The Idea of Sandboxing and Its Techniques - Coursework Example

Summary
This coursework "The Idea of Sandboxing and Its Techniques" focuses on the main function of a sandbox: it generates an isolated environment in which applications run so that malware attacks are blocked. There are numerous techniques for generating a sandbox environment for applications…

Introduction and Review

A sandbox is implemented for applications that are at security risk. The main function of a sandbox is to generate an isolated environment in which applications run so that malware attacks are blocked. There are numerous methods and techniques for generating a sandbox environment for applications, and nowadays a number of applications have a built-in sandbox environment. Some of the well-known sandboxing techniques are discussed in this article, along with the dos and don'ts of sandboxing for security purposes.

The idea of sandboxing can be related to a child's sandbox, which is built to keep the sand separated from the outer environment and confined to a particular place. In the world of information technology, the idea of sandboxing is that a virtual area is dedicated to untrusted applications that could put other data on the system at risk, so that they can run smoothly in the system without interfering with other applications. This protected virtual environment is made to protect the data from any malicious attacks. Figure 1.1 demonstrates a generic view of a typical sandbox.

In 1970 a project named the Hydra Operating System was launched at Carnegie Mellon University. The concept behind this project was that all applications are protected and execute in their own area. Dynamic system domains were generated by Sun to cope with the risk factors. In addition, Solaris Containers were launched by Sun to execute the environments; the "trusted container" is marked in Solaris 10. Isolated environments are deployed by Sun FreeBSD; these isolated environments are also known as "Jails". The deployment can be done via OS virtualization, in which the jails contain independent files, user accounts and processes tied to different IP addresses. The sandbox suffers from an incomprehensible method that allows remote system calls to be implemented on all the applications present in the virtual OS.
Virtualization methods have made the sandboxing procedure easier and hassle free. Testing environments are generated by virtual machines, which help in the deployment of brand new operating systems and software. These applications are malware free and can be used securely.

1.1 Sandboxing Techniques

Software is made sandbox compatible so that all applications can run smoothly in a system. Google's Chrome has a built-in sandbox in order to stop malicious code entering the system via the web. In the Windows security model a modified sandbox is built in that automatically blocks any malicious content. However, the sandbox does not work on a system that contains any type of FAT-formatted partition. Applications that are mis-handled by their vendors cannot be protected from malware by the sandbox. Moreover, the sandbox also generates isolated environments that are independent; for instance, a sandbox was created by Ronen Tzur. This sandbox runs on Windows 2000, XP, Windows 7 and Vista. The applications run by this sandbox include IM clients, web browsers, online games, e-mail and other applications that are exposed to malware attacks. The sandbox helps to keep these vulnerable applications away from the Windows operating system. Several applications can run permanently in the sandbox, and consumers can also create multiple sandboxes; the option to create multiple sandboxes is only available in the paid version. The main advantage of multiple sandboxes is that all the files, driver objects and registry keys can run together rather than alone. In fact, it generates a "virtual zone" that covers internet programs, browsing and downloads installed on the hard drive. BufferZone is known as a sandboxing solution. In 2009 Web Sandbox was launched by Microsoft. Web Sandbox is an open source virtualization system created for web developers.
The core function of Web Sandbox is to protect scripts with the help of a JavaScript virtual machine, in order to avoid malicious code on websites. The complete isolated functionality, including namespaces, is made available by the virtual machine. Untrusted code is kept out by the virtual machines in order to keep the specific HTML documents in the system safe.

1.2 Operating System Virtualization

From the above discussion we know that the most famous sandboxing method is focused on virtualization. There is well-known virtualization software, such as Hyper-V, Virtual PC and VMware, for generating isolated environments. Sandboxing can also utilize any of the mentioned virtualization software in order to provide maximum security. Moreover, VM software is the most commonly used way of generating a sandbox in many organizations. Conversely, there are some limitations one needs to observe before using VM software.

1.3 Integration with Desktop

The high level of difficulty in using VM software discourages consumers from using it for risky applications. A virtual machine is created along with the virtualization application to boost the defense against malicious code. The VM applications can now be seen on the Start menu with Windows Virtual PC and XP Mode, or with VMware Workstation's Unity feature. This helps consumers access the VM applications easily, without the hassle of installation and complex procedures. Older applications can be run in XP Mode, which was specially created by Microsoft. Windows 7 allows its users to run any application that previously ran on Windows XP. Older applications that are compatible with Windows XP and Windows 7 can be run in Microsoft's XP Mode. XP Mode cannot be installed by users who are still using Windows XP or Windows Vista as their base OS.
Virtualized applications integrated into the OS cannot be formed on Microsoft Virtual PC 2007, but users can generate the sandbox environment without any problem. Another main feature is Unity desktop integration, which allows users to run VMware on their computer-based system and achieve a virtual environment. On Windows 7 Pro and XP Mode, VMware is free for users. Microsoft Enterprise Desktop Virtualization (MED-V) is present in enterprise environments. Its main purpose is to provide a safe environment for running applications successfully and a compatible space for risky applications. This can be done while working directly with the host operating system. The virtual environment is basically controlled by MED-V, which allows computer-based clients to use applications without any fear of risk.

2 Sandbox Implementation

Sandboxing is a security application in the field of information technology (IT). The main purpose of sandboxing is to protect the system from any malware and to detect any existing malware code present in a computer-based system. Moreover, sandboxing can basically be used as a substitute for the previous technology, i.e. signature-based malware defense systems. The sandbox provides full support for computer-based systems and helps to handle zero-day malware attacks and maintain a silent defense system. The sandboxing technology, as used by the start-up Lastline, provides an effective defense system and also notifies security associates about upcoming malware attacks. Network administrators or security specialists conduct the administration and configuration of a firewall. Later, these personnel monitor and modify changes as per the requirements of the business processes and policies of an organization. The features of a typical firewall facilitate the security specialist to a great extent.
Many products on the market are designed to offer more than one WAN port connection, categorized into low bandwidth usage and high bandwidth usage. Consequently, administrators can connect a lower bandwidth connection to the low bandwidth usage port, and the high bandwidth connection can be used to connect high-profile users who require high bandwidth Internet connectivity. As two connections can be terminated on the firewall, load-balancing features are also achievable. Moreover, if either of the two connections goes offline, the firewall switches the traffic to the other medium that is operational, resulting in efficient WAN network connectivity (Soho firewalls, 2002).

2.1 Supports Packet Filtering

Furthermore, firewalls are integrated with proxy servers to provide an optimum level of security for the network, although some configuration procedures are mandatory in order to establish configuration-based firewall security. A typical packet filtering firewall is required. Packet filtering firewalls judge the behavior of each packet and then check the rule base, which includes exceptions and firewall security policies, in order to deny or grant permission to a particular data packet. After receiving a data packet, the firewall determines whether the packet requires proxy filtering. Consequently, the firewall plays the role of a dynamic filter on a control channel linking the application layer and the proxy layer. This combined security mechanism significantly amplifies security for the network (Nelson, 1998).

2.2 Advanced Mechanism

Currently there are two conventional methods to detect threats and vulnerabilities on the network, i.e. anomaly-based IDS and signature-based IDS. A signature-based IDS analyzes and identifies specific patterns of attacks that are recognized from raw data in terms of byte sequences called strings, port numbers, protocol types etc.
Likewise, apart from the normal operational pattern, a signature-based firewall detects any activity that is unusual relative to the previously defined patterns. Moreover, the patterns are monitored with strict control algorithms. The signatures are stored in a signature repository. The prime objective of a 'signature-based IDS' is to search for signatures in order to detect a threat or vulnerability, similar to the way antivirus software detects viruses. The functionality includes the detection of attacks that are initiated directly against the network, whereas an Intrusion Prevention System controls the access management functions of the network. Likewise, it is a bit similar to a firewall, but the differentiating factor is that it inspects the payload and performs deep packet inspection as well. However, the IPS requires high computing power, such as high CPU processing power and memory (Rash, Orebaugh, & Clark, 2005). IPS provides end-to-end protection, with a mechanism to classify all types of threats such as adware, malware, viruses, malicious code and Trojans before intrusion into the network. Some of the techniques for IPS incorporate pervasive network integration, collaborative prevention of threats and the adoption of a proactive posture.

Christopher Kruegel, professor at the University of California at Santa Barbara, says that "a sandbox shouldn't be considered a silver bullet" for the detection of malware. Christopher Kruegel also serves as chief scientist at Lastline, and Lastline has its own sandboxing technology. Warning signs are raised by the sandbox if the malware tends to attack e-mail. The sandboxing technology is working hard to address zero-day attacks and provide data security for organizations that hold sensitive information.
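The two stages just described, the packet filter's rule base of exceptions and policies (section 2.1) and the search of a signature repository for byte sequences, ports and protocols (section 2.2), as an added Python example that is not part of the coursework; the rule base, the signature repository, the set of proxied ports and all packets are constructed sample data, and the field names are my own assumptions.

```python
"""Packet-filter rule base with proxy hand-off and signature matching.

Added example, not code from the coursework. Stage one is the packet filter
of section 2.1: exceptions first, then policy rules, first match wins,
default deny. Stage two is the signature check of section 2.2, applied to
packets for proxied services: byte sequences from a signature repository
are searched for in the payload. All data below is constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                    # "tcp" or "udp"
    dport: int
    payload: bytes = b""


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port
    name: str = ""

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.dport is None or self.dport == p.dport))


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: bytes                # byte sequence ("string") to look for
    proto: Optional[str] = None
    dport: Optional[int] = None


PROXIED_PORTS = {80, 8080}        # services handed to the proxy layer (assumed)
SIGNATURES = [                    # constructed signature repository
    Signature("http-dir-traversal", b"../../", "tcp", 80),
    Signature("shell-meta-in-query", b"|sh", "tcp"),
]


def filter_packet(p: Packet, exceptions: List[Rule], policy: List[Rule]) -> str:
    """Exceptions are consulted before the policy; the first matching rule
    decides, and a packet that matches nothing is denied (default deny)."""
    for rule in exceptions + policy:
        if rule.matches(p):
            return rule.action
    return "deny"


def inspect_payload(p: Packet, repo: List[Signature]) -> List[str]:
    """Names of repository signatures whose byte sequence occurs in the
    payload and whose protocol/port context fits the packet."""
    return [sig.name for sig in repo
            if (sig.proto is None or sig.proto == p.proto)
            and (sig.dport is None or sig.dport == p.dport)
            and sig.pattern in p.payload]


def decide(p: Packet, exceptions: List[Rule], policy: List[Rule],
           repo: List[Signature] = SIGNATURES) -> str:
    """Packet filter first, then proxy inspection for proxied services.
    Returns "deny", "allow" or "allow-proxied"."""
    if filter_packet(p, exceptions, policy) != "allow":
        return "deny"
    if p.dport not in PROXIED_PORTS:
        return "allow"
    return "deny" if inspect_payload(p, repo) else "allow-proxied"


# Constructed rule base: one exception blocking a known-bad host, then policy.
EXCEPTIONS = [Rule("deny", src="203.0.113.7/32", name="blocked-host")]
POLICY = [
    Rule("allow", dst="192.0.2.0/24", proto="tcp", dport=80, name="web"),
    Rule("allow", dst="192.0.2.0/24", proto="tcp", dport=443, name="tls"),
    Rule("allow", dst="192.0.2.53/32", proto="udp", dport=53, name="dns"),
]
```

A port-443 packet from an unlisted host is allowed by the policy but never inspected, which is exactly the gap the text's "packet filter plus proxy" combination is meant to close for the proxied services.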
There are a number of organizations, such as FireEye, Trend Micro, Palo Alto along with its WildFire service, GFI, AhnLab, Damballa, Norman and Sourcefire, that are using sandboxing technologies in the form of McAfee. Currently, McAfee has acquired ValidEdge in order to extend its sandboxing methodology. On the other hand, malware creators are now advancing their technologies in order to avoid detection by the sandbox. This is a warning sign for all firms, and this attack has been described as an "arms race" against sandboxing technology by the malware creators. There are various evasion methods used by malware creators; some of them are mentioned below:

Stalling code: a procedure that holds the malware code back from attacking the computer-based system until the sandbox times out. The holding-up procedure does not let the malicious code sleep; instead it continues to do some computation in order to show some activity on the computer. Research reveals that the stalling code method works to some extent because of the way the malware is executed. This execution of malware creates a "blind spot" in the sandbox.

Blind spot: the blind spot in the deployment of a sandbox is considered to be the hooks. For library or function calls, hooks are introduced directly into the application to get callbacks. The application with the direct hook inserted needs its code customized. Therefore, malware can identify and interfere with the application via dynamic code unpacking. The sandbox does not identify any of the instructions executed by the malware in between the hooked system calls. This particular blind spot can be attacked by malware creators, who can run stalling code in between system calls. The third type of malware attack is done through the environment.

Environmental checks: zero-day attacks can be added by malware creators for systems that are operated through environmental checks.
Attackers try to manipulate the code through tricks and ensure that organizations will patch the sandbox according to the malware creator's will. The Previct application was generated to offer security against environmental check tricks. On the other hand, the Previct application also cannot provide 100% security to its clients against malware attacks. The sandbox is an excellent application that provides security against malware attacks. However, it is not the perfect malware identification device that some security specialists believe it to be. According to network security engineer Brad Stroeh, "sandboxing will get some of it". The customer at First Financial Bank says that there are a number of security approaches that can be used against malware attacks. Sandboxing can be used as a powerful defense system in protecting computer-based systems from malware attacks. Unfortunately, malware can evade the sandbox checkpoints, therefore it is suggested to use earlier malware identification products along with the sandbox. A number of sandboxing methods and techniques are available, to be implemented wisely to get maximum benefit against malware attacks.

3 Sandbox Limitations

The 'sandbox' browser that we are using in our solution will execute in a virtual container, and it is quite possible that malicious code can penetrate into the operating system. GreenBorder is considered to be a 'sandbox' browser that was highly appreciated by the Wall Street Journal tech guru Walt Mossberg. Likewise, the InfoWorld test center revealed that the current version does not address the required security controls (Ciampa, 2014). Later on, the newer version was tested to see whether there were any improvements in terms of security; even then the sandbox technology was not up to the mark, and by clicking a single uniform resource locator the malicious code was able to compromise the operating system.
Another limitation of the solution is the integration of the browser and the operating system, because they are both embedded with each other in a desktop environment. Both of them need to communicate, and it is nearly impossible to segregate the JavaScript, browser plugins and ActiveX controls that are operational on an operating system. If we take the example of a sandbox simulation of an attack, a website hosting active malicious code was visited with a patched system and an unpatched system. The system with updated security patches successfully defended against all attacks, whereas the system with outdated security patches was compromised. Similarly, an end user's system can be breached by clicking a Flash file that may cause a buffer overflow and transmit an executable '.exe' file into the computer's memory. Likewise, the malicious code utilized the application programming interface and installed itself as a service on the operating system. The sandbox solution needs to cover every application programming interface, because malicious code utilizes hundreds of APIs to penetrate the operating system and computer network (Lockhart, 2006). Another limitation of the sandbox solution is the reset button: the sandbox browser has a reset button that is clicked only on suspicious activity. By clicking the reset button, the browser comes to a clean state and takes a snapshot of the current web session. There is a condition before clicking the reset button, i.e. the end user must be aware that the system is about to be compromised. This is not effective because today threats are advancing day by day, and advanced persistent threats are compromising systems without showing their existence. Likewise, the reset button on the browser does not reset the browser completely; some settings are left unchanged, such as user preferences, bookmarks etc. The code signing approach has two primary limitations, i.e.
this approach assumes that all entities in the trust zone are trustworthy. Code received from a trusted sender is granted full privileged access, not only for executing the code but for modifying the acceptance policy and allowing other threats to follow. Depending on the nature of the threat, communication can also be established later from one attacker to another attacker. These types of attacks are normally known as delayed attacks. Moreover, this concept is preventive for agents from the untrusted zone, as they are not executed at all.

The core disadvantage of generating a sandbox using OS virtualization is that it can be identified by the malware. Malware creators have developed virtual machine detection that helps them identify VME artifacts in the system hardware, running processes or the registry. In addition, the malware can also search for VME-specific virtual hardware or other processing details. For instance, a virtual machine uses a VM tool that helps in running an OS virtually. Moreover, in 2004 the popular security specialist Joanna Rutkowska generated a tool known as "Red Pill". This tool is used to identify the presence of a VM. These kinds of tools are widely available on the internet for security purposes. Identification at the right time via the virtual environment will restrict the functionality of the malware. Furthermore, by using VM software for sandboxing, the malware's functionality will be restricted automatically and would not cause any security risk to the virtual OS. On the contrary, security lapses present in the VM software can cause some damage to the virtual OS. Many malware creators can attack through these security gaps via virtual machine detection. Therefore, the VM software is focusing on a "virtual machine escape" policy to avoid any further attacks.
Thus one cannot totally rely on VM isolation to provide complete protection against malware (Dadhich, Dutta, & Govil, 2010). In order to get maximum protection, the OS needs to patch all the security gaps present in the VM. Also, the VM applications need to be cleaned by running anti-malware and antivirus software. To get maximum protection for your system, the VM is linked to a different network. Therefore, it shows a brand new image for VM software in the field of malware detection.

Another limitation is associated with cooperating agents, as they transfer from one platform to another via an authentication process for communicating information to other cooperating agents (Dadhich, Dutta, & Govil, 2010). The information incorporates the details of the last platform the agent visited, the current agent platform, and the details of the next platform that needs to be visited. This process imposes some risks and limitations, such as the cost of setting up the authentication process for every transfer. Moreover, if any cooperating agent dies, there is no accountability, and if any platform is malicious, no control is available to mitigate the risk of getting a malicious cooperating agent. Furthermore, proof-carrying code also imposes some limitations that need to be addressed prior to using it on a large scale. Likewise, the primary issue with proof-carrying code is the generation of the proof, as a lot of debate and research has been done on making it an automated proof generation process. For instance, a certified compiler can generate the proof from the compiler via an automated method. Regrettably, the current scenario demonstrates that several proofs need to be produced by hand, and the size of the proof along with the time taken in the validation process is also considered to be one of the limitations.
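The three evasion signals described in section 2 (stalling code, the hook blind spot, environmental checks) and the VM-artifact probing described in this section, as an added triage example written for this page and not taken from the coursework or any vendor product. It assumes a sandbox that records both a user-mode hook layer and a kernel-level tracer; the trace format, call names, indicator list, timeout and the call threshold are all constructed for the example.

```python
"""Sandbox trace triage for the evasion signals of sections 2 and 3.

Added example, not code from the coursework or any vendor. It reads a
constructed execution trace with two layers of visibility, the user-mode
API hooks and a kernel-level syscall tracer, and reports three signals:
stalling (the sample keeps busy but shows no observable behaviour before
the sandbox timeout), environmental checks (queries whose argument names
a VM artifact) and the hook blind spot (calls the kernel tracer saw that
never reached the hook layer). Trace lines, call names and indicator
strings are all constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

LINE_RE = re.compile(r"t=(?P<t>[\d.]+)\s+layer=(?P<layer>\w+)\s+call=(?P<call>\w+)"
                     r"(?:\s+arg=(?P<arg>.*))?$")

BEHAVIOUR = {"WriteFile", "Connect", "CreateProcess", "RegSetValue"}   # observable actions
HOOKED = BEHAVIOUR | {"RegQueryValue"}                                 # calls the hooks cover
ENV_QUERIES = ("RegQuery", "QueryHardware", "EnumProcess")             # query-style calls
VM_INDICATORS = ("vmware", "virtual pc", "hyper-v")   # constructed, from products named above


@dataclass
class Event:
    t: float
    layer: str   # "hook" or "kernel"
    call: str
    arg: str


def parse_trace(text: str) -> List[Event]:
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"malformed trace line: {line!r}")
        events.append(Event(float(m["t"]), m["layer"], m["call"], m["arg"] or ""))
    return sorted(events, key=lambda e: e.t)


def triage(events: List[Event], timeout_s: float, min_calls: int = 20) -> Dict[str, List[str]]:
    findings: Dict[str, List[str]] = {"stalling": [], "env_check": [], "hook_bypass": []}

    # Stalling: plenty of calls before the timeout, none of them behaviour.
    before = [e for e in events if e.t < timeout_s]
    if len(before) >= min_calls and not any(e.call in BEHAVIOUR for e in before):
        findings["stalling"].append(
            f"{len(before)} calls and no observable behaviour within {timeout_s:g}s")

    # Environmental checks: a query whose argument names a VM artifact
    # (reported once per distinct call/argument pair).
    seen = set()
    for e in events:
        key = (e.call, e.arg)
        if key in seen or not e.call.startswith(ENV_QUERIES):
            continue
        seen.add(key)
        if any(ind in e.arg.lower() for ind in VM_INDICATORS):
            findings["env_check"].append(f"t={e.t:g} {e.call} {e.arg}")

    # Hook blind spot: a hooked call the kernel tracer recorded but the hook
    # layer never saw was issued around the hooks.
    hook_seen = {(e.call, e.arg) for e in events if e.layer == "hook"}
    for e in events:
        if e.layer == "kernel" and e.call in HOOKED and (e.call, e.arg) not in hook_seen:
            findings["hook_bypass"].append(f"t={e.t:g} {e.call} {e.arg}")
    return findings


# Constructed trace: 25 compute-only calls spread over the 60 s window, one
# VM-artifact probe seen by both layers, then behaviour only the kernel sees.
SAMPLE_TRACE = "\n".join(
    [f"t={i * 2.5:g} layer=hook call=ComputeChecksum" for i in range(25)] + [
        "t=30 layer=hook call=RegQueryValue arg=HardwareConfig\\Vendor=VMware",
        "t=30 layer=kernel call=RegQueryValue arg=HardwareConfig\\Vendor=VMware",
        "t=70 layer=kernel call=WriteFile arg=C:\\Users\\Public\\dropped.bin",
        "t=71 layer=kernel call=Connect arg=203.0.113.5:443",
    ])

if __name__ == "__main__":
    for kind, items in triage(parse_trace(SAMPLE_TRACE), timeout_s=60).items():
        print(kind, items)
```

The kernel-layer trace is what closes the blind spot the text describes: with hooks alone, the file write and the connection after the timeout would never be seen.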
4 Lessons Learned

The sandbox should focus on a granular level of security that may include security policies addressing upcoming cloud-based Internet applications. Likewise, it should support multiple-platform segregation of functionality and content via various trust boundaries, where every platform possesses its own security controls. As is currently the case with requirements from the server side and client side along with the ownership breakup, this adequately demonstrates the boundaries of security policies in this information age. Likewise, a single security domain for a single application, with the same policy applied to multiple platforms, is not enough to address the security issues of this age. Moreover, the augmentation of rich and complex communication between the client side and scripts and frameworks demands security policies along with specialized procedures. The sandbox must ensure the three pillars of security, i.e. Confidentiality, Integrity and Availability. There is a requirement for specialized policies and procedures, controls on the flow of information and a secure policy for composition. There is also a requirement for segregating executable files and data via a restricted system. However, the segregation also imposes risks of SQL injection attacks.

Figure 1.2

For enforcing the specialized information security policies and procedures, there is a requirement to apply a paradigm incorporating a server-driven mechanism, as shown in Figure 1.2: data aggregation at the end user's end is illustrated on the right side, and active content aggregation is presented on the left side.

Figure 1.3

Figure 1.3, shown above, demonstrates the factual process of applying policies on the server; starting with the hardening of service security parameters is essential. Likewise, the code is received

References

Agnitum Outpost Persona Firewall Pro 2.0. (2004). District Administration, 40(2), 68-68.
Firewall. (2007). Bloomsbury Business Library - Business & Management Dictionary, 3113-3113.
Nelson, M. (1998). Two faces for the firewall. InfoWorld, 20(41), 1.
Rash, M., Orebaugh, A., & Clark, G. (2005). Intrusion prevention and active response: Deploying network and host IPS. Elsevier Science.
Soho firewalls. (2002). PC Magazine, 21(1), 29.
Lockhart, A. (2006). Network security hacks. O'Reilly Media.
Ciampa, M. (2014). CompTIA Security+ guide to network security fundamentals. Cengage Learning.
Dadhich, P., Dutta, D. K., & Govil, M. C. (2010). Security issues in mobile agents. International Journal of Computer Applications, 11(4), 1-7.
Source: https://studentshare.org/information-technology/1843427-sandbox-creation-technical-paper
