CAPEC-237 - Calling Signed Code From Another Language Within A Sandbox Allow This

The attacker may submit a malicious signed code from another language to obtain access to privileges that were not intentionally exposed by the sandbox, thus escaping the sandbox. For instance, Java code cannot perform unsafe operations, such as modifying arbitrary memory locations, due to restrictions placed on it by the Byte code Verifier and the JVM. If allowed, Java code can call directly into native C code, which may perform unsafe operations, such as call system calls and modify arbitrary memory locations on their behave. To provide isolation, Java does not grant untrusted code with unmediated access to native C code. Instead, the sandboxed code is typically allowed to call some subset of the pre-existing native code that is part of standard libraries.

Severity

Likelihood

Confidentiality

Integrity

Availability

  • Attack Methods 2
  • Analysis
  • API Abuse
  • Purposes 1
  • Exploitation
  • Scopes 3
  • Bypass protection mechanism
  • Authorization
  • Access_Control
  • Execute unauthorized code or commands
  • Authorization
  • Gain privileges / assume identity
  • Non-Repudiation
  • Authorization
  • Authentication
  • Accountability

High level: The attacker must have a good knowledge of the platform specific mechanisms of signing and verifying code. Most code signing and verification schemes are based on use of cryptography, the attacker needs to have an understand of these cryptographic operations in good detail.

A framework-based language that supports code signing and sandbox (such as Java, .Net, JavaScript, and Flash) Deployed code that has been signed by its authoring vendor, or a partner

No special resource is required.

Step 1 - Probing

The attacker probes the target application to see whether calling signed code from another language is allowed within a sandbox..

Tecnique ID: 1 - Environment(s) env-All

The attacker probes the target application to see whether calling signed code from another language is allowed within a sandbox.

Indicator ID: 1 - Environment(s) env-All

Type: Positive

The target application allows calling signed code from another language within a sandbox.


Outcome ID: 1

Type: Success

The attacker knows that the target application is calling signed code from another language within a sandbox.


Step 2 - Analysis

The attacker analyzes the target application to get a list of cross code weaknesses in the standard libraries of the sandbox..

Tecnique ID: 1 - Environment(s) env-All

The attacker analyzes the target application to get a list of cross code weaknesses in the standard libraries of the sandbox.

Indicator ID: 1 - Environment(s) env-All

Type: Positive

The standard library of the sandbox has some cross code security weaknesses.


Security Control ID: 1

Type: Preventative

Sanitize the code of the standard libraries to make sure there is no security weaknesses in them.

Security Control ID: 2

Type: Preventative

If possible, use obfuscation and other techniques to prevent reverse engineering the libraries.


Outcome ID: 1

Type: Success

The attacker gets a list of cross code security weaknesses in the standard libraries.



Step 1 - Verify the exploitable security weaknesses

The attacker tries to craft malicious signed code from another language allowed by the sandbox to verify the security weaknesses of the standard libraries found in the Explore phase..

Tecnique ID: 1 - Environment(s) env-Web

The attacker tries to explore the security weaknesses by calling malicious signed code from another language allowed by the sandbox.

Security Control ID: 1

Type: Preventative

Sanitize the code of the standard libraries to make sure there are no security weaknesses in them.


Outcome ID: 1

Type: Success

The attacker identifies a list exploitable security weaknesses in the standard libraries.



Step 1 - Exploit the security weaknesses in the standard libraries

The attacker calls signed malicious code from another language to exploit the security weaknesses in the standard libraries verified in the Experiment phase. The attacker will be able to obtain access to privileges that were not intentionally exposed by the sandbox, thus escaping the sandbox..

Tecnique ID: 1 - Environment(s) env-All

The attacker calls signed malicious code from another language to exploit the security weaknesses in the standard libraries.

Security Control ID: 1

Type: Preventative

Sanitize the code of the standard libraries to make sure there is no security weaknesses in them.


Outcome ID: 1

Type: Success

The attacker escapes the sandbox to obtain access to privileges that were not intentionally exposed by the sandbox.



Assurance: Sanitize the code of the standard libraries to make sure there is no security weaknesses in them.

Design: Use obfuscation and other techniques to prevent reverse engineering the standard libraries.

Assurance: Use static analysis tool to do code review and dynamic tool to do penetration test on the standard library.

Configuration: Get latest updates for the computer.