Open Source and information security mailing list archives
Date: Fri, 2 Mar 2007 20:49:11 +0000
From: John Smith <genericjohnsmith@...il.com>
To: Arne Vidstrom <arne.vidstrom@...ecurity.nu>
Cc: bugtraq@...urityfocus.com
Subject: Re: Evading the Norman SandBox Analyzer 

This is the same as the results found > 2 years ago as published by
Joanna Rutkowska as RedPill
(http://invisiblethings.org/papers/redpill.html) (and before that in a
Usenix paper) and therefore everyone who is interested in
emulated/virtualized security already knows that SIDT is a problem
instruction.

John

On Feb 28, 2007, at 11:36 AM, Arne Vidstrom wrote:

> Hi all,
>
> Summary:
>
> The Norman SandBox Analyzer (http://sandbox.norman.no/live.html)  
> runs malicious code samples in an emulated environment while  
> logging their actions. In practice it is more or less impossible to  
> make an emulated environment perfectly similar to the real thing.  
> It is therefore possible to write malicious code that does not  
> behave maliciously when run in the Sandbox Analyzer. Here I will  
> give one example of such a technique.
>
> Full text at:
>
> http://www.ntsecurity.nu/onmymind/2007/2007-02-27.html
>
> I have notified Norman about the problem but have chosen not to  
> wait for them to patch it. The reason being that this is not a  
> regular vulnerability, but rather an example of an inherent  
> weakness in emulated sandboxes in general. I assume they will patch  
> this particular case shortly though since it should be very easy to  
> do.
>
> Regards /Arne
>
> http://ntsecurity.nu
> http://vidstrom.net
