Dailydave mailing list archives
Re: VPC
From: "Andrew R. Reiter" <arr () watson org>
Date: Fri, 22 Feb 2008 19:05:39 -0500 (EST)
On Fri, 22 Feb 2008, Thierry Zoller wrote:
> Dear All,
>
> TZ> Hint : There are better ones than CWsandbox,
>
> Since the CWSandbox author is on this list, I wanted to clarify that I have no intention on making CWsandbox look less performant, my impression is from several tests I made myself and based on the fact that it can be easily detected. However I am not sure about the internal improvements, maybe the sandbox is better now. Again no intention to harm here.
Are you sure he means performance improvements (and I hope you mean performance because I do not believe "performant" is an English word)? I think he was inferring security issues. The previous comment was "can't these hooks be bypassed by doing direct system calls?" not "why isn't this fast enough?"

While I understand the need for quick analysis, I think for automated systems, there needs to be an understanding that there must be correct and safe (relatively speaking) analysis -- or else you *should* assume your system will get hacked and will produce false negatives (in the end).

While this is not truly ideal, I tended to do a lot of analysis of Windows executables in a WinE-based environment (there were hand-made modifications). I can understand that this does not likely handle _all_ cases because WinE != M$ Windows -- so ... duh on that point.

But, my point is... instead of going hack-for-hack ("you make certain calls? ok we'll hook them." "oh, you're hooking them? ... in userland? hm, ok we'll call the system call api instead of your std lib call" "oh, you do that? hmm... we'll hook kernel land" "oh? reaaally?.... " .... ) just turn the tables completely in terms of the very basic "expected state" of the runtime environment of the executable but still be able to run (and analyze) it.

This is why I truly like the folks who do rev eng of Windows system code -- they can reveal the idiosyncrasies of the OSes that the code is targeting and therefore be able to emulate it even "more better."

Cheers,
andrew

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave