An introduction to the Katsuni theorem and its application to sandboxing and software emulation

Jonathan Brossard (Toucan System)

25/09/2013

Who am I ?

-Security researcher, publishing since 2005.

-Past research : vulnerabilities in BIOSes, Microsoft Bitlocker, Truecrypt, McAfee Endpoint (Defcon 2008), PMCMA debugger (Blackhat USA 2011), « Rakshasa » supply chain backdoor PoC (Blackhat 2012), 2 SAP notes (2013).

-Speaker/trainer at HITB, CCC, Ruxcon...

-Co-founder of the Hackito Ergo Sum and NoSuchCon research conferences (France).

Disclaimer : contains research

This was supposed to be a short piece of research on finding/exploiting a few cool low-level bugs in sandboxes.

It ended up leading to more questions than answers on my understanding of what the industry is doing in the AV/sandbox space.

If you have a better understanding, I'd really like it if you took the time to explain it to me ([email protected], +PGP).

Disclaimer (rephrased)

WTF is the AV industry doing ? Well, I'm not so sure I understand anymore …

But read the qemu source code, it's an awesome source of knowledge on system programming, compilers, binary translation and plenty of other things :)

What's hot in the AV industry in 2013 ?

AV industry : 2013 trends

-Desktop AV is essentially a thing of the past

-Focus moves to technologies hopefully able to « detect 0days »[1], like sandboxing.

=> The new cool thing is emulation and sandboxing.

[1] Don't laugh yet.

How it all started... (/story telling)

CVE-2013-0640

(Adobe Sandbox bypass)

Adobe Reader and Acrobat 9.x before 9.5.4, 10.x before 10.1.6, and 11.x before 11.0.02 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted PDF document, as exploited in the wild in February 2013.

Their « analysis » :

Here is the sequence of the ROP shellcode:

msvcr100!fsopen()

msvcr100!write()

mvvcr100!fclose()

kernel32!LoadLibraryA()

kernel32!Sleep()

Upon loading the malicious library, it will enter a long sleep and ensure that the thread has not crashed because the whole stack in the thread is already manipulated for creating a ROP chain.

=> In plain English, this is called bullshitting. They clearly have no idea what the exploit is trying to do here.

What I believe really happens in this case (wild guess)

Sleep 5 minutes to attempt to bypass sandboxing detection :)

After all, it's a hardened exploit, found in the wild and the first of its kind to bypass Adobe sandboxing technology...
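
Added example (not from the original slides or from any vendor): a sandbox-side check over an API trace that reports when a requested Sleep ends after the analysis window, so the verdict is marked inconclusive instead of clean. The trace format, the file path and the window lengths are constructed assumptions; only the API names come from the sequence quoted above.

```python
import re

# Constructed trace, hypothetical format: "<ms since analysis start> <module>!<api>(<args>)".
SAMPLE_TRACE = "\n".join([
    r'1200 msvcr100!fsopen("C:\Temp\dropped.bin", "wb")',
    r'1203 msvcr100!write(3, 0x0badf00d, 40960)',
    r'1204 msvcr100!fclose(3)',
    r'1210 kernel32!LoadLibraryA("C:\Temp\dropped.bin")',
    r'1215 kernel32!Sleep(300000)',
])

LINE = re.compile(r'^(\d+)\s+\w+!(\w+)\((.*)\)$')


def analyze(trace, window_ms):
    """Flag two artefacts in a trace observed for window_ms milliseconds:
    a library loaded from a path the process itself opened earlier, and
    a Sleep whose requested duration ends after the analysis window."""
    opened, loaded_dropped, sleep_past_window = set(), [], []
    for raw in trace.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip anything that is not an API call line
        ts, api, args = int(m[1]), m[2], m[3]
        # First argument, unquoted and lower-cased (Windows paths are case-insensitive).
        first = args.split(",")[0].strip().strip('"').lower()
        if api == "fsopen":
            opened.add(first)
        elif api == "LoadLibraryA" and first in opened:
            loaded_dropped.append(first)
        elif api == "Sleep" and first.isdigit() and ts + int(first) > window_ms:
            # Whatever the thread does after waking was never observed.
            sleep_past_window.append((ts, int(first)))
    return {
        "loaded_dropped": loaded_dropped,
        "sleep_past_window": sleep_past_window,
        # No sleep outlasting the window means the observation covered the run.
        "conclusive": not sleep_past_window,
    }


if __name__ == "__main__":
    # Assumed 2-minute analysis window against a 5-minute sleep.
    print(analyze(SAMPLE_TRACE, window_ms=120_000))
```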

Limits of such technologies (imho)

-Good at finding artefacts (it's still « something »).

-Pretty bad at understanding what is actually happening inside the exploit.

That being said...

The rise of sandboxes...

Note to self : I don't find it quite reasonable to add something nobody really understands to your corporate network.

Note : lack of third party assessment

The whole concept of sandboxing vendors is to not have the perceived enemy take a look at the technology. Ok, agreed.

-It also means no third party assessment has been done by the security community...

-In real life, having software due diligence done by the community has proved to be a good thing for the quality of the said software.

-See similar requests from Tavis Ormandy and pipacs to have a look at Bromium's technology...

Note : well, they're not Bromium clients, so we have a problem... as an industry, really.

Note 2 : AFAIK, Bromium has researchers like Nergal and Jared DeMott. Who of this caliber works for FireEye really ?

Room for problems

(research leads)