[Dailydave] VPC
Andrew R. Reiter
arr at watson.org
Fri Feb 22 19:05:39 EST 2008
On Fri, 22 Feb 2008, Thierry Zoller wrote:
> Dear All,
> TZ> Hint : There are better ones than CWsandbox,
> Since the CWSandbox author is on this list, I wanted to clarify that I
> have no intention of making CWsandbox look less performant, my
> impression is from several tests I made myself and based on the fact
> that it can be easily detected. However I am not sure about the
> internal improvements, maybe the sandbox is better now. Again no
> intention to harm here.
>
Are you sure he means performance improvements (and I hope you mean
performance because I do not believe "performant" is an English word)? I
think he was inferring security issues. The previous comment was "can't
these hooks be bypassed by doing direct system calls?" not "why isn't
this fast enough?" While I understand the need for quick analysis, I
think for automated systems, there needs to be an understanding that there
must be correct and safe (relatively speaking) analysis -- or else you
*should* assume your system will get hacked and will produce false
negatives (in the end). While this is not truly ideal, I tended to do
a lot of analysis of windows executables in a WinE-based environment (there
were hand made modifications). I can understand that this does not likely
handle _all_ cases because WinE != M$ Windows -- so ... duh on that point.
But, my point is... instead of going hack-for-hack ("you make certain
calls? ok we'll hook them." "oh, you're hooking them? ... in userland?
hm, ok we'll call the system call api instead of your std lib call" "oh,
you do that? hmm... we'll hook kernel land" "oh? reaaally?.... " .... )
just turn the tables completely in terms of the very basic "expected
state" of the runtime environment of the executable but still be able to
run (and analyze) it. This is why I truly like the folks who do rev eng
of windows system code -- they can reveal the idiosyncrasies of the OSes
that the code is targeting and therefore be able to emulate it even "more
better."
Cheers,
andrew