Re: Evading the Norman SandBox Analyzer

To: John Smith <genericjohnsmith@xxxxxxxxx>
Subject: Re: Evading the Norman SandBox Analyzer
From: Arne Vidstrom <arne.vidstrom@xxxxxxxxxxxxx>
Date: Sat, 03 Mar 2007 08:39:36 +0100
Cc: bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <FD8E22F2-0710-4B8C-8D39-A7D514886D7C@xxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <45E56955.1090000@xxxxxxxxxxxxx> <FD8E22F2-0710-4B8C-8D39-A7D514886D7C@xxxxxxxxx>
User-agent: Thunderbird 1.5.0.10 (Windows/20070221)

Hi,

Yes, the same instruction is used, but no, this is not the same thing atall. In the SandBox Analyzer case the problem is that the limit is setto a value which is not according to the Intel specification, which inturn singles out the SandBox Analyzer.

The RedPill technique works because in the virtualization the SIDTinstruction is emulated in ring 0 but run straight on the processor inring 3. Therefore SIDT in ring 3 reveals the address of another IDT thanthe one the OS thinks is in use. In a true emulator there is no reasonwhy the SIDT instruction should give different results in ring 0 andring 3, because everything is emulated both in ring 0 and ring 3. Andespecially there is no reason why the limit should be for example 800hinstead of 7ffh. That is not a problem with the emulator in itself, buta problem with the "OS" running inside the emulator. Which, again, isnot the same problem as the one RedPill uses. So no, this has notalready been published > 2 years ago.


/Arne

John Smith skrev:

This is the same as the results found > 2 years ago as published byJoanna Rutkowska as RedPill(http://invisiblethings.org/papers/redpill.html) (and before that in aUsenix paper) and therefore everyone who is interested inemulated/virtualized security already knows that SIDT is a probleminstruction.
John
On Feb 28, 2007, at 11:36 AM, Arne Vidstrom wrote:
Hi all,

Summary:
The Norman SandBox Analyzer (http://sandbox.norman.no/live.html) runsmalicious code samples in an emulated environment while logging theiractions. In practice it is more or less impossible to make anemulated environment perfectly similar to the real thing. It istherefore possible to write malicious code that does not behavemaliciously when run in the Sandbox Analyzer. Here I will give oneexample of such a technique.
Full text at:

http://www.ntsecurity.nu/onmymind/2007/2007-02-27.html
I have notified Norman about the problem but have chosen not to waitfor them to patch it. The reason being that this is not a regularvulnerability, but rather an example of an inherent weakness inemulated sandboxes in general. I assume they will patch thisparticular case shortly though since it should be very easy to do.
Regards /Arne

http://ntsecurity.nu
http://vidstrom.net

References:
- Evading the Norman SandBox Analyzer
  - From: Arne Vidstrom
- Re: Evading the Norman SandBox Analyzer
  - From: John Smith

Prev by Date: BJ Webring XSS
Next by Date: Re: Evading the Norman SandBox Analyzer
Previous by thread: Re: Evading the Norman SandBox Analyzer
Next by thread: [USN-428-1] Firefox vulnerabilities
Index(es):
- Date
- Thread