by A sandbox is any environment used to isolate a computer process away from other processes, as well as the host. The process that is being isolated is called the guest. The computer that houses the sandbox (with guest) is called the host. A sandbox escape is any type of exploit that allows the guest process to break free of the constraints of the sandbox, and access the host and/or outside world resources directly.
The sandbox provides a constrained interface (shell) for the guest to operate in. If the guest manages to escape, it has escalated privilege and upgraded its shell to that of the host environment.
Examples of sandboxes include the following.
|
Sandbox Type |
Description |
|
Virtual machines |
Entire operating systems run within their own environments. From a networking perspective, the virtual machine behaves like any other host on the network, with its own IP address and services that serve clients. Most data centers use virtual machines to reduce cost. |
|
Docker containers |
Self-contained applications run in lightweight virtual machines, sharing resources with the host OS kernel. |
|
Web browsers |
Browsers run in low-privilege sandbox mode. If they become compromised, the damage they do will be limited. |
|
Web browser plug-in content |
Plug-ins like Microsoft Silverlight and Adobe Flash isolate games and multimedia they run. This is more controlled and secure than if the games were to run on a desktop. |
|
Web pages |
The browser sandboxes web pages it loads. Scripts that run are restricted from accessing the host file system. |
|
Mobile apps |
Android, iOS, and Windows 8 apps are each run in their own sandbox, separate from the host OS and each other. If the app wants to access resources such as location, camera, contacts, etc., it must ask permission. |
|
PDFs and documents |
PDFs are prevented from escaping the PDF viewer. Microsoft Office documents are run in sandbox mode to prevent unsafe macros from running. |
|
Unknown file temporary quarantine/scanning |
As you upload or download files, either the website or your anti-malware application will temporarily quarantine the files for scanning. |
|
Antivirus quarantine |
Antivirus programs detect and quarantine viruses and malware. |
|
Attachment sandboxing |
Email attachments or downloaded files are quarantined and tested before upload/download. |
Sandbox Exploits
Although sandboxes are meant to be tightly controlled, there have been cases where a guest process escapes the sandbox and is able to run code on the host or interfere with another sandboxed process. Notable examples include the following.
|
Vulnerability |
Description |
Exploit |
|
CVE-2017-4901 – VMware Escape Exploit before VMware WorkStation 12.5.5 |
|
https://github.com/unamer/vmware_escapes://github.com/unamer/vmware_escape |
|
CVE-2016-3321 – Internet Explorer Iframe Sandbox File Name Disclosure |
|
Metasploit module auxiliary/gather/ie_sandbox_findfiles |
|
CVE-2015-0016, MS15-004 – Microsoft Remote Desktop Services Web Proxy IE Sandbox Escape |
|
Metasploit module exploit/windows/local/ms15_004_tswbproxy |
Note: For more Metasploit modules related to sandboxes, at the msf console, enter search sandbox.
Virus and Malware Sandbox Evasion Techniques
Authors of viruses and malware use sandbox evasion techniques to help their malicious files and code avoid detection while being scanned. Common techniques include the following.
|
Evasion Technique |
Description |
|
Extended sleep |
The malware uses extended sleep calls to simply “wait out” the anti-malware analysis time period. |
|
Polymorphic malware |
Malware adds garbage code to itself every time it runs in an effort to change its signature. |
|
Rootkits and bootkits |
Malware attempts to replace parts of the operating system so it can control the system and subvert the anti-malware detection process. |
|
Sandbox detection |
Malware will try to scan the virtual environment to determine if it has been sandboxed, and to fingerprint the sandbox. |
|
Encrypted archives |
Malware is encrypted into an archive or .zip file. The user is socially engineered into opening the package and infecting their system. |
|
Botnet command and control |
Trick the user into installing “clean” code (a dropper) onto a target machine. That code then connects to a malicious site or IP to download malware. |
|
Logic bombs |
The malicious part of the code lies dormant until an event (such as the date) triggers it. |
|
Binary packers |
Small routines that alter the malware, encrypting and obfuscating it so that it cannot be easily analyzed by antivirus software. |
|
Network fast flux |
Botnets use a rapidly changing network of compromised hosts, making it difficult to keep up with constantly changing IP addresses and DNS names. |