Sandboxes are getting more popular, with Chrome, Internet Explorer, Adobe Reader and Flash Player all implementing some version of a sandbox. So far these sandboxes have been very effective: in-the-wild attacks against these programs either don't exist or have shrunk to fairly rare events. Attackers have for the moment shifted their focus to unsandboxed programs, such as older versions of these programs or other plugins like Java, but there will likely come a point where they have to actually deal with sandboxes. So how will they fare?
There are two ways attackers will monetize a situation in which a sandbox is involved. In a scenario where the vast majority of users are running only sandboxed processes (no more Silverlight or Java), an attacker will be forced to either:
1) Break out of the sandbox
2) Monetize from within the sandbox
In my last post I briefly wrote about Chrome getting hacked at Pwn2Own. The bypass of Chrome's notoriously strong sandbox took place on Windows, and it used a kernel vulnerability to escalate privileges.
Breaking Chrome's sandbox through design issues is very difficult, and the broker process that polices it is relatively small. The Windows kernel, on the other hand, is large and complicated, and every sandboxed process can still reach it directly through system calls, so it is ripe for exploitation.
The kernel isn't the only piece of software viable for sandbox escalation. Security software constantly pokes holes in sandboxes: an antivirus product that injects a DLL into every process brings its own code, and often a channel back to its own privileged service, into the sandboxed renderer, none of which the sandbox's designers audited. You can get a full bypass of Chrome's sandbox just by attacking the AV that injects into it.
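A practical check that follows from this point, added here as an example and not part of the original post: list the modules loaded into Chrome's renderer processes that did not come from Chrome or Windows. It assumes Windows with PowerShell 3 or later, Chrome installed as chrome.exe, and that renderer processes carry `--type=renderer` on their command line (true of Chrome's multi-process model, but still an assumption of this script). The vendor allow-list is a starting point you should adjust for your environment.

```powershell
# Added example, not code from the original post.
# Lists third-party modules inside Chrome renderer processes: the exact code an
# attacker with renderer control gets to attack without leaving the sandbox.
# Run from a 64-bit PowerShell (module enumeration fails across bitness) and, if
# you get access-denied errors, from an elevated prompt.

# Assumption: vendors whose modules we expect to see inside a renderer.
$TrustedVendors = 'Google|Microsoft'

function Get-ChromeRendererModules {
    # Pick out renderer processes by command line, not just by image name,
    # so the browser and GPU processes do not pollute the results.
    $renderers = Get-CimInstance Win32_Process -Filter "Name='chrome.exe'" |
        Where-Object { $_.CommandLine -match '--type=renderer' }

    foreach ($r in $renderers) {
        $proc = Get-Process -Id $r.ProcessId -ErrorAction SilentlyContinue
        if (-not $proc) { continue }            # process exited meanwhile

        try   { $modules = $proc.Modules }      # needs QUERY_INFORMATION | VM_READ
        catch { Write-Warning "PID $($r.ProcessId): cannot read modules ($($_.Exception.Message))"; continue }

        foreach ($m in $modules) {
            $company = $m.FileVersionInfo.CompanyName
            # Unsigned / unattributed modules have an empty CompanyName; keep them.
            if ($company -notmatch $TrustedVendors) {
                [pscustomobject]@{
                    Pid     = $r.ProcessId
                    Module  = $m.ModuleName
                    Company = if ($company) { $company } else { '<none>' }
                    Path    = $m.FileName
                }
            }
        }
    }
}

# One row per distinct DLL path, so a module present in ten renderers shows once.
Get-ChromeRendererModules |
    Sort-Object Path -Unique |
    Format-Table Module, Company, Path -AutoSize
```

Treat the output as attack surface inventory rather than proof of compromise: every row is a piece of code running with renderer-level access that Chrome's sandbox did not account for. An empty list is only as good as the snapshot, since a module that loads briefly or unlinks itself will not appear, and a mismatch between the browser's and PowerShell's bitness will silently hide modules.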
Attackers are very likely to turn to local privilege escalation, especially against high value targets, in order to monetize systems that use sandboxes.
Attackers do one thing really well, and it's pretty much universal: they make money. It doesn't matter if they're just getting your emails, some PayPal info, or whatever else they can get their hands on, they will usually find a way to sell that information or use it to their advantage.
Just because an attacker is stuck in a sandbox does not mean they can't make money. Depending on the sandbox architecture, compromising your browser alone can give them more than enough: the renderer sees every page it draws and every form you type into, which is enough to steal bank details, credit card numbers, email passwords and more.
There is one thing we can be sure of: attackers won't just give up. Maybe they'll accept losses, maybe they'll change their focus, but hackers aren't going anywhere. There is still far too much money to be made.
Whether they break the sandboxes or learn to work within them, attacks are still going to happen.