Feb 6, 2017
This week, we discuss sandboxing technologies. Most of the time, infosec people are using sandboxes and similar technology for analyzing malware and malicious software.
Developers use it to create additional protections, or even to create defenses to ward off potential attack vectors.
We discuss sandboxes and sandboxing technology, jails, chrooting of applications, and even tools that keep applications honest, in particular, the pledge(2) function in OpenBSD
“Tickets for attendance and
training are on sale, And entering special code
'brakeingsecurity' at checkout gets you a 10% discount".
Brakeing Down Security thanks #Sebastian Paul #Avarvarei and all
the organizers of #Hack In The Box (#HITB) for this opportunity!
You can follow them on Twitter @HITBSecConf. Hack In the Box will
be held from 10-14 April 2017. Find out more information here:
Join our #Slack Channel! Sign up at
#Google Play Store: https://play.google.com/music/m/Ifp5boyverbo4yywxnbydtzljcy?t=Brakeing_Down_Security_podcast
Comments, Questions, Feedback, or Suggestions? Contact us via Email: firstname.lastname@example.org
#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir
#Player.FM : https://player.fm/series/brakeing-down-security-podcast
#Stitcher Network: http://www.stitcher.com/s?fid=80546&refid=stpr
#TuneIn Radio App: http://tunein.com/radio/Brakeing-Down-Security-Podcast-p801582
Sandboxing tech - https://hangouts.google.com/call/yrpzdahvjjdbfhesvjltk4ahgmf
A sandbox is implemented by executing the software in a restricted operating system environment, thus controlling the resources (for example, file descriptors, memory, file system space, etc.) that a process may use.
Various types of sandbox tech
Jails - freebsd
Much like Solaris 10’s zones, restricted operating system, also able to install OSes inside, like Debian
Pledge(8) - new to OpenBSD
Program says what it should use, if it steps outside those lines, it’s killed
Chroot - openbsd, linux (chroot jails)
“A chroot on Unix operating systems is an operation that changes the apparent root directory for the current running process and its children”
Example: “www” runs in /var/www. A chrooted www website must contain all the necessary files and libraries inside of /var/www, because to the application /var/www is ‘/’
Rules based execution - AppArmor, PolicyKit, SeLinux
Allows users to set what will be ran, and which apps can inject DLLs or objects.
“It also can control file/registry security (what programs can read and write to the file system/registry). In such an environment, viruses and trojans have fewer opportunities of infecting a computer.”
Virtual machines - sandboxes in their own right
Revert once changes have occurred
CON: some malware will detect VM environments, change ways of working
Containers (docker, kubernetes, vagrant, etc)
Quick standup of images
Blow away without loss of host functionality
Helpful to run containers as an un-privileged user.
Emulation Vs. Virtualization
http://labs.lastline.com/different-sandboxing-techniques-to-detect-advanced-malware --seems like a good link
VMware Thinapp (emulator):
(continued next page)
Malware lab creation (Alienvault blog):
News: (assuming it goes short)
SHA-1 generated certs will be deprecated soon - https://threatpost.com/sha-1-end-times-have-arrived/123061/
(whitelisting files in Apache)