
– Previous presentations:
  – CONfidence: Assessing Practical Sandboxes (updated)
  – Black Hat Europe 2011: Assessing Practical Sandboxes
  – Hack.LU: Protected Mode Internet Explorer
– Those were all attack-orientated; this talk is more defence-orientated
– Exploit mitigations are my favourite topic: how to make vulnerabilities prohibitively expensive to find and exploit

Agenda
– What is Practical Sandboxing?
– What are the pros and cons?
– Should an application implement practical sandboxing?
– How can I implement a sandbox?
– What can go wrong? (Real-world sandbox escapes)
Introduction

What is Practical Sandboxing?
– A methodology: a combination of techniques, not a single mechanism
– Popularised by David LeBlanc and others at Microsoft
– Allows user-mode-only sandboxing (no kernel drivers)
– Based on facilities the OS already provides
– Used by:
  – Protected Mode Internet Explorer (IE7+, Vista+)
  – Microsoft Office Isolated Conversion Environment (MOICE, 2007)
  – Adobe Reader X (2010)
  – Google Chrome

Introduction to Practical Sandboxing
– Combines many overlapping mechanisms:
  – Restricted tokens
  – Job objects
  – Integrity levels (optional, Vista+)
  – Desktop / "window station" isolation
– Brief introduction to each of these follows
Restricted Tokens
– Any access token produced by CreateRestrictedToken()
  – Primary tokens for processes
  – Impersonation tokens for threads
– Three types of access control are in play:
  – Discretionary access control: under the control of the resource owner (the DACL)
  – Mandatory access control: enforced system-wide (integrity labels)
  – Capabilities (privileges): enforced by the subsystems that allow specific actions
– Three ways in which a token can be restricted:
  – Remove group-membership SIDs (they become deny-only) or add restricting SIDs, so that an access check must pass against the DACL for both the normal group list and the restricting list: discretionary access control
  – Lower the integrity level of the token (done with SetTokenInformation on the new token, not by CreateRestrictedToken itself): mandatory integrity control
  – Remove privileges: capability access control
– A "naked" token has no enabled groups and no privileges
Job Objects
– Introduced in Windows 2000
– Allow a group of processes to be managed as a unit:
  – Resource limitations
  – Accounting
  – Scheduling
  – UI restrictions
– Can prevent sandboxed processes from:
  – Spawning new processes (active-process limit)
  – Accessing resources associated with desktops and window stations
  – Interfering with the user's visual desktop (clipboard, global atoms, display settings, ...)
– Sandboxed processes are placed in job objects
Desktop / "Window Station" Isolation
– A window station contains all the resources that applications share in a single user environment
– In a multi-user environment (Terminal Services), each session has its own interactive window station (WinSta0)
– Each window station can contain multiple desktops
  – The interactive window station has three desktops by default: "Default", the secure desktop ("Winlogon") and "Screen-saver"
– Every application on the same desktop was historically treated as if it were in the same security context, e.g. "shatter attacks", UI hooks
– Every application sharing a window station shares its resources: clipboard, global atom table, ...
– Sandboxed applications therefore need their own desktop and window station
Mandatory Integrity Control
– Better known as "integrity levels"
  – First added in Windows Vista
  – Introduces the concept of a "less trusted" process
– Every securable object carries an integrity level, including processes (but not threads):
  – Low: sandboxed processes
  – Medium: the default; normal user processes
  – High: administrator processes (UAC-elevated)
  – System: services launched by the SCM
– Three policy "rules" a label can carry:
  – No Write-Up (the default rule)
  – No Read-Up
  – No Execute-Up
– Low integrity is an optional part of practical sandboxing (Vista and later only)
An Introduction to Handles
– A handle is an opaque reference to a securable object
  – Securable objects live in kernel memory
  – The handle is passed to the kernel whenever the object is accessed
  – Similar to a file descriptor on Unix
– Handles are scoped per process (each process has its own handle table)
– Access checks are performed at open time
  – A handle refers to a single securable kernel object
  – It carries a set of granted access rights
  – It can only be used for operations for which those rights were granted
  – Once a handle is open, no further access checks are performed: a handle that later ends up in a sandboxed process keeps whatever rights it was opened with
– A handle can be duplicated (DuplicateHandle) and made valid in another process
  – This is crucial to how sandboxes are implemented: the broker opens objects and hands handles to the target
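The four mechanisms above are normally applied together, not one at a time. The following script is an added example, written for this page and not taken from the slides or from the Chromium sandbox's own code: it launches a child as a restricted, Low-integrity process inside a locked-down job object, using the Win32 calls the slides name. It assumes Windows Vista or later and a normal Medium-integrity PowerShell session; the restricting-SID list copies the one the Chromium sandbox uses for its "interactive" user level, and notepad.exe is only a stand-in target.

```powershell
# Added example (not from the slides or the Chromium code base): restricted token
# + Low integrity + job object, in the order a broker would apply them.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class Sbx {
  [StructLayout(LayoutKind.Sequential)] public struct SID_AND_ATTRIBUTES { public IntPtr Sid; public uint Attributes; }
  [StructLayout(LayoutKind.Sequential)] public struct TOKEN_MANDATORY_LABEL { public SID_AND_ATTRIBUTES Label; }
  [StructLayout(LayoutKind.Sequential)] public struct JOBOBJECT_BASIC_LIMIT_INFORMATION {
    public long PerProcessUserTimeLimit, PerJobUserTimeLimit; public uint LimitFlags;
    public UIntPtr MinimumWorkingSetSize, MaximumWorkingSetSize; public uint ActiveProcessLimit;
    public UIntPtr Affinity; public uint PriorityClass, SchedulingClass; }
  [StructLayout(LayoutKind.Sequential)] public struct JOBOBJECT_BASIC_UI_RESTRICTIONS { public uint UIRestrictionsClass; }
  [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] public struct STARTUPINFO {
    public int cb; public string lpReserved, lpDesktop, lpTitle;
    public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
    public short wShowWindow, cbReserved2; public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError; }
  [StructLayout(LayoutKind.Sequential)] public struct PROCESS_INFORMATION { public IntPtr hProcess, hThread; public int dwProcessId, dwThreadId; }
  [DllImport("kernel32.dll")] public static extern IntPtr GetCurrentProcess();
  [DllImport("advapi32.dll", SetLastError = true)] public static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr tok);
  [DllImport("advapi32.dll", SetLastError = true)] public static extern bool CreateRestrictedToken(IntPtr tok, uint flags,
    uint nDisable, IntPtr disable, uint nDelete, IntPtr del, uint nRestrict, SID_AND_ATTRIBUTES[] restrict, out IntPtr newTok);
  [DllImport("advapi32.dll", SetLastError = true)] public static extern bool ConvertStringSidToSid(string s, out IntPtr sid);
  [DllImport("advapi32.dll")] public static extern uint GetLengthSid(IntPtr sid);
  [DllImport("advapi32.dll", SetLastError = true)] public static extern bool SetTokenInformation(IntPtr tok, int cls, ref TOKEN_MANDATORY_LABEL info, uint len);
  [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)] public static extern bool CreateProcessAsUser(IntPtr tok, string app,
    string cmd, IntPtr pa, IntPtr ta, bool inherit, uint flags, IntPtr env, string dir, ref STARTUPINFO si, out PROCESS_INFORMATION pi);
  [DllImport("kernel32.dll", SetLastError = true)] public static extern IntPtr CreateJobObject(IntPtr sa, string name);
  [DllImport("kernel32.dll", SetLastError = true)] public static extern bool SetInformationJobObject(IntPtr job, int cls, ref JOBOBJECT_BASIC_LIMIT_INFORMATION info, uint len);
  [DllImport("kernel32.dll", SetLastError = true, EntryPoint = "SetInformationJobObject")] public static extern bool SetJobUiLimits(IntPtr job, int cls, ref JOBOBJECT_BASIC_UI_RESTRICTIONS info, uint len);
  [DllImport("kernel32.dll", SetLastError = true)] public static extern bool AssignProcessToJobObject(IntPtr job, IntPtr proc);
  [DllImport("kernel32.dll", SetLastError = true)] public static extern uint ResumeThread(IntPtr thread);
}
'@
$M = [Runtime.InteropServices.Marshal]
function Fail([string]$Api) { throw "$Api failed, Win32 error $($M::GetLastWin32Error())" }

function Start-SandboxedProcess([string]$CommandLine = 'notepad.exe') {
    # 1. Start from our own primary token (TOKEN_ALL_ACCESS on our own process is always granted).
    $src = [IntPtr]::Zero
    if (-not [Sbx]::OpenProcessToken([Sbx]::GetCurrentProcess(), 0xF01FF, [ref]$src)) { Fail 'OpenProcessToken' }

    # 2. Restricted token. Restricting SIDs as in Chromium's USER_INTERACTIVE level:
    #    Users, Everyone, RESTRICTED, the current user and the logon-session SID.
    #    Every access check must now also pass against this list, so objects whose
    #    DACL names only the user's other groups become inaccessible. The logon SID
    #    is needed because the interactive desktop's DACL grants access through it.
    #    DISABLE_MAX_PRIVILEGE keeps only SeChangeNotify; LUA_TOKEN drops admin groups.
    $logonSid = (whoami /groups /fo csv | ConvertFrom-Csv | Where-Object SID -like 'S-1-5-5-*').SID
    $sidStrings = @('S-1-5-32-545', 'S-1-1-0', 'S-1-5-12',
                    [Security.Principal.WindowsIdentity]::GetCurrent().User.Value, $logonSid)
    $restrict = New-Object 'Sbx+SID_AND_ATTRIBUTES[]' $sidStrings.Count
    for ($i = 0; $i -lt $sidStrings.Count; $i++) {
        $p = [IntPtr]::Zero
        if (-not [Sbx]::ConvertStringSidToSid($sidStrings[$i], [ref]$p)) { Fail "ConvertStringSidToSid($($sidStrings[$i]))" }
        $sa = New-Object 'Sbx+SID_AND_ATTRIBUTES'; $sa.Sid = $p; $restrict[$i] = $sa
    }
    $tok = [IntPtr]::Zero
    $DISABLE_MAX_PRIVILEGE = 0x1; $LUA_TOKEN = 0x4
    if (-not [Sbx]::CreateRestrictedToken($src, $DISABLE_MAX_PRIVILEGE -bor $LUA_TOKEN, 0, [IntPtr]::Zero, 0, [IntPtr]::Zero,
            $restrict.Count, $restrict, [ref]$tok)) { Fail 'CreateRestrictedToken' }

    # 3. Mandatory Integrity Control: label the token Low (S-1-16-4096), so the child
    #    cannot write to Medium-integrity objects even where the DACL would allow it.
    $lowSid = [IntPtr]::Zero
    if (-not [Sbx]::ConvertStringSidToSid('S-1-16-4096', [ref]$lowSid)) { Fail 'ConvertStringSidToSid(Low)' }
    $lbl = New-Object 'Sbx+SID_AND_ATTRIBUTES'; $lbl.Sid = $lowSid; $lbl.Attributes = 0x20   # SE_GROUP_INTEGRITY
    $label = New-Object 'Sbx+TOKEN_MANDATORY_LABEL'; $label.Label = $lbl
    $TokenIntegrityLevel = 25
    if (-not [Sbx]::SetTokenInformation($tok, $TokenIntegrityLevel, [ref]$label,
            $M::SizeOf($label) + [Sbx]::GetLengthSid($lowSid))) { Fail 'SetTokenInformation' }

    # 4. Job object: one active process (no children), killed when the last job handle
    #    closes, plus every UI restriction (clipboard, global atoms, desktop switching,
    #    display settings, ExitWindows, USER handles of processes outside the job).
    $job = [Sbx]::CreateJobObject([IntPtr]::Zero, $null)
    if ($job -eq [IntPtr]::Zero) { Fail 'CreateJobObject' }
    $lim = New-Object 'Sbx+JOBOBJECT_BASIC_LIMIT_INFORMATION'
    $lim.LimitFlags = 0x8 -bor 0x2000      # JOB_OBJECT_LIMIT_ACTIVE_PROCESS | JOB_OBJECT_LIMIT_KILL_ON_JOB_CLOSE
    $lim.ActiveProcessLimit = 1
    if (-not [Sbx]::SetInformationJobObject($job, 2, [ref]$lim, $M::SizeOf($lim))) { Fail 'SetInformationJobObject(limits)' }
    $ui = New-Object 'Sbx+JOBOBJECT_BASIC_UI_RESTRICTIONS'; $ui.UIRestrictionsClass = 0xFF   # JOB_OBJECT_UILIMIT_ALL
    if (-not [Sbx]::SetJobUiLimits($job, 4, [ref]$ui, 4)) { Fail 'SetInformationJobObject(UI)' }

    # 5. Create the child suspended, bind it to the job, then resume it, so that it never
    #    executes an instruction outside the job.
    $si = New-Object 'Sbx+STARTUPINFO'; $si.cb = $M::SizeOf($si)
    $pi = New-Object 'Sbx+PROCESS_INFORMATION'
    $CREATE_SUSPENDED = 0x4
    if (-not [Sbx]::CreateProcessAsUser($tok, $null, $CommandLine, [IntPtr]::Zero, [IntPtr]::Zero, $false, $CREATE_SUSPENDED,
            [IntPtr]::Zero, $null, [ref]$si, [ref]$pi)) { Fail 'CreateProcessAsUser' }
    if (-not [Sbx]::AssignProcessToJobObject($job, $pi.hProcess)) { Fail 'AssignProcessToJobObject' }
    [void][Sbx]::ResumeThread($pi.hThread)
    # Keep the job handle referenced: closing it terminates the child (KILL_ON_JOB_CLOSE).
    [pscustomobject]@{ ProcessId = $pi.dwProcessId; JobHandle = $job }
}

$child = Start-SandboxedProcess 'notepad.exe'
"Sandboxed PID $($child.ProcessId)"
```

Two caveats a practitioner will hit. CreateProcessAsUser needs no SeAssignPrimaryToken privilege here only because the token is a restricted version of the caller's own primary token; any other token would. And the fourth mechanism is deliberately missing: the child still runs on WinSta0\Default, so it shares the clipboard and atom table (partly covered by the UI limits) and is kept off Medium-integrity windows only by UIPI. The Chromium sandbox additionally creates an alternate desktop, and a window station for the renderer, with DACLs that the restricted token can pass, which is why the logon SID has to be in the restricting list above. Before Windows 8, AssignProcessToJobObject also fails if the launching shell is itself already inside a job.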
Sandbox Designs

Sandbox Design: Single Process
– Components: Sandbox Target (partial/no trust)
– Simplest mode of operation: a single process launched with limited privileges, or one that restricts itself post-initialisation
  – The normal loading process requires certain privileges
  – The process can lock itself down once initialised, if it is still "trustworthy" at that point
– Least functional option
  – Any securable objects have to be opened before lockdown
  – Useful for batch processing (?)

Sandbox Design: Target and Broker
– Components: Sandbox Target (partial/no trust), Broker (full trust)
– More functional option: allows the sandbox to communicate with a broker
– The broker can be used to implement very granular policies
– The broker performs the more privileged operations on the target's behalf
– Secure IPC is required
– Used by Adobe Reader X

Sandbox Design: Broker Co-ordinating Mixed-Trust Targets
– Components: Sandbox Target (untrusted), Target (full trust), Broker (full trust)
– The broker can co-ordinate multiple components, sandboxing some but not others
– Used by Protected Mode IE

Sandbox Design: Fully Compartmentalised
– Components: Sandbox Target (untrusted), Sandbox Component (untrusted), Broker (full trust), Component (full trust)
– Fully compartmentalised architecture: a different sandbox for each component
– Used by Google Chrome
Chromium Sandboxing

Introduction to the Chromium Sandbox
– A re-usable framework
  – Part of the Google Chrome browser
  – Applies the full "Practical Sandboxing" methodology
  – Also used by Adobe Reader X
  – BSD licence
– Does the heavy lifting of:
  – Process lockdown
  – Secure IPC

Chromium Sandboxing
The policy applied to each Chromium process is characterised along these dimensions:
– Token restriction level
– Job object restriction level
– Integrity level
– Window station isolation (Y/N)
– Desktop isolation (Y/N)
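Three of those five dimensions can be read back from outside a running process, which is how a reviewer checks what a sandbox actually applied rather than what its documentation claims. The script below is an added example, not part of the slides or of Chromium: for every process with a given image name it reports the integrity level, whether the primary token carries restricting SIDs, how many privileges survive, and whether the process is inside a job. Window station and desktop are per-thread properties that another process cannot query, so they are not reported. It assumes Windows Vista or later, run as the same user that owns the target processes (opening the token of a protected process fails and the process is skipped).

```powershell
# Added example (not from the slides or Chromium): read token and job state of other processes.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class TokInfo {
  [DllImport("kernel32.dll", SetLastError = true)] public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
  [DllImport("advapi32.dll", SetLastError = true)] public static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr tok);
  [DllImport("advapi32.dll", SetLastError = true)] public static extern bool GetTokenInformation(IntPtr tok, int cls, IntPtr buf, int len, out int needed);
  [DllImport("advapi32.dll")] public static extern bool IsTokenRestricted(IntPtr tok);
  [DllImport("kernel32.dll", SetLastError = true)] public static extern bool IsProcessInJob(IntPtr proc, IntPtr job, out bool inJob);
  [DllImport("advapi32.dll")] public static extern IntPtr GetSidSubAuthorityCount(IntPtr sid);
  [DllImport("advapi32.dll")] public static extern IntPtr GetSidSubAuthority(IntPtr sid, uint index);
  [DllImport("kernel32.dll")] public static extern bool CloseHandle(IntPtr h);
  // Fetch one token information class into a heap buffer; the caller frees it.
  public static IntPtr Query(IntPtr tok, int cls) {
    int need;
    GetTokenInformation(tok, cls, IntPtr.Zero, 0, out need);
    IntPtr buf = Marshal.AllocHGlobal(need);
    if (GetTokenInformation(tok, cls, buf, need, out need)) return buf;
    Marshal.FreeHGlobal(buf); return IntPtr.Zero;
  }
}
'@
function Get-SandboxState([string]$ProcessName = 'chrome') {
    $M = [Runtime.InteropServices.Marshal]
    $PROCESS_QUERY_LIMITED_INFORMATION = 0x1000; $TOKEN_QUERY = 0x8
    $TokenPrivileges = 3; $TokenIntegrityLevel = 25
    $names = @{ 0 = 'Untrusted'; 4096 = 'Low'; 8192 = 'Medium'; 12288 = 'High'; 16384 = 'System' }
    foreach ($p in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
        $hp = [TokInfo]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, $p.Id)
        if ($hp -eq [IntPtr]::Zero) { continue }
        $tok = [IntPtr]::Zero
        if (-not [TokInfo]::OpenProcessToken($hp, $TOKEN_QUERY, [ref]$tok)) { [void][TokInfo]::CloseHandle($hp); continue }

        # Integrity level = RID (last sub-authority) of the token's mandatory-label SID.
        $rid = -1
        $buf = [TokInfo]::Query($tok, $TokenIntegrityLevel)
        if ($buf -ne [IntPtr]::Zero) {
            $sid = $M::ReadIntPtr($buf)                                    # TOKEN_MANDATORY_LABEL.Label.Sid
            $n = $M::ReadByte([TokInfo]::GetSidSubAuthorityCount($sid))
            $rid = $M::ReadInt32([TokInfo]::GetSidSubAuthority($sid, $n - 1))
            $M::FreeHGlobal($buf)
        }
        $level = if ($names.ContainsKey($rid)) { $names[$rid] } else { $rid }

        # Privilege count = first DWORD of TOKEN_PRIVILEGES (a locked-down token has 0 or 1).
        $privs = -1
        $buf = [TokInfo]::Query($tok, $TokenPrivileges)
        if ($buf -ne [IntPtr]::Zero) { $privs = $M::ReadInt32($buf); $M::FreeHGlobal($buf) }

        $inJob = $false
        [void][TokInfo]::IsProcessInJob($hp, [IntPtr]::Zero, [ref]$inJob)   # NULL job handle = "in any job?"

        [pscustomobject]@{
            Pid             = $p.Id
            IntegrityLevel  = $level
            RestrictedToken = [TokInfo]::IsTokenRestricted($tok)   # true only if restricting SIDs are present
            Privileges      = $privs
            InJob           = $inJob
        }
        [void][TokInfo]::CloseHandle($tok); [void][TokInfo]::CloseHandle($hp)
    }
}
Get-SandboxState chrome | Format-Table -AutoSize
```

Run against a browser, the output separates the broker (Medium, unrestricted, many privileges, no job) from the renderers (Low or Untrusted, restricted, no privileges, in a job) and shows at a glance whether a plug-in process is really sandboxed or only lowered in integrity. A "Low" label with RestrictedToken false and no job is the "privilege stripping" tier on the relative-security scale later in the talk, not a practical sandbox.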
When are Sandboxes Effective?

Theory of Exploit Mitigations
– Two options for exploit mitigation:
  1) Increase the cost of exploitation
  2) Decrease the value of the target
– But a second-stage exploit can usually bypass the sandbox for a finite cost...
Theory of Exploit Mitigations
– Two potential failures:
  1) The cost of bypassing the mitigation is too low to deter a potential attacker
     – Trivial to bypass? High target value?
  2) The reduction in the value of the target is not sufficient to deter a potential attacker
     – Protecting the wrong assets? Some assets cannot be protected by a sandbox.

When are Sandboxes Ineffective?

Common Sandbox Flaws
– Incomplete "practical sandbox" implementation
– Un-sandboxed components
– Broker vulnerabilities
– Broker policy errors
– Handle leaks
Real-world problems - Example #1
– Affected: Internet Explorer 7
– Problem type: handle leak
– Details:
  – Handles were leaked into the Low Integrity process
  – The handles referred to Medium Integrity process and thread objects
  – Manipulating that process or thread allowed code injection
  – Code injection into the broker allows sandbox escape
– Discovered by Skywing (Uninformed.org, 2007)

Real-world problems - Example #2
– Affected: Internet Explorer 7, Adobe Reader X (both unpatched at the time)
– Problem type: incomplete sandbox, memory corruption
– Details:
  – Local BNO (BaseNamedObjects) namespace squatting
  – The BNO namespace contains shared memory sections and synchronisation objects
  – Creating a specific shared section before the victim does allows privilege escalation
  – An IE bug, but exploitable from any sandbox which allows creation of named objects in the BNO namespace
– Still unpatched in Internet Explorer 9!

Real-world problems - Example #3
– Affected: Internet Explorer, Google Chrome
– Problem type: insecure plug-ins
– Details:
  – Flash and other plug-ins are not sandboxed in Chrome
  – Plug-ins can opt out of the sandbox in IE
  – Internet Explorer does not sandbox sites in "more trusted" zones
– It is generally difficult to sandbox legacy third-party components

Other Issues
– None of these sandboxes limit network access
– Adobe Reader X: handle leak through WinInet
– PMIE and Adobe Reader X allow full read access to all of the user's files
  – PMIE because only integrity levels are used: the default label policy is No Write-Up only, so a Low process can still read Medium files
  – Adobe Reader X through its broker policy
– PMIE bypass if the Local Intranet Zone is enabled (e.g. on a typical corporate desktop)
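The Adobe Reader X case is a policy error rather than a code bug: the broker in the target-and-broker design earlier decides what the target may touch, and a rule that is too broad hands the attacker the user's files without any exploit. The script below is an added example and a deliberately simplified model, not the Chromium broker's real rule engine: a broker-side file check with default deny, longest-prefix matching and canonicalisation before matching. The rule names, the two sample policies and the sample paths are constructed for illustration; only the environment variables are real.

```powershell
# Added example (not from the slides, not Chromium's policy code): a model of a
# broker's file-access policy check, with a broad and a narrow policy compared.
$script:Rules = @()
function Add-FileRule([string]$Prefix, [ValidateSet('Read', 'ReadWrite')][string]$Access) {
    # Rules are stored canonical and prefix-shaped; the longest matching prefix wins.
    $script:Rules += [pscustomobject]@{ Prefix = [IO.Path]::GetFullPath($Prefix).TrimEnd('\') + '\'; Access = $Access }
}
function Test-FileAccess([string]$RequestedPath, [ValidateSet('Read', 'ReadWrite')][string]$Wanted) {
    # Canonicalise before matching: a compromised target can send "..\" sequences,
    # forward slashes, mixed case, or the "\\?\" / "\??\" prefixes. Strip the
    # prefixes first so the verbatim-path form cannot dodge the comparison, then
    # refuse anything that is not an absolute path.
    $clean = $RequestedPath -replace '^\\\\\?\\|^\\\?\?\\', ''
    if (-not [IO.Path]::IsPathRooted($clean)) { return $false }
    $full = [IO.Path]::GetFullPath($clean)
    $best = $script:Rules |
        Where-Object { $full.StartsWith($_.Prefix, [StringComparison]::OrdinalIgnoreCase) } |
        Sort-Object { $_.Prefix.Length } -Descending | Select-Object -First 1
    if (-not $best) { return $false }                 # default deny: no rule, no access
    if ($Wanted -eq 'Read') { return $true }          # any matching rule grants read
    return $best.Access -eq 'ReadWrite'
}

# Policy A, the broad rule criticised above: everything under the profile is readable.
$script:Rules = @()
Add-FileRule $env:USERPROFILE Read
Test-FileAccess "$env:USERPROFILE\.ssh\id_rsa" Read                    # True: the policy, not a bug, leaks the key

# Policy B: one document directory read-only, one scratch directory writable.
$script:Rules = @()
Add-FileRule "$env:USERPROFILE\Documents\Sandboxed" Read
Add-FileRule "$env:LOCALAPPDATA\Temp\Low" ReadWrite
Test-FileAccess "$env:USERPROFILE\Documents\Sandboxed\report.pdf" Read       # True
Test-FileAccess "$env:USERPROFILE\Documents\Sandboxed\report.pdf" ReadWrite  # False: read-only rule
Test-FileAccess "$env:USERPROFILE\Documents\Sandboxed\..\..\.ssh\id_rsa" Read  # False: traversal canonicalised away
Test-FileAccess "\\?\$env:LOCALAPPDATA\Temp\Low\scratch.tmp" ReadWrite       # True: prefix stripped, then matched
Test-FileAccess "Documents\Sandboxed\report.pdf" Read                         # False: relative paths are refused
```

The model shows the two errors the slides group under "broker policy": a rule whose scope is the whole asset you meant to protect (policy A), and matching on the string the untrusted side sent rather than on the object it resolves to. A real broker must also handle short (8.3) names, junctions and reparse points, and device names, none of which GetFullPath resolves; the Chromium broker works on the NT path it obtains from the kernel for that reason.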
Is a Sandbox Appropriate for your Application?

Should you implement a sandbox?
– Questions you should ask:
  – Have remote code execution exploits been developed for your application, or are they likely to be?
  – Is it a high-value application?
  – Will a sandbox be able to segregate the key assets?
– Also, questions that affect the cost:
  – Is it a legacy application?
  – Are the libraries it uses suitable for sandboxing?
    – [D]COM is not suitable
    – WinInet may not be suitable
    – I don't have hard data on which libraries are not suitable...

Should you implement a sandbox?
– Have you implemented...
  – 'banned.h' (the SDL banned-API header)?
  – /GS stack cookies?
  – ASLR-compatible binaries?
  – SafeSEH-compatible binaries?
  – Removal of all RWX shared sections?
  – EMET compatibility?
  – Developer security training?
  – Semi-regular "fuzzing"?
  – Security design reviews?
  – Internal security testing?
  – External security reviews?
– If the answer to any of the above is no, then don't implement a sandbox yet: you can get more "bang for your buck" elsewhere
Roadmap for Implementing a Sandbox
1. Vulnerability prevention before mitigation
2. Ensure other, cheaper mitigations are implemented first
3. Determine the level of need
4. Identify high-risk components
5. Allow components to interact across process boundaries
6. Restrict the privileges of high-risk components
7. Sandbox high-risk components
8. Validate
9. Iterate: you won't get it right first time...

Summary & Conclusions

Pros and Cons of a Sandbox
– Pros:
  – Layered defence
  – Minimum privilege
  – Componentisation improves reliability
– Cons:
  – Only really protects against remote code execution vulnerabilities
  – Increased development costs
  – Increased maintenance costs

Conclusions
– Sandboxing can be very expensive!
  – Only effective in certain situations
  – Prevention is better than cure
  – There are many other exploit mitigation options to consider first
– Implementing minimum privilege and application compartmentalisation
  – Makes sandboxing much easier
  – Is good engineering practice in its own right
– Not all "sandboxes" are created equal
  – But it is a powerful exploit mitigation technique when implemented correctly
  – Much easier if built in from day 0
A Practical Guide to Relative Sandbox Security
From more protection to less protection:
1. Google Chrome renderer
2. Adobe Reader X
3. Protected Mode Internet Explorer
4. Google Chrome Flash plug-in
5. Privilege / "admin rights" stripping
6. No sandbox
More Conclusions
– Exploitation is a market-driven economy:
  – Supply and demand (for exploits)
  – Marginal cost (of exploitation)
  – Return on investment (ratio of the cost of an exploit to the value of the targets)
  – Barriers to entry
– Effective defence raises the cost of exploitation
  – Exploit mitigations achieve this to varying degrees
  – Exploit mitigations are only part of the solution
– Effective exploit mitigations can be implemented at low cost and greatly increase the difficulty of attack

My Soap Box
– If you implement a security sandbox... or something that just looks like a "sandbox":
  1. Please be honest about its limitations
  2. Be clear about what it achieves
– Otherwise someone will show it to be insecure and blame you!
  – You can replace "sandbox" with any potential security feature

Any Questions?
More information
– My Black Hat Briefings Europe 2011 materials: https://blackhat.com/html/bh-eu-11/bh-eu-11-archives.html#Keetch
– My Protected Mode IE whitepaper: http://www.verizonbusiness.com/resources/whitepapers/wp_escapingmicrosoftprotectedmodeinternetexplorer_en_xg.pdf
– My Hack.LU 2010 presentation on Protected Mode IE: http://archive.hack.lu/2010/Keetch-Escaping-from-Protected-Mode-Internet-Explorer-slides.ppt
– Richard Johnson, "Adobe Reader X: A Castle Built on Sand": http://rjohnson.uninformed.org/Presentations/A%20Castle%20Made%20of%20Sand%20-%20final.pdf
– Stephen Ridley, "Escaping the Sandbox": http://www.recon.cx/2010/slides/Escaping_The_Sandbox_Stephen_A_Ridley_2010.pdf
– Skywing, "Getting out of Jail: Escaping Internet Explorer Protected Mode": http://www.uninformed.org/?v=8&a=6&t=sumry