0. 引言 1. sandbox introduction 2. Sandboxie 3. seccomp(short for secure computing mode): API级沙箱 4. 利用do_syscall_trace一次性对所有系统调用进行Hook监控 5. cuckoo 6. Detux 7. remnux 8. Noriben Malware Analysis Sandbox 9. Limon Sandbox for Analyzing Linux Malwares 10. 基于docker的malware analysis 11. Joe Sandbox Desktop 12. Zero Wine: Malware Behavior Analysis
0. 引言
0x1:what is malware
1. code that is malicious 2. viruses、worms、keyloggers、backdoors、rootkits
0x2: malware behaviour
1. disrupt computer operation 2. ddos/cc attack 3. stealing sensitive information 4. gain access to computer systems 5. spy on computer users
0x3: Types of malware analysis
1. static analysis: analysis without executing the malware 1) determine file type 2) determine file size 3) HASH 3.1) SSDEEP: comparison of fuzzy hash with previously submitted samples to determine similar variants 3.2) MD5 3.3) SHA1 4) Strings(可疑字符串) 4.1) Unicode 4.2) ASCII 5) determines packers using YARA rules 6) File Obfuscations(packers, cryptors) 7) Submission to multi AV Scanning engines 7.1) VirusTotal api 8) ELF characteristics 8.1) display program header structures 9) symbols 9.1) static symbols 9.2) dynamic symbols 10) sections 11) Disassembly 2. dynamic analysis: analysis by executing the malware 1) File system activity 2) process activity 3) network activity 3.1) DNS summary 3.2) TCP conversations 3.3) packet captures 3.4) event trace dump 4) system call tracing 3. memory analysis: analysis of RAM(main memory)after executing the malware 1) list running process 1.1) process listing with process arguments 1.2) thread associated with each process 2) list network connections 2.1) display process running with RAW sockets 3) list shared libraries 4) kernel modules 4.1) module list 4.2) SYSFS 5) detect hooking(user and kernel mode) 5.1) checks netfilter hooks 5.2) check for PLT/GOT hooks 5.3) keyoard notifier hooks 5.4) TTY Hooks 5.5) check for userland api hooks 6) code or binary injection 7) rootkit detection 7.3) system call table modification 7.4) check for modified file operation structures 7.5) checks hooked network operation function structures 8) detect hidden artifacts
Relevant Link:
1. sandbox introduction
在计算机安全领域,沙盒(sandbox 沙箱)是一种安全机制,为运行中的程序提供的隔离环境。通常是作为一些来源不可信、具破坏力或无法判定程序意图的程序提供实验之用
0x1: sandbox具体实现形式
1. chroot chroot是在unix系统的一个操作,针对正在运作的软件进程和它的子进程,改变它外显的根目录。一个运行在这个环境下,经由chroot设置根目录的程序,它不能够对这个指定根目录之外的文件进行访问动作,不能读取,也不能更改它的内容,由chroot创造出的那个根目录,叫做"chroot监狱"(chroot jail / chroot prison) 2. Sandboxie Sandboxie是一个沙盒计算机程序用于将浏览器限制在一个虚拟沙箱中运行,由Ronen Tzur开发,可以在32位及64位的、基于Windows NT的系统上运行(如Windows XP、Windows 7等)。它创造了一个类似沙盒的独立作业环境,在其内部运行的程序并不能对硬盘产生永久性的影响。其为一个独立的虚拟环境,可用以测试不受信任的应用程序或上网行为 3. 软件监狱(Jail) 限制网络访问、受限的文件系统命名空间。软件监狱最常用于虚拟主机上(例如VM) 4. LSM MAC访问控制 基于规则的执行,通过系统安全机制,按照一系列预设规则给用户及程序分配一定的访问权限,完全控制程序的启动、代码注入及网络访问。也可控制程序对于文件、注册表的访问。在这样的环境中,病毒木马感染系统的几率将会减小。Linux中,安全增强式Linux和AppArmor正使用了这种策略 5. 虚拟机 模拟一个完整的宿主系统,可以如运行于真实硬件一般运行虚拟的操作系统(客户系统)。客户系统只能通过模拟器访问宿主的资源,因此可算作一种沙盒 6. 主机本地沙盒 通过创建一个模拟真实桌面的环境,研究人员就能够观察恶意软件是如何感染一台主机的。若干恶意软件分析服务使用了沙盒技术,例如Docker技术就是一种典型的用户态沙盒,在Docker容器中的操作被严格进行配置和限制 7. 安全计算模式(seccomp) Linux内核内置的一个沙盒。启用后,seccomp仅允许write()、read()、exit()和sigreturn()这几个系统调用。 8. KERNEL级Sandbox 一种类似于影子系统的,比带有宿主的虚拟机更深层的系统内核级技术。它可以接管病毒调用接口或函数的行为。并会在确认病毒行为后实行回滚机制,让系统复原
0x2: sandbox技术思想
1. 将对数据的修改、对系统的操作重定向到一个受保护的虚拟区域 2. ROLLBACK(回滚),当发生策略规定范围之外的操作事件时,及时对异常状态进行回滚 3. 策略限制,例如defensewall、SELINUX、AppArmor、Smack
Relevant Link:
2. Sandboxie
Relevant Link:
3. seccomp(short for secure computing mode): API级沙箱
seccomp (short for secure computing mode) is a computer security facility that provides an application sandboxing mechanism in the Linux kernel; it was merged into the Linux kernel mainline in kernel version 2.6.12, which was released on March 8, 2005.seccomp allows a process to make a one-way transition into a "secure" state where it cannot make any system calls except exit(), sigreturn(), read() and write() to already-open file descriptors. Should it attempt any other system calls, the kernel will terminate the process with SIGKILL. In this sense, it does not virtualize the system's resources but isolates the process from them entirely.
