Date: Fri, 2 Mar 2007 20:49:11 +0000
From: John Smith <genericjohnsmith@...il.com>
To: Arne Vidstrom <arne.vidstrom@...ecurity.nu>
Cc: bugtraq@...urityfocus.com
Subject: Re: Evading the Norman SandBox Analyzer
This is the same as the results found > 2 years ago as published by
Joanna Rutkowska as RedPill (http://invisiblethings.org/papers/
redpill.html) (and before that in a Usenix paper) and therefore
everyone who is interested in emulated/virtualized security already
knows that SIDT is a problem instruction.
John
On Feb 28, 2007, at 11:36 AM, Arne Vidstrom wrote:
> Hi all,
>
> Summary:
>
> The Norman SandBox Analyzer (http://sandbox.norman.no/live.html)
> runs malicious code samples in an emulated environment while
> logging their actions. In practice it is more or less impossible to
> make an emulated environment perfectly similar to the real thing.
> It is therefore possible to write malicious code that does not
> behave maliciously when run in the Sandbox Analyzer. Here I will
> give one example of such a technique.
>
> Full text at:
>
> http://www.ntsecurity.nu/onmymind/2007/2007-02-27.html
>
> I have notified Norman about the problem but have chosen not to
> wait for them to patch it. The reason being that this is not a
> regular vulnerability, but rather an example of an inherent
> weakness in emulated sandboxes in general. I assume they will patch
> this particular case shortly though since it should be very easy to
> do.
>
> Regards /Arne
>
> http://ntsecurity.nu
> http://vidstrom.net
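The SIDT check John refers to is the RedPill technique: in 32-bit Windows guests the IDT base reported by SIDT sits well below 0xd0000000 on real hardware and far above it under VMware or Virtual PC, so one unprivileged instruction exposes the emulated or virtualized environment. The following is an added illustration of that check, not code from Arne's write-up, from Norman, or from the original redpill.c; it reuses only the published threshold (high byte of the 32-bit base > 0xd0). The helper names, the packed struct and the two sample IDTR images are assumptions constructed for the example.

```c
/* redpill_check.c: the SIDT ("RedPill") heuristic in its original 32-bit
   form. Added illustration; not Arne Vidstrom's code and not the original
   redpill.c, whose threshold (IDT base high byte > 0xd0) it reuses. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* SIDT stores the IDTR as a 16-bit limit followed by the base address:
   6 bytes in 32-bit mode, 10 bytes in long mode, little-endian. */
struct __attribute__((packed)) idtr_image {
    uint16_t limit;
    uint64_t base;   /* only the low 4 bytes are written in 32-bit mode */
};

/* Constructed sample images (assumptions, not captured from any system):
   a "native" 32-bit layout with the IDT at 0x80401000, and a "VMware-like"
   layout with the IDT at 0xff400000 as described in the RedPill paper. */
static const uint8_t SAMPLE_NATIVE[10] = {0xff,0x07, 0x00,0x10,0x40,0x80, 0,0,0,0};
static const uint8_t SAMPLE_VMWARE[10] = {0xff,0x07, 0x00,0x00,0x40,0xff, 0,0,0,0};

/* Hypothetical helper names (assumptions, not from the page). */
uint16_t idt_limit_from_sidt(const uint8_t *buf)
{
    return (uint16_t)(buf[0] | ((uint16_t)buf[1] << 8));
}

/* Base field as the original 32-bit redpill saw it (bytes 2..5). */
uint32_t idt_base32_from_sidt(const uint8_t *buf)
{
    return (uint32_t)buf[2] | ((uint32_t)buf[3] << 8)
         | ((uint32_t)buf[4] << 16) | ((uint32_t)buf[5] << 24);
}

/* Rutkowska's redpill decision: a high byte of the 32-bit IDT base above
   0xd0 was taken as "inside a VM" (the paper reports 0xff.. for VMware and
   0xe8.. for Virtual PC on 32-bit Windows). 1 = looks virtual, 0 = native. */
int redpill_looks_virtual(uint32_t idt_base32)
{
    return (idt_base32 >> 24) > 0xd0u;
}

/* Execute SIDT on x86/x86-64 and copy its memory image into out (10 bytes).
   Returns 1 on success, 0 on an architecture without SIDT. SIDT is
   unprivileged on x86 unless UMIP is enabled; with UMIP the OS may trap it
   and hand back a fixed dummy value instead of the real IDTR. */
int read_idtr_image(uint8_t out[10])
{
#if defined(__x86_64__) || defined(__i386__)
    struct idtr_image r;
    memset(&r, 0, sizeof r);
    __asm__ volatile ("sidt %0" : "=m" (r));
    memcpy(out, &r, 10);
    return 1;
#else
    memset(out, 0, 10);
    return 0;
#endif
}

int main(void)
{
    uint8_t img[10];
    if (!read_idtr_image(img)) {
        puts("no SIDT on this architecture");
        return 0;
    }
    uint32_t base32 = idt_base32_from_sidt(img);
    printf("IDT limit=0x%04x base32=0x%08x -> %s\n",
           idt_limit_from_sidt(img), base32,
           redpill_looks_virtual(base32) ? "looks virtual (redpill)"
                                         : "looks native (redpill)");
    /* On a 64-bit kernel the IDT lives at a high canonical address, so the
       32-bit threshold says nothing useful; print the full base field too. */
    uint64_t base64;
    memcpy(&base64, img + 2, 8);
    printf("full 64-bit base field=0x%016llx\n", (unsigned long long)base64);
    return 0;
}
```

Two caveats for anyone reusing this: the threshold is a 2004-era observation about 32-bit Windows guests, not a specification, and on 64-bit kernels the IDT base is a high canonical address that the 32-bit comparison cannot interpret. An emulator such as the one Arne describes, unlike a VMM, could simply return whatever IDTR value its author chooses, which is why he expects this particular case to be easy to patch while the underlying problem (an emulator can never match real hardware in every instruction) remains.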