I want to find out if it's possible to check if an image file like JPEG, PNG, GIF or BMP is safe and don't have a virus in it.
I want to filter an image file before I send them to sandbox to check if it's not suspicious and I know its safe file. The response from the sandbox takes 2-3 minutes and I want to reduce the time if I can filter some files that definitely clean.
Is there a method to find out if an image file is definitely safe?
It is not possible to verify with certainty that an image is clean, short of manually analyzing it to see if it conforms perfectly to the standards, and that your image viewer likewise conforms to the standards. Instead, you can encode the image between a simple format. Converting an image to a trivial format carries with it the risk of exploitation, but converting from a trivial format to a more complex format does not. You can exploit this reduced attack surface area, for example:
Load the suspect image into a sandboxed image converter. The image converter must not have any filesystem access, X11 access, or access to unnecessary syscalls. The sandboxed image converter must be untrusted as it will be using potentially vulnerable libraries.
Have the sandboxed image converter re-encode the image into a trivial pixelmap format, such as PPM. The format must be simple enough that it would be infeasible to exploit. The assumption is that this conversion process may compromise the converter, so all subsequent steps must not need to trust this stage. A pixmap is trivial enough for these purposes.
A second, unsandboxed image converter then takes hold of the pixmap, e.g. through shared memory. This image converter is trusted, as its only input will be a format so trivial that exploitation is infeasible. The pixmap can then be converted into a more proper image format, assuming of course you do not want the output to be a large, uncompressed, raw image.
So why not just have a single sandboxed process convert the image? If you assume that the image parsing library for the input is vulnerable, then even a sandboxed process can no longer be trusted. If you ask it to convert a JPEG to a PNG and the JPEG is malicious, it could embed a different exploit into the PNG output. This is not going to be likely, but it is possible, making this a no-go.
If this is overkill, then there are still some other, simpler ways to decrease the likelihood of falling victim to an image parsing exploit. A non-exhaustive list of recommendations is:
Keep all your software up to date, especially image libraries.
Verify that the image format matches the extension, e.g. by checking the MIME type.
Do not accept images from untrusted sources if possible.
Use only common image formats such as JPEG, PNG, and GIF.
There are a few questions to address here:
Firstly, the real file type. You need to check the file extension but that doesn't necessarily indicate the real file type, you need to check the file type indicator - the "magic bytes", there are libraries for many development platforms to do this for you and you can read more about it here.
On virus scanning, you can either run a scanning engine on a server and submit files to that or you can use an API like Virus Total. There are a few issues to consider with sending the file out to an API.
Where is the API located? Is it in the same country as you, there may be data law restrictions on sending the file out to a scan engine in another country if those images may contain personal information (like faces, names, email addresses etc)
Files uploaded to certain scan engines may be available to other people, consider if this presents any problems for you or your users. You can mitigate this by running your own 'on-prem' system but this will require infrastructure to run and possibly incur additional licensing.
The second consideration is when do you scan? If a user uploads an image, do you scan on demand as soon as they attempt an upload? This will cause a delay in the upload but prevent any viruses getting into your file storage. The alternative is to allow uploads without scanning first and have an agent that runs, scanning files, removing problem files as it goes. It depends on the requirements you have.
Images are collections of pixels. Those are usually harmless. They can only be dangerous if they are malformated and the user uses an image viewing software which has a crucial security bug or if they are mistaken for an executable and someone tries to run them.
An easy way which defeats most of these attacks is to re-encode any images on your server. Use a library on your server to decode the images to an in-memory array of RGBA values and then re-encode those values to a new image in the same format. That checks if it is actually a valid image file and should strip any junk data from it.
However, if you do this, be aware that it opens up your server to potential attacks:
It also has the side-effect that it won't just strip malicious metadata from the image files but also metadata which is beneficial (like color profiles). If you want to preserve certain kinds of metadata, you need to take special care of that.
If you want to mention software exploitation (like 0 day/zero day), it's hard to say that the image is totally safe/clean also it's hard for hacker to create an image which would run the exploitation code in any image reader (it cost so much $$).
So if you want the "image content" of that image, just convert/transform the original image to another one by using online tool and then use that file (After converting, only the "meaning" data will be kept so the payload for exploitation could be eliminated)