#include <sys/prctl.h> int prctl(int option, unsigned long arg2, unsigned long arg3, unsigned long arg4, unsigned long arg5); option = PR_SET_SECCOMP (since Linux 2.6.23) Set the secure computing (seccomp) mode for the calling thread, to limit the available system calls. The more recent seccomp(2) system call provides a superset of the functionality of PR_SET_SECCOMP.
seccomp mode is enabled via the prctl(2) system call using the PR_SET_SECCOMP argument, or (since Linux kernel 3.17) via the seccomp(2) system call.
0x1: seccomp-bpf
seccomp-bpf is an extension to seccomp that allows filtering of system calls using a configurable policy implemented using Berkeley Packet Filter rules. It is used by OpenSSH and vsftpd as well as the Google Chrome/Chromium web browsers on Chrome OS and Linux.
从本质上讲,seccomp filters相当于PHP中的"safe mode",通过提前限制进程可以使用系统API范围,来达到Jail限制沙箱的目的
0x2: Uses
1. As of Chrome version 20, seccomp-bpf is used to sandbox Adobe Flash Player 2. As of Chrome version 23, seccomp-bpf is used to sandbox the renderers 3. Vsftpd uses seccomp-bpf sandboxing as of version 3.0.0 4. OpenSSH has supported seccomp-bpf since version 6.0 5. LXD, which is a "hypervisor" for containers 6. Firefox and FirefoxOS use seccomp-bpf to sandbox the child processes and certain plugins
0x3: Detecting seccomp features at runtime
#include <stdio.h> #include <stdlib.h> #include <errno.h> #include <string.h> #include <sys/prctl.h> #include <linux/seccomp.h> int main(void) { int ret; ret = prctl(PR_GET_SECCOMP, 0, 0, 0, 0); if (ret < 0) { switch (errno) { case ENOSYS: printf("seccomp not available: pre-2.6.23n"); return 0; case EINVAL: printf("seccomp not available: not built inn"); return 0; default: fprintf(stderr, "unknown PR_GET_SECCOMP error: %sn", strerror(errno)); return 1; } } printf("seccomp availablen"); ret = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0); if (ret < 0) { switch (errno) { case EINVAL: printf("seccomp filter not availablen"); return 0; case EFAULT: printf("seccomp filter availablen"); return 0; default: fprintf(stderr, "unknown PR_SET_SECCOMP error: %sn", strerror(errno)); return 1; } } printf("PR_SET_SECCOMP unexpectedly succeeded?!n"); return 1; }
0x4: Code Example Use
seccomp是操作系统通过API方式(Glibc/System call)提供的一种API调用访问控制能力,在程序开发中需要调用seccomp相关的API将这种控制能力"引入进来",可以理解为程序在编译阶段就给自己施加对应的限制,这样即使发生了溢出攻击,被Exploit的程序也会由于API沙箱的限制而无法执行太多危险操作
/* * seccomp example with syscall reporting * * Use of this source code is governed by a BSD-style license that can be * found in the LICENSE file. */ #define _GNU_SOURCE 1 #include <stdio.h> #include <stddef.h> #include <stdlib.h> #include <unistd.h> #include "config.h" #include "seccomp-bpf.h" static int install_syscall_filter(void) { struct sock_filter filter[] = { VALIDATE_ARCHITECTURE, /* Validate architecture. */ EXAMINE_SYSCALL, /* Grab the system call number. */ ALLOW_SYSCALL(rt_sigreturn), /* List allowed syscalls. */ #ifdef __NR_sigreturn ALLOW_SYSCALL(sigreturn), #endif ALLOW_SYSCALL(exit_group), ALLOW_SYSCALL(exit), ALLOW_SYSCALL(read), ALLOW_SYSCALL(write), KILL_PROCESS, }; struct sock_fprog prog = { .len = (unsigned short)(sizeof(filter)/sizeof(filter[0])), .filter = filter, }; if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) { perror("prctl(NO_NEW_PRIVS)"); goto failed; } if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog)) { perror("prctl(SECCOMP)"); goto failed; } return 0; failed: if (errno == EINVAL) { fprintf(stderr, "SECCOMP_FILTER is not available. :(n"); } return 1; } int main(int argc, char *argv[]) { char buf[1024]; if (install_syscall_filter()) { return 1; } printf("Type stuff here: "); fflush(NULL); buf[0] = '