How To Automatically Sandbox IIS With Zero False Positive And Negative, presented at Black Hat Europe 2006

by Tzi-cker Chiueh

Tags: Security Infrastructure Monitoring Analysis Business

Summary: Comparing the system call sequence of a network application against a sandboxing policy is a popular approach to detecting control-hijacking attacks, in which the attacker exploits a software vulnerability such as a buffer overflow to seize control of a victim application and possibly the underlying machine. The main barrier to the acceptance of this system call monitoring approach is the availability of accurate sandboxing policies, especially for Windows applications whose source code is unavailable. In fact, many commercial computer security companies take advantage of this fact and fashion a business model in which their users pay a subscription fee to receive periodic updates to the application sandboxing policies, much like anti-virus signatures. This paper describes the design, implementation and evaluation of a sandboxing system called BPAID that can automatically extract a highly accurate application-specific sandboxing policy from a Win32/x86 binary and enforce the extracted policy at run time with low overhead. BPAID is built on a binary interpretation and analysis infrastructure called BIRD; it supports application binaries with dynamically linked libraries, exception handlers and multi-threading, and it has been shown to work correctly for a large number of native Windows-based network applications, including IIS and Apache. The measured throughput and latency penalty for all the applications tested under BPAID, except one, is under 8%.
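To make the idea concrete, here is an added toy example (not BPAID or BIRD code, and not from the talk): a policy of permitted system-call transitions is derived statically from a constructed control-flow graph of a tiny server, then enforced on an observed call sequence. Because every transition the program can legitimately take is in the policy, legitimate traces never trip it, while a trace that diverges from the program's own structure is flagged at the first unexpected call. The block names, edges and syscall names are constructed for illustration.

```python
# Toy system-call-sequence sandbox: extract a transition policy from a
# program's control-flow graph, then enforce it on a runtime trace.
# Constructed example, not the talk's implementation.

# Constructed CFG of a small server. Keys are basic blocks, values are the
# blocks reachable by a legal control transfer.
CFG_EDGES = {
    "entry":  ["listen"],
    "listen": ["accept"],
    "accept": ["read", "close"],
    "read":   ["parse"],
    "parse":  ["write", "read"],   # parse makes no syscall itself
    "write":  ["accept"],
    "close":  ["exit"],
    "exit":   [],
}
# The (at most one) system call each block issues.
BLOCK_SYSCALL = {
    "listen": "listen", "accept": "accept", "read": "recv",
    "write": "send", "close": "closesocket", "exit": "ExitProcess",
}

def extract_policy(edges, syscall_of):
    """Statically compute the allowed (previous_syscall, next_syscall) pairs.
    From program entry (marked START) and from each syscall-making block,
    walk the CFG and record the first syscall-making blocks reachable
    without passing through another syscall-making block."""
    policy = set()
    starts = [("START", "entry")] + [(syscall_of[b], b) for b in syscall_of]
    for prev, start in starts:
        seen, stack = set(), list(edges[start])
        while stack:
            block = stack.pop()
            if block in seen:
                continue
            seen.add(block)
            if block in syscall_of:
                policy.add((prev, syscall_of[block]))
            else:
                stack.extend(edges[block])     # keep walking through non-syscall blocks
    return policy

def check_trace(policy, trace):
    """Enforce the policy: return the index of the first system call whose
    transition from the previous call is not permitted, or -1 if the whole
    trace is consistent with the program's structure."""
    prev = "START"
    for i, call in enumerate(trace):
        if (prev, call) not in policy:
            return i
        prev = call
    return -1
```

A trace such as listen, accept, recv, send, accept is accepted, whereas recv followed by a call the program never issues after recv is rejected at that position.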