17

In testing suspicious files for malware, the typical method is to search for known malicious code. This is why zero-day malware attacks can be so dangerous — their malicious code is previously unknown to antivirus software. The ideal solution is to test every file and program in a sandbox before it is used, and this has been tried, but as far as I know, typically unusual processes appear that can be detected by a smart enough mouse. The malware detects that it is being sandboxed, and holds back on its malicious behavior to keep from being discovered.

The question is, can it be possible, and more importantly practical, to build a sandbox that's identical to an actual computer, and then implement in today's operating systems (Windows, OS X, Linux, iOS, Android) software which uses it to test everything before it is run, or even better, uses it as the running environment for that file?

  • A virtual machine? – Ismael Miguel Apr 22 '15 at 16:29
  • 1
    Why not just buy all your hardware in duplicate? It will double your hardware budget. – emory Apr 22 '15 at 16:54
  • 1
    What research have you done? See "red pill" research, the Garfinkel et al paper from HOTOS 2007, http://security.stackexchange.com/q/10577/971, http://stackoverflow.com/q/154163/781723, http://stackoverflow.com/q/39533/781723. You probably want to use a bare-metal machine, though this limits your ability to observe its execution (you can observe the state before it executes and the state afterwards but it may be difficult to observe and interact with its state while it is executing). – D.W. Apr 22 '15 at 17:35
  • @D.W. Not a duplicate, because I'm not looking for a VM solution specifically, rather the confirmation that it is possible and practical with hardware, software or both to solve this problem. If you can sandbox everything in real-time, malware becomes a thing of the past (surprisingly), so I'm asking about the feasibility of it. It's not directly related to a question about existing virtualization software. – TheEnvironmentalist Apr 22 '15 at 18:41
  • @TheEnvironmentalist, those answers are phrased in terms of VMs but similar barriers/challenges apply to other kinds of sandboxes as well (e.g., OS-level sandboxes, application-level sandboxes, and so on). Did you read the Garfinkel paper? The standard advice on this site is that if your question is not answered by those answers, you should edit your question to narrow its focus on specifically the part that's not covered, and consider stating explicitly what question you have that's not answered there. – D.W. Apr 22 '15 at 18:45
  • @D.W. if you look though the answers, you'll find answers discussing hardware, answers discussing software, and answers discussing a mix of the two. I used the word 'sandbox' rather than referencing a specific implementation (existing virtualization software for instance) because narrowing the focus to hardware-only would eliminate one of the most important points of the question: would hardware, software, or both make the better mousetrap? This question digs into large portions of the most important research in Turing machines, and wouldn't be nearly as relevant if it were narrowed. – TheEnvironmentalist Apr 22 '15 at 18:51
  • Philosophical question: if the malware only delivers its payload when it detects it's not in a VM, why not just do your work in a VM? You're immune to that malware! ;-) – Steve Jessop Apr 23 '15 at 12:52

5 Answers

17

Yes, it can be done as (theoretically) every "computing device" is computationally equivalent to every other computing device. Look up the Church-Turing thesis if you are interested.

However your question is grounded in practice and in this case the answer is "yes, but it would cost too much". Effort in virtualisation today aims at speeding up the virtual environment as much as possible, to the point where it is quite trivial to detect if you are running in a virtual machine, which means that any effort in replicating a system running 100% "native" is limited by the number of people with your same interest.

In other words there is very little commercial interest in doing what you are aiming for and the ROI would be limited only to the few hobbyists and companies that have a vested interest in the matter. How much would you pay for such a system? How much time can you devote? How many people do you know that are willing to spend years on this project?

While there are efforts to research this I haven't yet seen a fully working system that's not terribly slow. For example, Skype employs anti-debugging techniques that detect slowdowns (see slide 30 of this presentation). I suspect any malware could do similar tricks to measure execution against a fixed time server and detect when it's running in a (necessarily slow) emulator.

I think that a different approach would be more economically sound: run the malware sample on an actual machine, and observe what happens. Then "ghost" its disk and memory and look at the differences with an identical, "clean" sample. It might take less time to do, overall, than developing a simulator like the one you have in mind.

lorenzog
  • 1,911
  • 11
  • 18
  • 1
    I thought that there was an ongoing battle where Nvidia wants to detect virtualized environments so they can prevent their non multi-OS videocards from being passed through and the hypervisor developers (e.g., Xen and KVM) who would like them to work. – StrongBad Apr 22 '15 at 12:05
  • 2
    This answer practically sings to the "**`and more importantly practical`**" requirement of OP's question so I think it is the best one so far. +1 – MonkeyZeus Apr 22 '15 at 15:05
  • 1
    Indeed. I used a program called bochs once. If they don't have a specific detector for it they can't know. They just think I've got 90MHz Pentium 1 processor and an IDE SSD hard disk. – Joshua Apr 22 '15 at 17:42
  • 1
    @StrongBad: Ugh. Yet another reason to not like Nvidia. Seriously, how difficult is it to understand a simple concept like "my property is mine to use as I please"? – Mason Wheeler Apr 22 '15 at 19:12
  • According to [this page](http://charette.no-ip.com:81/programming/2009-12-30_Virtualization/index.html), detecting a VM is not as trivial as you make it sound *(that link comes from a comment in your SO link, with the claim that the techniques on that page don't work correctly)*. – BlueRaja - Danny Pflughoeft Apr 23 '15 at 01:54
  • @BlueRaja-DannyPflughoeft yes, it is an arms race but detection techniques will always get better. They might not work today (in fact it's already a few years old) but writing efficient malware has a monetary incentive, whereas writing undetectable virtualisation software doesn't. – lorenzog Apr 23 '15 at 08:42
  • 1
    @lorenzog until malware authors start using 'Blue Pill' like rootkits. Undetectable virtualisation would be a great tool for the bad guys. – richardb Apr 23 '15 at 10:49
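The disk-and-memory differencing lorenzog suggests (run the sample on real hardware, image it, diff against a clean image), as an added example that is not part of the original answer: a SHA-256 filesystem snapshot plus a page-wise comparison of two raw memory dumps. All file names, contents and dumps below are constructed in a temporary directory and in memory.

```python
import hashlib
import os
import tempfile

PAGE = 4096  # page granularity for the memory-dump comparison

def snapshot(root):
    """Map each regular file under root (posix-style relative path) to its SHA-256."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                out[rel] = hashlib.sha256(fh.read()).hexdigest()
    return out

def diff_snapshots(clean, after):
    """Return (added, removed, modified) path lists between two disk snapshots."""
    added = sorted(p for p in after if p not in clean)
    removed = sorted(p for p in clean if p not in after)
    modified = sorted(p for p in clean if p in after and clean[p] != after[p])
    return added, removed, modified

def diff_memory(clean, after, page=PAGE):
    """Return start offsets of pages that differ between two raw memory dumps."""
    n = max(len(clean), len(after))
    return [i for i in range(0, n, page) if clean[i:i + page] != after[i:i + page]]

def demo():
    """Constructed scenario: the 'sample' appends to hosts, drops a file, deletes a log."""
    with tempfile.TemporaryDirectory() as root:
        files = {"hosts": b"127.0.0.1 localhost\n", "note.txt": b"hi\n", "tmp.log": b"x"}
        for name, data in files.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        clean = snapshot(root)                      # image taken before the run
        with open(os.path.join(root, "hosts"), "ab") as fh:
            fh.write(b"10.0.0.1 update.example\n")  # constructed redirect entry
        os.remove(os.path.join(root, "tmp.log"))
        os.mkdir(os.path.join(root, "startup"))
        with open(os.path.join(root, "startup", "run.bin"), "wb") as fh:
            fh.write(b"MZ")                         # constructed dropped binary
        fs_delta = diff_snapshots(clean, snapshot(root))
    mem_clean = bytes(PAGE * 4)                     # constructed 16 KiB dump
    mem_after = bytearray(mem_clean)
    mem_after[PAGE * 2 + 10] = 0x90                 # one byte patched in page 2
    return fs_delta, diff_memory(mem_clean, bytes(mem_after))
```

On a real image the same functions run over a mounted clean disk and the post-run disk, and over two dumps of the same physical memory range; the output is the change set to inspect, not a verdict.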
7

Actually lorenzo's answer does not quite cut it. The Church-Turing thesis only provides us with a model of computing, it can't tell us anything about virtualization because it is not concerned with other aspects of a machine.

But there is theoretical analysis for the ability of a machine to be virtualized by Popek et al: http://cs.nyu.edu/courses/fall14/CSCI-GA.3033-010/popek-goldberg.pdf

This said, current architectures and most importantly x86-64 do NOT fulfill those requirements. So the conclusion would be, it is unfortunately impossible for the CPU architectures currently in use. But one could always think about new CPU architectures...

  • 1
    I think the thesis per se does not provide the answer to this question, but it is a logical derivation of it (in fact I linked to the 'variations' of the thesis, but did not explain it properly). Thank you for clarifying it. – lorenzog Apr 22 '15 at 20:45
3

Put an actual computer in a physical sandbox environment. The computer itself isn't a sandbox and doesn't virtualize anything.

Need Active Directory? Put Active Directory in the sandbox environment.

Do your tests, verify what has changed, review computer and network logs.

This is more practical than building a sandboxed OS which limits normal hardware functions.

ponsfonze
  • 1,332
  • 11
  • 13
1

...practical, to build a sandbox that's identical to an actual computer... test every file and program in a sandbox before it is used...

I think this is the wrong question to ask. The real challenge is not to build a sandbox which behaves like a real computer, but one which behaves like a real computer used by the targeted user.

Malware actually uses techniques to detect presence of a user, sometimes even a specific user (targeted attacks). Some possible techniques for web based drive-by-downloads are

  • Check if specific positions on a page get clicked or wait for some input by displaying some kind of captcha.
  • Check if some resources are cached and others are not and thus check for the presence of a browser actually used by a human for some time.
  • Check if user is logged in to facebook, has access to some specific internal website, resource etc.
Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424
0

Let's take another look at this question: detecting malware purely on behaviour is very hard --- not only can malware try to detect whether it is running in a virtualised environment, but it can (for example) wait some time before activating malicious behaviours (a kind-of-related example: some time ago a Chrome extension that waited 7 days before activating malicious activity passed Google's screening process for Chrome extensions).

Most antiviruses already do some behavioural malware detection; let's assume that a malware program waits 5 minutes before trying to wipe / partition. An antivirus that does behaviour analysis can either:

  • Run this program in a sandbox for a couple of seconds and then decide it is OK.
  • Run this program in a super-fast sandbox in which time passes very fast (faster than realtime) --- but this sandbox would be easy to detect by contacting a time server.
  • Run this (and every other!) program in a sandbox for 5 minutes before running it on the real PC --- which renders the computer unusable.
jb.
  • 111
  • 3