Sunday, February 5, 2017

2017-004-sandboxes, jails, chrooting, protecting applications, and analyzing malware

This week, we discuss sandboxing technologies. Most of the time, infosec people are using sandboxes and similar technology for analyzing malware and malicious software.

Developers use it to create additional protections, or even to create defenses to ward off potential attack vectors.

We discuss sandboxes and sandboxing technology, jails, chrooting of applications, and even tools that keep applications honest, in particular, the pledge(8) function in OpenBSD


HITB announcement:

“Tickets for attendance and training are on sale, And entering special code 'brakeingsecurity' at checkout gets you a 10% discount". Brakeing Down Security thanks #Sebastian Paul #Avarvarei and all the organizers of #Hack In The Box (#HITB) for this opportunity! You can follow them on Twitter @HITBSecConf. Hack In the Box will be held from 10-14 April 2017. Find out more information here:





 Direct Link:




Join our #Slack Channel! Sign up at


#Google Play Store:


Comments, Questions, Feedback, or Suggestions?  Contact us via Email:

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir



#Player.FM :

#Stitcher Network:

#TuneIn Radio App:




Show notes:


Sandboxing tech  -


A sandbox is implemented by executing the software in a restricted operating system environment, thus controlling the resources (for example, file descriptors, memory, file system space, etc.) that a process may use.


Various types of sandbox tech


Jails - freebsd

    Much like Solaris 10’s zones, restricted operating system, also able to install OSes inside, like Debian


Pledge(8)  - new to OpenBSD

    Program says what it should use, if it steps outside those lines, it’s killed


Chroot - openbsd, linux (chroot jails)

    “A chroot on Unix operating systems is an operation that changes the apparent root directory for the current running process and its children”

    Example: “www” runs in /var/www. A chrooted www website must contain all the necessary files and libraries inside of /var/www, because to the application /var/www is ‘/’


Rules based execution - AppArmor, PolicyKit, SeLinux

    Allows users to set what will be ran, and which apps can inject DLLs or objects.

    “It also can control file/registry security (what programs can read and write to the file system/registry). In such an environment, viruses and trojans have fewer opportunities of infecting a computer.”


Android VMs


Virtual machines - sandboxes in their own right

    Snapshot capability

    Revert once changes have occurred

    CON: some malware will detect VM environments, change ways of working


Containers (docker, kubernetes, vagrant, etc)

    Quick standup of images

    Blow away without loss of host functionality

    Helpful to run containers as an un-privileged user.


Chrome sandbox:


Emulation Vs. Virtualization  --seems like a good link


VMware Thinapp (emulator):


(continued next page)

Malware lab creation (Alienvault blog):


News: (assuming it goes short)

SHA-1 generated certs will be deprecated soon -


(whitelisting files in Apache)

Here is a new episode of Brakeing Down Security Podcast!

No comments: