Dailydave mailing list archives

Re: VPC


From: "Andrew R. Reiter" <arr () watson org>
Date: Fri, 22 Feb 2008 19:05:39 -0500 (EST)


On Fri, 22 Feb 2008, Thierry Zoller wrote:

> Dear All,
> TZ> Hint : There are better ones than CWsandbox,
> Since the CWSandbox author is on this list, I wanted to clarify that I
> have no intention of making CWsandbox look less performant; my
> impression is from several tests I made myself and based on the fact
> that it can be easily detected. However I am not sure about the
> internal improvements, maybe the sandbox is better now. Again no
> intention to harm here.


Are you sure he means performance improvements (and I hope you mean 
performance because I do not believe "performant" is an English word)?  I 
think he was inferring security issues.  The previous comment was "can't 
these hooks be bypassed by doing direct system calls?" not "why isn't 
this fast enough?"  While I understand the need for quick analysis, I 
think for automated systems, there needs to be an understanding that there 
must be correct and safe (relatively speaking) analysis -- or else you 
*should* assume your system will get hacked and will produce false 
negatives (in the end).  While this is not truly ideal, I tended to do 
a lot of analysis of Windows executables in a WinE-based environment (there 
were hand-made modifications).  I can understand that this does not likely 
handle _all_ cases because WinE != M$ Windows -- so ... duh on that point. 
But, my point is... instead of going hack-for-hack ("you make certain 
calls? ok we'll hook them."  "oh, you're hooking them? ... in userland? 
hm, ok we'll call the system call api instead of your std lib call" "oh, 
you do that? hmm... we'll hook kernel land"  "oh? reaaally?.... " .... ) 
just turn the tables completely in terms of the very basic "expected 
state" of the runtime environment of the executable but still be able to 
run (and analyze) it.  This is why I truly like the folks who do rev eng 
of Windows system code -- they can reveal the idiosyncrasies of the OSes 
that the code is targeting and therefore be able to emulate it even "more 
better."

Cheers,
andrew
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
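The "hook the API call / bypass it with a direct system call" exchange Andrew sketches above, shown as a Linux/glibc analogue. This is an added example and is not code from the thread, from CWSandbox, or from any sandbox it mentions; the thread is about Windows, but the shape of the problem is the same on any OS where the monitor lives in user space. It assumes Linux x86-64 with glibc, a C compiler, and that /dev/null exists; the names sample_open_via_libc, sample_open_via_syscall, run_demo and the hook counters are invented for the demonstration. The "sandbox" shadows libc's open() wrapper and counts what it sees; the "sample" opens a file once through libc and once by trapping straight into the kernel with openat(2). Two opens happen, the userland hook logs one:

```c
/* Userland API hooking vs. direct system calls, Linux/glibc analogue.
 * Added example, not code from the original thread or from CWSandbox.
 * Assumes Linux x86-64, glibc, and that /dev/null exists. */
#undef _FORTIFY_SOURCE          /* fortify headers define an inline open(); keep it out of the way */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* --- "sandbox" side: a user-mode hook on the libc open() wrapper --------- */

static int  hook_hits = 0;           /* how many opens the hook observed */
static char last_seen[256] = "";     /* last path the hook observed      */

/* Defining open() in the executable shadows libc's wrapper for every call
 * in this program that goes through the libc API (the same effect an import
 * table patch or inline hook has on Windows). The hook records the call and
 * then forwards it to the kernel with the raw openat(2) system call, which
 * is what the libc wrapper would have done anyway. */
int open(const char *path, int flags, ...)
{
    mode_t mode = 0;
    if (flags & O_CREAT) {
        va_list ap;
        va_start(ap, flags);
        mode = (mode_t)va_arg(ap, int);
        va_end(ap);
    }
    hook_hits++;
    snprintf(last_seen, sizeof last_seen, "%s", path);
    return (int)syscall(SYS_openat, AT_FDCWD, path, flags, mode);
}

/* --- "sample" side: two ways to open the same file ---------------------- */

/* The well-behaved path: call the library API. The hook sees this. */
int sample_open_via_libc(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd >= 0) close(fd);
    return fd;
}

/* The evasive path: skip libc and trap into the kernel directly. A hook that
 * lives in user space (import table, inline patch, shadowed symbol) never
 * runs, because the call never passes through the hooked code. */
int sample_open_via_syscall(const char *path)
{
    int fd = (int)syscall(SYS_openat, AT_FDCWD, path, O_RDONLY);
    if (fd >= 0) close(fd);
    return fd;
}

/* --- helpers for checking the outcome ----------------------------------- */

int hook_hit_count(void) { return hook_hits; }
const char *hook_last_seen(void) { return last_seen; }
void hook_reset(void) { hook_hits = 0; last_seen[0] = '\0'; }

/* Runs both paths against the same file and returns how many opens the
 * hook saw. Both opens succeed, but only the libc one is observed, so the
 * result is 1, not 2: the hook's log has a false negative. */
int run_demo(const char *path)
{
    hook_reset();
    sample_open_via_libc(path);
    sample_open_via_syscall(path);
    return hook_hits;
}

int main(void)
{
    int seen = run_demo("/dev/null");
    printf("opens performed: 2, opens seen by userland hook: %d (last: %s)\n",
           seen, hook_last_seen());
    return seen == 1 ? 0 : 1;
}
```

The false negative is silent: nothing in the hook's own log tells the analyst that an open was missed, which is the "assume your system will produce false negatives" point. Closing this particular gap means moving the observation point below the sample, to where the raw trap lands (on Linux, ptrace or a seccomp filter on the syscall; on Windows, a kernel-side monitor), and that is exactly the next step in the hack-for-hack escalation the message describes, with its own bypasses to follow.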
