It’s been 10 years since the sandbox came into the spotlight when it emerged as the security industry’s savior. But hackers can’t sit idly by, and there are various ways to break the sandbox. It’s time to rethink sandbox security.
Once upon a time, sandboxing was one of the most anticipated technological achievements in the security industry. Today, it is widely used by security researchers, embedded in modern security solutions such as Endpoint Detection and Response (EDR) and Next Generation Antivirus (NGAV), used as part of software development workflows, and used by many users to test Untrusted software in an unknown or secure environment. The sandbox market is forecast to grow from $2.9 billion in 2016 to $9 billion by 2022.
However, if you think about it, sandboxing has not lived up to its original promise. What is the promise of sandbox technology? That is to uncover the true face of the unknown – to turn the unknown into the known. However, there are some threats that cannot be detected even with today’s sandboxing technology, and as a result, many businesses or organizations have been beaten to death for blindly trusting security sandboxes. To what extent can we rely on the sandbox? become a topic worth discussing.
In this article, I’ll focus on the security sandbox story – what is a sandbox and what does it do? What are the types of sandboxes? What are the problems with the sandbox? And why we shouldn’t rely on sandboxing as the only viable security solution today.
What is a sandbox and what does it do?
Sandbox (English: sandbox, also translated as sandbox) is a security mechanism in the field of computer security, providing an isolated environment for running programs. It is usually used for experimentation with programs whose sources are untrustworthy, destructive, or whose intent cannot be determined.
Sandboxes usually strictly control the resources that programs in them can access. For example, sandboxes can provide disk and memory space that is reclaimed after use. In a sandbox, network access, access to the real system, and reading of input devices are usually prohibited or severely restricted. From this perspective, sandboxing is a type of virtualization.
All changes in the sandbox will cause no damage to the operating system. Typically, this technique is widely used by computer technicians to test potentially poisonous programs or other malicious code.
In summary, the role of the sandbox is to prevent applications from accessing all system resources and user data. As such, it becomes the basis for proactive malware analysis and detection. Like a bomb power test in a secure facility. Sandbox testing executes or detonates code in a safely isolated environment where it is safe to observe the behavior of code and output activities. In addition, recently introduced sandboxes even have threat detection and removal capabilities that can detect threats that other tools miss and help administrators quickly remove these threats from production environments.
Types of sandboxes
First, the sandbox creation method can be divided into:
Full System Emulation: A sandbox that emulates the host’s physical hardware, including memory and CPU.
OS Emulation: A sandbox that emulates the end-user OS. It does not emulate machine hardware.
Virtualization: A virtual machine (VM) based sandbox that contains and checks for suspicious programs.
The second is from the sandbox security solutions can be divided into:
Browser sandboxes such as those built into Google Chrome, Firefox, and Safari.
Browser Endpoint Detection and Response (EDR), which allows security teams to understand attacks on endpoint browsers and isolate threats using sandboxing.
General-purpose virtual machines (VMs), such as VirtualBox, can also be used to isolate suspected malware.
Top 5 Reasons Security Sandboxes Are “No Longer Safe”
10 years ago, the sandbox appeared in front of the entire security industry with brilliant light, and it was recognized as the magic magic that can completely solve all security problems. However, just like all security solutions in the world are subject to research and analysis by attackers, sandboxes are beginning to gradually become the focus of attackers. Now, sandboxes, like other security software, are reduced to one of the security solutions that can be hacked.
From the current situation, it is very insecure to blindly trust and trust the sandbox unconditionally. That said, sandboxing alone won’t solve all security issues right now. Here are five reasons why sandboxing is no longer secure and cannot be used as an effective security control in an enterprise environment:
For one, sandboxing is still a good option during investigation and analysis. However, sandboxes are not reliable when it comes to threat detection. Detection in the sandbox takes time because the malware has to actually run to actually trigger the malicious behavior. Therefore, in today’s age of malware and suspicious programs that need to be analyzed, using sandboxes as a detection tool is inefficient. Sandboxing can only be used for investigation and analysis of known or suspicious malware – which means there must be a pre-detection mechanism in place.
Second, it is not difficult for current attackers to escape the sandbox. There are numerous existing vulnerabilities that enable privilege escalation, most of which are related to the Windows kernel. If you get kernel permissions, you can escape the sandbox. It is very simple for an attacker to find and buy an escalated vulnerability on the dark web.
Third, sandboxes are vulnerable to social engineering attacks. Almost all sandbox environments are managed under the privileges of a specific user. That is, if the user in charge of administration is encouraged or deceived to prevent certain software from passing through the sandbox in some way, then the most powerful sandbox will fail. This behavior can be achieved through social engineering attacks, and cyber attackers are often very good at social engineering attacks.
Fourth, the interface of the sandbox is not perfect. Whether it’s a first-time sandbox user, or a user who has lost more vigilance due to being too familiar with the sandbox environment, a single accidental click is enough to release all kinds of malware in the sandbox into the production environment .
Fifth, the newly launched malware basically has evasion detection and detour technology. Attackers have been working on sandbox evasion techniques for many years. Many types of malware use techniques such as delayed execution, analysis of mouse and keyboard input patterns, hardware environment assessment, and other checks to identify whether the malware is in a sandbox or a real user environment. If found in a sandbox environment, the malware will stop working immediately, and it can also infiltrate directly into the host environment, bypassing the sandbox environment. Some attackers can even exploit security flaws in virtual machine software to launch attacks that damage virtual machines.
Based on the above reasons, we can conclude that relying only on the sandbox as the only security measure is not enough and is not safe.
Could a more advanced sandbox solve these problems?
The answer is pessimistic. In an ongoing “arms race” between attackers and sandbox developers, one side develops more sophisticated techniques to evade or escape the sandbox, while the other side improves measures to detect and contain such attacks. However, sandbox technology developers are at a disadvantage in this “race”.
With each advancement in malware technology, an arbitrary number of resources can theoretically be used to circumvent or subvert the sandbox. However, since sandboxing requires a lot of scanning, it has to be very efficient. However, as sandboxes become more complex, they also become more cumbersome and resource-intensive – making sandboxes less and less useful in production activities.
Even so, we do not advocate the abolition of sandboxes, which cannot be said to be useless. Just emphasizing sandbox technology will not escape the “arms race” between hackers and the security industry. The security industry should always be one step ahead of hackers, but in the current state, sandboxing technology cannot do that, and hacking technology is now one step ahead of existing sandboxing technology. “The road is one foot high and the devil is one foot high.” If we want to stand taller, we must solve the five problems just mentioned.
Until then, all organizations that use sandboxing as the basic framework for their defense systems should be soberly aware that “sandboxing is an unsafe technology today.” Based on this fact, we should build a new defense architecture. Even if today’s sandbox technology is one step ahead of hackers, it won’t be too long. Because hackers will continue to improve their attack strategies through research after research. Therefore, we must take a long-term view to improve and protect our sandbox, or start evaluating other security measures to replace or supplement the once prestigious security sandbox.
Sandboxing is a tentative technique for running risky applications or accessing potentially dangerous websites. There are many ways to create a sandbox environment. But first, we need to consider all the factors and all the risks associated with sandboxing. Security protection should always be multi-layered and multi-faceted, so we can’t just rely on sandbox environments to provide comprehensive protection.