Re: Evading the Norman SandBox Analyzer
From: John Smith <genericjohnsmith () gmail com>
Date: Fri, 2 Mar 2007 20:49:11 +0000
This is the same as the results found > 2 years ago as published by
Joanna Rutkowska as RedPill (http://invisiblethings.org/papers/redpill.html)
(and before that in a Usenix paper) and therefore everyone who is
interested in emulated/virtualized security already knows that SIDT is
a problem instruction.
On Feb 28, 2007, at 11:36 AM, Arne Vidstrom wrote:
The Norman SandBox Analyzer (http://sandbox.norman.no/live.html)
runs malicious code samples in an emulated environment while
logging their actions. In practice it is more or less impossible to
make an emulated environment perfectly similar to the real thing.
It is therefore possible to write malicious code that does not
behave maliciously when run in the Sandbox Analyzer. Here I will
give one example of such a technique.
Full text at:
I have notified Norman about the problem but have chosen not to
wait for them to patch it. The reason being that this is not a
regular vulnerability, but rather an example of an inherent
weakness in emulated sandboxes in general. I assume they will patch
this particular case shortly though since it should be very easy to
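Both posters treat SIDT as the instruction that gives an emulator away (the Red Pill check). As an added example that is not code from either poster or from Norman, the scanner below lets an analyst flag SIDT/SGDT encodings in a sample statically before detonating it; it assumes 32-bit x86 addressing and runs over a constructed byte blob.

```python
"""Static scan of raw x86 bytes for descriptor-table reads (SIDT/SGDT)."""
from dataclasses import dataclass
from typing import List, Optional

# Opcode 0F 01 with a memory-form ModRM (mod != 0b11). The reg field selects
# /0 = SGDT and /1 = SIDT; mod == 0b11 encodes unrelated instructions
# (e.g. MONITOR/MWAIT), so those bytes are deliberately not flagged.
DESCRIPTOR_TABLE_OPS = {0: "SGDT", 1: "SIDT"}

@dataclass
class Hit:
    offset: int      # byte offset of the 0F 01 opcode in the blob
    mnemonic: str    # "SIDT" or "SGDT"
    encoded: bytes   # full instruction bytes (opcode + ModRM/SIB/disp)

def _modrm_length(blob: bytes, i: int) -> Optional[int]:
    """Length of ModRM + SIB + displacement at blob[i] (32-bit addressing),
    or None for a register form or a truncated encoding."""
    if i >= len(blob):
        return None
    mod, rm = blob[i] >> 6, blob[i] & 7
    if mod == 3:
        return None
    length = 1
    if rm == 4:                       # SIB byte follows
        if i + 1 >= len(blob):
            return None
        length += 1
        if mod == 0 and (blob[i + 1] & 7) == 5:
            length += 4               # disp32 with no base register
    elif mod == 0 and rm == 5:
        length += 4                   # [disp32]
    length += {1: 1, 2: 4}.get(mod, 0)  # disp8 / disp32
    return length if i + length <= len(blob) else None

def find_descriptor_table_reads(blob: bytes) -> List[Hit]:
    """Return every SIDT/SGDT encoding found by a linear byte scan.
    Data bytes can produce false positives; treat hits as triage leads."""
    hits, i = [], 0
    while i + 2 < len(blob):
        if blob[i] == 0x0F and blob[i + 1] == 0x01:
            mod, reg = blob[i + 2] >> 6, (blob[i + 2] >> 3) & 7
            n = _modrm_length(blob, i + 2) if reg in DESCRIPTOR_TABLE_OPS else None
            if mod != 3 and n is not None:
                hits.append(Hit(i, DESCRIPTOR_TABLE_OPS[reg], bytes(blob[i:i + 2 + n])))
                i += 2 + n
                continue
        i += 1
    return hits

# Constructed sample (not a real malware sample): sidt [esp-6]; mwait; sgdt [eax]; ret
SAMPLE = bytes.fromhex("0f014c24fa" "0f01c9" "0f0100" "c3")
```

The MWAIT bytes in the sample share the 0F 01 opcode but are skipped because their ModRM has mod == 0b11; 64-bit REX/RIP-relative forms are outside what this scanner decodes.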