
I am trying to conceptualize a server where users can upload potentially dangerous malware samples to a server. They would not need to be stored in the file system per se but kept in memory long enough to be analyzed by other programs/libraries. (Similar to: VirusTotal)

I'm not opposed to incorporating other open source solutions/libraries, but my main concern is reducing risk to the overall system between when a user uploads the file to a web service and getting it to other programs for analysis.

  1. If the file is never saved, and remains only an input stream (java), would that be a strong mitigating factor?
  2. Do you know of any resources that are relevant/talk about sandboxing while still exposing some ports, in constant use by a program, for exchanging analysis information with another local server?
  3. Do you have any recommendations or warnings for accepting malware sample submissions? (If "don't try", please elaborate on the pitfalls)
  • Have you looked up malware analysis sandbox architecture at all? There are several types, approaches, and most include an explanation of their controls. Can I also ask why you want to make one instead of using one that is already tested? Like cuckoo? – schroeder Oct 19 '20 at 17:26
  • @schroeder I have a bit, but it is early on and I'm just looking for help getting pointed in the right direction as opposed to drowning in a sea of blog posts in a topic I'm still getting familiar with. I'm not opposed to using other tools, but I'm mainly concerned about the mechanism of getting a file in a deployed web service and sending it to where it can be analyzed with mitigating risks to the overall system. I'm going to edit my question to be more clear on that front, please let me know if I can improve – user2726232 Oct 19 '20 at 19:11
  • I'm afraid that you have misunderstood my comment. I'm not talking about libraries. I'm talking about entire sandbox architectures and products that do what you want. Have you looked up cuckoo? – schroeder Oct 19 '20 at 19:18
  • @schroeder The solution I'm concerned with is getting the file to different analysis systems. It seems cuckoo may very well be one, but it cannot be the only one. I haven't looked deep into cuckoo yet, but my need is trying to get a file upload from a web service to different programs with as little risk as possible. – user2726232 Oct 19 '20 at 19:26
  • Then you need to reword your question. Your title states you want a server for analysis, not for routing. And no, cuckoo is not the only one. But it is the *biggest* one. You can *learn* about the concepts and approaches from it. – schroeder Oct 20 '20 at 07:14

1 Answer


You are looking at the wrong problem. Handling the file is not an issue. You can save it in the filesystem if you want. You just need to treat it as data. A database blob, a filesystem entry, an in-memory stream. All of those should work.

From Eicar to NotPetya, they are just bytes.

The point where you need to be careful is where programs start processing them. You have a program extracting the file sections? You might worry that if that program was passed a carefully corrupted input file, it didn't cause a buffer overflow that let the attacker run arbitrary code. And so on.

The issue is not "getting it to other programs", it's that whatever those other programs do while running over the malicious file won't harm the "master" system. That's why you would run those ancillary programs sandboxed in containers, virtual machines, etc.

Ángel
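As an added example (not from the answer or the asker), the split the answer describes, in Python: the ingest side treats the upload as opaque bytes, and the step that actually parses the sample runs in a separate child process with resource limits and a timeout, so a hang or crash in the parser is reported rather than propagated. The sample bytes and the two analyzer commands are constructed stand-ins, and the rlimits are a minimal illustration of the idea, not a substitute for the container or VM boundary the answer recommends.

```python
import hashlib
import resource
import subprocess
import sys

# Constructed stand-in for an uploaded sample: arbitrary bytes, not real malware.
SAMPLE = b"MZ" + bytes(range(256)) * 4

def ingest(data: bytes) -> dict:
    """Upload side: the sample is opaque data. Record a hash and size; nothing parses it here."""
    return {"sha256": hashlib.sha256(data).hexdigest(), "size": len(data)}

def _limit_child() -> None:
    """Runs in the child before exec: cap CPU time and memory, forbid creating files of any size."""
    resource.setrlimit(resource.RLIMIT_CPU, (5, 5))
    resource.setrlimit(resource.RLIMIT_AS, (1 << 30, 1 << 30))
    resource.setrlimit(resource.RLIMIT_FSIZE, (0, 0))

def analyze(cmd: list, data: bytes, timeout: float = 10.0) -> tuple:
    """Hand the bytes to an analyzer over stdin. The parser is the part that can blow up, so it
    lives in its own limited process; a hang is turned into a result instead of stalling the server."""
    try:
        proc = subprocess.run(cmd, input=data, capture_output=True,
                              timeout=timeout, preexec_fn=_limit_child)
    except subprocess.TimeoutExpired:
        return "timeout", ""
    return proc.returncode, proc.stdout.decode(errors="replace").strip()

# Hypothetical analyzers, stood in by small Python one-liners: a toy header check and a parser that hangs.
HEADER_CHECK = [sys.executable, "-c",
                "import sys; d = sys.stdin.buffer.read(); print(len(d), d[:2] == b'MZ')"]
HANGING_PARSER = [sys.executable, "-c",
                  "import sys; sys.stdin.buffer.read()\nwhile True: pass"]

if __name__ == "__main__":
    print(ingest(SAMPLE))
    print(analyze(HEADER_CHECK, SAMPLE))               # (0, '1026 True')
    print(analyze(HANGING_PARSER, SAMPLE, timeout=1))  # ('timeout', '')
```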